
    Vulnerable Path Determination in mobile ad-hoc networks using Markov Model

    Security threats are a major concern in information-sensitive ad-hoc networks such as emergency military communication networks. We propose a Proactive Information Security Management System (PISMS) framework with a vulnerable path determination module (VPDM) for such mobile ad-hoc networks. The chief security officer can use it to identify the most vulnerable paths, so that they can be patched with suitable security technologies before attackers actually compromise them. Our PISMS computes (i) the probability of transitioning from each node to each of its adjacent neighbors, using two key indicators (angle and distance), and (ii) the number of steps required to reach a pre-determined destination from different sources, using a Markov model. The path that requires the minimum number of steps to reach the destination is the most vulnerable path. This mechanism for identifying vulnerable paths is incorporated as an integral part of the Information systems acquisition, development and maintenance (ISADM) module of the ISO 27001 ISMS framework.
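The abstract gives only a sketch of the computation: per-hop transition probabilities derived from angle and distance, then expected steps to the destination under a Markov model, with the source that needs the fewest steps ranked as the most vulnerable path. The following is an added illustration, not the paper's code. The topology, positions and link set are constructed, and the weighting w(i->j) = (1 + cos theta) / d(i, j) (favouring short hops that point towards the destination) is my assumption; the paper does not state its formula. Expected steps are the hitting times of an absorbing Markov chain, obtained by solving (I - Q) t = 1 over the transient nodes, and a source that can wander into a region with no route to the destination gets an infinite expectation rather than a bogus finite one.

```python
"""Vulnerable-path ranking with an absorbing Markov chain.

Added illustration, not the paper's code.  The weighting in
transition_matrix() is an assumption; the paper only says that angle and
distance are the two indicators used.
"""
import math
from collections import deque

# Constructed sample topology (not from the paper): node -> (x, y) position
NODES = {"A": (0.0, 0.0), "B": (1.0, 1.0), "C": (2.0, 0.0),
         "D": (1.0, -1.0), "E": (3.0, 0.0)}
# Constructed radio links; E is the destination we rank paths towards
LINKS = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "D", "E"],
         "D": ["A", "C"], "E": ["C"]}
DEST = "E"


def transition_matrix(nodes, links, dest):
    """Assumed weighting: a hop to neighbour j is more likely the shorter it
    is and the better it is aligned with the bearing from i to dest:
    w(i->j) = (1 + cos(theta)) / d(i, j).  Rows are normalised to sum to 1
    and the destination is made absorbing."""
    P = {}
    for i, (xi, yi) in nodes.items():
        if i == dest:
            P[i] = {dest: 1.0}
            continue
        dx, dy = nodes[dest][0] - xi, nodes[dest][1] - yi
        to_dest = math.hypot(dx, dy)
        weights = {}
        for j in links[i]:
            vx, vy = nodes[j][0] - xi, nodes[j][1] - yi
            hop = math.hypot(vx, vy)
            cos_theta = (vx * dx + vy * dy) / (hop * to_dest)
            weights[j] = (1.0 + cos_theta) / hop
        total = sum(weights.values())
        if total == 0.0:  # every link points straight away from dest
            weights = {j: 1.0 for j in links[i]}
            total = float(len(weights))
        P[i] = {j: w / total for j, w in weights.items()}
    return P


def expected_steps(P, dest):
    """Expected hops to reach dest from every node: solve
    t_i = 1 + sum_j P[i][j] * t_j for transient i, with t_dest = 0.
    A node that can get trapped away from dest has infinite expectation."""
    succ = {i: [j for j, p in row.items() if p > 0.0] for i, row in P.items()}
    can_reach, changed = {dest}, True          # reverse reachability to dest
    while changed:
        changed = False
        for i in P:
            if i not in can_reach and any(j in can_reach for j in succ[i]):
                can_reach.add(i)
                changed = True

    def absorbs_surely(start):
        """True iff every node reachable from start can still reach dest."""
        seen, todo = {start}, deque([start])
        while todo:
            u = todo.popleft()
            if u not in can_reach:
                return False
            for v in succ[u]:
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
        return True

    steps = {dest: 0.0}
    transient = [i for i in P if i != dest and absorbs_surely(i)]
    for i in P:
        if i != dest and i not in transient:
            steps[i] = math.inf
    # (I - Q) t = 1 over the transient nodes, solved by Gauss-Jordan
    idx = {n: k for k, n in enumerate(transient)}
    n = len(transient)
    A = [[0.0] * n + [1.0] for _ in range(n)]
    for i in transient:
        r = idx[i]
        A[r][r] += 1.0
        for j, p in P[i].items():
            if j in idx:
                A[r][idx[j]] -= p
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c and A[r][c] != 0.0:
                f = A[r][c] / A[c][c]
                for k in range(c, n + 1):
                    A[r][k] -= f * A[c][k]
    for i in transient:
        steps[i] = A[idx[i]][n] / A[idx[i]][idx[i]]
    return steps


def rank_vulnerable_paths(steps, dest):
    """Sources ordered by expected hops to dest; the fewest hops ranks first
    and is, in the paper's terms, the most vulnerable path."""
    finite = [(t, n) for n, t in steps.items() if n != dest and t < math.inf]
    return [(n, t) for t, n in sorted(finite)]


if __name__ == "__main__":
    P = transition_matrix(NODES, LINKS, DEST)
    for node, hops in rank_vulnerable_paths(expected_steps(P, DEST), DEST):
        print(f"{node}: {hops:.2f} expected hops to {DEST}")
```

On the constructed topology C ranks first, since most of its probability mass goes straight to E; B and D tie by symmetry, and A sits one hop behind them. The infinite-expectation case matters in practice: mobile topologies partition, and a hitting-time solver that silently returns a finite number for an unreachable source would rank a path that does not exist.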

    A generic framework for process execution and secure multi-party transaction authorization

    Process execution engines are not only an integral part of workflow and business process management systems but are increasingly used to build process-driven applications. In other words, they are potentially used in all kinds of software across all application domains. However, contemporary process engines and workflow systems are unsuitable for use in such diverse application scenarios for several reasons. The main shortcomings can be observed in the areas of interoperability, versatility, and programmability. Therefore, this thesis makes a step away from domain-specific, monolithic workflow engines towards generic and versatile process runtime frameworks, which enable the integration of process technology into all kinds of software. To achieve this, the idea and corresponding architecture of a generic and embeddable process virtual machine (ePVM), which supports defining process flows on the theoretical foundation of communicating extended finite state machines, are presented. The architecture focuses on the core process functionality, such as control flow and state management, monitoring, persistence, and communication, while using JavaScript as the process definition language. This approach leads to a very generic yet easily programmable process framework. A fully functional prototype implementation of the proposed framework is provided along with multiple example applications. Despite the fact that business processes are increasingly automated and controlled by information systems, humans are still involved, directly or indirectly, in many of them. Thus, for process flows involving sensitive transactions, a highly secure authorization scheme supporting asynchronous multi-party transaction authorization must be available within process management systems. Therefore, along with the ePVM framework, this thesis presents a novel approach for secure remote multi-party transaction authentication - the zone trusted information channel (ZTIC). The ZTIC approach uniquely combines multiple desirable properties, such as the highest level of security, ease of use, mobility, remote administration, and smooth integration with existing infrastructures, into one device and method. Through extensive evaluation of both the ePVM framework and the ZTIC, this thesis shows that ePVM in combination with the ZTIC approach represents a unique and very powerful framework for building workflow systems and process-driven applications, including support for secure multi-party transaction authorization.
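The abstract names two ideas without showing either: a process defined as an extended finite state machine (a control state plus variables, driven by asynchronous events) and an authorization step that must collect approvals from several parties before a sensitive transaction proceeds. The following is an added illustration, not the thesis's ePVM or ZTIC code, and it uses Python rather than the thesis's JavaScript process language. What it assumes: each authorising party approves by returning an HMAC-SHA256 tag over the canonical transaction bytes, keyed with a secret shared with that party's trusted channel device (the tag format and the shared-key model are mine, not the ZTIC's); approvals arrive asynchronously in any order; and an approval counts only if it comes from a required party, covers exactly the bytes the process holds, and verifies, so a party that approved different content than the process is about to execute never advances the machine.

```python
"""Multi-party transaction authorisation as an extended finite state machine.

Added illustration, not the thesis's ePVM or ZTIC code.  Assumed: parties
approve with HMAC-SHA256 over the canonical transaction bytes, using a key
shared between the process owner and the party's trusted channel device.
"""
import hashlib
import hmac
import json


def canonical(tx):
    """Canonical bytes of the transaction every party is shown and approves."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(party_key, tx_bytes):
    """Assumed approval format: HMAC-SHA256(shared key, canonical tx bytes)."""
    return hmac.new(party_key, tx_bytes, hashlib.sha256).hexdigest()


class AuthorisationProcess:
    """EFSM with control states PENDING -> AUTHORISED | REJECTED and the
    variables: transaction bytes, required parties, approvals collected."""

    def __init__(self, tx, party_keys, required=None):
        self.tx_bytes = canonical(tx)
        self.keys = dict(party_keys)        # party -> shared key (assumed)
        self.required = len(self.keys) if required is None else required
        self.approvals = set()
        self.state = "PENDING"
        self.events = []                    # audit trail of every event seen

    def _note(self, event, outcome):
        self.events.append((self.state, event, outcome))

    def on_approve(self, party, tx_bytes, tag):
        """Asynchronous approve event from one party.  An approval counts only
        if it is from a required party, covers exactly this transaction's
        bytes and carries a valid tag; anything else is logged and ignored."""
        if self.state != "PENDING":
            self._note(("approve", party), "ignored: process already closed")
            return self.state
        if party not in self.keys:
            self._note(("approve", party), "ignored: not an authoriser")
            return self.state
        if tx_bytes != self.tx_bytes:
            # the party approved different content than this process holds
            self._note(("approve", party), "ignored: transaction mismatch")
            return self.state
        expected = approval_tag(self.keys[party], self.tx_bytes)
        if not hmac.compare_digest(expected, tag):
            self._note(("approve", party), "ignored: bad tag")
            return self.state
        self.approvals.add(party)           # a repeated approval counts once
        self._note(("approve", party), "counted")
        if len(self.approvals) >= self.required:
            self.state = "AUTHORISED"
        return self.state

    def on_reject(self, party):
        """Any required party can veto while the process is still pending."""
        if self.state == "PENDING" and party in self.keys:
            self._note(("reject", party), "process rejected")
            self.state = "REJECTED"
        else:
            self._note(("reject", party), "ignored")
        return self.state


if __name__ == "__main__":
    # constructed sample: a payment needing both alice and bob
    keys = {"alice": b"alice-device-key", "bob": b"bob-device-key"}
    tx = {"to": "ACME Ltd", "amount": 1000, "currency": "EUR"}
    proc = AuthorisationProcess(tx, keys)
    proc.on_approve("alice", canonical(tx), approval_tag(keys["alice"], canonical(tx)))
    proc.on_approve("bob", canonical(tx), approval_tag(keys["bob"], canonical(tx)))
    print(proc.state, proc.events)
```

The mismatch check is the point of routing approvals through a trusted channel: if the party's device signs what the party actually saw, a manipulated transaction reaching the process engine cannot be matched by an approval over the unmanipulated one, and the process stays pending instead of executing. Terminal states absorb late events so that a stale approval cannot reopen a rejected transaction.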

    Digitalization of Economic Security Management in Investment Security of Ukraine

    Introduction. The study of economic security is relevant because of strengthening competition in the world market and military conflicts, which are becoming critical tasks for the state. Studying economic security makes it possible to identify the problematic aspects of a country's economy, find solutions, and develop strategies to ensure a sustainable investment policy. The changes in organizational models associated with digitalization also transform investment management systems. The most significant digital changes affect economic security, as the high openness of companies contributes to the emergence of various threats and risks to their activities. Therefore, it is essential to study the problems related to the risks of digital transformation within the framework of economic security management in the investment provision of Ukraine. Aim and tasks. The purpose of the study is to analyse these problems and develop a recommendation for assessing the level of economic security when developing investment projects, taking into account the risks of digital transformation, for better preparation for future post-war reconstruction projects in Ukraine. Results. This study developed a conceptual model for assessing the level of economic security, which includes the systematization of critical indicators of economic security and the organization of end-to-end transparency of information during the implementation of investment projects for the post-war reconstruction of Ukraine, based on intelligent technologies. Software for assessing economic security using machine learning methods is proposed, which allows the state of an enterprise's economic security to be forecast for the entire implementation period of an investment project. Conclusions. This research demonstrated that an enterprise's economic security is a complex and integral economic concept that requires studying the influence of several external and internal factors. Therefore, the established approach to assessing the state of economic security should cover all current investment processes and the risks that arise in the context of the digitalization of enterprises, which influence the choice of critical indicators. Post-war reconstruction should be based on the modernization of the economy by improving the security of the business environment (reducing corruption, ensuring private property rights and strengthening the security of business activities) and the transition to a digital society.

    The prevention of internal identity theft-related crimes: a case study research of the UK online retail companies.

    Ranked by Forbes as the third biggest cyber security threat of 2013, Internal Identity Theft-Related Crimes (IIDTRC) leave countless victims in their wake, including online retail companies and consumers. With the rapid growth in the use of credit and debit cards in e-commerce, online retail has been a key target for IIDTRC perpetrators. IIDTRC involve the misuse of information systems (IS) by dishonest employees to steal victims’ personally identifiable data. The crimes pose significant socio-economic impact and data security risks. In the context of online retail, relatively little research has been done to prevent IIDTRC. A few studies focus on a situational IIDTRC prevention approach built on the independent use of software security. Others develop IIDTRC prevention frameworks in the context of generic e-businesses. The majority of these frameworks have little or no grounding in empirical research. This research, entitled ‘The Prevention of Internal Identity Theft-Related Crimes: A Case Study Research of the UK Online Retail Companies’, attempts to bridge this research gap. It answers two questions: what is the nature of IIDTRC in online retail companies, and what framework can be used for IIDTRC prevention? This research set out three aims to answer the two questions. First, it provides an understanding of the causes, methods and prevention of IIDTRC. Second, it extends a role-based framework (RBF) for the prevention of IIDTRC. Third, it evaluates the extent to which the RBF can be applied to the prevention of IIDTRC in online retail companies. A qualitative case study was used to achieve these aims. The empirical data were collected in the north-west of the UK from 2011 to 2013. The field study was carried out through archival analysis, semi-structured interviews and participant observation. Organisational role theory (ORT) was used to guide the concept of the role-based framework (RBF), a collaborative approach in which the key components of management are required to work in unison to prevent IIDTRC. The attributes of the RBF were synthesised from recommended IIDTRC prevention practices. The empirical evidence suggests that IIDTRC perpetrators in online retail companies are likely to be top management and call centre employees. The findings suggest that online retail consumers’ credit/debit card details are as vulnerable to IIDTRC as the companies’ own identities, such as trade secrets and trademarks. Furthermore, the common methods used by IIDTRC perpetrators include collaboration, collusion, infiltration and social engineering. Some IIDTRC prevention practices, the majority of which are software security controls, are implemented without considering the contribution of human-centred security based on management roles. In examining the contribution of management roles to implementing information systems security practices, major challenges faced by online retail companies were identified. They include lack of resources, lack of management support and lack of IIDTRC prevention awareness training. This research concludes that applying the RBF can reduce the impact of the identified challenges. This was suggested by applying the RBF in conducting IS security audits in three online retail companies. The findings from the selected companies suggest that the RBF approach can maximise management performance in providing effective IIDTRC prevention practices. It provides better returns on cost, quality and time in IS security auditing. It affects management attitudes to preventing IIDTRC by clarifying and aligning their roles in implementing effective IS security auditing. There is heterogeneity of this effect across the companies, suggesting that some are utilising the RBF approach while others are not. The findings confirm the plausibility of the RBF attributes. They suggest that human-centred security plays an integral role in effective internal data security for preventing IIDTRC, and that it pays to use the collaborative management roles approach for implementing IIDTRC prevention practices. Furthermore, the use of the RBF approach can improve the effectiveness of online retail companies in preventing IIDTRC. The findings suggest that benefits may accrue from the RBF approach when it is supplemented with collaborative IS auditing. The benefits depend on the level of management IT skills, their perception of their roles, top management support and the organisation's operations. This research contributes to the literature on identity theft prevention in online retail. To IS security practitioners, it identifies the data security challenges and IIDTRC prevention practices. To theory, it extends a role-based framework for IIDTRC prevention. To the emerging research in the digital economy, it puts forward a robust starting point for further related work in cyber security, cybercrime prevention and criminology.

    Identity principles in the digital age: a closer view

    Identity and its management are now an integral part of web-based services and applications. Identity is also a live political issue that has captured the interest of organisations, businesses and society generally. As identity management systems assume functionally equivalent roles, their significance for privacy should not be underestimated. The Centre for Democracy and Technology (CDT) has recently released a draft version of what it regards as the key privacy principles for identity management in the digital age. This paper provides an overview of the key benchmarks identified by the CDT. Its focus is to explore how far data protection legislation can be said to provide a framework that best maintains a proper balance between 'identity'-conscious technology and an individual's expectation of privacy for personal and sensitive data. The central argument is that increased compliance with the key principles is not only appropriate for a distributed privacy environment but will go some way towards creating a space in which the various stakeholders can reach a consensus applicable to existing and new information and communication technologies. The conclusion is that securing compliance with the legislation will prove to be the biggest governance challenge; standard setting and norms will go some way towards easing the need for centralised regulatory oversight.

    International Guidelines for Securing Sustainable Small-scale Fisheries

    The 'Zero Draft' of the International Guidelines for Securing Sustainable Small-scale Fisheries (SSF Guidelines) has been prepared on the basis of the outcomes of the extensive consultation process that has taken place over the last few years. This preliminary draft text draws in particular on the Discussion Document 'Towards Voluntary Guidelines on Securing Sustainable Small-scale Fisheries', prepared as a stock-taking exercise by the FAO SSF Guidelines Secretariat in July 2011, and on the contributions to and outcomes of the FAO Workshop on International Guidelines for Securing Sustainable Small-scale Fisheries held on 7-10 February 2012 at FAO, Rome. It has been prepared to stimulate further consultations among all concerned parties. The outcomes of these additional consultations will guide the FAO Secretariat in preparing the text of the SSF Guidelines that will be submitted as a draft to the formal inter-governmental negotiation process, tentatively scheduled for May 2013.

    Towards a Layered Architectural View for Security Analysis in SCADA Systems

    Supervisory Control and Data Acquisition (SCADA) systems support and control the operation of many critical infrastructures that our society depends on, such as power grids. Since SCADA systems have become a target for cyber attacks, and a successful attack could have disastrous consequences in the physical world, ensuring the security of these systems is of vital importance. A fundamental prerequisite for securing a SCADA system is a clear understanding and a consistent view of its architecture. However, because of the complexity and scale of SCADA systems, this is challenging to acquire. In this paper, we propose a layered architectural view for SCADA systems, which aims to build common ground among stakeholders and to support security analysis. To manage the complexity and scale, we define four interrelated architectural layers and use the concept of viewpoints to focus on a subset of the system. We indicate the applicability of our approach in the context of SCADA system security analysis.
    Comment: 7 pages, 4 figures