
    Security in online learning assessment towards an effective trustworthiness approach to support e-learning teams

    (c) 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
    This paper proposes a trustworthiness model for the design of secure learning assessment in on-line collaborative learning groups. Although computer supported collaborative learning has been widely adopted in many educational institutions over the last decade, there exist still drawbacks which limit their potential in collaborative learning activities. Among these limitations, we investigate information security requirements in on-line assessment (e-assessment), which can be developed in collaborative learning contexts. Despite information security enhancements have been developed in recent years, to the best of our knowledge, integrated and holistic security models have not been completely carried out yet. Even when security advanced methodologies and technologies are deployed in Learning Management Systems, too many types of vulnerabilities still remain opened and unsolved. Therefore, new models such as trustworthiness approaches can overcome these lacks and support e-assessment requirements for e-Learning. To this end, a trustworthiness model is designed in order to conduct the guidelines of a holistic security model for on-line collaborative learning through effective trustworthiness approaches. In addition, since users' trustworthiness analysis involves large amounts of ill-structured data, a parallel processing paradigm is proposed to build relevant information modeling trustworthiness levels for e-Learning. Peer Reviewed. Postprint (author's final draft

    A Knowledge Framework for Information Security Modeling

    The data collection process for risk assessment highly depends on the security experience of the security staff of an organization. It is difficult to have the right information security staff, who understand both the security requirements and the current security state of an organization and at the same time possess the skill to perform risk assessment. However, a well-defined knowledge model could help to describe categories of knowledge required to guide the data collection process. In this paper, a knowledge framework is introduced, which includes a knowledge model to define the data skeleton of the risk environment of an organization and security patterns about relationships between threat, entity and countermeasures; and a data integration mechanism for integrating distributed security related data into a security data repository that is specific to an organization for information security modelling

    Knowledge Systems and Risk Management: Towards a Risk and Threat Assessment Framework

    Knowledge is the most important asset that a company can have. Thus, it is imperative that this asset is safeguarded just like generic information assets. However, knowledge management (KM) and knowledge systems are different than traditional information systems with different threats and different operational requirements. Risk assessment is the cornerstone to security. This paper discusses risk assessment frameworks and builds on a KM/knowledge system specific risk assessment framework with a step-by-step guideline for managers as well as a generic KM/knowledge system specific threat assessment

    The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities

    In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only been recently investigated. As proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, to influence more the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information. Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201

    Evidential Reasoning Approach to Behavioural Analysis of ICT Users’ Security Awareness

    The role of the ICT system's user should be taken into consideration when developing different information security solutions because the user, as its constitutive element, can significantly affect overall system security with his/her potentially risky behaviour depending on the level of the user's security awareness. In this paper the authors propose a risk assessment approach of ICT users' behaviour based on the evidential reasoning technique. Performance testing was compared using a combination of cluster analysis and discriminant analysis while empirical analysis was conducted on the total of 627 e-mail users grouped regarding gender, age, technical background knowledge and level of experience. The assessment methodology used in this paper has proven to be well suited for evaluation of users' awareness and identification of their potentially risky behaviour. Results of empirical analysis showed that all groups of users got an overall utility grade higher than the simulated "minimally enough aware" user, but less than the "average awareness" grade. As users of all groups are highly critical towards collocutor, it can mean that users are quite aware about the importance of information security foundation, but also about lack of knowledge regarding different security issues. Another possible reason may be the users' negligence toward security guidelines and protocols

    Causal Connections Mining Within Security Event Logs

    Performing both security vulnerability assessment and configuration processes is heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system's event log provides historical information depicting potential security threats, as well as recording configuration activities. In this paper, a novel technique is developed that can process security event logs on a computer that has been assessed and configured by a security professional, and autonomously establish causality amongst event log entries to learn performed configuration tasks. This extracted knowledge can then be exploited by non-professionals to plan steps that can improve the security of a previously unseen system

    Enhancing Key Digital Literacy Skills: Information Privacy, Information Security, and Copyright/Intellectual Property

    Key Messages. Background: Knowledge and skills in the areas of information security, information privacy, and copyright/intellectual property rights and protection are of key importance for organizational and individual success in an evolving society and labour market in which information is a core resource. Organizations require skilled and knowledgeable professionals who understand risks and responsibilities related to the management of information privacy, information security, and copyright/intellectual property. Professionals with this expertise can assist organizations to ensure that they and their employees meet requirements for the privacy and security of information in their care and control, and in order to ensure that neither the organization nor its employees contravene copyright provisions in their use of information. Failure to meet any of these responsibilities can expose the organization to reputational harm, legal action and/or financial loss. Context: Inadequate or inappropriate information management practices of individual employees are at the root of organizational vulnerabilities with respect to information privacy, information security, and information ownership issues. Users demonstrate inadequate skills and knowledge coupled with inappropriate practices in these areas, and similar gaps at the organizational level are also widely documented. National and international regulatory frameworks governing information privacy, information security, and copyright/intellectual property are complex and in constant flux, placing additional burden on organizations to keep abreast of relevant regulatory and legal responsibilities. Governance and risk management related to information privacy, security, and ownership are critical to many job categories, including the emerging areas of information and knowledge management. There is an increasing need for skilled and knowledgeable individuals to fill organizational roles related to information management, with particular growth in these areas within the past 10 years. Our analysis of current job postings in Ontario supports the demand for skills and knowledge in these areas. Key Competencies: We have developed a set of key competencies across a range of areas that responds to these needs by providing a blueprint for the training of information managers prepared for leadership and strategic positions. These competencies are identified in the full report. Competency areas include: conceptual foundations risk assessment tools and techniques for threat responses communications contract negotiation and compliance evaluation and assessment human resources management organizational knowledge management planning; policy awareness and compliance policy development project managemen

    The assessment of efforts to return to work in the European Union

    Background: Assessment of efforts to promote return-to-work (RTW) includes all efforts (vocational and non-vocational) designed to improve the work ability of the sick-listed employee and increase the chance to return to work. Aim of the study was to investigate whether in 13 European countries these RTW efforts are assessed and to compare the procedures by means of six criteria. Methods: Data were gathered in the taxonomy project of the European Union of Medicine in Assurance and Social Security and by means of an additional questionnaire. Results: In seven countries RTW efforts are subject of the assessment in relation to the application for disability benefits. Description of RTW efforts is a prerequisite in five countries. Guidelines on the assessment of RTW efforts are only available in the Netherlands and no countries report the use of the ICF model. Based on the results of the additional questionnaire, the assessor is a social scientist or a physician. The information used to assess RTW efforts differs, from a report on the RTW process to medical information. A negative outcome of the assessment leads to delay of the application for disability benefits or to application for rehabilitation subsidy. Conclusion: RTW efforts are assessed in half of the participating European countries. When compared, the characteristics of the assessment of RTW efforts in the participating European countries show both similarities and differences. This study may facilitate the gathering and exchange of knowledge and experience between countries on the assessment of RTW efforts

    Teaching Case: Information Security Management in Distress at SkillPlat

    In this role-playing teaching case, students impersonate Selective Consulting, a fictitious, Australian-based company tasked with assessing the information security practices of SkillPlat, a provider of apprenticeship and traineeship services. The case develops around the one-week visit paid by Selective Consulting to SkillPlat’s headquarters, during which the consultants identify several issues that denote poor information security management practices by the company. After analysing the case materials (the main text, plus seven exhibits), students write a report in which they assess the pros and cons of SkillPlat’s information security management practices, offer recommendations for improvement, and indicate other sources of information that could be useful for a more detailed analysis. The report is expected to cover various topics in information security management: policies, user behaviours/human factors, governance, security practices, risk management, physical security, protection of personally identifiable information and privacy, organisational culture, etc. This teaching case has been successfully utilised with two cohorts of Master students as an assessment piece, at the end of a course on cybersecurity management. The present case requires students to offer solid arguments in favour of their assessment and recommendations, tapping into their knowledge of the subject and external resources (e.g., industry reports, academic papers, etc.). This Teaching Case needs to be accompanied by its Teaching Notes