20 research outputs found
Engineering Security Agreements Against External Insider Threat
Companies are increasingly engaging in complex inter-organisational networks of business and trading partners,
service and managed security providers to run their operations. Therefore, it is now common to outsource
critical business processes and to completely move IT resources to the custody of third parties. Such extended
enterprises create individuals who are neither completely insiders nor outsiders of a company, requiring new solutions to mitigate the security threat they cause. This paper improves the method introduced in Franqueira
et al. (2012) for the analysis of such threat to support negotiation of security agreements in B2B contracts.
The method, illustrated via a manufacturer-retailer example, has three main ingredients: modelling to scope
the analysis and to identify external insider roles, access matrix to obtain need-to-know requirements, and
reverse-engineering of security best practices to analyse both pose-threat and enforce-security perspectives of
external insider roles. The paper also proposes future research directions to overcome challenges identified