3 research outputs found

    A roadmap towards improving managed security services from a privacy perspective

    Published version of an article in the journal: Ethics and Information Technology. Also available from the publisher at: http://dx.doi.org/10.1007/s10676-014-9348-3

    This paper proposes a roadmap for how privacy leakages from outsourced managed security services using intrusion detection systems can be controlled. The paper first analyses the risk of leaking private or confidential information from signature-based intrusion detection systems. It then discusses how the situation can be improved by developing adequate privacy enforcement methods and privacy leakage metrics in order to control and reduce the leakage of private and confidential information over time. Such metrics should allow for quantifying how much information that is leaking, where these information leakages are, as well as showing what these leakages mean. This includes adding enforcement mechanisms ensuring that operation on sensitive information is transparent and auditable. The data controller or external quality assurance organisations can then verify or certify that the security operation operates in a privacy friendly manner. The roadmap furthermore outlines how privacy-enhanced intrusion detection systems should be implemented by initially providing privacy-enhanced alarm handling and then gradually extending support for privacy enhancing operation to other areas like digital forensics, exchange of threat information and big data analytics based attack detection.

    Outsourcing Information Security: The Role of Information Leakage in Outsourcing Decisions

    Emerging research regarding the economics of outsourcing information security recommends that firms utilize full outsourcing due to its cost advantages but ignore the risk of information leakage. In our model, we take the information leakage into account, and show that it is necessary for a firm to assess the risk before outsourcing. Next, we divide a firm’s business operations into core business and non-core business operations and introduce a partial outsourcing strategy. We find that the security quality of partial outsourcing is always lower. Subsequently, we demonstrate the conditions for selecting from among three security strategies, i.e., in-house development, partial outsourcing and full outsourcing. Based on our results, in high-risk information leakage environments, we do not recommend outsourcing. We further demonstrate that outsourcing security of non-core business is an alternative strategy when the risk of information leakage is not high. A firm should shift from outsourcing to developing security protection in-house as the percentage of information assets utilized for core business increases. In addition, our results show that outsourcing information security of only core business is a strictly dominated strategy.

    Familiarity with Internet threats: Beyond awareness

    The degree of familiarity with threats is considered as a predictor of Internet attitudes and security behaviors. Cross-sectional data were collected from 323 student participants about their familiarity with 16 different Internet threats. All participants were presented with definitions of threats and then asked to state how familiar they were with each. Their responses were then used to identify the extent to which threat familiarity differed among the sample. Three different clusters were identified. One set of participants were relatively knowledgeable about all threats. Cluster 1 was therefore labeled experts (n = 92). Clusters 2 (n = 112) and 3 (n = 92) showed very different patterns as familiarity appeared to depend on the novelty of the threat (with one cluster showing more familiarity with well-known threats and the other more familiarity with new threats). Participants who were experts were more likely to engage in computer security behaviors than the other two groups. Mediation analysis showed that time spent on the Internet and the length of Internet experience were significant predictors of familiarity, and both were significant indirect predictors of computer security use (suggesting a relationship fully mediated by familiarity). Our paper makes several important contributions. First, the research reflects a systematic effort to investigate the relationship between the familiarity and engagement of online security activities. Second, we provide evidence that familiarity is a mediator between Internet use and security behaviors – making this a baseline variable to consider in terms of training on future threat-oriented interventions aimed at changing security behavior. This study also provides implications for practitioners to improve user familiarity of security risks.