    Information security research: External hacking, insider breach, and profound technologies

    Information assets are among the most valuable intangible productive capital a company has: they let it compete with rivals, learn consumers' shopping habits, guide its development direction, and stand out to retain profitability. However, given the pervasiveness of the Internet, information breaches from both external hacking and internal corruption continually erode a company's economic profit. This dissertation consists of three studies, each investigating a different aspect of information security, and aims to address the growing concern of securing a company's information assets. The first study examines external hackers' behaviour and models a Bayesian game between a firm and two discrete types of hackers (domestic and international) based on the framework of the Inspection Game. This study explains why external hacking, especially international hacking, is hard to prevent effectively. The second study is an empirical work and explores the other side of information security data breaches, which are mainly due to insiders' (e.g., employees') malicious deeds or noncompliance with information security policy. This study shows that individual reward and punishment together with 100% detection is the best incentive structure for reducing insider data breaches. In addition, the second study finds that individual reward is more effective than individual punishment, which helps explain why employees are more willing to spend time complying with security policy when a reward is present. Lastly, the third study is a conceptual work and relies on the Theory of Bounded Rationality to discuss how blockchain technology can undermine the motivations of both external and internal intruders in order to prevent information breaches.
    Overall, this dissertation discusses current issues of hacking, constructs a payment/incentive structure to regulate noncompliance, empirically tests the validity of the proposed structure, points out a solution to advance information security defense, and provides some managerial recommendations to practitioners.

    Blockchain and Smart Contract for Peer-to-Peer Energy Trading Platform: Legal Obstacles and Regulatory Solutions, 19 UIC REV. INTELL. PROP. L. 285 (2020)

    This paper discusses the implications of smart contracts in energy trading for the protection of consumer and individual rights. It examines the legal risks and regulatory solutions for a peer-to-peer energy trading platform (P2P-ETP) in creating a sustainable energy ecosystem. Part I discusses the conceptual framework of a P2P-ETP, which enables consumers to become energy 'producers' and traders. Smart technologies (smart contracts, smart meters, and distributed ledger technology (DLT) platforms) are the main components of this platform, and the study examines the legal basis for each of them. Part II analyzes the legal uncertainty of the smart contract, such as its enforceability, and the inadequate protection of consumers and their individual rights against price manipulation, privacy violations, and data breaches. Part III discusses potential policy implementations and the principles behind a legal and regulatory framework for establishing a trusted peer-to-peer energy trading platform.

    Privacy, Access Control, and Integrity for Large Graph Databases

    Graph data are extensively utilized in social networks, collaboration networks, geo-social networks, and communication networks. Their growing usage in cyberspace poses daunting security and privacy challenges. Data publication requires privacy-protection mechanisms to guard against information breaches. In addition, access control mechanisms can be used to allow controlled sharing of data. Providing privacy protection, access control, and data integrity for graph data requires a holistic approach to data management and secure query processing. This thesis presents such an approach. In particular, the thesis addresses two notable challenges for graph databases: i) how to ensure users' privacy in published graph data under access control policy enforcement, and ii) how to verify the integrity of graph datasets and of query results over them. To address the first challenge, a privacy-protection framework under role-based access control (RBAC) policy constraints is proposed. The design of such a framework poses a trade-off problem, which is proven to be NP-complete. Novel heuristic solutions are provided to solve the constraint problem. To the best of our knowledge, this is the first scheme that studies the trade-off between RBAC policy constraints and privacy protection for graph data. To address the second challenge, a cryptographic security model based on hash-based message authentication codes (HMACs) is proposed. The model ensures integrity and completeness verification of data and query results in both two-party and third-party data distribution environments. Solutions based on HMACs for integrity verification of graph data are developed, and a detailed security analysis is provided for the proposed schemes. Extensive experimental evaluations are conducted to illustrate the performance of the proposed algorithms.
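    The abstract above describes HMAC-based integrity and completeness checks on graph query results without detailing the construction. The following is an added example, not the thesis's scheme: the data owner tags each vertex's canonical adjacency list with an HMAC, an untrusted server answers neighbor queries with the stored tag, and a client that shares the key with the owner recomputes the tag over the returned list. Because the tag covers the sorted neighbor set and its size, a server that silently drops or injects an edge cannot produce a verifying answer. The graph, the key, and the server's tampering options are constructed for the example.

```python
"""HMAC tags over canonical adjacency lists so a client can check that a
neighbor query answered by an untrusted server is authentic and complete.

Illustrative code written for this page, not the thesis's scheme. The graph,
the key and the server behaviour below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Optional


def neighbor_tag(key: bytes, vertex: str, neighbors: Iterable[str]) -> bytes:
    # Canonical encoding: the neighbor set is sorted and its size is included,
    # so dropping, adding or reordering an edge changes the tag.
    adj = sorted(set(neighbors))
    payload = {"v": vertex, "n": len(adj), "adj": adj}
    msg = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def publish(key: bytes, graph: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Data owner: one tag per vertex, handed to the server with the graph."""
    return {v: neighbor_tag(key, v, adj) for v, adj in graph.items()}


def server_answer(graph: Dict[str, List[str]], tags: Dict[str, bytes],
                  vertex: str, drop: Optional[str] = None,
                  inject: Optional[str] = None) -> dict:
    """Untrusted server: answers a neighbor query, optionally tampering with it."""
    adj = [u for u in graph.get(vertex, []) if u != drop]   # drop = omit an edge
    if inject:                                              # inject = add a fake edge
        adj.append(inject)
    return {"v": vertex, "adj": adj, "tag": tags.get(vertex)}


def verify(key: bytes, answer: dict) -> bool:
    """Client (shares the key with the owner): recompute the tag and compare."""
    tag = answer.get("tag")
    if tag is None:           # unknown vertex or stripped tag: reject
        return False
    expected = neighbor_tag(key, answer["v"], answer["adj"])
    return hmac.compare_digest(expected, tag)


# Constructed sample graph (undirected, stored as adjacency lists).
GRAPH = {
    "a": ["b", "c"],
    "b": ["a"],
    "c": ["a", "d"],
    "d": ["c"],
    "e": [],          # an isolated vertex still gets a tag, so "no neighbors" is verifiable
}
KEY = b"example-shared-key"   # constructed; use a random 32-byte key in practice
TAGS = publish(KEY, GRAPH)

if __name__ == "__main__":
    print(verify(KEY, server_answer(GRAPH, TAGS, "a")))              # honest answer
    print(verify(KEY, server_answer(GRAPH, TAGS, "a", drop="c")))    # incomplete answer
    print(verify(KEY, server_answer(GRAPH, TAGS, "a", inject="d")))  # forged edge
```

    This covers single-vertex neighbor queries in the two-party setting, where the verifier holds the key. A third party that must verify without the key, and completeness for multi-hop or filtered queries, need additional structure beyond what this snippet shows.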

    Best Practices to Minimize Data Security Breaches for Increased Business Performance

    In the United States, businesses have reported over 2,800 data compromises of an estimated 543 million records, with security breaches costing firms approximately $7.2 million annually. Scholars and industry practitioners have indicated a significant impact of security breaches on consumers and organizations. However, there are limited data on the best practices for minimizing the impact of security breaches on organizational performance. The purpose of this qualitative multicase study was to explore best practices technology leaders use to minimize data security breaches for increased business performance. Systems theory served as the conceptual framework for this study. Fourteen participants were interviewed, including 2 technology executives and 5 technical staff, each from a banking firm in the Northcentral United States and a local government agency in the Southcentral United States. Data from semistructured interviews, in addition to security and privacy policy statements, were analyzed for methodological triangulation. Four major themes emerged: a need for implementation of security awareness education and training to mitigate insider threats, the necessity of consistent organization security policies and procedures, an organizational culture promoting data security awareness, and an organizational commitment to adopt new technologies and innovative processes. The findings may contribute to the body of knowledge regarding best practices technology leaders can use for securing organizational data and contribute to social change since secure organizational data might reduce consumer identity theft

    Contextual and Granular Policy Enforcement in Database-backed Applications

    Database-backed applications rely on inlined policy checks to process users' private and confidential data in a policy-compliant manner, because traditional database access control mechanisms cannot enforce complex policies. However, application bugs due to missed checks are common in such applications and result in data breaches. While separating policy from code is a natural solution, many data protection policies specify restrictions based on the context in which data is accessed and how the data is used. Enforcing these restrictions automatically presents significant challenges, as the information needed to determine context requires a tight coupling between policy enforcement and an application's implementation. We present Estrela, a framework for enforcing contextual and granular data access policies. Working from the observation that API endpoints can be associated with salient contextual information in most database-backed applications, Estrela allows developers to specify API-specific restrictions on data access and use. Estrela provides a clean separation between policy specification and the application's implementation, which facilitates easier auditing and maintenance of policies. Policies in Estrela consist of pre-evaluation and post-evaluation conditions, which provide the means to modulate database access before a query is issued and to impose finer-grained constraints on information release after the query has been evaluated, respectively. We build a prototype of Estrela and apply it to retrofit several real-world applications (from 1,000 to 80k LOC) to enforce different contextual policies. Our evaluation shows that Estrela can enforce policies with minimal overheads.
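    The abstract describes endpoint-keyed policies with pre-evaluation and post-evaluation conditions but shows no code. The following is an added example written for this page, not Estrela's own API or implementation: each API endpoint registers a policy whose pre-condition contributes a parameterised SQL predicate before the query runs and whose post-condition filters or redacts each row after evaluation, with deny-by-default for endpoints that have no policy. The patients table, the `/me` and `/ward/roster` endpoints, and the `Request` and `Policy` types are assumptions made for the example.

```python
"""Endpoint-keyed contextual policies with pre- and post-evaluation conditions.

Illustrative code written for this page; it is not Estrela's API. The table,
the endpoints and the Request/Policy types are assumptions for the example.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for an application's database.
ROWS = [
    (1, "alice", "ward-a", "flu", "alice@example.test"),
    (2, "bob", "ward-a", "asthma", "bob@example.test"),
    (3, "carol", "ward-b", "migraine", "carol@example.test"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE patients(id INTEGER, name TEXT, ward TEXT, "
                 "diagnosis TEXT, email TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?,?,?,?,?)", ROWS)
    return conn


@dataclass
class Request:
    """The context an endpoint carries: who is calling, in what role, for which ward."""
    endpoint: str
    user: str
    role: str                     # "patient" or "nurse" in this example
    ward: Optional[str] = None


# A pre-condition yields an extra SQL predicate plus bound parameters that are
# appended to the query before it runs; a post-condition filters or redacts each
# row after the query has been evaluated (returning None drops the row).
PreCond = Callable[[Request], Tuple[str, tuple]]
PostCond = Callable[[Request, dict], Optional[dict]]


@dataclass
class Policy:
    pre: PreCond
    post: PostCond


POLICIES: Dict[str, Policy] = {}
DENY = ("0", ())                  # predicate that matches no row


def me_pre(req: Request) -> Tuple[str, tuple]:
    # /me: only a patient may call it, and only their own record is selected.
    if req.role != "patient":
        return DENY
    return ("name = ?", (req.user,))


def me_post(req: Request, row: dict) -> Optional[dict]:
    return row                    # the caller's own record is released in full


def roster_pre(req: Request) -> Tuple[str, tuple]:
    # /ward/roster: a nurse sees only the ward attached to the request context.
    if req.role != "nurse" or req.ward is None:
        return DENY
    return ("ward = ?", (req.ward,))


def roster_post(req: Request, row: dict) -> Optional[dict]:
    # Finer-grained release constraint: the roster never carries contact details.
    row.pop("email", None)
    return row


POLICIES["/me"] = Policy(me_pre, me_post)
POLICIES["/ward/roster"] = Policy(roster_pre, roster_post)


def run(req: Request, conn: sqlite3.Connection) -> List[dict]:
    """Execute the endpoint's base query under its registered policy.

    Deny by default: an endpoint with no policy releases nothing, which is the
    case an inlined, easily forgotten check does not protect against.
    """
    policy = POLICIES.get(req.endpoint)
    if policy is None:
        raise PermissionError(f"no policy registered for {req.endpoint}")
    predicate, params = policy.pre(req)
    # The predicate is always parameterised, never interpolated from request data.
    sql = f"SELECT * FROM patients WHERE {predicate}"
    released = []
    for row in conn.execute(sql, params):
        kept = policy.post(req, dict(row))
        if kept is not None:
            released.append(kept)
    return released


if __name__ == "__main__":
    db = open_db()
    print(run(Request("/me", "alice", "patient"), db))
    print(run(Request("/ward/roster", "nina", "nurse", ward="ward-a"), db))
    print(run(Request("/ward/roster", "bob", "patient"), db))   # denied
```

    The point of the split is that the same base query is issued from both endpoints, but what it may touch and what it may release is decided by the endpoint's policy rather than by checks scattered through handler code, so a missing `if` in one handler cannot turn into a data leak.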

    Data Security and the FTC's UnCommon Law

    There were more data breaches in 2014 than any prior year, including the well-publicized attacks on Sony, Target, JPMorgan, and Home Depot—and uncountably more on individuals and smaller companies. This pace continued into 2015, with attacks against Anthem BCBS, Hacking Team, eBay, Trump Hotels, and Ashley Madison, and with a notable expansion into attacks on government targets, including major breaches from OPM and the IRS. Over the past 15 years, and in response to the lack of any comprehensive legal framework for addressing data security concerns, the FTC has acted as the primary regulator of data security practices in the United States. In this role, the FTC has used ad-hoc enforcement of its statutory “unfair acts and practices” authority to develop a “common law” of data security. This Article raises concerns that the FTC’s self-styled “common-law” approach to data security regulation is yielding an unsound body of law. It argues that the FTC’s approach lacks critical features of the common law that are necessary for the development of jurisprudentially legitimate rules, and also that this approach raises jurisdictional and due process concerns. It builds on these critiques to recommend an alternative approach for the FTC to consider: treating a firm’s lack of an affirmative data security policy as an unfair practice. In so doing, this Article makes contributions to ongoing pressing discussions about how the law and regulators should respond to data security issues. It also makes contributions to ongoing scholarly discussions of agency choice of procedure and due process, both of which are of active and increasing interest in the administrative and regulatory law communities

    Why the Insurance Industry Cannot Protect Against Health Care Data Breaches


    Moving Beyond “Reasonable”: Clarifying the FTC’s Use of Its Unfairness Authority in Data Security Enforcement Actions

    Data security breaches, which compromise private consumer information, seem to be an ever-increasing threat. To stem this tide, the Federal Trade Commission (FTC) has relied upon its authority to enforce the prohibition against unfair business practices under section 5 of the Federal Trade Commission Act (“section 5”) to hold companies accountable when they fail to employ data security measures that could prevent breaches. Specifically, the FTC brings enforcement actions when it finds that companies have failed to implement “reasonable” data security measures. However, companies and scholars argue that the FTC has not provided adequate notice of which data security practices it considers “reasonable” for the purposes of section 5. This Note explains and critically analyzes several existing proposals that seek to bring clarity to the FTC’s application of its unfairness authority in the data security context and ultimately proposes a novel solution which encourages the FTC explicitly to outline its minimum data security requirements through nonlegislative rulemaking. This Note contends that the FTC should incorporate a principle of proportionality in any rule to ensure that companies know which data security measures they should implement based on the relative sensitivity of the consumer data that they retain. Additionally, this Note suggests that the FTC should incorporate a safe harbor provision so that compliant companies know that, by following the FTC’s guidelines, they will be immune from section 5 enforcement actions

    Stand in the Place Where Data Live: Data Breaches as Article III Injuries

    Every day, another hacker gains unauthorized access to information, be it credit card data from grocery stores or fingerprint records from federal databases. Bad actors who orchestrate these data breaches, if they can be found, face clear criminal liability. Still, a hacker's conviction may not be satisfying to victims whose data was accessed, and so victims may seek proper redress through lawsuits against compromised organizations. In those lawsuits, plaintiff-victims allege promising theories, including that the compromised organization negligently caused the data breach or broke an implied contract to protect customers' personal information. However, many federal courts see a data breach as essentially harmless, holding that data breach plaintiff-victims do not necessarily suffer cognizable legal injuries. In practice, this means that the plaintiffs do not have Article III standing, and courts do not reach merits determinations of fault. Instead, a data breach to these courts is only harmful to the extent that it leads to a subsequent injury, like identity theft or fraud. Therefore, data breach victims must suffer even more harm before they can bring a lawsuit. Other courts under this framework do nonetheless find that data breach plaintiff-victims have standing. However, even those courts still wrongly check whether the plaintiffs suffered future identity theft, fraud, or other harm; they simply find that such subsequent harm is readily apparent. This Note offers a proper approach to standing in data breach lawsuits. I argue that the moment a victim's data is exposed without their authorization, they suffer a cognizable common law injury, regardless of whether that data exposure actually causes subsequent harm. Rather than thinking of data breaches as a means to future data misuse, courts should think of data breaches as injurious in and of themselves.

    Insecure
