359,854 research outputs found

    Information Security Training & Awareness

    Information security standards, best practices and literature all identify the need for Training & Awareness, the theory is clear. The surveys studied show that in the real world the situation is different: the focus of businesses is still on technical information security controls aimed at the external attacker. And although threats and vulnerabilities point out that personnel security becomes more important, the attitude of managers and employees does not reflect that. Information Security Training and Awareness is not recognised as contributor to security. This needs changing, which means changing behaviour and attitude. One way of achieving that is giving people the information security knowledge and awareness they need for their role. It seems that the solution is not to be found in technical controls but more on the non-technical side: the side of human resource security and psychology. A psychological model is introduced in this project and applied to information security. This model can be used as a tool to visualise and quantify the forces that impact on information security. The exercise of analysing the driving and restraining forces impacting on security in general and the security of information in particular visualises how forces work together or against each other; and identifies the relationship with business processes. The driving and restraining forces of the information security force field diagram reflect all areas of information security counter measures: technical, procedural and personnel. Visualising the forces enables the information security professional to explain to nonspecialists why an organisation needs to invest, in resources and finances, to secure information. The diagram will point out where investments are most effective and efficient. 
The information security force field analysis and diagram, as introduced in this project, can be a useful new tool for information security professionals to:

* communicate effectively to line and senior managers about the link between business processes and information security;
* explain how investment in training and awareness can impact on information security and improve security of an organisation;
* quantify the level of security of an organisation in comparison with other organisations or in comparison with the previous moment of measuring;
* quantify the impact of information security training & awareness.

The information security force field diagram will prove that investing in training and awareness is a very cost-effective counter measure: it will increase the overall level of security of an organisation and it decreases the restraining forces and with doing so the driving forces become more effectiv

    Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

    Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10% to the best-performing 10%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels -- even higher in the stack, where CMSes can run as client-side software -- and that this influence is tied to a substantial reduction in abuse levels

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislations on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions

    The effects of human resource practices on firm growth

    Although the connection between firm growth and labour is well documented in economics literature, only recently has the link between human resources (HR) and firm growth attracted the interest of researchers. This study aims to assess the extent, if any, to which specific HR practices may contribute to firm growth. We review a rich literature on the links between firm performance and the following HR practices: (1) job security, (2) selective hiring, (3) self-managed teams, (4) compensation policy, (5) extensive training, and (6) information sharing. We surveyed HR managers and recorded their perceptions about the links between HR practices and firm growth. Results demonstrated that compensation policy was the strongest predictor of sales growth. Results provide overall support for all HR practices except for job security. Eventually, selecting, training, and rewarding employees as well as giving them the power to decide for the benefit of their firm, contribute significantly to firm growth

    Measuring Effectiveness of Quantitative Equity Portfolio Management Methods

    In this paper, I use quantitative computer models to measure the effectiveness of Quantitative Equity Portfolio Management in predicting future stock returns using commonly accepted industry valuation factors. Industry knowledge and practices are first examined in order to determine strengths and weaknesses, as well as to build a foundation for the modeling. In order to assess the accuracy of the model and its inherent concepts, I employ up to ten years of historical data for a sample of stocks. The analysis examines the historical data to determine if there is any correlation between returns and the valuation factors. Results suggest that the price to cash flow and price to EBITDA were significant predictors of future returns, while the price to earnings ratio is an insignificant predictor

    Exploring the Effectiveness of Transit Security Awareness Campaigns in the San Francisco Bay Area, Research Report 09-19

    Public involvement in alerting officials of suspicious and potentially harmful activity is critical to the overall security of a transit system. As part of an effort to get passengers and the public involved, many transit agencies have security awareness campaigns. The objective of this research is to learn how transit agencies seek to make security awareness campaigns effective and explore how they measure the effectiveness of such campaigns, if at all. This research project includes data from case studies of five major agencies that provide transit service in the San Francisco Bay Area region. The case study data are comprised of descriptions of the types of security awareness campaigns the agencies have implemented, the goals of the campaigns, and how they seek to make their campaigns effective, as well as whether and how these agencies measure and determine the effectiveness of their campaigns. A positive finding of this research is the consistency with which Bay Area transit organizations address the need for passenger awareness as part of their overall security program. However, none of the five agencies analyzed for this study measures the effectiveness of their campaigns. Whereas they all have a similar goal—to increase passenger awareness about security issues—little evidence exists confirming to what extent they are achieving this goal. The paper concludes with suggestions for using outcome measurements to provide a reasonable indication of a campaign’s effectiveness by capturing the public’s response to a campaign

    Methodological Guide to Co-design Climate-smart Options with Family Farmers

    Climate-smart agriculture (CSA) seeks to improve productivity for the achievement of food security (pillar 1: Productivity), to develop a better ability to adapt (pillar 2: Adaptation), and to limit greenhouse gas emissions (pillar 3: Mitigation). Technical and organizational innovations are needed to find synergies among those three pillars. Innovation (its creation and its operation) is a social phenomenon. Many studies worldwide have shown that promoting a sustainable change and innovation within organizations has to be analyzed and implemented with stakeholders. Thus, the ability of local actors to tackle climate change and mitigate its effects will depend on their ability to innovate and mobilize material and non-material resources, to articulate links among national policies, not only between themselves, but also undertaking actions at the local level. To support stakeholders in the development of responses to this challenge, we propose the development of open innovation platforms, in which all local actors may participate. These platforms are virtual, physical, or physico-virtual spaces to learn, jointly conceive, and transform different situations; they are generated by individuals with different origins, different backgrounds and interests (Pali and Swaans, 2013). The purpose of this manual is to provide a seven-step methodology to allow family farmers to co-build and adopt CSA options to tackle climate change in an open innovation platfor