
    The Impact of Computer Security Regulation on American Companies

    Since the mid-1990s, e-business and electronic communication have spread rapidly and widely throughout the United States. According to one study, the majority of the U.S. population, fifty-four percent, used the Internet in September 2001, up twenty-six percent from the year before. Companies are targeting their e-business efforts to reach this expanding customer base. By entering the world of e-business, companies can benefit from lower transaction costs, shorter time to market, cost savings from inventory and supply chain reduction, improved communications, and the ability to outsource organizational tasks such as payroll and customer-relations management. Cost savings and easy access for both online businesses and consumers depend on the ability of such online businesses to collect, store, transfer, and analyze vast amounts of data. As more and more business is conducted online, electronic security has become more of a concern. In 2001 alone, $380 million was lost due to breaches in electronic security.
While terrorist attacks and financial fraud should motivate companies to carefully consider their information security, recent developments in the law require some companies to safeguard certain types of consumer information. Additionally, Internet users appear concerned about disclosing personal identifying information. According to a recent study, eighty-nine percent of Internet users are worried that companies may sell their private information, and eighty-one percent of Internet users who seek health information want the right to sue an online company for violations of its privacy policy. Companies that wish to collect and use such data need to consider what steps they can take to reassure customers and to overcome their fears. The implementation of adequate security measures may improve consumer confidence. According to one survey conducted by Cyber Dialogue, retailers lost $6.2 billion in sales in 2001 from consumers concerned about the privacy of their information. The focus of this Article is on legal requirements for the implementation of security safeguards to protect the privacy of information.

    Extracting Role-Based Access Control Models from Business Process Event Logs

    Today, as business processes are getting more complex and the volumes of stored data about business process executions are increasing in size, collecting information for the analysis and improvement of business process security is becoming a complex task. Information systems that support the execution of a business process model (an abstract representation of the process) record business process executions into event logs, which capture the behaviour of system usage in terms of events. Business process event logs can be used for analysing and improving the business process, but also for analysing information security. One of the main goals of security analysis is to check whether the security-related information in these logs complies with the existing security requirements. Event logs can also be the basis for business process mining (a research field that combines data mining and business process modelling), or shortly process mining. Applying bottom-up process mining to event logs, we can extract business process-related information for security analysis. Process mining is not only for discovering business process models, but also other models, such as security models, which can later be used to enforce security measures in an information system. For this purpose, we present a possible approach to extract role-based access control (RBAC) models (semi-)automatically from event logs in XES format recorded by the information system that supports the business process. The focus is also on determining the protected business assets, such as documents, document fields or other artifact data that are exchanged and accessed during business process activities. In addition, we evaluate the applicability of this approach on a real-life event log with conformance checking, where we check the compliance of the log's data and relations with respect to the access rights of an existing RBAC model, expressed as LTL constraints translated from that model.
Eventually, the purpose of the extracted RBAC models is that they provide a basis for security analysis and can be adopted by other applications in order to implement an access control mechanism.
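The mining and conformance-checking steps described above, as an added example that is not code from the thesis: it parses a constructed XES log with Python's standard library, derives the user-to-role and role-to-permission relations from what was observed, and then flags events in a second constructed log that the mined model does not authorise. The standard XES keys used are concept:name, org:resource and org:role; the "asset" event attribute naming the document a task touches is an assumption of this example (XES permits arbitrary attributes), and the direct per-event check stands in for the thesis's translation of the model into LTL constraints.

```python
"""Mine an RBAC model from an XES event log and check another log against it.

Added example; not code from the thesis. Standard XES keys: concept:name
(activity), org:resource (user), org:role (role). The "asset" key naming the
document a task touches is an assumption made for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed training log: two order-handling cases that behave correctly.
XES_LOG = """<log xes.version="1.0" xmlns="http://www.xes-standard.org/">
  <trace><string key="concept:name" value="case-1"/>
    <event><string key="concept:name" value="Create Order"/><string key="org:resource" value="alice"/><string key="org:role" value="Clerk"/><string key="asset" value="order.form"/></event>
    <event><string key="concept:name" value="Approve Order"/><string key="org:resource" value="bob"/><string key="org:role" value="Manager"/><string key="asset" value="order.form"/></event>
  </trace>
  <trace><string key="concept:name" value="case-2"/>
    <event><string key="concept:name" value="Create Order"/><string key="org:resource" value="carol"/><string key="org:role" value="Clerk"/><string key="asset" value="order.form"/></event>
    <event><string key="concept:name" value="Approve Order"/><string key="org:resource" value="bob"/><string key="org:role" value="Manager"/><string key="asset" value="order.form"/></event>
  </trace>
</log>"""

# Constructed audit log: a clerk approves an order, and an unknown user acts as Manager.
AUDIT_LOG = """<log xes.version="1.0" xmlns="http://www.xes-standard.org/">
  <trace><string key="concept:name" value="case-3"/>
    <event><string key="concept:name" value="Create Order"/><string key="org:resource" value="alice"/><string key="org:role" value="Clerk"/><string key="asset" value="order.form"/></event>
    <event><string key="concept:name" value="Approve Order"/><string key="org:resource" value="carol"/><string key="org:role" value="Clerk"/><string key="asset" value="order.form"/></event>
    <event><string key="concept:name" value="Approve Order"/><string key="org:resource" value="dave"/><string key="org:role" value="Manager"/><string key="asset" value="order.form"/></event>
  </trace>
</log>"""


def _local(tag):
    """Strip an XML namespace prefix: '{http://...}event' -> 'event'."""
    return tag.rsplit("}", 1)[-1]


def _attrs(elem):
    """Collect the key/value attribute children of an XES element."""
    return {
        child.get("key"): child.get("value")
        for child in elem
        if _local(child.tag) in ("string", "date", "int", "float", "boolean")
        and child.get("key") is not None
    }


def parse_xes(xes_text):
    """Flatten an XES log into dicts with case, activity, user, role and asset."""
    root = ET.fromstring(xes_text)
    events = []
    for trace in root:
        if _local(trace.tag) != "trace":
            continue
        case_id = _attrs(trace).get("concept:name", "?")
        for ev in trace:
            if _local(ev.tag) != "event":
                continue
            a = _attrs(ev)
            events.append({"case": case_id, "activity": a.get("concept:name"),
                           "user": a.get("org:resource"), "role": a.get("org:role"),
                           "asset": a.get("asset")})
    return events


def mine_rbac(events):
    """Derive user->roles and role->permissions from observed behaviour.

    A permission is the pair (activity, asset): the role was seen performing
    that activity on that protected asset.
    """
    user_roles = defaultdict(set)
    permissions = defaultdict(set)
    for e in events:
        user_roles[e["user"]].add(e["role"])
        permissions[e["role"]].add((e["activity"], e["asset"]))
    return {"user_roles": dict(user_roles), "permissions": dict(permissions)}


def check_conformance(events, model):
    """Report every event the RBAC model would not authorise.

    Per-event form of the invariant "at all times the acting user holds the
    recorded role, and that role may perform the activity on the asset".
    """
    violations = []
    for e in events:
        if e["role"] not in model["user_roles"].get(e["user"], set()):
            violations.append(f'{e["case"]}: user {e["user"]} acted as {e["role"]} without that role')
        elif (e["activity"], e["asset"]) not in model["permissions"].get(e["role"], set()):
            violations.append(f'{e["case"]}: role {e["role"]} performed {e["activity"]} on {e["asset"]}')
    return violations


if __name__ == "__main__":
    model = mine_rbac(parse_xes(XES_LOG))
    for role, perms in sorted(model["permissions"].items()):
        print(role, sorted(perms))
    for v in check_conformance(parse_xes(AUDIT_LOG), model):
        print("VIOLATION", v)
```

The mined model is by construction conformant with the log it came from, so checking the training log back against it must return no violations; that is the first sanity check to run before trusting the model on an audit log. The audit log above produces two findings: a Clerk performing an approval, and a user the model has never seen claiming the Manager role.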

    Identifying the critical success factors to improve information security incident reporting

    There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under-reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focused only on what is believed to be occurring, based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under-reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of the existing security-related incident reporting research, together with incident reporting in general, a scoping study using a group of information security professionals from a range of business sectors was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed, on which a proposal was based that incident reporting could be improved through the identification of Critical Success Factors (CSFs). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSFs. The thesis confirms the concerns that there is under-reporting and identifies, through a Delphi study of information security professionals, a set of CSFs required to improve security incident reporting. An Incident Reporting Maturity Model (IRMM) was subsequently designed as a method for assisting organisations in judging their position against these factors, and was tested using the same Delphi participants as well as a control group.
The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical, novel approach that combines the CSFs and the IRMM, allowing organisations to judge their level of maturity against each of the four CSFs and to change strategy and process accordingly.

    The Web Engineering Security (WES) methodology

    The World Wide Web has had a significant impact on basic operational and economic components of global information-rich civilizations. This impact is forcing organizations to provide justification for security from a business case perspective and to focus on security from a web application development environment perspective. This increased focus on security was the basis of a business case discussion and led to the acquisition of empirical evidence, gathered from a high-level Web survey and more detailed industry surveys, to analyse security in the Web application development environment. Along with this information, a collection of evidence from relevant literature was also gathered. Individual aspects of the data gathered in these activities contributed to the proposal of the Essential Elements (EE) and the Security Criteria for Web Application Development (SCWAD). The Essential Elements present the idea that there are essential, basic organizational elements that need to be identified, defined and addressed before examining security aspects of a Web Engineering development process. The Security Criteria for Web Application Development identifies criteria that need to be addressed by a secure Web Engineering process. Both the EE and SCWAD are presented in detail along with the justification of their relevance to Web Engineering. SCWAD is utilized as a framework to evaluate the security of a representative selection of recognized software engineering processes used in Web Engineering application development. The software engineering processes appraised by SCWAD include: the Waterfall Model, the Unified Software Development Process (USD), Dynamic Systems Development Method (DSDM) and eXtreme Programming (XP).
SCWAD is also used to assess existing security methodologies, which comprise the Orion Strategy; Survivable / Viable IS approaches; the Comprehensive Lightweight Application Security Process (CLASP); and Microsoft's Trustworthy Computing Security Development Lifecycle. The synthesis of information provided by both the EE and SCWAD was used to develop the Web Engineering Security (WES) methodology. WES is a proactive, flexible, process-neutral security methodology with customizable components that is based on empirical evidence and used to explicitly integrate security throughout an organization's chosen application development process. In order to evaluate the practical application of the EE, SCWAD and the WES methodology, two case studies were conducted during the course of this research. The first case study describes the application of both the EE and SCWAD to the Hunterian Museum and Art Gallery's Online Photo Library (HOPL) Internet application project. The second case study presents the commercial implementation of the WES methodology within a Global Fortune 500 financial service sector organization. The assessment of the WES methodology within the organization consisted of an initial survey establishing current security practices, a follow-up survey after changes were implemented, and an overall analysis of the security conditions assigned to projects throughout the life of the case study.

    ISGOP: A model for an information security governance platform

    Sound information security governance is an important part of every business. However, the widespread ransomware attacks that occur regularly cast a shadow of doubt on information security governance practices. Countermeasures to prevent and mitigate ransomware attacks are well known, yet knowledge of these countermeasures is not enough to ensure good information security governance. What matters is how the countermeasures are implemented across a business. Therefore, an information security governance structure is needed to oversee the deployment of these countermeasures. This research study proposes an information security governance model called ISGoP, which describes an information security governance platform comprising a data aspect and a functional aspect. ISGoP adopted ideas from existing frameworks. An information security governance framework known as the Direct-Control Cycle was analysed. This provided ISGoP with conceptual components, such as information security-related documents and the relationships that exist between them. It is important to understand these conceptual components when distributing information security-related documents across all levels of management for a holistic implementation. Security-related documents and their relationships comprise the data aspect of ISGoP. Another framework that influenced ISGoP is the SABSA framework. The SABSA framework is an enterprise architecture framework that enables interoperability and ensures collaboration between the people working for a business. Ideas from the SABSA framework were used to identify roles within the information security governance framework. The SABSA life cycle stages were also adopted by ISGoP. Various functions define the functional aspect of ISGoP. These functions are organised according to the life cycle stages and the views defined for the various roles. A case study was used to evaluate the possible utility of ISGoP.
The case study explored a prototype implementation of ISGoP in a company. In addition to demonstrating its utility, the case study also allowed the model to be refined. ISGoP as a model must be refined and modified for specific business circumstances, but it lays a solid foundation to assist businesses in implementing sound information security governance.

    The Development of Information Assurance and Cyber Security Competencies

    Information assurance and cybersecurity have become a critical element in the daily lives of almost every individual and organization across the globe. Protecting Personal Identity Information (PII), Intellectual Property (IP) and organizational trademarks requires producing more cybersecurity practitioners. The problem addressed by this study is that comprehensive competency levels for information assurance and cybersecurity practitioners have not been identified. This research created definitions for three levels of cybersecurity practitioners that can be utilized by individuals and organizations in government, industry and academia. Fourteen core competencies for cybersecurity practitioners were identified and defined. The Qualtrics survey was distributed by emailing a link to survey participants. To obtain the opinions of government, the survey was distributed to the United States Army Information Technology and Security community and the Department of Homeland Security (DHS) Office of Technology. To gain insight from the academic community, the survey was distributed to the Purdue community and affiliates of the Center for Education and Research in Information Assurance and Security (CERIAS) and the Department of Computer and Information Technology. For industry input, the Information Assurance and Security departments of the following companies received the survey: Lockheed Martin Cybersecurity, Cook Medical, RSA Security, LLC., Dell, Cisco, SAP Software Solutions, and Business Applications and Technology. The data was analyzed using SPSS, a statistical software package available to Purdue faculty, staff, and students. Overall there were 61 government participants, 27 industry participants, and 13 academia participants. The one-way ANOVA test across the government, industry and academia practitioners yielded many significant findings.
Some of the most important competencies that spanned all affiliations and levels were Access Control and Incident Management and Response. This research aimed to identify a broad list of competencies that could be used to design training, curricula, and certification courses for cybersecurity practitioners.

    Identifying the science and technology dimensions of emerging public policy issues through horizon scanning

    Public policy requires public support, which in turn implies a need to enable the public not just to understand policy but also to be engaged in its development. Where complex science and technology issues are involved in policy making, this takes time, so it is important to identify emerging issues of this type and prepare engagement plans. In our horizon scanning exercise, we used a modified Delphi technique [1]. A wide group of people with interests in the science and policy interface (drawn from policy makers, policy advisers, practitioners, the private sector and academics) elicited a long list of emergent policy issues in which science and technology would feature strongly and which would also necessitate public engagement as policies are developed. This was then refined to a short list of top priorities for policy makers.
Thirty issues were identified within the broad areas of business and technology; energy and environment; government, politics and education; health, healthcare, population and ageing; information, communication, infrastructure and transport; and public safety and national security.

    Combining Scenario Workshops and Participatory System Dynamics Modelling to Study Food Security. A case study with farmers in Zambia

    Food security, which affects mainly developing countries, is a worldwide problem that has attracted the attention of the economic, political and scientific community. Achieving food security is a very complex process that involves not only the ability to farm but also constant adaptation to natural phenomena, such as rainfall patterns. Limited knowledge of, and access to, information and technologies restricts the capacity of local farming communities to achieve food security. Furthermore, there is a lack of suitable methods and tools for involving stakeholders, such as farmers, in the development and assessment of food policies and their long-term, system-wide effects. The main goal of this research is to investigate how the use of mixed methods, scenarios and participatory System Dynamics (SD) modelling, can improve understanding and an integrative view of food systems, serving as a lever for supporting food security decision-making processes. Additionally, this research aims to answer the following two questions: i) How can scenarios and participatory SD be used together to study plausible futures of food security involving smallholder farmers in developing countries? ii) What are the possible policy pathways to avoid undesirable situations and to stimulate desirable ones, in a context of subsistence farming in Sub-Saharan African countries? For this purpose, a group of smallholder farmers in Zambia was analysed as a case study. First, a workshop was held in which a scenario of poor rainfall and no government help was developed. In order to achieve food security, participants had to find policy proposals and pathways to avoid or to overcome this undesired scenario. Subsequently, causal loop diagrams (CLD) were built from the scenario workshop data using a systematic coding process.
The next steps were to analyse the policy proposals through a cross-impact analysis and to develop an outline of pathways to study the complementarity and compatibility of those proposals. The 11 policy proposals were Charcoal Business; Livestock Business; Groundnuts Business; Gardening; Loan; Piecework; Land (productive land); Rental Business; Partnership; Legislation for Deforestation/Afforestation; and Retention Basins/Drilling Boreholes. Finally, it was possible to design an innovative Action Plan that shows the pathways and the pace at which each proposal may achieve food security. It was concluded that scenario workshops and participatory SD may be tightly coupled, since these methods complement each other, stimulating systems thinking and the co-creation of knowledge. Scenario workshops are a disruptive and exploratory method, as they allow creative and plausible images to be elicited from participants. Participatory SD supports decision-making processes by analysing policy proposals and their pathways, leading to the elaboration of joint action plans. In the Zambian case, of the 11 plausible policy proposals, Piecework was found to enable the swiftest path to food security, while Rental Business would be the slowest. Additionally, it was found that some of the policy proposals could be reinforced if implemented together, while others, such as Charcoal Business and Legislation for Deforestation/Afforestation, did not show such potential. A follow-up survey with workshop participants showed that they were following the Action Plan, confirming the preference for the short-term policy proposal pathways.

    Protocol for a Systematic Literature Review on Security-related Research in Ubiquitous Computing

    Context: This protocol is a supplementary document to our review paper, which investigates security-related challenges and solutions that have occurred during the past decade (from January 2003 to December 2013). Objectives: The objective of this systematic review is to identify security-related challenges, security goals and defenses in ubiquitous computing by answering three main research questions. First, demographic data and trends will be given by analysing where, when and by whom the research has been carried out. Second, we will identify the security goals that occur in ubiquitous computing, along with the attacks, vulnerabilities and threats that have motivated the research. Finally, we will examine how addressing security in ubiquitous computing differs from doing so in traditional distributed systems. Method: In order to provide an overview of the security-related challenges, goals and solutions proposed in the literature, we will use a systematic literature review (SLR). This protocol describes the steps to be taken in order to identify papers relevant to the objective of our review. The first phase of the method is planning, in which we define the scope of our review by identifying the main research questions, the search procedure, and the inclusion and exclusion criteria. Data extracted from the relevant papers are used in the second phase of the method, data synthesis, to answer our research questions. The review ends by reporting on the results. Results and conclusions: The expected results of the review should provide an overview of the attacks, vulnerabilities and threats that occur in ubiquitous computing and that have motivated the research in the last decade. Moreover, the review will indicate which security goals are gaining in significance in the era of ubiquitous computing and provide a categorization of the security-related countermeasures, mechanisms and techniques found in the literature.
(authors' abstract) Series: Working Papers on Information Systems, Information Business and Operation