Optimizing Outcomes in Security Organizations

The optimization of security operations in larger organizations has often centered around discussions of the relative degree of convergence of the physical security functions and the cybersecurity functions. In a collaborative effort with an academic group and a security advisory group, it was determined to explore the factors to be considered when larger organizations make decisions about the placement, governance and operational strategies are evaluated and proposed for update or revision. A broad multipart project has been conceived to explore this topic. This initial study will quantify some of the precursors that influence optimization outcomes in security function convergence, present these criteria as a survey, and take a snapshot of these criteria in the practice setting. A subsequent study will use individuals who have responded to the survey to identify those from organizations that exhibit characteristics from many difference degrees of convergence and optimization. Those individuals will be interviewed to develop additional understanding of the complexities of security convergence and optimization. The planned stream of research will seek to document ways to measure security optimization and how to make such measurements

Defending Cyber Terrorism - A Game Theoretic Modeling Approach

In this work we attempt to develop a game theoretic model that can indicate the nuances of strategic investments in the face of possible cyber terrorist attacks. First, we briefly review the literature on terrorism. Second, we identify the „cyber‟ factors in terrorism, and how this new mode of attack alters the general scenario. Then, beginning with a naïve counter terrorism model, we incrementally incorporate the factors of cyber terrorism to develop our game theoretic model. Our current work is geared towards developing a model that can adequately incorporate the cyber factors of today‟s networked economy. In this report, we have also discussed some preliminary insights of (countering) cyber terrorism from the proposed model. This is a research in progress; and we have not yet analyzed the model in its entirety to realize the whole range of conceivable insights

The Impact of Operating System Obsolescence on the Life Cycle of Distributed Teams

Operating System obsolescence is widely considered an important factor when architectural choices are made during the planning phase of systems development and maintenance. In this work, we seek to understand the importance that planners actually ascribe to this attribute in practice, and ask probing questions to the managers, developers, and analysts of systems in industry in the form of a survey. Initial results suggest that obsolescence is neither perceived as a critical factor during planning for systems development, nor is it viewed as a major contributor to the total cost of operation of client/server systems. However, the survey does identify that organizations have a number of valid and functional coping strategies when obsolescence does affect systems operations

Editorial

Editorial for Volume 2023, Issue

Developing and Implementing Information Security Programs: AMCIS 2005 Workshop Proposal

One of the continuing challenges facing industry is the security and protection of information. Advances in information security have been unable to keep pace with advances in computing in general. One of the recognized ways to combat the threat to information security is education needed to prepare students to create a secure and ethical computing environment

From the Editors

Welcome to the inaugural issue of the Journal of Cybersecurity Education, Research and Practice (JCERP)

Improving Information Security Through Policy Implementation

Information security policy is essential to the success of any information security program because it is the primary process used by organizations to influence the performance of personnel in ways that enhance the information security of the organization’s information assets. Whereas computer security can be thought of as the processes and techniques of securing IT hardware, software and data (including networks), information security is a broader concept. The processes of information security are concerned with the protection of the confidentiality, integrity and availability of information within systems comprising hardware, software, networks, data, procedures and personnel. As organizations change through evolution of practices and hiring of new personnel for growth or replacement policy emerges as the mechanism whereby an organization defines what is to be secured and establishes what to secure, why it needs to be secured and perhaps how to achieve the desired levels of security.. Without sound policy as a foundation an organization is less likely to be successful in its mission to protect information assets

A Draft Model Curriculum for Programs of Study in Information Security and Assurance

With the dramatic increase in threats to information security, there is a clear need for a corresponding increase in the number of information security professional. With a lack of formal curriculum models, many academic institutions are unprepared to implement the courses and laboratories needed to prepare this special class of information technologist. This paper provides an overview of lessons learned in the implementation of both individual courses and a degree concentration in information security. It refers to a more comprehensive document, available on the Web, which includes the methodology used in developing the curriculum, individual course syllabi for recommended components, and laboratory development and implementation recommendations

Information Security Governance for the Non-Security Business Executive

Information security is a critical aspect of information systems usage in current organizations. Often relegated to the IT staff, it is in fact the responsibility of senior management to assure the secure use and operation of information assets. Most managers recognize that governance is the responsibility of executive management. The primary objective of governance can be achieved when the members of an organization know what to do, how it should be done, as well as who should do it. The focus on governance has expanded to include information systems and information security. This article offers value to the executive by first defining governance as it is applied to information security and exploring three specific governance-related topics. The first of these examines how governance can be applied the critical aspect of planning both for normal and contingency operations. The next topic describes the need for measurement programs and how such metrics can be developed for information security assessment and continuous improvement. Finally, aspects of effective communication among and between general and information security managers is presented

From the Editors

A message from the editors