324,497 research outputs found
Recommended from our members
Analysis of Some Abstract Measures of Protection in Computer Systems ; CU-CS-043-74
The area of computer systems protection has been acclaimed as a very important one, and there is a vast amount of literature on the subject (including several books). However, implementations of protection mechanisms tend to be ad-hoc and there is a lack of quantitative theoretical results upon which one can base decisions and abstract the essence of protection. This paper is the first to present a mathematically rigorous definition (with proofs) of the degree of protection of a system. It is hoped that this alternatives to and generalizations of current implementations and to some of the trade-offs involved in these alternatives. Ultimately, it is hoped that this presentation will contribute to a general Theory of Protection. This investigation is directed toward an analysis and comparison of access mechanisms defined by a family of Boolean functions. Some definitions are stated, and some theorems are proved which are valid for all access mechanisms within the family considered. Algorithms are presented for the optimal and for several types of structured systems. It is proven that for a very general class of systems, the optimal assignment will still allow n/2(γ-1) unauthorized accesses to objects where n is the number of subjects and γ is the largest integer not greater than the quantity n divided by the number of access classes.
Applying the Full Protection and Security Standard of International Investment Law to Digital Assets
This article considers the possibility that digital assets of foreign investors such as websites and computer systems could be protected by the full protection and security (‘FPS’) standard common to many bilateral investment treaties. Such assets can properly be described as investments and the flexible nature of the FPS standard observed in recent arbitration practice could be extended to cover civil disturbances such as 'cyber attacks' against companies. The article considers host state liability with respect to the prevention of harm to digital assets as well as failure to enforce laws that prohibit it. The lack of governmental control over websites suggests that it would be difficult to ascribe state liability under an FPS clause, except possibly in situations of large scale internet infrastructure collapse. A duty to prosecute attacks against digital assets, while common to many jurisdictions and seen in international instruments, is inappropriate as an investment treaty claim because of difficulties in compensation. The FPS standard further appears to incorporate a degree of contextual proportionality linked to the host state’s resources and this may prevent successful claims against Developing States where many cyber attacks occur
How explicit are the barriers to failure in safety arguments?
Safety cases embody arguments that demonstrate how safety properties of a system are upheld. Such cases implicitly document the barriers that must exist between hazards and vulnerable components of a system. For safety certification, it is the analysis of these barriers that provides confidence in the safety of the system. The explicit representation of hazard barriers can provide additional insight for the design and evaluation of system safety. They can be identified in a hazard analysis to allow analysts to reflect on particular design choices. Barrier existence in a live system can be mapped to abstract barrier representations to provide both verification of barrier existence and a basis for quantitative measures between the predicted barrier behaviour and performance of the actual barrier. This paper explores the first stage of this process, the binding between explicit mitigation arguments in hazard analysis and the barrier concept. Examples from the domains of computer-assisted detection in mammography and free route airspace feasibility are examined and the implications for system certification are considered.
UK’s Implementation of the Anti-Circumvention Provisions of the EU Copyright Directive: An Analysis
The debate surrounding utilization of technological protection measures to secure copyrighted works in the digital arena has raised many an eyebrow in the past few years. Technological protection measures are broadly bifurcated into two categories: access control measures such as cryptography, passwords and digital signatures that secure the access to information and protected content, and copy control measures such as the serial copy management system for audio digital taping devices and content scrambling systems for DVDs that prevent third parties from exploiting the exclusive rights of the copyright owners. Copyright owners have been wary of the digital environment to exploit and distribute their works and therefore employ technological protection measures, whereas consumers and proponents of free speech favor the free and unrestricted access, use and dissemination of copyrighted works digitally
A descriptive review and classification of organizational information security awareness research
Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding