3,300 research outputs found

    ECHO Information sharing models

    As part of the ECHO project, the Early Warning System (EWS) is one of four technologies under development. The E-EWS will provide the capability to share information to provide up to date information to all constituents involved in the E-EWS. The development of the E-EWS will be rooted in a comprehensive review of information sharing and trust models from within the cyber domain as well as models from other domains

    Cyber maturity in the Asia-Pacific Region 2014

    Summary: To make considered, evidence-based cyber policy judgements in the Asia-Pacific there’s a need for better tools to assess the existing ‘cyber maturity’ of nations in the region. Over the past twelve months the Australian Strategic Policy Institute’s International Cyber Policy Centre has developed a Maturity Metric which provides an assessment of the regional cyber landscape. This measurement encompasses an evaluation of whole-of-government policy and legislative structures, military organisation, business and digital economic strength and levels of cyber social awareness. This information is distilled into an accessible format, using metrics to provide a snapshot by which government, business, and the public alike can garner an understanding of the cyber profile of regional actors

    Reviewing qualitative research approaches in the context of critical infrastructure resilience

    Modern societies are increasingly dependent on the proper functioning of critical infrastructures (CIs). CIs produce and distribute essential goods or services, as for power transmission systems, water treatment and distribution infrastructures, transportation systems, communication networks, nuclear power plants, and information technologies. Being resilient becomes a key property for CIs, which are constantly exposed to threats that can undermine safety, security, and business continuity. Nowadays, a variety of approaches exist in the context of CIs’ resilience research. This paper provides a state-of-the-art review on the approaches that have a complete qualitative dimension, or that can be used as entry points for semi-quantitative analyses. The study aims to uncover the usage of qualitative research methods through a systematic review based on PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses). The paper identifies four principal dimensions of resilience referred to CIs (i.e., techno-centric, organisational, community, and urban) and discusses the related qualitative methods. Besides many studies being focused on energy and transportation systems, the literature review allows to observe that interviews and questionnaires are most frequently used to gather qualitative data, besides a high percentage of mixed-method research. The article aims to provide a synthesis of literature on qualitative methods used for resilience research in the domain of CIs, detailing lessons learned from such approaches to shed lights on best practices and identify possible future research directions

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    An information systems security framework for the e-Government Programme of Jordan

    Any e-government programme provides e-services as one of the most important means by which the interaction between citizens, businesses and governments takes place. This has brought great opportunities but also raises serious cybersecurity challenges. Critical information assets are facing various potential security risks and threats. Information systems security is necessary to mitigate those risks and threats that are faced by the e-government programme and to safeguard the confidentiality, integrity and availability of the available e-services. In light of the above, the aim of this study is to examine how information security is managed and approached within e-government programmes and the case study of the Ministry of ICT in Jordan informs that aim. The study deconstructs information security through the Technical/Formal/Informal (TFI) framework and enriches that framework by customising it for e-government, expanding it also to include citizens’ online trust. To achieve this aim, a qualitative investigation of the Jordanian e-government programme was conducted by following the research design of a case study in the interpretivist tradition. Furthermore, a survey was used as a complementary phase to examine citizens’ perspectives on e-government security. By combining, analysing and reflecting on the empirical data, a consolidated information security framework was developed for different security aspects, based on the TFI model (technical, formal and informal). The dissertation contributes to the knowledge domain at the intersection of e-government and cybersecurity both practically and theoretically, focusing on technical aspects and non-technical aspects as well. The proposed framework provides an overview of the TFI-categorised elements that can help governments reflect on and manage the security challenges of their corresponding e-government programmes

    Tackling the barriers to achieving Information Assurance

    A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy. This original, reflective practitioner study researched whether professionalising IA could be successfully achieved, in line with the UK Cyber Security Strategy expectations. The context was an observed changing dominant narrative from IA to cybersecurity. The research provides a dialectical relationship with the past to improve IA understanding. The Academic contribution: Using archival and survey data, the research traced the origins of the term IA and its practitioner usage, in the context of the increasing use of the neologism of cybersecurity, contributing to knowledge through historical research. Discourse analysis of predominantly UK government reports, policy direction, legislative and regulatory changes, reviewing texts to explore the functions served by specific constructions, mainly Information Security (Infosec) vs IA. The Researcher studied how accounts were linguistically constructed in terms of the descriptive, referential and rhetorical language used, and the function that serves. The results were captured in a chronological review of IA ontology. The Practitioner contribution: Through an initial Participatory Action Research (PAR) public sector case study, the researcher sought to make sense of how the IA profession operates and how it was maturing. Data collection from self-professed IA practitioners provided empirical evidence. The researcher undertook evolutionary work analysing survey responses and developed theories from the analysis to answer the research questions. The researcher observed a need to implement a unified approach to Information Governance (IG) on a large organisation-wide scale.
Using a constructivist grounded theory the researcher developed a new theoretical framework - i3GRC™ (Integrated and Informed Information Governance, Risk, and Compliance) - based on what people actually say and do within the IA profession. i3GRC™ supports the required Information Protection (IP) through maturation from IA to holistic IG. Again, using PAR, the theoretical framework was tested through a private sector case study, the resultant experience strengthening the bridge between academia and practitioners

    Identifying the critical success factors to improve information security incident reporting

    There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. 
The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly

    Investigating the issue of maritime domain awareness: the case of Ghana
