321,836 research outputs found

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislations on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions

    A Measure for Ending Hunger in the United States

    Hunger is a persistent problem in the United States. In 1999, three percent of U.S. households (more than 7.5 million people) were food insecure with hunger.2(p7) An additional seven percent of households (more than 23 million people) were food insecure without hunger. In all, 31 million Americans, including 12 million children, did not have enough food to meet their basic needs. In response, PARTNERS IN ENDING HUNGER (a grass-roots organization with over 17 years of experience) has declared itself an organization accountable for providing communities with the tools and training necessary to create and implement effective action plans for ending hunger (see Appendix A). Two essential tools for this work are: (1) a direct and accurate way to measure hunger in a community and (2) criteria that define when hunger has ended. The hunger measure PARTNERS has chosen is the U.S. Household Food Security Measure. It is a survey instrument and severity scale developed under the joint leadership of the U.S. Departments of Agriculture (USDA) and Health and Human Services (HHS). It has been used to measure the extent of hunger at national and state levels since 1995 and was specifically designed to be used at the local level as well. Building on distinctions and definitions presented in the U.S. Household Food Security Measure, PARTNERS has established criteria that define when hunger in a community has ended. According to PARTNERS' criteria, a community has ended hunger when, for two consecutive years, the results of the U.S. Household Food Security Measure show that none of the community's households have members who experience hunger and four percent or fewer of the community's households experience food insecurity. PARTNERS asserts that when communities meet these criteria and sustain these results over time, they have ended the persistence of hunger. These communities will then serve as models and catalysts for other communities to do the same

    Sense about science - making sense of crime

    Booklet 'Making Sense of Crime' published by registered charity 'Sense About Science'. There's always heated debate about crime in the media and a lot of political argument about how we should respond to it. But these arguments rarely provide insight into what actually causes crime, what lies behind trends over time and in different places, and how best to go about reducing it. Values inform how a society decides to deal with crime. We may decide that rehabilitation is a better principle than punishment, and this will influence how we decide what is most effective. However, we also expect these choices to be disciplined by sound evidence, because if crime policy ignores what works and what doesn't, there are likely to be bad social consequences. And with over £10bn spent annually on tackling crime through the police, prisons, probation and courts, unless we look at evidence we can't see how effective any of it is. Crime policy usually has twin aims – to prevent crime, and to seek justice by punishing those who commit offences. Research shows there's only a loose link, if any, between the way offenders are punished and the number of offences committed. There is no reliable evidence for example, that capital punishment reduces serious crimes as its supporters claim. Yet politicians and commentators regularly claim that more punishments are a way to cut crime. Academic, government and community organisations have all said crime policies need to be based more on evidence, but much of the evidence available at the moment is poor or unclear. Debates about crime rarely reflect how strong the evidence behind opposing policies is, and even when politicians honestly believe they're following the evidence, they tend to select evidence that supports their political views. This guide looks at some of the key things we do know and why it has been so difficult to make sense of crime policy.
An important point throughout is that policymakers sometimes have to make decisions when things are not clear-cut. They have a better chance of making effective policies if they admit to this uncertainty – and conduct robust research to find out more. In the following pages we have shared insights from experts in violent crime, policing, crime science, psychology and the media's influence on the crime debate. They don't have all the answers, but we hope they leave you better-placed to hold policymakers and commentators to account and promote a more useful discussion about crime

    A Comparative Usability Study of Two-Factor Authentication

    Two-factor authentication (2F) aims to enhance resilience of password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. However, it also introduces non-negligible costs for service providers and requires users to carry out additional actions during the authentication process. In this paper, we present an exploratory comparative study of the usability of 2F technologies. First, we conduct a pre-study interview to identify popular technologies as well as contexts and motivations in which they are used. We then present the results of a quantitative study based on a survey completed by 219 Mechanical Turk users, aiming to measure the usability of three popular 2F solutions: codes generated by security tokens, one-time PINs received via email or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record contexts and motivations, and study their impact on perceived usability. We find that 2F technologies are overall perceived as usable, regardless of motivation and/or context of use. We also present an exploratory factor analysis, highlighting that three metrics -- ease-of-use, required cognitive efforts, and trustworthiness -- are enough to capture key factors affecting 2F usability. Comment: A preliminary version of this paper appears in USEC 201

    Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

    Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems

    Deliver security awareness training, then repeat:{deliver; measure efficacy}

    Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours. This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times. The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours

    Quantum Copy-Protection and Quantum Money

    Forty years ago, Wiesner proposed using quantum states to create money that is physically impossible to counterfeit, something that cannot be done in the classical world. However, Wiesner's scheme required a central bank to verify the money, and the question of whether there can be unclonable quantum money that anyone can verify has remained open since. One can also ask a related question, which seems to be new: can quantum states be used as copy-protected programs, which let the user evaluate some function f, but not create more programs for f? This paper tackles both questions using the arsenal of modern computational complexity. Our main result is that there exist quantum oracles relative to which publicly-verifiable quantum money is possible, and any family of functions that cannot be efficiently learned from its input-output behavior can be quantumly copy-protected. This provides the first formal evidence that these tasks are achievable. The technical core of our result is a "Complexity-Theoretic No-Cloning Theorem," which generalizes both the standard No-Cloning Theorem and the optimality of Grover search, and might be of independent interest. Our security argument also requires explicit constructions of quantum t-designs. Moving beyond the oracle world, we also present an explicit candidate scheme for publicly-verifiable quantum money, based on random stabilizer states; as well as two explicit schemes for copy-protecting the family of point functions. We do not know how to base the security of these schemes on any existing cryptographic assumption. (Note that without an oracle, we can only hope for security under some computational assumption.) Comment: 14-page conference abstract; full version hasn't appeared and will never appear. Being posted to arXiv mostly for archaeological purposes. Explicit money scheme has since been broken by Lutomirski et al (arXiv:0912.3825).
Other quantum money material has been superseded by results of Aaronson and Christiano (coming soon). Quantum copy-protection ideas will hopefully be developed in separate wor

    Beyond Bullets and Bombs: Fixing the U.S. Approach to Development in Pakistan

    Explains the rationale for a clear U.S. strategy for Pakistan's development, ways to improve planning and implementation, and policy recommendations for supporting the private sector through trade and investment and targeting aid for long-term impact