    CPS Information Security Risk Evaluation Based on Blockchain and Big Data

    CPS (Cyber-Physical Systems) have seen wide application and research, and information security risk evaluation has become key to the further development of CPS. In view of the physical structure and business characteristics of CPS, this paper constructs an information security risk evaluation system for CPS. In the risk evaluation process, the analysis results from experts are combined with the analysis of related big data from external data sources; experts confirm the index system and the weight values of the indexes for CPS information security risk evaluation, and an evaluation model is then used to quantitatively calculate CPS information security risks. This paper proposes using blockchain technology to construct a system that guarantees the authenticity and reliability of data for CPS and CPS-related external systems, and constructs a layered blockchain model structure based on CPS. In the case analysis, the evaluation system based on blockchain and big data is compared with the evaluation system based on the traditional mode, to confirm the research value of this paper.

    An Experience Report of Eliciting Security Requirements from Business Processes

    Small and medium-sized enterprises struggle to find strategies for achieving a high level of information security. Often these enterprises are not aware of the risks associated with information technology. In addition, the scarcity of finance and IT departments, which lack their own information security officer, increases the risk of vulnerability. The alignment of business process management and security engineering, which manifests itself in the elicitation of security requirements using a business-process-based approach, offers a solution to this sector-wide issue by enabling security-risk-oriented patterns to be adopted also by business analysts. Patterns based on contextual areas illustrate business assets, vulnerabilities and risk treatment in the form of security requirements. This is achieved by using the Business Process Model and Notation 2.0 modelling language and specially engineered extensions that add the IT security domain. The result is an applicable solution that elicits security requirements. At the core of this study is the application of the patterns in order to measure their performance in a German SME. After business assets and security objectives had been defined, several pattern occurrences were identified, culminating in the definition of a number of security requirements. Implementation abilities and usefulness with regard to the company highlighted very clear pattern performance. In addition, a new pattern was developed using the Information System Security Risk Management Domain Model. Finally, the author of this study recommends including prioritisation and inspection techniques from the Security Quality Requirements Engineering methodology and an extension of the theorem of organisational configurations, which in turn enables further automation of SREBP. These modifications result in an approach that increases the security of small and medium-sized enterprises.
Keywords: small and medium-sized enterprises, business process management, security requirements elicitation based on business processes, security risk-oriented patterns, security requirements, pattern occurrences, Information System Security Risk Management Domain Model.
    Small and Medium Sized Enterprises struggle to find strategies to achieve a high level of information security or are unaware of the risks posed by information technology. A lack of finance and IT departments that miss an information security officer increases the risk of exploited vulnerabilities. The alignment of Business Process Management and Security Engineering, manifested in the Security Requirements Elicitation using Business Processes approach, provides a solution to this sector-wide issue by introducing Security Risk-oriented Patterns applicable also for business analysts. Patterns that are based on contextual areas illustrate business assets, vulnerabilities and risk treatment in the form of security requirements. This is achieved by using the Business Process Model and Notation 2.0 modeling language and specifically engineered extensions which add the IT security domain. The outcome of this bridging is an applicable solution to elicit security requirements. The core of this thesis is the pattern application to measure their performance in a German SME. After business assets and security objectives were set, several pattern occurrences were identified that resulted in a number of security requirements. Implementation abilities and usefulness with regard to the company underlined strong pattern performance. Moreover, a new pattern has been developed by using the Information System Security Risk Management Domain Model. Finally, the inclusion of prioritization and inspection techniques from the Security Quality Requirements Engineering methodology is suggested, together with extensions from the theorem of organizational configurations that enable further automation of SREBP. These modifications result in an approach that increases the security of Small and Medium Sized Enterprises.
Keywords: Small and Medium Sized Enterprises; Business Process Management; Security Requirements Elicitation using Business Processes; Security Risk-oriented Patterns; security requirements; pattern occurrences; Information System Security Risk Management Domain Model

    Protecting management information systems: Virtual Private Network competitive advantage

    Information security technologists and business scholars are motivated by a desire to understand how and to what extent the application of IT within enterprise systems leads to improved and secured organizational performance. An effective relationship between business and IT professionals is a primary determinant of success in gaining business advantage through the enterprise system. As business innovation has relied increasingly on partnerships between business and IT professionals, a different perspective of how IT professionals view their organizational contributions was needed for organizations to remain competitive. Business knowledge is essential if IT professionals are to create linkages with other organizational units and have a wider perspective about business objectives, thus achieving fit between IT and organizational strategies. Organizations have started responding to this challenge by demanding more business acumen in their IT staff. The focus of this study is on the knowledge that lies beyond independent business-only and IT-only domain knowledge of information security. Therefore, technical areas of knowledge, such as hardware and software, all of which are closely associated with IT skills, are not discussed in this thesis. This is not to declare that such knowledge is not important. Clearly technical knowledge is part of the IT professional's overall information security technology expertise, but this study is about the organizational proficiency of business and IT professionals, and is therefore interested in what enables business and IT professionals to apply their business domain and technical knowledge in ways that are beneficial to the organization and to act cooperatively with their customers and business partners. The purpose of this study is to employ the triangulation method to identify the theoretical links and empirically examine the association between the business and IT perspectives of information security. 
An important contribution of this study is the identification of business and IT perspectives on information security technology. By establishing the link between business and IT, the study focuses on and evaluates Virtual Private Network (VPN) as an information security technology to find out if VPN can secure and gain competitive advantage through partisan business process and organization performance. This study articulates distinctive characteristics of Virtual Private Network and management processes that extend the range of applicability across diverse business segments. It distinguishes between business and IT and explains why the exploitation of a complementary set of related information security entities (such as VPN) across multiple functions creates competitive advantages even across a diverse set of businesses that have limited opportunity to exploit business process and organization performance. The most important direct predictor in this study is a high level of communication between business and IT. However, one cannot mandate meaningful communication between individuals. IT people have to earn the right to play a meaningful role in management forums. Based on the findings from this study, one important way for an IT person to be heard is for him/her to devote the time necessary to create competitive advantage and develop shared domain knowledge, the most influential construct in the research model. An IT person needs to understand the leverage points of the industry, the history and current issues of the business units, and to learn to apply business-oriented objectives in the application of technology to business problems. This change in view would help focus their attention on security technology and ideas that could produce the most benefit and create competitive advantage, rather than those that offer the most technical promise.

    A maturity model for implementation and application of Enterprise Resource Planning systems and ERP utilization to Industry 4.0

    This study analyzes the evolution of ERP systems and the current trends of their implementation and application, as well as the organization's readiness for further digitalization. Throughout the study, it is identified that there are many critical factors that have an impact on the process of implementation and application of ERP systems. There are different studies and reports that confirm that organizations are struggling with this process. Researchers have identified and proposed different stages of implementation and application of ERP systems. Moreover, three maturity models are identified which aim to measure the ERP maturity level in organizations, but they do not define the complete process that would support organizations in checking the maturity level of their ERP systems by themselves. On the other hand, Industry 4.0, as a new technological concept, aims to support organizations in completing the digitalization and automation of their processes and functions, specifically in the manufacturing industry. Based on the undertaken study, a new ERP Maturity Model (ERPMM) is developed with the aim of measuring the maturity of implementation and application of the ERP system in organizations. To check the reliability and validity of the developed model, a quantitative methodology was applied. The proposed model (ERPMM) to measure the maturity of ERP system implementation and application will support organizations in generating a clear picture of their organizational status related to the implementation and application of the ERP system. In this way, they are able to evaluate the benefits of implementation and application of an ERP system, and whether they should change anything in the way they are applying such a system. The study also analyzes the impact of different factors that have an effect on successful ERP system implementation and application. 
In addition, this study has investigated whether strategic use of IT positively affects the ERP selection, implementation, and application process, whether appropriate ERP selection has a positive effect on implementation and application, the role of ERP implementation in the application, and the impact of the ERP application on business performance. The study shows that there is a relationship between all the stages of ERP implementation and application, starting with the organization's IT strategy and ending with the ERP application. The results of the study show that the ERP application has a positive impact on business performance. The study also presents an analysis of the integration of ERP and Industry 4.0, which is done based on secondary data. Industry 4.0 is seen as the beginning phase where computers and automation become connected, and as an opportunity to increase efficiency and effectiveness in the manufacturing industry through the application of real-time data and information, by integrating physical machinery and devices with networked sensors and software to predict, control and reduce costs in a long-term view. Primary data was used to analyze whether the ERP application can be used to predict the readiness of organizations for Industry 4.0. Based on the statistical analysis, it is proved that the ERP application can partially be used to predict the readiness of organizations for Industry 4.0. Based on the findings, there are many challenges related to the integration of Industry 4.0 and current ERP systems, especially when it comes to machine-to-machine and machine-to-ERP communication, and the security of the data. Based on the proposed ERP Maturity Model (ERPMM), a prototype is developed which supports organizations in evaluating the status of their ERP system implementation and application by themselves. The prototype is a web-based application developed in PHP with a MySQL database. 
The main contributions of this study are: it identifies and presents the current status of implementation and application of ERP systems and ERP maturity models; it analyzes the role of strategic use of IT in the process of ERP selection, implementation, and application; it analyzes the impact of ERP selection on implementation and application, as well as the effect of ERP implementation on the application; it identifies the effect of the ERP application on business performance and the ability of the organization to evaluate its readiness for further digitalization based on the ERP application; a new ERP Maturity Model (ERPMM) is developed to support organizations in evaluating the implementation and application of their ERP system; and a prototype is developed that applies ERPMM to support organizations in assessing their ERP maturity level.

    Modeling a Longitudinal Relational Research Data System

    A study was conducted to propose a research-based model for a longitudinal data research system that addressed recommendations from a synthesis of literature related to: (1) needs reported by the U.S. Department of Education, (2) the twelve mandatory elements that define federally approved state longitudinal data systems (SLDS), (3) the constraints experienced by seven Midwestern states toward providing access to essential educational and employment data, and (4) constraints reported by experts in data warehousing systems. The review of literature investigated U.S. government legislation related to SLDS and protection of personally identifiable information, SLDS design and complexity, repurposing business data warehouse systems for educational outcomes research, and the use of longitudinal research systems for education and employment outcomes. The results were integrated with practitioner experience to derive design objectives and design elements for a model system optimized for longitudinal research. The resulting model incorporated a design-build engineering approach to achieve a cost effective, obsolescence-resistant, and scalable design. The software application has robust security features, is compatible with Macintosh and PC computers, and is capable of two-way live connections with industry standard database hardware and software. 
Design features included: (1) an inverted formal planning process to connect decision makers and data users to the sources of data through the development of local interactive research planning tools, (2) a data processing module that replaced personally identifiable information with a system-generated code to support the use of de-identified disaggregate raw data across tables and agencies in all phases of data storage, retrieval, analysis, visualization, and reporting, in compliance with restrictions on disclosure of personally identifiable information, (3) functionality to support complex statistical analysis across data tables using knowledge discovery in databases and data mining techniques, and (4) integrated training for users. The longitudinal research database model demonstrates the result of a top-down/bottom-up design process which starts with defining strategic and operational planning goals and the data that must be collected and analyzed to support them. The process continues with analyzing and reporting data in a mathematically programmed, fully functional system operated by multiple levels of users, which could be more effective and less costly than repurposed business data warehouse systems.

    The second international workshop on enterprise security

    Welcome to our second international workshop on Enterprise Security as part of CloudCom 2015, Vancouver, Canada, November 30-December 3, 2015. The first international workshop, held in Singapore, was a major success; since then we have achieved greater team activities, research, and international collaborations as the major and significant outcome of our first workshop on this topic. Enterprise Security involves all businesses, products, governments, organizations, and their contractors. This also includes the research areas of information security, software security, computer security, cloud security, IoT security, data and big data security. This workshop provides significant contributions from experts on some of the following key research areas:
    * Incident response Systems Security - Many organisations are outsourcing computer operations to third parties, and the next logical step is to outsource the management of computer security incidents as well.
    * Cloud Security Assurance Model - Defining proper measures for evaluating the effectiveness of an assurance model, which we have developed to ensure cloud security, is vital to ensure the successful implementation and continued running of the model. We need to understand that with security being such an essential component of business processes, responsibility must lie with the board.
    * Cloud Security - The development of cloud computing and the vast use of its services pose significant security and privacy concerns to the people and organizations relying on these services. Diversification and obfuscation approaches are among the most promising proactive techniques that protect computers from harmful malware by preventing it from taking advantage of security vulnerabilities. Mission-critical applications are limited in the cloud as it has various security issues. As data sizes increase gradually, the difficulty in storing, retrieving and managing data pushes applications to move into the cloud.
    * Cloud Forensics & Cryptanalysis and Enhancement - Password-based authentication has been used extensively as one of the most appropriate authentication techniques.
    * Validating technology and BI Techniques - This is useful for organizations to understand their status with regard to return and risk. They can evaluate their security policies and technologies regularly.
    * Risk Analysis and Big Data - This is increasingly important for organizations since they deal with growing amounts of data, dependency and complexity. Risk analysis can be applied to many areas related to or outside cloud computing.
    We are pleased to have received 24 papers from researchers in 12 different countries. After a rigorous review process and careful consideration, 11 papers have been selected: 5 full papers and 6 short papers. We have offered two prize awards: one for the best paper in the information systems category and the other for the best paper in the computational category. Each winner can be invited to submit to the International Journal of Information Management (IJIM) and Future Generation Computer Systems (FGCS). Further good news is that extended versions of conference papers, and contributions from other security/risk researchers, can be submitted to our Springer book, with a call for papers scheduled after our workshop. We are honoured to have Dr. Konstantin Beznosov as our keynote speaker. Enterprise Security has been a popular topic since it includes cyber security, risk management, information security, Cloud and Forensic security, risk analysis and Big Data. It is an area that can turn theory into practice and allow any organization that adopts our recommendations to enjoy the benefits of enforced Enterprise Security. The outputs of our workshop can provide organizations with several useful recommendations, proofs-of-concept and demonstrations to improve current security and risk practices. We hope the second international workshop will foster collaborations on projects, research publications and funding opportunities in the international setting of Vancouver, Canada. The Workshop Organizing Committee would like to thank the CloudCom organizers for their fullest support.

    An Intelligent Decision Support System for Business IT Security Strategy

    Cyber threat intelligence (CTI) is an emerging approach to improving the cyber security of business IT environments. It carries information about an affected business IT context. CTI sharing tools are available for subscribers, and CTI feeds are increasingly available. If another business IT context is similar to a CTI feed context, the threat described in the CTI feed might also take place in that business IT context. Businesses can take proactive defensive actions if relevant CTI is identified. However, a challenge is how to develop an effective connection strategy for CTI onto business IT contexts. Businesses are still insufficiently using CTI because not all of them have sufficient knowledge from domain experts. Moreover, business IT contexts vary over time. When the business IT contextual states have changed, the relevant CTI might no longer be appropriate and applicable. Another challenge is how a connection strategy can adapt to business IT contextual changes. To fill the gap, in this Ph.D. project a dynamic connection strategy for CTI onto business IT contexts is proposed, and the strategy is instantiated as a dynamic connection rule assembly system. The system can identify relevant CTI for a business IT context and can modify its internal configurations and structures to adapt to business IT contextual changes. This thesis introduces the system development phases from design to delivery, and the contributions to knowledge are explained as follows. A hybrid representation of the dynamic connection strategy is proposed to generalise and interpret the problem domain and the system development. The representation uses selected computational intelligence models and software development models. In terms of the computational intelligence models, a CTI feed context and a business IT context are generalised to the same type, i.e., a context object. The grey number model is selected to represent the attribute values of context objects. 
Fuzzy sets are used to represent the context objects, and the linguistic densities of the attribute values of context objects are reasoned about. To assemble applicable connection knowledge, the system constructs a set of connection objects based on the context objects and uses rough set operations to extract the applicable connection objects that contain the connection knowledge. Furthermore, to adapt to contextual changes, a rough-set-based incremental updating approach with multiple operations is developed to incrementally update the approximations. A set of propositions is proposed to describe how the system changes based on its previous states and internal structures, and their complexities and efficiencies are analysed. In terms of the software development models, some unified modelling language (UML) models are selected to represent the system in the design phase. An activity diagram is used to represent the business process of the system. A use case diagram is used to represent the human interactions with the system. A class diagram is used to represent the internal components and the relationships between them. Using the representation, developers can develop a prototype of the system rapidly. Using the representation, an application of the system is developed using mainstream software development techniques. A RESTful software architecture is used for the communication of the business IT contextual information and the CTI analysis results between the server and the clients. A script-based method is deployed in the clients to collect the contextual information. The observer pattern and a timer are used for the design and development of the monitor-trigger mechanism. In summary, the representation generalises real-world cases in the problem domain and interprets the system data. 
A specific business can initialise an instance of the representation as a specific system based on its IT context and CTI feeds, and the knowledge assembled by the system can be used to identify relevant CTI feeds. From the relevant CTI data, the system locates and retrieves the useful information that can inform security decisions and then sends it to the client users. When the system needs to modify itself to adapt to business IT contextual changes, it can invoke the corresponding incremental updating functions and avoid a time-consuming re-computation. With this updating strategy, the application can provide its users on the client side with timely support and useful information that can inform security decisions using CTI.

    Proposing a secure component-based-application logic and system’s integration testing approach

    Software engineering has moved from traditional methods of building enterprise applications to component-based development for distributed systems' applications. This new era has grown over the last few years with component-based methods for the design and rapid development of systems, but the fact is that the deployment of all the secure software features of the technology into practical e-commerce distributed systems makes them a highly rated target for intruders. Although most research has been conducted on web application services, which make up a large share of present software, Component Based Software in the middle tier, which rapidly develops application logic, also opens security breaching opportunities. This research paper focuses on a burning issue for researchers and scientists: the weakest link in component-based distributed systems, logical attacks, which cannot be detected by any intrusion detection system within middle-tier e-commerce distributed applications. We propose an approach to securely designing application logic for distributed systems while dealing with the logical vulnerability issue.