
    A roadmap towards improving managed security services from a privacy perspective

    Published version of an article in the journal Ethics and Information Technology. Also available from the publisher at: http://dx.doi.org/10.1007/s10676-014-9348-3

    This paper proposes a roadmap for how privacy leakages from outsourced managed security services using intrusion detection systems can be controlled. The paper first analyses the risk of leaking private or confidential information from signature-based intrusion detection systems. It then discusses how the situation can be improved by developing adequate privacy enforcement methods and privacy leakage metrics in order to control and reduce the leakage of private and confidential information over time. Such metrics should allow for quantifying how much information is leaking, where these information leakages are, as well as what these leakages mean. This includes adding enforcement mechanisms ensuring that operation on sensitive information is transparent and auditable. The data controller or external quality assurance organisations can then verify or certify that the security operation operates in a privacy-friendly manner. The roadmap furthermore outlines how privacy-enhanced intrusion detection systems should be implemented by initially providing privacy-enhanced alarm handling and then gradually extending support for privacy-enhancing operation to other areas like digital forensics, exchange of threat information and big-data-analytics-based attack detection.

    Nature-inspired survivability: Prey-inspired survivability countermeasures for cloud computing security challenges

    As cloud computing environments become complex, adversaries have become highly sophisticated and unpredictable. Moreover, they can easily increase attack power and persist longer before detection. Uncertain malicious actions, latent risks, and Unobserved or Unobservable Risks (UUURs) characterise this new threat domain. This thesis proposes prey-inspired survivability to address unpredictable security challenges borne out of UUURs. While survivability is a well-addressed phenomenon in non-extinct prey animals, applying prey survivability to cloud computing directly is challenging due to contradicting end goals. How to manage evolving survivability goals and requirements under contradicting environmental conditions adds to the challenges. To address these challenges, this thesis proposes a holistic taxonomy which integrates multiple and disparate perspectives of cloud security challenges. In addition, it proposes TRIZ (Teorija Reshenija Izobretatelskikh Zadach) to derive prey-inspired solutions through resolving contradiction. First, it develops a 3-step process to facilitate interdomain transfer of concepts from nature to cloud. Moreover, TRIZ's generic approach suggests specific solutions for cloud computing survivability. Then, the thesis presents the conceptual prey-inspired cloud computing survivability framework (Pi-CCSF), built upon TRIZ-derived solutions. The framework run-time is pushed to the user-space to support evolving survivability design goals. Furthermore, a target-based decision-making technique (TBDM) is proposed to manage survivability decisions. To evaluate the prey-inspired survivability concept, a Pi-CCSF simulator is developed and implemented. Evaluation results show that escalating survivability actions improve the vitality of vulnerable and compromised virtual machines (VMs) by 5% and dramatically improve their overall survivability. Hypothesis testing conclusively supports the hypothesis that the escalation mechanisms can be applied to enhance the survivability of cloud computing systems. Numeric analysis of TBDM shows that by considering survivability preferences and attitudes (these directly impact survivability actions), the TBDM method brings unpredictable survivability information closer to decision processes. This enables efficient execution of variable escalating survivability actions, which enables the Pi-CCSF's decision system (DS) to focus upon decisions that achieve survivability outcomes under the unpredictability imposed by UUURs.

    Pricing and Risk Mitigation Analysis of a Cyber Liability Insurance using Gaussian, t and Gumbel Copulas – A case for Cyber Risk Index

    Cyber risk, a type of operational risk, is today considered a key component in the enterprise risk management framework. Under Basel regulations, a bank could recognize the risk-mitigating impact of a Cyber Liability Insurance (CLI) contract while calculating the minimum operational risk capital requirement. Despite this benefit and the onerous data protection acts, organizations are still reluctant to buy CLI contracts. In this work, we price and analyze a CLI contract using Gaussian, t and Gumbel copulas and evaluate the contract's cyber risk mitigation effectiveness. We find that the current structure of the CLI contract, with its limits and sub-limits, may be inefficient at mitigating cyber risk, especially if the cyber risk losses are correlated and show upper tail dependency. We then propose a case for a traded index for cyber risk similar to the Property Claim Services (PCS) index for catastrophic risk. A traded cyber risk index could offer wider cyber risk hedging alternatives to insurers. Given such risk hedging alternatives, insurers may have lower impetus to set conservative limits in CLI contracts, thus making the contracts more effective in mitigating the cyber risk of organizations.

    A Systems Theory of Compliance Law


    Strategic governance and risk-management of the outsourcing ecosystem:developing dynamic capabilities and addressing implementation challenges

    As outsourcing continues to grow in large global organisations, governance and risk management of the related outsourcing ecosystem is evolving as a strategic Board-level activity, driving competitive advantage and value creation in addition to value protection. Amidst this growth and evolution, the outsourcing of Information Technology (IT) and IT-enabled Business Process Outsourcing (BPO) continues to mature into a broader category referred to by contemporary researchers as "business services", including almost every service that can be delivered by third parties, often enabled by digitisation and technology. Through such strategic initiatives, focused on creating inimitable competitive advantage and organisational value, organisations have increased their levels of dependence on outsourcing, exposing themselves to newer risks amid shifting business environments. But despite these developments, there has been limited research on the ability of organisations to manage risks around outsourcing with a dynamic mind-set to create and protect value for organisations. Instead, most research continues to focus exclusively on preventing "bad things happening". The first part of the research establishes the context by providing a forward-looking multi-disciplinary view on strategic risk and governance related to outsourcing. This is followed by gaining an understanding of how and why large global organisations are broadening their perspective and enhancing maturity over governance and risk management around their outsourcing ecosystem, including capabilities that they must develop to emerge as astute decision-makers, using industry-specific case studies. The second part of the research uses primary data to capture the overall progress made in achieving this transformation and its implementation challenges. This thesis contributes to the growing body of outsourcing literature by focusing on governance from a novel "outsourcing ecosystem" perspective. It also makes practical contributions by identifying and addressing implementation challenges relevant to this transformational thinking, together with a 2x2 framework, which hold relevance for organisations operating with a significant outsourcing ecosystem and their leadership.