Quantitative Analysis of Opacity in Cloud Computing Systems

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Federated cloud systems increase the reliability and reduce the cost of the computational support. The resulting combination of secure private clouds and less secure public clouds, together with the fact that resources need to be located within different clouds, strongly affects the information flow security of the entire system. In this paper, the clouds as well as entities of a federated cloud system are assigned security levels, and a probabilistic flow sensitive security model for a federated cloud system is proposed. Then the notion of opacity --- a notion capturing the security of information flow --- of a cloud computing systems is introduced, and different variants of quantitative analysis of opacity are presented. As a result, one can track the information flow in a cloud system, and analyze the impact of different resource allocation strategies by quantifying the corresponding opacity characteristics

Human Resource Reputation: Looking Good May Feel Good But Does It Add Value?

[Excerpt] Examples of human resource signals, such as these, abound. The critical questions are,do signals like these help create an organization asset, a good HR reputation, and does a good reputation add value? In other words, is a company\u27s HR reputation a valuable resource and source of competitive advantage (Barney, 1991)? Is it difficult to copy by its competitors? Does it favorably influence security analysts, stockholders’, applicants’, employees’, and customers’ views of the company? Or, is information about human resource activities discounted or dismissed altogether as nothing more than mere reflections of a facade having little impact on organizational success

Broadband Internet Access as a Localized Resource for Facilitating Information Security Knowledge

With an increasing number of threats to cybersecurity, research continues to focus on methods and behaviors by which individuals may better protect themselves. The availability of broadband infrastructure has been proposed to improve city and regional economic, educational, and health-related prospects, but its impact on facilitating security knowledge gathering has yet to be studied. This study assesses the influence of broadband availability, using data collected from 894 Internet users from across the United States, with multiple analysis techniques supported by geographical information systems (GIS). The results indicate that broadband access, in addition to age and education level, is associated with higher levels of security knowledge. Moreover, geographical weighted regression analyses suggest that the significant variables vary in influence based on their locality

Applying Real Options Thinking to Information Security in Networked Organizations

An information security strategy of an organization participating in a networked business sets out the plans for designing a variety of actions that ensure confidentiality, availability, and integrity of company’s key information assets. The actions are concerned with authentication and nonrepudiation of authorized users of these assets. We assume that the primary objective of security efforts in a company is improving and sustaining resiliency, which means security contributes to the ability of an organization to withstand discontinuities and disruptive events, to get back to its normal operating state, and to adapt to ever changing risk environments. When companies collaborating in a value web view security as a business issue, risk assessment and cost-benefit analysis techniques are necessary and explicit part of their process of resource allocation and budgeting, no matter if security spendings are treated as capital investment or operating expenditures. This paper contributes to the application of quantitative approaches to assessing risks, costs, and benefits associated with the various components making up the security strategy of a company participating in value networks. We take a risk-based approach to determining what types of security a strategy should include and how much of each type is enough. We adopt a real-options-based perspective of security and make a proposal to value the extent to which alternative components in a security strategy contribute to organizational resiliency and protect key information assets from being impeded, disrupted, or destroyed

Estimating ToE Risk Level using CVSS

Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Parts of which is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade-off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which are then used to predict the risk level at a particular time