6,410 research outputs found

    Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

    Insider threat is becoming comparable to outsider threat in frequency of security events. This is a worrying situation, since insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reversing this situation by introducing a framework composed of a method for identification and assessment of insider threat risks and of two supporting deliverables for awareness of insider threat. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix which correlates defense strategies, attack strategies and control principles. The method output consists of goal-based requirements for the defense against insiders.

    Towards a Qatar Cybersecurity Capability Maturity Model with a Legislative Framework

    In an age when cybersecurity vulnerabilities can be used as a pretext for a blockade, as in the case of Qatar prompted by a hack of the Qatar News Agency, it becomes incumbent upon states to consider legislating the capability maturity measurement and the development of their cybersecurity programs across the community. This paper proposes a Qatar Cybersecurity Capability Maturity Model (Q-C2M2) with a legislative framework. The paper discusses the origin, purpose and characteristics of a capability maturity model and its adoption in the cybersecurity domain. Driven by a thematic analysis under the document analysis methodology, the paper examines existing globally recognized cybersecurity capability maturity models and Qatar’s cybersecurity framework using publicly available documents. This paper also conducts a comparative analysis of existing cybersecurity capability maturity models in light of the Qatari cybersecurity framework, including a comparative analysis of cybersecurity capability maturity model literature. The comparative document analysis helped identify gaps in the existing Qatar National Information Assurance Policy and specifically the Qatar National Information Assurance Manual. The proposed Q-C2M2 aims to enhance Qatar’s cybersecurity framework by providing a workable Q-C2M2 with a legislative component that can be used to benchmark, measure and develop Qatar’s cybersecurity framework. The Q-C2M2 proposes the USERS domains consisting of Understand, Secure, Expose, Recover and Sustain. Each domain consists of subdomains, under which an organization can create cybersecurity activities at initial benchmarking. The Q-C2M2 uses the following five levels to measure the cybersecurity capability maturity of an organization: Initiating, Implementing, Developing, Adaptive and Agile.

    TCG based approach for secure management of virtualized platforms: state-of-the-art

    There is a strong trend shift in favor of adopting virtualization to get business benefits. The provisioning of virtualized enterprise resources is one kind of many possible scenarios. Where virtualization promises clear advantages, it also poses new security challenges which need to be addressed to gain stakeholders' confidence in the dynamics of the new environment. One important facet of these challenges is establishing 'Trust', which is a basic primitive for any viable business model. The Trusted Computing Group (TCG) offers technologies and mechanisms required to establish this trust in the target platforms. Moreover, TCG technologies enable protection of sensitive data at rest and in transit. This report explores the applicability of relevant TCG concepts to virtualize enterprise resources securely for provisioning, establish trust in the target platforms and securely manage these virtualized Trusted Platforms.

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management.

    The strategic use of business method patents: a pilot study of out of court settlements

    A patent is an exclusive right preventing the use or exploitation of an invention by others than the owner of the patent. A patent can be accurately described as a statutory monopoly within the scope and the jurisdiction of its grant. Proprietary positions in electronic commerce are particularly critical because of the low barriers to entry in the digital environment, and the huge potential value buried in reengineering supply chains and direct retailing services.

    Regulatory Compliance in Multi-Tier Supplier Networks

    Over the years, avionics systems have increased in complexity to the point where 1st tier suppliers to an aircraft OEM find it financially beneficial to outsource designs of subsystems to 2nd tier and at times to 3rd tier suppliers. Combined with challenging schedule and budgetary pressures, the environment in which safety-critical systems are being developed introduces new hurdles for regulatory agencies and industry. This new environment of both complex systems and tiered development has raised concerns in the ability of the designers to ensure safety considerations are fully addressed throughout the tier levels. This has also raised questions about the sufficiency of current regulatory guidance to ensure: proper flow down of safety awareness, avionics application understanding at the lower tiers, OEM and 1st tier oversight practices, and capabilities of lower tier suppliers. Therefore, NASA established a research project to address Regulatory Compliance in a Multi-tier Supplier Network. This research was divided into three major study efforts: (1) Describe Modern Multi-tier Avionics Development; (2) Identify Current Issues in Achieving Safety and Regulatory Compliance; (3) Short-term/Long-term Recommendations Toward Higher Assurance Confidence. This report presents our findings of the risks, weaknesses, and our recommendations. It also includes a collection of industry-identified risks, an assessment of guideline weaknesses related to multi-tier development of complex avionics systems, and a postulation of potential modifications to guidelines to close the identified risks and weaknesses.

    Skills, organisational performance and economic activity in the hospitality industry : a literature review

    This monograph aims to understand the pressures which push organisations to adopt particular routes to competitive advantage. The monograph aims to discover if the best practice high skill, high wage and high quality route is used in the hospitality industry. It seeks to determine the influence of companies' product market strategies and their in-company and external structural factors on skills levels, work organisation, job design and people management systems. The monograph looked at the notion of best practice approaches and then moved on to consider the best way to carry forward the future research agenda of reviewing the nature of human resource management (HRM) in the hospitality sector. Conclusions were drawn from a range of interviews and from existing work which has sought to address the issue of HRM in the hospitality sector.