Integrating security and usability into the requirements and design process
According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human–computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system's assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these
Information security, data breaches, and protecting cardholder information: facing up to the challenges
On September 13 and 14, 2006, the Payment Cards Center of the Federal Reserve Bank of Philadelphia and the Electronic Funds Transfer Association (EFTA) hosted a conference entitled “Information Security, Data Breaches, and Protecting Cardholder Information: Facing Up to the Challenges.” The two-day event was designed to bring together a diverse set of stakeholders from the U.S. payments industry to discuss a framework to guide industry practices and inform public policy. This paper summarizes key highlights from this event. Conference participants emphasized that the industry must address two fundamental issues: (1) increasingly dangerous threats to sensitive consumer information and (2) public perception and understanding of the risks from data breaches. These challenges are related but need different solutions. A consensus emerged that while the situation is not yet dire, it is serious, and warrants attention from all payments stakeholders.
Keywords: Data protection; Payment systems; Computer security
Interdependent Security: The Case of Identical Agents
Do firms have adequate incentives to invest in anti-terrorism mechanisms? This paper develops a framework for addressing this issue when the security choices by one agent affect the risks faced by others. We utilize the airline security problem to illustrate how the incentive by one airline to invest in baggage checking is affected by the decisions made by others. Specifically, if an airline believes that others will not invest in security systems, it has much less economic incentive to do so on its own. Private sector mechanisms such as insurance and liability will not necessarily lead to an efficient outcome. To induce adoption of security measures, one must turn to regulation, taxation or institutional coordinating mechanisms such as industry associations. We compare the airline security example with problems having a similar structure (i.e., computer security and fire protection) as well as those with different structures (i.e., theft protection and vaccinations). The paper concludes with suggestions for future research.
Gender Inequality in Cybersecurity: Exploring the Gender Gap in Opportunities and Progression
This paper considers the impact of gender in the cybersecurity industry. There is currently significant underrepresentation of females in the industry caused by low numbers of women entering the field and compounded by a high rate of women choosing to leave a highly male dominated work environment.
The findings are based upon a quantitative study conducted by means of an online survey. The research considers the motivations, experiences and progression of those working within cybersecurity roles with a focus predominantly on the UK. The findings from the research indicate that computer security offers an interesting, exciting and challenging work environment, job security, and excellent opportunities for progression and development. Barriers remain for women though; despite the perception that anyone with the ‘right skills, knowledge and experience can work in cybersecurity’, it is clear that the respondents to this study feel that computer security is viewed as a ‘man’s job’ by wider society and by customers and clients and that there is perceived gender inequality in recruitment, opportunities and progression
Developing a Metrics Framework for the Federal Government in Computer Security Incident Response
As technology advances and society becomes more dependent on information technology (IT), the exposure to vulnerabilities and threats increases. These threats pertain to industry as well as government information systems. There is, however, a lack in how we measure the performance and create accountability for computer security incident response (CSIR) capabilities. Many government organizations still struggle to determine what security metrics to use and how to find value within these metrics. To fill this apparent gap, a metrics framework has been developed for incident response to serve as an internal analysis, supporting continuous improvement in incident reporting and strengthening the security posture for an organization’s mission. The goal of this metrics framework for CSIR aims to provide a holistic approach towards security metrics, which is specific to incident reporting and promotes efforts of more practical and clear guidelines on measuring the computer security incident response team (CSIRT). An additional benefit to this project is that it provides middle management with a framework for measuring the results of incident reporting in a CSIR program