5 research outputs found

    Gaining Real-World Experience in Information Security: A Roadmap for a Service-Learning Course

    Students need real-world experience. Industry needs graduating students entering the workforce to be skilled in relevant subject matter, critical thinking, and communication skills. Community-based nonprofit organizations, as well as small businesses, need help in building organizational capacity. Instructors also benefit from periodic observation of organizational work in the instructor’s area of teaching. A service-learning course that is focused on capacity building is a means to reach all of these goals. This article presents a roadmap for teaching a service-learning course in information security risk assessment. Students work in teams on a term-long project conducting an on-site risk assessment, making security recommendations, and producing and presenting a final security risk report to an organization’s management. Teaching tips are offered on course planning, launch, materials, and execution

    IS Security Requirements Identification from Conceptual Models in Systems Analysis and Design: The Fun & Fitness, Inc. Case

    This teaching case introduces students to a relatively simple approach to identifying and documenting security requirements within conceptual models that are commonly taught in systems analysis and design courses. An introduction to information security is provided, followed by a classroom example of a fictitious company, Fun & Fitness, in the process of updating its e-Commerce site for class registrations. The case illustrates how UML class diagrams can be used for information classification, data input validation, and regulatory compliance considerations; how a UML use case diagram can be transformed into a “misuse case” diagram to identify threats and countermeasures to functional use cases; and how a data flow diagram may be used to analyze and document threats and countermeasures to data stores, data flows, processes, and external entities using the STRIDE approach developed by Microsoft. The case is geared toward a systems analyst who does not have former training in IS security, and is suitable for upper-division undergraduate and graduate courses

    "I have nothing to hide; thus nothing to fear": Defining a Framework for Examining the 'Nothing to Hide' Persona

    ABSTRACT "I've got nothing to hide" is a common response when people are asked their view on government surveillance and online tracking for the sake of national security and interest-based advertising, respectively. The 'nothing to hide' (NtH) privacy view, characterized by Solove, raises new and important research questions scarcely explored. By clearly conceptualizing the NtH persona, the focus shifts away from whether the person 'is' concerned about privacy, to focusing more on 'why' concern may (or may not) be needed and how privacy and security scholars and practitioners can better understand and design for this consumer. In this paper, we present a framework to help conceptualize and identify the NtH consumer. We then describe a method to translate the findings from this framework into actionable information that informs design using privacy personas, which are archetypal characters who share common goals, attitudes, and behaviors around privacy. A NtH persona can help to communicate the NtH perspective, prompt new research questions, and positively influence technology design

    User Participation in Information Systems Security Risk Management

    This paper examines user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level. First, eleven informants across five organizations were interviewed to gain an understanding of the types of activities and security controls in which users participated as part of Sarbanes-Oxley compliance, along with associated outcomes. A research model was developed based on the findings of the qualitative study and extant user participation theories in the systems development literature. Analysis of the data collected in a questionnaire survey of 228 members of ISACA, a professional association specialized in information technology governance, audit, and security, supported the research model. The findings of the two studies converged and indicated that user participation contributed to improved security control performance through greater awareness, greater alignment between IS security risk management and the business environment, and improved control development. While the IS security literature often portrays users as the weak link in security, the current study suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures. User participation is also a means to engage users in protecting sensitive information in their business processes

    Genetic determinants of risk in pulmonary arterial hypertension: international genome-wide association studies and meta-analysis.

    BACKGROUND: Rare genetic variants cause pulmonary arterial hypertension, but the contribution of common genetic variation to disease risk and natural history is poorly characterised. We tested for genome-wide association for pulmonary arterial hypertension in large international cohorts and assessed the contribution of associated regions to outcomes. METHODS: We did two separate genome-wide association studies (GWAS) and a meta-analysis of pulmonary arterial hypertension. These GWAS used data from four international case-control studies across 11 744 individuals with European ancestry (including 2085 patients). One GWAS used genotypes from 5895 whole-genome sequences and the other GWAS used genotyping array data from an additional 5849 individuals. Cross-validation of loci reaching genome-wide significance was sought by meta-analysis. Conditional analysis corrected for the most significant variants at each locus was used to resolve signals for multiple associations. We functionally annotated associated variants and tested associations with duration of survival. All-cause mortality was the primary endpoint in survival analyses. FINDINGS: A locus near SOX17 (rs10103692, odds ratio 1·80 [95% CI 1·55-2·08], p=5·13 × 10⁻¹⁵) and a second locus in HLA-DPA1 and HLA-DPB1 (collectively referred to as HLA-DPA1/DPB1 here; rs2856830, 1·56 [1·42-1·71], p=7·65 × 10⁻²⁰) within the class II MHC region were associated with pulmonary arterial hypertension. The SOX17 locus had two independent signals associated with pulmonary arterial hypertension (rs13266183, 1·36 [1·25-1·48], p=1·69 × 10⁻¹²; and rs10103692). Functional and epigenomic data indicate that the risk variants near SOX17 alter gene regulation via an enhancer active in endothelial cells. Pulmonary arterial hypertension risk variants determined haplotype-specific enhancer activity, and CRISPR-mediated inhibition of the enhancer reduced SOX17 expression. The HLA-DPA1/DPB1 rs2856830 genotype was strongly associated with survival. Median survival from diagnosis in patients with pulmonary arterial hypertension with the C/C homozygous genotype was double (13·50 years [95% CI 12·07 to >13·50]) that of those with the T/T genotype (6·97 years [6·02-8·05]), despite similar baseline disease severity. INTERPRETATION: This is the first study to report that common genetic variation at loci in an enhancer near SOX17 and in HLA-DPA1/DPB1 is associated with pulmonary arterial hypertension. Impairment of SOX17 function might be more common in pulmonary arterial hypertension than suggested by rare mutations in SOX17. Further studies are needed to confirm the association between HLA typing or rs2856830 genotyping and survival, and to determine whether HLA typing or rs2856830 genotyping improves risk stratification in clinical practice or trials. FUNDING: UK NIHR, BHF, UK MRC, Dinosaur Trust, NIH/NHLBI, ERS, EMBO, Wellcome Trust, EU, AHA, ACClinPharm, Netherlands CVRI, Dutch Heart Foundation, Dutch Federation of UMC, Netherlands OHRD and RNAS, German DFG, German BMBF, APH Paris, INSERM, Université Paris-Sud, and French ANR.