27 research outputs found

    European Digital Libraries: Web Security Vulnerabilities

    Purpose – The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons. Design/methodology/approach – A web vulnerability testing tool was used to analyze 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems. Findings – Analysis results from surveying the libraries show the majority have serious security flaws in their web applications. The research shows that despite country-specific laws mandating secure sites, system librarians have not implemented appropriate measures to secure their online information systems. Research limitations/implications – Further research on library vulnerability throughout the world can be taken to educate librarians in other countries of the serious nature of protecting their systems. Practical implications – The findings serve to remind librarians of the complexity in providing a secure online environment for their patrons and that a disregard or lack of awareness of securing systems could lead to serious vulnerabilities of the patrons' personal data and systems. Lack of consumer trust may result in a decreased use of online commerce and have serious repercussions for the municipal libraries. Several concrete examples of methods to improve security are provided. Originality/value – The paper serves as a current paper on data security issues at Western European municipal library web sites. It serves as a useful summary regarding technical and managerial measures librarians can take to mitigate inadequacies in their security implementation

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.

    Optimal Investment in Information Security: A Business Value Approach

    With the increasing level of security threats and constant budget limitations, it is critical for a company to know how much and where to invest in information security. To date, all of the studies—academia or practitioner—focus on risk reduction as the primary effect of security investments, assuming that they generate no direct business benefits. However, some potential business values such as brand reputation and data stability are not only real but also quite important. This study addresses related research questions and extends the existing model to take into account direct business benefits in optimizing security investments, filling a significant research gap. As such, this research makes a contribution to both theory development in information security management and management implications in practice.

    A System Dynamics Model of Information Security Investments

    The Economic Impact of Security Breaches on Publicly Traded Corporations: An Empirical Investigation

    In a 2008 survey of 522 computer security professionals, the Computer Security Institute found an average reported cost close to $500,000 for those companies that experienced a financial fraud. A survey of potential cloud computing adopters shows that security and privacy are the primary concerns for not using the cloud. The present research conducts an event study to investigate the impact of publicly announced security breaches on the market value of the breached companies. We utilize the cumulative abnormal returns, risk shifts, and volume changes to measure this impact. Our results show that the cumulative abnormal return due to a security breach is -.19%. We also found the mean risk factor increases by about 22 percent. Our results also show an abnormal trading volume of about 6%. None of the previous research studies in the information systems area has investigated the impact of security breaches on cumulative abnormal returns, volume changes, and risk shifts.

    An Extreme Value Approach to Information Technology Security Investment

    Information technology security investment is receiving increasing attention in recent years. Various methods have been proposed to determine the effective level of security investment. In this paper, we introduce an extreme value approach to address the issues of effective budgeting and investing in IT security. In our model, the security status of a system depends on two factors: system security level, which is measured by the level of security investment, and system attack level, which reflects the security risk with which the system is confronted. Security investment level is endogenous to the system, while attack level is exogenous. Extreme value analysis is used to characterize the stochastic behavior of high-level attacks based on the historical data and to make inferences on future attacks. Based on these inferences, we determine the effective security solutions and the level of security investment to modulate the likelihood of system failure. For illustration purposes, we use an extreme value approach to analyze a set of traffic data collected from a regional bank

    Adapted Loss Database – A New Approach to Assess IT Risk in Automated Business Processes

    Service-oriented architectures (SOA) provide companies with dynamic IT infrastructures to adapt business processes flexibly to new requirements. However, the success of SOA will also depend on the ability to manage risk resulting from frequent and context-specific changes of IT support for automated business processes. Assessing this IT risk is challenging, since frequently changing relations between the causes of risk and their effects on business processes turn established methods for assessing risk into a game of hazard. Following a design science approach, this contribution proposes a novel approach for taking changes of cause-effect relations into consideration. Based on a backward-directed recalculation of historical loss data, a risk-adjusted loss database is generated that can provide a more realistic basis for assessing IT risk.