121,858 research outputs found

    ISSEC: A socio-technical DSS for information security planning

    The traditional notion of information security, rooted in a solidly technical foundation, has within the past decade seen wide criticism within academia - much of which has originated from the social sciences community - as being narrow and technology-centric instead of holistic and organizational in its focus. As information security awareness encompasses an ever-greater scope of organizational dynamics, it becomes necessary for us to develop design methodologies and ultimately, systems, capable of dealing practically with the complex and multifaceted nature of the decision-making of information systems security which is entailed by the emerging notions of a new paradigm for security. To this end, we present an architecture which implements a web-based multi-user decision support system (DSS) driven by an operational security model within a qualitative multi-criteria framework that utilizes AHP as its inference engine. The system is then demonstrated in action, by addressing a multi-criteria security control selection decision.
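The abstract names AHP (the Analytic Hierarchy Process) as the inference engine behind a security control selection decision. The following is an added worked example of that mechanism, not code or data from ISSEC: three criteria and three candidate controls are compared pairwise, priority vectors are extracted as the principal eigenvector of each reciprocal matrix, Saaty's consistency ratio rejects contradictory judgements, and the criterion weights and local priorities are combined into a global ranking. The criteria, the controls (MFA, EDR, awareness training) and every pairwise judgement are constructed for the illustration.

```python
"""Analytic Hierarchy Process (AHP) for multi-criteria security control selection.

Added illustration, not code from ISSEC. Criteria, controls and all pairwise
judgements below are constructed for the example.
"""
from typing import Dict, List, Sequence, Tuple

Matrix = Sequence[Sequence[float]]

# Saaty's random consistency index by matrix order n (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def check_reciprocal(a: Matrix) -> None:
    """A pairwise comparison matrix must be square, positive and reciprocal."""
    n = len(a)
    if any(len(row) != n for row in a):
        raise ValueError("pairwise matrix must be square")
    for i in range(n):
        for j in range(n):
            if a[i][j] <= 0 or abs(a[i][j] * a[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entry ({i},{j}) breaks a_ij * a_ji = 1")


def priority_vector(a: Matrix, tol: float = 1e-12, max_iter: int = 1000) -> Tuple[List[float], float]:
    """Principal right eigenvector of a reciprocal matrix by power iteration,
    normalized to sum 1, together with the estimated principal eigenvalue."""
    check_reciprocal(a)
    n = len(a)
    v = [1.0 / n] * n
    for _ in range(max_iter):
        av = [sum(a[i][j] * v[j] for j in range(n)) for i in range(n)]
        total = sum(av)
        new_v = [x / total for x in av]
        converged = max(abs(x - y) for x, y in zip(new_v, v)) < tol
        v = new_v
        if converged:
            break
    av = [sum(a[i][j] * v[j] for j in range(n)) for i in range(n)]
    return v, sum(av)  # v sums to 1, so sum(A v) estimates lambda_max


def consistency_ratio(a: Matrix) -> float:
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR > 0.1 means
    the judgements contradict each other too much to trust the weights."""
    n = len(a)
    if n <= 2:
        return 0.0
    _, lam = priority_vector(a)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def ahp_rank(criteria_matrix: Matrix, criteria: Sequence[str],
             alternatives_by_criterion: Dict[str, Matrix], alternatives: Sequence[str],
             cr_limit: float = 0.1) -> List[Tuple[str, float]]:
    """Combine criterion weights with per-criterion local priorities into global
    scores; refuse to rank if any judgement matrix is inconsistent."""
    if consistency_ratio(criteria_matrix) > cr_limit:
        raise ValueError("criteria judgements are inconsistent (CR > limit)")
    weights, _ = priority_vector(criteria_matrix)
    scores = {alt: 0.0 for alt in alternatives}
    for w, crit in zip(weights, criteria):
        local_matrix = alternatives_by_criterion[crit]
        if consistency_ratio(local_matrix) > cr_limit:
            raise ValueError(f"judgements under '{crit}' are inconsistent (CR > limit)")
        local, _ = priority_vector(local_matrix)
        for alt, p in zip(alternatives, local):
            scores[alt] += w * p
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed judgements: a_ij = how strongly row i is preferred to column j.
CRITERIA = ["risk_reduction", "cost_effectiveness", "usability"]
CRITERIA_MATRIX = [[1.0, 5 / 3, 2.5],
                   [0.6, 1.0, 1.5],
                   [0.4, 2 / 3, 1.0]]
CONTROLS = ["MFA", "EDR", "awareness_training"]
LOCAL = {
    "risk_reduction":     [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]],
    "cost_effectiveness": [[1, 3, 1 / 3], [1 / 3, 1, 1 / 9], [3, 9, 1]],
    "usability":          [[1, 1 / 4, 1 / 2], [4, 1, 2], [2, 1 / 2, 1]],
}
# A cyclic judgement set (A > B, B > C, C > A) that AHP must reject.
CYCLIC = [[1, 3, 1 / 3], [1 / 3, 1, 3], [3, 1 / 3, 1]]

if __name__ == "__main__":
    for name, score in ahp_rank(CRITERIA_MATRIX, CRITERIA, LOCAL, CONTROLS):
        print(f"{name:20s} {score:.4f}")
    print("CR of cyclic matrix:", round(consistency_ratio(CYCLIC), 3))
```

With these judgements MFA ranks first, awareness training second and EDR third, because cost-effectiveness pulls training up even though it scores lowest on risk reduction. The consistency check matters in a multi-user DSS: the cyclic matrix has a CR above 1, so its weights would be meaningless and the function refuses to rank on them.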

    Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses

    Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers' awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.
    Comment: Preprint accepted for publication at the First International Conference on Code Quality (ICCQ 2021).

    Malware in the Future? Forecasting of Analyst Detection of Cyber Events

    There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately seven years. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives, which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of purposes such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. We used a Bayesian State Space Model for forecasting and found that events one week ahead could be predicted. To quantify bursts, we used a Markov model. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity.
    Comment: Revised version resubmitted to journal.
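The abstract describes two pieces of machinery: a state space model that yields a one-week-ahead point forecast with a range, and a Markov model for bursts. The following added example shows the shape of both on constructed weekly counts; it is not the paper's model, code or CSSP data. The local-level model filtered with a Kalman filter is assumed here as the Gaussian, fixed-variance special case of a Bayesian state space model, and a two-state chain over "normal" and "burst" weeks is assumed as the burst model; the observation and level variances, the burst threshold of 20 events, and the count series are all invented for the illustration.

```python
"""One-week-ahead forecasting of weekly analyst-verified event counts.

Added illustration, not the paper's model or data. A local-level state space
model filtered with a Kalman filter stands in for the paper's Bayesian state
space model (its Gaussian special case with fixed variances), and a two-state
Markov chain on 'burst' weeks stands in for its burst model. The weekly counts
below are constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple


def local_level_forecast(counts: Sequence[float], obs_var: float,
                         level_var: float) -> Tuple[float, float, float]:
    """Kalman-filter the local-level model
        y_t  = mu_t + eps_t,      eps_t ~ N(0, obs_var)
        mu_t = mu_{t-1} + eta_t,  eta_t ~ N(0, level_var)
    and return (point forecast, lower, upper) for next week at 95%."""
    if len(counts) < 2:
        raise ValueError("need at least two weeks of counts")
    mu, p = float(counts[0]), obs_var  # start the level at the first observation
    for y in counts[1:]:
        mu_pred, p_pred = mu, p + level_var      # time update: level may drift
        gain = p_pred / (p_pred + obs_var)        # Kalman gain in (0, 1)
        mu = mu_pred + gain * (y - mu_pred)       # measurement update
        p = (1.0 - gain) * p_pred
    pred_var = p + level_var + obs_var            # state, drift and noise uncertainty
    half_width = 1.96 * math.sqrt(pred_var)
    return mu, max(0.0, mu - half_width), mu + half_width


def burst_indicators(counts: Sequence[float], threshold: float) -> List[int]:
    """1 for weeks whose count exceeds the threshold, else 0."""
    return [1 if c > threshold else 0 for c in counts]


def burst_markov(indicators: Sequence[int]) -> Dict[str, float]:
    """Estimate the two-state chain normal(0)/burst(1) from an indicator sequence.
    Expected burst length is the mean geometric run length 1 / (1 - p11)."""
    transitions = {(a, b): 0 for a in (0, 1) for b in (0, 1)}
    for a, b in zip(indicators, indicators[1:]):
        transitions[(a, b)] += 1

    def prob(a: int, b: int) -> float:
        row_total = transitions[(a, 0)] + transitions[(a, 1)]
        return transitions[(a, b)] / row_total if row_total else float("nan")

    p11 = prob(1, 1)
    return {"p00": prob(0, 0), "p01": prob(0, 1), "p10": prob(1, 0), "p11": p11,
            "expected_burst_weeks": 1.0 / (1.0 - p11) if p11 < 1.0 else float("inf")}


# Constructed weekly counts of analyst-verified malware events (not real CSSP data).
WEEKLY_EVENTS = [12, 14, 11, 13, 30, 28, 12, 10, 13, 12, 11, 27, 14, 12, 13]

if __name__ == "__main__":
    point, lo, hi = local_level_forecast(WEEKLY_EVENTS, obs_var=9.0, level_var=1.0)
    print(f"next week: {point:.1f} events, 95% interval [{lo:.1f}, {hi:.1f}]")
    flags = burst_indicators(WEEKLY_EVENTS, threshold=20)
    print("burst chain:", burst_markov(flags))
```

The forecast is a convex combination of past observations, so it always lies within the observed range, and the interval width is what an analyst-staffing decision would actually consume. The transition estimates show how sticky bursts are: a high p11 means that once a heavy week arrives, more are likely to follow.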

    Expanding Protection Motivation Theory: The Role of Individual Experience in Information Security Policy Compliance

    The purpose of the present study is to make contributions to the area of behavioral information security in the field of Information Systems and to assist in the improved development of Information Security Policy instructional programs to increase the policy compliance of individuals. The role of an individual’s experience in the context of information security behavior was explored through the lens of protection motivation theory. The practical foundation was provided by the framework of Security Education, Training, and Awareness (SETA) programs which are typically used by organizations within the United States to instruct employees regarding information security. A pilot study and primary study were conducted with separate data collections and analyses. Both existing and new measures were tested in the study which used a Modified Solomon Four Group Design to accommodate data collection via a web-based survey that included a two-treatment experimental component. The primary contribution to academia proposed in this study was to expand the protection motivation theory by including direct and vicarious experience regarding both threats and responses to the threats. Clear definitions and valid and reliable reflective measures for each of the four experience constructs were developed and are presented in this dissertation. Furthermore, the study demonstrated that all four forms of experience play an important part in the prediction of the primary constructs in the protection motivation model, and as such ultimately play an important part in the prediction of behavioral intent in the context of information security. The primary contribution to practice was expected to be specifically related to the application of fear appeals within a SETA instructional framework. The contribution to practice made by this dissertation became instead the implications resulting from the strong performance of the experience constructs. 
Specifically, experience, both direct and vicarious, and with threats and with responses, are all important influences on individuals' behavioral choices regarding information security and should continue to be explored in this context.

    Security Evaluation of Cyber-Physical Systems in Society-Critical Internet of Things

    In this paper, we present an evaluation of the security awareness of developers and users of cyber-physical systems. Our study includes interviews, workshops, surveys and one practical evaluation. We conducted 15 interviews and a survey with 55 respondents coming primarily from industry. Furthermore, we performed a practical evaluation of the current state of practice for a society-critical application, a commercial vehicle, and reconfirmed our findings by discussing an attack vector for an off-line society-critical facility. More work is necessary to increase usage of security strategies, available methods, processes and standards. The security information, currently often insufficient, should be provided in the user manuals of products and services to protect system users. We confirmed this lately when we conducted an additional survey of users, with users feeling left out in their quest for their own security and privacy. Finally, hardware-related security questions are beginning to come up on the agenda, with a general increase of interest in and awareness of the hardware contribution to overall cyber-physical security. At the end of this paper we discuss possible countermeasures for dealing with threats in infrastructures, highlighting the role of authorities in this quest.

    Education and outreach activities within the biological weapons convention

    No description supplied.

    An information security retrieval and awareness model for industry

    The present study originated from a realisation that employees in an organisation should be aware of their role and responsibility towards securing the information they work with. Only if employees are aware of their role and responsibilities towards Information Security, could they be held accountable if the information they work with is compromised in any way. Further motivation for the study was the realisation that information is the lifeline of many organisations and should therefore be properly secured and managed to ensure that it is not compromised in any way. If organisations fail to do so, they could be faced with serious consequences such as prosecution under a number of legal frameworks, or a loss of money, time and business opportunities. The ultimate responsibility for the management of Information Security lies with top management. Top management should enforce Information Security and create an Information Security culture within the organisation. To ensure that employees adhere to the Information Security rules and regulations, top management should measure and monitor the status of Information Security awareness among employees on a continuous basis. A further incentive for this study was the realisation that many Information Security breaches occur due to human action (deliberate as well as accidental). Information Security should therefore also address the non-technical, human-related Information Security issues and not focus on the technical issues only. Bearing these realisations in mind, this study is principally aimed at making a contribution towards enhancing Information Security awareness in industry, and for this reason, culminates in an Information Security Retrieval and Awareness model specifically developed for the industry sector. While developing this model, special care was taken to address the limitations of current models in the said domain. 
An investigation into the current status of Information Security awareness in each of the sectors of the Information Security community (i.e. government, industry and academia) indicated that there is an urgent need for enhancing Information Security awareness in each of these sectors. Although many governments around the globe have initiated projects to address Information Security, they should continue to launch new initiatives to keep up with the constant changes in Information Technology. These changes continuously trigger new risks that could lead to Information Security breaches. In the industry sector, technical Information Security issues receive most of the attention when Information Security is addressed, and the non-technical, human-related Information Security issues are often ignored or neglected. The pressing need for an Information Security awareness model for industry that incorporates the non-technical, human-related Information Security issues is therefore self-evident. The academic sector has incorporated Information Security into its curricula, but these efforts are still not enough. Information Security should be incorporated at all levels - undergraduate as well as postgraduate - and should be included in Computer Science and Information Systems, as well as other related disciplines such as Law. After having investigated the current status of Information Security awareness in the Information Security community, the researcher proceeded to explore the ongoing development of Information Security over the past few years. These developments created paradigm shifts ranging from a purely technical approach towards Information Security, towards a more managerial way of protecting information, and currently focusing on creating an Information Security culture within organisations. With the development of Information Security came Information Security documents that address the management and implementation of Information Security.
An investigation into these documents has led to the identification of ten Information Security documents that are accepted as leading documents in the Information Security community. These documents were identified as the basis for a Common Body of Knowledge for Information Security suited to industry. After having explored the limitations of current efforts to create such a Common Body of Knowledge, a Common Body of Knowledge for Information Security suited to industry that addresses these limitations was proposed. The proposed Common Body of Knowledge addresses the Information Security responsibility of both users with little or no formal background in Information Security, and of specialists in the field. This is achieved by grouping stakeholders according to their job category into IT authority levels. The people on each IT authority level have different responsibilities towards securing the information they work with. In addition, the proposed Common Body of Knowledge explicitly distinguishes between the technical and the non-technical, human-related Information Security issues. Such a Common Body of Knowledge can be used as a guideline during the management and implementation of Information Security in industry. Having explored the IT authority levels of a typical organisation and after investigating the non-technical, human-related Information Security issues, an Information Security Retrieval and Awareness model (ISRA) was developed specifically for industry. The proposed model enhances Information Security awareness in the said domain in the sense that it is based on a Common Body of Knowledge for Information Security suited to industry. In addition, the ISRA model ensures that stakeholders are made aware of the Information Security issues relevant to their specific job category only, to prevent them from being burdened with irrelevant information.
Finally, the ISRA model allows stakeholders to retrieve specific information related to Information Security at any time. The ISRA model focuses specifically on the industry sector and consists of three parts: the ISRA Dimensions; Information Security Retrieval and Awareness; and Measuring and Monitoring. The ISRA dimensions form the building blocks of the model and integrate the non-technical, human-related Information Security issues, the IT authority levels and the ten state-of-the-art Information Security document dimensions. The purpose of the Retrieval and Awareness part of the ISRA model is to enable each stakeholder to retrieve information from the ISRA dimensions at any time. In this way Information Security awareness among all stakeholders can be enhanced. IT authority levels could also request specific information to assist them in their decision-making processes. The last part of the ISRA model, Measuring and Monitoring, provides top management with a tool to determine the status of Information Security awareness within the organisation and enables them to identify vulnerable areas with regard to Information Security awareness. The current research culminates in the development and implementation of a prototype to confirm that the ISRA model is not merely a theoretical concept, but that it also constitutes a practicable Information Security Retrieval and Awareness model.
PhD (Information Systems), Computing.

    PRIVACY PRESERVING DATA MINING FOR NUMERICAL MATRICES, SOCIAL NETWORKS, AND BIG DATA

    Motivated by increasing public awareness of possible abuse of confidential information, which is considered as a significant hindrance to the development of e-society, medical and financial markets, a privacy preserving data mining framework is presented so that data owners can carefully process data in order to preserve confidential information and guarantee information functionality within an acceptable boundary. First, among many privacy-preserving methodologies, as a group of popular techniques for achieving a balance between data utility and information privacy, a class of data perturbation methods add a noise signal, following a statistical distribution, to an original numerical matrix. With the help of analysis in eigenspace of perturbed data, the potential privacy vulnerability of a popular data perturbation is analyzed in the presence of very little information leakage in privacy-preserving databases. The vulnerability to very little data leakage is theoretically proved and experimentally illustrated. Second, in addition to numerical matrices, social networks have played a critical role in modern e-society. Security and privacy in social networks receive a lot of attention because of recent security scandals among some popular social network service providers. So, the need to protect confidential information from being disclosed motivates us to develop multiple privacy-preserving techniques for social networks. Affinities (or weights) attached to edges are private and can lead to personal security leakage. To protect privacy of social networks, several algorithms are proposed, including Gaussian perturbation, greedy algorithm, and probability random walking algorithm. They can quickly modify original data in a large-scale situation, to satisfy different privacy requirements. Third, the era of big data is approaching on the horizon in the industrial arena and academia, as the quantity of collected data is increasing in an exponential fashion. 
Three issues are studied in the age of big data with privacy preservation: obtaining high confidence about the accuracy of any specific differentially private query, speedily and accurately updating a private summary of a binary stream with I/O-awareness, and launching a mutual private information retrieval for big data. All three issues are handled by two core backbones, differential privacy and the Chernoff Bound.
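The first part of this abstract concerns the weakness of additive-noise perturbation under eigenspace analysis: when the confidential matrix has low rank, its energy concentrates in a few eigenvectors of the perturbed data's covariance while i.i.d. noise spreads evenly over all of them, so projecting the released data onto the dominant eigenspace strips most of the noise and recovers an estimate closer to the original than the release itself. The following added example demonstrates that filtering attack end to end; it is not the dissertation's code or data. It assumes a constructed two-attribute rank-1 data set, Gaussian noise of standard deviation 5 as the perturbation under attack, and two attributes only so that the top eigenvector of the 2x2 covariance has a closed form rather than needing an eigensolver.

```python
"""Spectral filtering attack on additive-noise data perturbation.

Added example, not the dissertation's code or data. The data owner releases
Y = X + N (X confidential, N i.i.d. Gaussian); the attacker projects Y onto the
dominant eigenvector of its covariance and gets an estimate of X that is
closer to X than Y is. Everything below is constructed for the illustration.
"""
import math
import random
from typing import List, Tuple

Rows = List[List[float]]


def make_confidential(n: int, seed: int) -> Rows:
    """Constructed rank-1 records: attribute 2 is always half of attribute 1."""
    rng = random.Random(seed)
    return [[a, 0.5 * a] for a in (rng.uniform(20.0, 80.0) for _ in range(n))]


def perturb(x: Rows, sigma: float, seed: int) -> Rows:
    """The perturbation under attack: add independent N(0, sigma^2) noise per cell."""
    rng = random.Random(seed)
    return [[v + rng.gauss(0.0, sigma) for v in row] for row in x]


def column_means(y: Rows) -> List[float]:
    n = len(y)
    return [sum(row[j] for row in y) / n for j in range(len(y[0]))]


def top_eigenvector_2x2(y: Rows) -> Tuple[float, float]:
    """Unit eigenvector of the largest eigenvalue of the 2x2 sample covariance."""
    m = column_means(y)
    n = len(y)
    a = sum((r[0] - m[0]) ** 2 for r in y) / n
    b = sum((r[0] - m[0]) * (r[1] - m[1]) for r in y) / n
    c = sum((r[1] - m[1]) ** 2 for r in y) / n
    theta = 0.5 * math.atan2(2.0 * b, a - c)  # angle of the principal axis
    return math.cos(theta), math.sin(theta)


def spectral_filter(y: Rows) -> Rows:
    """Attacker's reconstruction: keep only the component along the top eigenvector.
    Noise orthogonal to it is discarded; noise along it is all that remains."""
    m = column_means(y)
    v = top_eigenvector_2x2(y)
    out = []
    for r in y:
        d0, d1 = r[0] - m[0], r[1] - m[1]
        coef = d0 * v[0] + d1 * v[1]
        out.append([m[0] + coef * v[0], m[1] + coef * v[1]])
    return out


def rms_error(est: Rows, truth: Rows) -> float:
    """Root-mean-square cell-wise distance between two matrices of equal shape."""
    total = sum((e - t) ** 2 for er, tr in zip(est, truth) for e, t in zip(er, tr))
    return math.sqrt(total / (len(truth) * len(truth[0])))


def attack_demo(n: int = 500, sigma: float = 5.0, seed: int = 7) -> Tuple[float, float]:
    """Return (RMS distance of released Y from X, RMS distance of the filtered estimate from X)."""
    x = make_confidential(n, seed)
    y = perturb(x, sigma, seed + 1)
    return rms_error(y, x), rms_error(spectral_filter(y), x)


if __name__ == "__main__":
    released, recovered = attack_demo()
    print(f"RMS distance from X: released {released:.2f}, after filtering {recovered:.2f}")
```

With two attributes the filter removes roughly half the noise energy, so the recovered matrix sits about 30% closer to the confidential data than the release does; with more attributes and the same low rank, the fraction of noise discarded grows, which is why the abstract can speak of a vulnerability even under very little leakage. The defence side of the same observation is that noise whose covariance mimics the data's own spectrum, rather than i.i.d. noise, is not separable this way.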