Is Security a Conversation-Stopper?

Security is a politically powerful concept. When someone claims that their security is threatened, it often feels as if we should stop talking and start acting. This is a mistake. The ambiguity of security requires us to ask: What goods do we want to secure? How much insecurity are we willing to tolerate? What other values are we willing to sacrifice in order to secure those goods? The invocation of security is just the beginning of the conversation

Is Security Realistic in Cloud Computing?

Cloud computing is rapidly emerging as an attractive IT option for businesses. As a concept cloud computing is well received because of the benefits it offers but many users are not clear about the scope of security in cloud computing. Many surveys point out that security in the cloud remains the top concern for many businesses in their decision making consideration in spite of the cost advantages it offers. In order to identify the security concerns we analyzed over 50 research articles and industry white papers published over the past five years. In this paper we focus on the question “Is security realistic in cloud computing?” In presenting the justification that it is possible to expect adequate security features in the cloud we address several related issues. In this context we first briefly describe the three types of cloud services – SaaS, PaaS and IaaS. Then we focus on the security aspects that businesses must pay attention to in order to succeed. Next, we consider the importance of trust in the service providers and how they could build customer trust in their services. This discussion leads to service reliability in the cloud and what the cloud providers have learned from cloud outages in order to build trust. Also, we highlight how the security features offered in the cloud support compliance requirements. We conclude the paper with some relevant information on the legal aspects related to cloud computing

Measuring User Satisfaction with IS Security

Information systems security has been the focus of many academic and non-academic research. It is an important aspect of any information system and due to increasing security incidents and threats it has become a factor affecting users satisfaction with information systems. This article introduces and validates a survey instrument that measures user satisfaction with the security attribute of information systems

Mindful Administration of IS Security Policies

Managers of information systems have ethical, moral and legal obligations to protect their organization’s intellectual property. They often look to frameworks such as the Control Objectives for Information and related Technology (CobIT) to guide them to what data needs to be secured or standards such as the ISO/IEC 27000 series to provide best practices regarding their policies on how to safeguard this information. However, these policies are either vague in the details or not fluid and flexible enough to account for the unexpected security events that may render them obsolete. For example, Google recently released an online suite of applications that would allow an organization’s employees to collaborate on items of intellectual capital stored on Google’s servers outside the control of the organization’s information technology (IT) department. Additionally, new techniques have been discovered to break the encryption of data that was previously thought to be lost when the device containing it was powered off. While these events certainly have utility to practitioners, they also pose new threats to the security of intellectual capital created and stored on IT artifacts. This paper advocates mindfulness (Weick and Sutcliffe, 2001) as a necessary component of choosing and adapting security policies to better predict the unexpected security threats that may come as a result of technological change, environmental forces, or organizational use of IT

Sensitizing Employees’ Corporate IS Security Risk Perception

Motivated by recent practical observations of employees’ unapproved sourcing of cloud services at work, this study empirically evaluates bring your own cloud (BYOC) policies and social interactions of the IT department to sensitize employees’ security risk perception. Based on social information processing theory, BYOC strategies varying in the level of restriction from the obligatory, recommended, permitted, not regulated, to the prohibited usage of cloud services in the organization as well as social information including IT department’s policies, recommendations and responsiveness, are assessed according to their influence on employees’ perceived security risk to the organization. Results of a mixed-method approach containing expert interviews and survey data of 115 computer users in SME and large-scale enterprises analyzed using Kruskal-Wallis and WarpPLS-SEM identify the organizational-wide prohibition of and IT department’s advices against the cloud service usage at the workplace as the most effective actions to guarantee the protection of the organizational IT assets

A Reclassification of IS Security Analysis Approaches

The role of security management in the development and operation of information systems has a long tradition of research in computer science, information systems and management science. Integrating the economic, organizational, and technical aspects of information systems security analysis and assessment requires a bridging of these different research streams. We examined major articles published concerning IS security using a new classification scheme for IS security analysis and assessment approaches. We looked at approaches discussed in recent publications as well those examined as in past articles that have attempted to classify various approaches to IS security. This paper therefore organizes a diverse collection of literature into a cohesive whole with the aim of providing IS management with an overview of current security analysis approaches, thereby offering management an effective aide for selecting the methods best suited to their needs. Furthermore, this work structures IS security research into a classification scheme that can also be used in future research and practice

How Effective Is Security Screening of Airline Passengers?

With a simple mathematical model, we explored the antiterrorist effectiveness of airport passenger prescreening systems. Supporters of these systems often emphasize the need to identify the most suspicious passengers, but they ignore the point that such identification does little good unless dangerous items can actually be detected. Critics often focus on terrorists\u27 ability to probe the system and thereby thwart it, but ignore the possibility that the very act of probing can deter attempts at sabotage that would have succeeded. Using the model to make some preliminary assessments about security policy, we find that an improved baseline level of screening for all passengers might lower the likelihood of attack more than would improved profiling of high-risk passengers