8,383 research outputs found

    Ethnocentric Strategies in Information Security Management


    Schrems II and TikTok: Two Sides of the Same Coin


    Access to Electronic Data for Criminal Investigations Purposes in the EU. CEPS Paper in liberty and security in Europe No. 2020-01, February 2020

    Within the EU and across the Atlantic, investigation and prosecution of crime increasingly relies on the possibility to access, collect and transfer electronic information and personal data held by private companies across borders. Cross-border access to and collection of data for the purpose of fighting crime raise several legal and jurisdictional issues. This paper comparatively examines the constitutional, legal and administrative frameworks on access to and use of digital information in cross-border criminal justice cooperation in a selection of EU member states. It presents key challenges in the application of the EU mutual recognition and mutual legal assistance instruments, as well as the existence of 'promising practices' across the EU and in transatlantic relations. The paper also assesses a set of legal and practical questions raised by the ongoing policy and normative debate on the so-called “E-Evidence” Package. Finally, it sets out a number of policy options and practical ways forward for EU and national policy makers to promote judicial cooperation for cross-border access to and collection of electronic data in line with EU and international rule of law and fundamental rights standards.

    Development of virtue ethics based security constructs for information systems trusted workers

    Despite an abundance of research on the problem of insider threats only limited success has been achieved in preventing trusted insiders from committing security violations. Virtue ethics may be a new approach that can be utilized to address this issue. Human factors such as moral considerations and decisions impact information system design, use, and security; consequently they affect the security posture and culture of an organization. Virtue ethics based concepts have the potential to influence and align the moral values and behavior of Information Systems workers with those of an organization in order to provide increased protection of IS assets. This study examines factors that affect and shape the ethical perspectives of individuals trusted with privileged access to personal, sensitive, and classified information. An understanding of these factors can be used by organizations to assess and influence the ethical intentions and commitment of information systems trusted workers. The overall objective of this study’s research is to establish and refine validated virtue ethics based constructs which can be incorporated into theory development and testing of the proposed Information Systems security model. The expectation of the researcher is to better understand the personality and motivations of individuals who pose an insider threat by providing a conceptual analysis of character traits which influence the ethical behavior of trusted workers and ultimately Information System security

    The Security Rule


    Examining the Influence of Perceived Risk on the Selection of Internet Access in the U.S. Intelligence Community

    Information technology security policies are designed explicitly to protect IT systems. However, overly restrictive information security policies may be inadvertently creating an unforeseen information risk by encouraging users to bypass protected systems in favor of personal devices, where the potential loss of organizational intellectual property is greater. Current models regarding the acceptance and use of technology, Technology Acceptance Model Version 3 (TAM3) and the Unified Theory of Acceptance and Use of Technology Version 2 (UTAUT2), address the use of technology in organizations and by consumers, but little research has been done to identify an appropriate model to begin to understand what factors would influence users that can choose between using their own personal device and using organizational IT assets, separate and distinct from “bring your own device” constructs. There are few organizations with radical demarcations between organizational assets and personal devices. One such organization, the United States Intelligence Community (USIC), provides a controlled environment where personal devices are expressly forbidden in workspaces and therefore provides a uniquely situated organizational milieu in that the use of personal devices would have to occur outside of the organizational environment. This research aims to bridge the divide between these choices by identifying the factors that influence users to select their own devices to overcome organizational restrictions in order to conduct open-source research. The research model was amalgamated from the two primary theoretical frameworks, TAM3 and UTAUT2, and is the first to integrate these theories as they relate to the intention to use personal or organizational systems to address the choices employees make when choosing between personal and organizational assets to accomplish work related tasks. 
Using survey data collected from a sample of 240 employees of the USIC, Partial Least Squares Structural Equation Modeling (PLS-SEM) statistical techniques were used to evaluate and test the model, estimate the path relationships, and provide reliability and validity checks. The results indicated that the Perception of Risk in the Enterprise (PoRE) significantly increased the Intention to Use Private Internet and decreased the Intention to Use Enterprise devices, as well as increasing the Perceived Ease of Use of Private Internet (PEUPI). The results of this study provide support to the concept that organizations must do more to balance threats to information systems with threats to information security. The imposition of safeguards to protect networks and systems, as well as employee misuse of information technology resources, may unwittingly incentivize users to use their own Internet and devices instead, where enterprise safeguards and protections are absent. This incentive is particularly pronounced when organizations increase the perceived threat of risk to users, whether intentional or inadvertent, and when the perception of the ease of use and usefulness of private Internet devices is high

    Value focused approach to information systems risk management

    Information Systems (IS) risk management is a challenge to every organization, in that they are exposed to cyber-attacks that bypass physical barriers. Organizations increase online business in order to remain competitive, but as a consequence their online exposure becomes greater. However, their risk management practices and governance are inadequate in the face of increasing new threats and vulnerabilities. This paper presents a Multi-Objective Decision Model for assessing Information Systems Risks. The decision model is based on the values and perceptions of stakeholders. It uses the Value-Focused Thinking approach, as opposed to the predominant Alternative-Focused Thinking. The objectives serve as a basis for decision making in the context of Information Systems risk management in complex managerial situations.

    Health Information Security and Privacy: A Social Science Exploration of Nurses' Knowledge and Risk Behaviors with Security and Privacy Issues Focusing on Mobile Device Usage

    Background. Health information system security and privacy are critical issues that impact the wide use of the Electronic Health Record (EHR) in healthcare including hospitals, providers and health systems (Breaches Affecting 500 or More Individuals, 2017). These issues have been researched from a technology standpoint in this era of accelerated electronic health record adoption, but less has been done related to the EHR users in the United States. Most of the literature related to security and privacy explores research topics, peripheral and direct, regarding policy adherence mechanisms. Yet to be studied is a social science exploration of nurses’ risk knowledge and risk behaviors associated with security and privacy issues. Purpose. This dissertation examines characteristics related to cybersecurity practices of new nurses a year following graduation from nursing school where they may have been prepared to work in environments with EHRs. The study will explore their understanding of cybersecurity as it relates to use and protection of the sources of information in the EHRs, and their own personal risk behaviors with mobile technologies that may put them at risk to outside hacking or misuse of information. The questions that drive the study are the associations with nurses’ knowledge of information system security, risk behaviors specifically with mobile device use, and their threat appraisal that may influence their personal habits and their concern for potential misuse of their own electronic health information. Method. A web-based survey was emailed to a sample of new graduates who completed the National Student Nurses’ Association (NSNA) Annual Survey and gave their permanent email address voluntarily to be contacted again for additional surveys. The survey designed in SurveyMonkey®, the same approach used with this sample in prior studies, was sent to a list of 3,000 addresses. 
The variables of interest are Knowledge of Information System Security (KISS), Risk Behaviors (RB), Personal Technology Practices (PTP), Mobile Device Habits (MDH), Threat Appraisal (Internal and External), Concern for Information Privacy (CFIP), and Information Privacy Protection Response (IPPR). Pilot Testing. Several measures developed for the study were tested on a sample of senior graduating nursing students (n=167) to assess their validity and reliability, including KISS, RB and PTP. Prior to data collection, the new items were assessed for content validity by five judges in preparation to be tested for reliability analysis. A paper-pencil version of the new items was distributed to the nursing students just prior to their graduation. Their responses were entered and analyzed using SPSS, which yielded a final set of items with acceptable reliability (α = .700). These new items were combined with the other variables of previously studied items, slightly modified, for integration on the final tool. Additional demographic questions and mobile device usage were added. Procedures. The final survey was distributed to the list of participants (n=3,000), anticipating a 10 - 20% return rate that would yield 300 - 600 subjects. A reminder was sent every 2 weeks for 6 weeks while the study remained open. Participants were offered an incentive of being eligible for a $250 drawing at the conclusion of the study. Analysis. The first level of analysis included an extensive descriptive analysis of the frequencies and measures of central tendency for subject self-reported mobile device frequency and types of use. The subsequent analysis included a series of correlations calculated on the variables of interest to determine the relationships of predicted relationships. The model did not support the predictions and an adjusted model was proposed for future studies on the measured variables and demographic variables of interest. Limitations. 
The pilot study was distributed in a paper format whereas the proposed format for the national study used an electronic medium. Conclusions. This study provided information about the relationship between the core variables and demographic components. These findings could inform educators and employers about new nurses’ knowledge and risk behaviors related to information system security

    Establishing Regis Network Security Policy

    This project proposes to establish a security policy for the computer lab Local Area Network (LAN) at the Colorado Springs Campus (CSC) for the Network Lab Practicum (NLP) by completing a network analysis to determine requirements. Utilizing the current network configuration, a risk assessment will be performed to identify vulnerabilities and threats to the information system. Once the risk analysis is completed, a network security plan will be developed to protect system resources. The security policy will include, at a minimum, access policies, password management, firewall policy, policy on use of active code and the Internet, standards and interoperability policies, a VPN policy, and enforcement standards. The System Development Life Cycle (SDLC) approach will be used as the project methodology. Key deliverables will include a configuration management baseline, security policy and procedures, wiring diagram, firewall, antivirus protection and lessons learned. The project will culminate with a presentation to the academic board. Class utilization of the LAN will determine the success of the project. In the final phase of the project, the LAN will be turned over to the CSC NLP for administration, classroom support and future project opportunities. Keywords: security policy, risk assessment, lessons learned, local area network, system development life cycle, password, firewall, antivirus, configuration management