112,028 research outputs found

    Dynamic deployment of context-aware access control policies for constrained security devices

    Get PDF
    Securing the access to a server, guaranteeing a certain level of protection over an encrypted communication channel, executing particular counter measures when attacks are detected are examples of security requirements. Such requirements are identi ed based on organizational purposes and expectations in terms of resource access and availability and also on system vulnerabilities and threats. All these requirements belong to the so-called security policy. Deploying the policy means enforcing, i.e., con guring, those security components and mechanisms so that the system behavior be nally the one speci ed by the policy. The deployment issue becomes more di cult as the growing organizational requirements and expectations generally leave behind the integration of new security functionalities in the information system: the information system will not always embed the necessary security functionalities for the proper deployment of contextual security requirements. To overcome this issue, our solution is based on a central entity approach which takes in charge unmanaged contextual requirements and dynamically redeploys the policy when context changes are detected by this central entity. We also present an improvement over the OrBAC (Organization-Based Access Control) model. Up to now, a controller based on a contextual OrBAC policy is passive, in the sense that it assumes policy evaluation triggered by access requests. Therefore, it does not allow reasoning about policy state evolution when actions occur. The modi cations introduced by our work overcome this limitation and provide a proactive version of the model by integrating concepts from action speci cation languages

    European Energy Union? Caught between securitisation and ‘riskification’

    Get PDF
    Fears about the security of supplies have been central to debates about the development of an integrated EU energy policy over the past decade, leading to claims that energy has been ‘securitised’. Previous analyses have found, however, that although shared security concerns are frequently used as justification for further integration, they can also serve as a rationale for Member States to resist sharing sovereignty. Transcending this apparent paradox would require not just agreement about whether energy supplies are security concerns, but also agreement about what kind of security concern they are. In this article, we examine whether such an agreement could emerge through a comparative analysis of constructions of gas security in the UK and Poland. Utilising a framework that draws from both the philosophical and sociological wings of Securitisation Studies, we demonstrate that although gas has been elevated on the security agendas of both states, the specific logic of insecurity – securitisation or riskification – underpinning these constructions differs substantially, and is conditioned by distinct modes of governance in each Member State. This, we contend, limits the potential for further integration of EU energy policies in the context of the European Commission’s proposals for an ‘Energy Union’

    Usable Security: Why Do We Need It? How Do We Get It?

    Get PDF
    Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Get PDF
    Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies and by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.</p
    • 

    corecore