5 research outputs found

    Patterns of information security postures for socio-technical systems and systems-of-systems

    This paper describes a proposal to develop patterns of security postures for computer-based socio-technical systems and systems-of-systems. Such systems typically span many organisational boundaries, integrating multiple computer systems, infrastructures and organisational processes. The paper describes the motivation for the proposed work, and our approach to the development, specification, integration and validation of security patterns for socio-technical and system-of-system scale systems.

    Towards a development of a users’ ratified acceptance of multi-biometrics intentions model (RAMIM): Initial empirical results

    User authentication is a continuous balance between the level of invasiveness and system security. Password protection has been the most widely used user authentication approach; however, it is easily compromised. Biometric authentication devices have been implemented as a less compromised approach. This paper reports on initial results of user perceptions about their acceptance of a multi-biometrics authentication approach in the context of e-learning systems. Specifically, this paper reports on the initial empirical results on the development of a learners’ Ratified Acceptance of Multi-biometrics Intentions Model (RAMIM). The proposed model looks at the contributions of learners’ code of conduct awareness, perceived ease-of-use, perceived usefulness, and ethical decision making to their intention to use multi-biometrics for authentication during e-learning exams. The study participants included 97 managers from service-oriented organizations and government agencies who attended e-learning courses. Results demonstrated high reliability for all constructs measured and indicated that perceived ease-of-use and perceived usefulness are significant contributors to learners’ intention to use multi-biometrics. Conversely, code of conduct awareness appears to have little or no contribution to learners’ intention to use multi-biometrics, while learners’ ethical decision making appears to have a marginal contribution.

    Supporting Compliance through Enhancing Internal Control Systems by Conceptual Business Process Security Modeling

    The importance of Business Process Modeling (BPM) particularly in sensitive areas combined with the rising impact of legislative requirements on IT operations results in a need to conceptually represent security semantics in BPM. We define critical security semantics that need to be incorporated in BPM to aid documentation of security needs and support compliant behavior of security systems. We analyze ways to express such semantics in BPM and their possible role in designing and operating internal control systems, which ensure and document the execution of compliance-related activities. The analysis shows that there are informal, semi-formal and formal approaches to represent security semantics in BPM. We consider the informal approaches as best suited to express security objectives and their formal counterparts as best to specify security mechanisms to enforce the objectives. All three groups of approaches have the potential to enhance the expressiveness and informative value of an internal control system.

    Web Engineering Security (WES) Methodology

    The impact of the World Wide Web on basic operational economical components in global information-rich civilizations is significant. The repercussions force organizations to provide justification for security from a business-case perspective and to focus on security from a Web application development environment standpoint. The need for clarity promoted an investigation through the acquisition of empirical evidence from a high-level Web survey and a more detailed industry survey to analyze security in the Web application development environment, ultimately contributing to the proposal of the Essential Elements (EE) and the Security Criteria for Web Application Development (SCWAD). The synthesis of information provided was used to develop the Web Engineering Security (WES) methodology. WES is a proactive, flexible, process-neutral security methodology with customizable components that is based on empirical evidence and used to explicitly integrate security throughout an organization’s chosen application development process.