1,043 research outputs found

    Information security value in e-entrepreneurship

    This paper researches the value of information security in e-entrepreneurship by reviewing the literature that establishes the entrepreneurial domain and relating it to the development of technological resources that create value for the customer in an online business. It details multiple paradigms regarding consumers’ values of information security, while relating them to common practices and previous research in technological entrepreneurship. This research presents and discusses the benefits of information security standards in e-entrepreneurship. It details and discusses the ISO 27001 and PCI-DSS information security standards that can be used to differentiate security initiatives to achieve competitive advantage, while preserving information leadership as a critical resource for online business success. Based on the literature review, a theoretical research model is presented and research hypotheses are discussed. This model posits that information security affects information leadership and that information leadership, as a unique resource in e-business, contributes to e-entrepreneurship success. The adoption of information security standards affects customers’ trust in e-business, which also benefits e-entrepreneurial strategy.

    Value focused assessment of cyber risks to gain benefits from security investments

    Doctorate in Management. With the multiplication of technological devices and their multiple complex interactions, cyber risks keep increasing. Supervisory entities establish new compliance requirements to force organizations to manage cyber risks. Despite these growing threats and requirements, decisions on cyber risk mitigation are still not well accepted by stakeholders, and the business benefits of security investments remain unnoticed by top management.
This research analyzes the cyber risk management lifecycle by identifying cyber risk mitigation objectives captured from subject matter experts, prioritizing those objectives in a cyber risk management decision model to help risk managers in the decision process by taking into account multiple real scenarios, developing a baseline of cyber risk management principles to form a cyber risk strategy applicable and adaptable to current organizations, and finally evaluating the business benefits of security investments to mitigate cyber risks in a continuous improvement approach. Two theoretical frameworks are combined to address the full cyber risk management lifecycle: value focused thinking guides the decision process, and benefits management ensures that business benefits are realized during project implementation, after the decision is taken to invest in a security solution to mitigate cyber risk.

    Web attack risk awareness with lessons learned from high interaction honeypots

    Master's thesis, Information Security (Segurança Informática), Universidade de Lisboa, Faculdade de Ciências, 2009. With the evolution of web 2.0, the majority of enterprises conduct their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly influences the business, putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation.
In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the necessary forensic information that helps the research community to study the modus operandi of the attacker, gathering the latest exploits and malicious tools, and to develop adequate safeguards that deal with the majority of attack techniques. Using the detailed attack information gathered with the web honeypots, attacker behaviour is classified across different attack profiles to analyse the risk mitigation safeguards needed to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of honeypot security concepts in responding to each framework’s requirements and consequently mitigating the risk.

    Automatic extraction of quotes and topics from news feeds

    The explosive growth in information production poses increasing challenges to consumers, confronted with problems often described as information overflow. We present verbatim, a software system that can be used as a personal information butler to help structure and filter information. We address a small part of the information landscape, namely quotes extraction from Portuguese news. This problem includes several challenges, specifically in the areas of information extraction and topic distillation. We present a full description of the problems and our adopted approach. verbatim is available online at http://irlab.fe.up.pt/p/verbatim

    The Role of the Chief Information Security Officer (CISO) in Organizations

    In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical to protect these information assets, which is why organizations’ information security strategy has been aligning with their strategic goals. This paper aims to study organizations’ general information security environment, analyse the CISO’s role in them and understand where the CISO should be positioned in the organizational structure. Interviews were conducted with experienced information security consultants and information systems and information security directors, which led to the conclusion that organizations in Portugal still need to increase their maturity when it comes to information security, and that this may be due to the absence of an established security culture in the country. On the other hand, the CISO’s role has been increasing in relevance, and it is considered that the CISO should have a close and independent relationship with organizations’ boards.

    SUCTION MEASUREMENTS AND WATER RETENTION IN UNSATURATED SOILS

    Techniques for testing unsaturated soils have been investigated by the author where the measurement and control of parameters were undertaken directly. Suction was measured and controlled with a new high suction tensiometer and water content through mass measurements with a balance. These techniques have been used for the determination of soil water retention curves and for the development of a suction control system using air circulation and water injection. The techniques allow the soil to be subject to the same drying and wetting conditions that occur in nature and avoid the need for elevated air pressures, as are traditionally involved in testing using the axis translation technique. The performance of the new high suction tensiometer was evaluated, followed by its applications to soil testing. The tensiometer performance focused on the factors controlling cavitation, calibration in the negative pressure range and measurement. It was found that isotropic unloading is the most accurate technique for calibration in the negative range and that axis translation techniques can lead to errors. The research confirms high suction tensiometers are easy to use and versatile devices. Techniques were developed to measure and control suction and water content in unconfined and confined samples. Research on the unconfined samples focused on the procedures to obtain the soil water retention curve: discrete (soil dried or wetted in stages) and continuous (soil drying continuously). While both procedures were found not to influence the curves significantly, it is demonstrated that the continuous procedure is sensitive to factors such as the exposed surface area to drying or wetting and so should be used carefully. For confined conditions, wetting, drying, and water content measurement systems were developed. Wetting was based on the injection of water; drying was based on air circulation through a desiccant within a closed loop system.
Water content was determined from the difference between water injected and that adsorbed by the desiccant. This has been applied as part of a double cell triaxial testing system that allows continuous determination of suction, water content and volume change. A challenge of such a system was imposing an air tight environment. The suitability of environmental scanning electron microscopy to observe unsaturated soils at the particle level was explored. The imaging of micron-sized materials at different relative humidities allowed a series of observations previously undocumented, among them: water menisci were visible, including their shape and interaction with surfaces; the contact angle between the air-water and water-solid interfaces was measurable. EThOS - Electronic Theses Online Service.

    Using temporal evidence in blog search

    In this paper we present a study on the relevance of web documents over time and the use of temporal evidence in blog search tasks. Time is an intrinsic property of social media, most notably in blogs, where each post is typically tagged with a timestamp representing its publish date. However, due to the challenges in obtaining document collections containing temporal information, research in this field has been scarce. We base our study on the Blog06 collection and the relevance assessments produced in the context of the TREC Blog Track, to investigate the relevance of time-based features in standard retrieval tasks. We observe small, but statistically significant improvements over a BM25 baseline when temporal information is used. Also, we find a direct connection between recency and relevance of documents for ad-hoc retrieval.