13 research outputs found

    Vulnerabilities and responsibilities: dealing with monsters in computer security

    Purpose – The purpose of this paper is to analyze information security assessment in terms of cultural categories and virtue ethics, in order to explain the cultural origin of certain types of security vulnerabilities, as well as to enable a proactive attitude towards preventing such vulnerabilities.
    Design/methodology/approach – Vulnerabilities in information security are compared to the concept of “monster” introduced by Martijntje Smits in philosophy of technology. The applicability of different strategies for dealing with monsters to information security is discussed, and the strategies are linked to attitudes in virtue ethics.
    Findings – It is concluded that the present approach can form the basis for dealing proactively with unknown future vulnerabilities in information security.
    Research limitations/implications – The research presented here does not define a stepwise approach for implementation of the recommended strategy in practice. This is future work.
    Practical implications – The results of this paper enable computer experts to rethink their attitude towards security threats, thereby reshaping their practices.
    Originality/value – This paper provides an alternative anthropological framework for descriptive and normative analysis of information security problems, which does not rely on the objectivity of risk.

    Explanation and trust: what to tell the user in security and AI?

    There is a common problem in artificial intelligence (AI) and information security. In AI, an expert system needs to be able to justify and explain a decision to the user. In information security, experts need to be able to explain to the public why a system is secure. In both cases, the goal of explanation is to acquire or maintain the users' trust. In this paper, we investigate the relation between explanation and trust in the context of computing science. This analysis draws on literature study and concept analysis, using elements from system theory as well as actor-network theory. We apply the conceptual framework to both AI and information security, and show the benefit of the framework for both fields by means of examples. The main focus is on expert systems (AI) and electronic voting systems (security). Finally, we discuss consequences of our analysis for ethics in terms of (un)informed consent and dissent, and the associated division of responsibilities.

    Intrusion detection through knowledge sharing

    The financial losses caused by computer crimes have increased by more than $100 million every year since 1999. The combination of financial losses and high profile events such as the spread of the Code Red worm has sparked public interest in computer crime. With the increasing public awareness of the need for better computer security, companies are beginning to rely heavily on intrusion detection systems. Currently, security companies focus on the creation of complete, comprehensive intrusion detection products. So far no single product has been able to dominate the intrusion detection market. As a result, computer networks use multiple intrusion detection systems functioning independently of each other. There exists the possibility of better intrusion detection by linking the independent components into a knowledge-sharing system. With cooperative detection methods in mind, an outline for a knowledge-sharing protocol is developed. For this experiment the control is a hybrid intrusion detection system that is unable to share knowledge of previously detected attacks, and whose performance is effectively the sum of its components. The test IDS is the control system modified to take advantage of knowledge sharing. The experiment shows that better results can be achieved through the cooperation of the components of existing intrusion detection systems.

    Bridging the gap between human and machine trust: applying methods of user-centred design and usability to computer security

    This work presents methods for improving the usability of security. The work focuses on trust as part of computer security. Methods of usability and user-centred design present an essential starting point for the research. The work uses the methods these fields provide to investigate differences between machine and human trust, as well as how the technical expressions of trust could be made more usable by applying these methods. The thesis is based on nine publications, which present various possibilities to research trust with user-centric methods. The publications proceed chronologically and logically from the first user interviews about trust, trusting attitudes and behaviours in general to the actual design and usability testing of user interfaces for security applications, finally presenting the outcomes and conclusions of the research. The work also presents a review of relevant previous work in the area, concentrating on work done in the fields of usability and user-centred design. The work is of cross-disciplinary nature, falling into the areas of human-computer interaction, computer science and telecommunications. The ultimate goal of the conducted research has been to find out 1) how trust is to be understood in this context; 2) what methods can be used to gain insight into trust thus defined; and, finally, 3) what means can be used to create trust in the end users in online situations, where trust is needed. The work aims at providing insight into how trust can be studied with the methods provided by user-centred design and usability. Further, it investigates how to take understanding of trust formation in humans into account when attempting to design trust-inducing systems and applications. The work includes an analysis and comparison of the methods used: what kinds of methods to study trust exist in the field of usability and user-centred design. 
    Further, the work evaluates what kinds of results can be reached, and when, with the different methods available, by applying a variety of these methods. Recommendations for the appropriate application of these methods when studying the various parts of trust are one of the outcomes. The results received with the methods used have also been compared with results received by others by applying alternative methods to the same research questions. On a conceptual level, the work contains an analysis of the concept of trust. It also contains a brief investigation into both technical and humane ways to express trust, with a comparison between the two.

    La volonté machinale: understanding the electronic voting controversy

    Contains fulltext: 32048_voloma.pdf (publisher's version) (Open Access). Radboud Universiteit Nijmegen, 21 January 2008. Supervisor: Jacobs, B.P.F. Co-supervisors: Poll, E., Becker, M. 226 p.

    A study of employees' attitudes towards organisational information security policies in the UK and Oman

    There is a need to understand what makes information security successful in an organization. What are the threats that the organization must deal with and what are the criteria of a beneficial information security policy? Policies are in place, but why are employees not complying? This study is the first step in trying to highlight effective approaches and strategies that might help organizations to achieve good information security through looking at success factors for the implementation. This dissertation will focus on human factors by looking at what concerns employees about information security. It will explore the importance of information security policy in organizations, and employees’ attitudes to compliance with organizations' policies. This research has been divided into four stages. Each stage was developed in light of the results from the previous stage. The first two stages were conducted in the Sultanate of Oman in order to use a population just starting out in the information security area. Stage one started with a qualitative semi-structured interview to explore and identify factors contributing towards successful implementation of information security in an organization. The results suggested a number of factors organizations needed to consider to implement information security successfully. The second stage of the research was based on the first stage’s results. After analysing the outcomes from the semi-structured interviews a quantitative questionnaire was developed to explore for information security policy. The findings did suggest that the more issues the organization covers in their security policy the more effective their policy is likely to be. The more an organization reports adoption of such criteria in their security policy, the more they report a highly effective security policy. The more the organization implements the ‘success factors’ the more effective they feel their security policy will be.
    The third stage was conducted in the UK at Glasgow University because employees are somewhat familiar with the idea of information security. It was based on the findings derived from the analysis of the quantitative questionnaire at stage two. The findings revealed different reasons for employees’ non-compliance with organization security policy as well as the impact of non-compliance. The fourth stage consolidates the findings of the three studies and brings them together to give recommendations about how to formulate a security policy to encourage compliance and therefore reduce security threats.

    A Framework for the Identification of Electronic Commerce Visual Design Elements that Enable Trust within the Small Hotel Industry

    Trust plays an important role in any customer relationship or transaction. This is especially true in the world of commerce. Buyers and sellers must make the conscious decision whether or not to trust the other party. Trust is an integral part of commerce and has been in existence since the beginning of human social interactions. With the emerging use of the Internet as a business medium of exchange, trust maintains an important role in electronic commerce. This research reviews the role of trust within the small hotel industry and the design elements having the highest impact toward developing trust between the buyer and seller. Trust is a concept that most people understand but have trouble defining. Brick and mortar companies can establish trust by providing personal service, one-on-one contact, and creating an environment that communicates trust to the customer. In the electronic commerce environment, many of the face-to-face experiences a shopper receives from the physical store are missing. The online shopper must develop a level of trust based on the web representation of the company or organization. Only through good experiences are the bonds of trust solidified, making the user more comfortable with sharing information and engaging in extensive forms of commerce. Trust must be established from the first exposure to the property or online representation of the hotel. How can the small hotel compete with large chains, such as Marriott, Sheraton, Hilton, or Embassy Suites? The Internet is becoming the main communication channel for the Business to Consumer (B2C) market, leaving the ability to differentiate between the luxury hotel and the small hotel to the skill of the web developer. Therefore, smaller hotels must exploit the Internet in order to develop trust and increase their market share.
    The goal of this research was to create a usable framework for building trust in an online environment, focusing specifically on the small hotel sector within the lodging industry. This framework was constructed based on the literature review and enabled the development of a solid information architecture and Internet strategy. This study established that page layout, navigation, professional style, graphics, and information content are significantly related to the establishment of online trust. The utilization of these visual design elements will enable small hotel organizations to utilize the electronic commerce environment as a competitive advantage.