148 results on '"information system security"'
Search Results
52. Cyber insurance as an incentive for information system security.
- Author
- GU Jian-qiang, MEI Shu-e, and ZHONG Wei-jun
- Abstract
A firm's probability of incurring a loss (from being attacked) depends on both its own security level and the network security level. We fully characterize the equilibria of the noncooperative game, which give us the individually optimal security choices, and we also derive the socially optimal choices. After comparing these two equilibrium results, it is found that the interdependent nature of security causes a negative externality that results in under-investment in self-defense relative to the socially efficient level, since firms ignore the marginal external costs or benefits conferred on others. To solve the above-mentioned problem, we design cyber insurance as an incentive for information system security investment. The key result is that limiting insurance coverage through deductibles can partially internalize this externality and thereby improve individual and social welfare. [ABSTRACT FROM AUTHOR]
- Published
- 2015
53. Development of Virtue Ethics Based Security Constructs for Information Systems Trusted Workers.
- Author
- Gray, John and Tejay, Gurvirender
- Abstract
Despite an abundance of research on the problem of insider threats, only limited success has been achieved in preventing trusted insiders from committing security violations. Virtue ethics may be a new approach that can be utilized to address this issue. Human factors such as moral considerations and decisions impact information system design, use, and security; consequently, they affect the security posture and culture of an organization. Virtue ethics based concepts have the potential to influence and align the moral values and behavior of Information Systems workers with those of an organization in order to provide increased protection of IS assets. This study examines factors that affect and shape the ethical perspectives of individuals trusted with privileged access to personal, sensitive, and classified information. An understanding of these factors can be used by organizations to assess and influence the ethical intentions and commitment of information systems trusted workers. The overall objective of this study's research is to establish and refine validated virtue ethics based constructs which can be incorporated into theory development and testing of the proposed Information Systems security model. The expectation of the researcher is to better understand the personality and motivations of individuals who pose an insider threat by providing a conceptual analysis of character traits which influence the ethical behavior of trusted workers and ultimately Information System security. [ABSTRACT FROM AUTHOR]
- Published
- 2014
54. Description of a Practical Application of an Information Security Audit Framework.
- Author
- Pereira, Teresa and Santos, Henrique
- Abstract
Organizations are increasingly relying on information systems to enhance business operations, facilitate management decision-making, and deploy business strategies. This dependence has increased in current business environments, where a variety of transactions involving the exchange of information and services are accomplished electronically. Technological advances, the increased use of the Internet, the emergence of Internet-enabled services and the current audit environment have promoted a growing interest in the continuous auditing of information system security, in order to ensure the reliability of organizational information systems. However, the current approaches available to assist the auditor in performing a security audit are limited in the concepts they use and are increasingly dependent on the experience and knowledge of the auditor. This paper intends to present a developed framework, which is based on a conceptual model to assist the auditor in conducting an audit in the information system security domain. The model developed contains the semantic concepts, their relationships and axioms, defined in a subset of the information security domain. This conceptual approach promotes the standardization of the terminology used in the information security domain and improves the information system security audit process within organizations. Comparisons of the currently available approaches to auditing information systems will be presented as well. [ABSTRACT FROM AUTHOR]
- Published
- 2011
55. User Privacy in Web Search
- Author
- Domingo-Ferrer, Josep, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Sudan, Madhu, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Vardi, Moshe Y., Series editor, Weikum, Gerhard, Series editor, Goebel, Randy, editor, Siekmann, Jörg, editor, Wahlster, Wolfgang, editor, Torra, Vicenç, editor, Narukawa, Yasuo, editor, and Daumas, Marc, editor
- Published
- 2010
56. A Conceptual Model Approach to Manage and Audit Information Systems Security.
- Author
- Pereira, Teresa and Santos, Henrique
- Abstract
The speed and accessibility of operations promoted by information and communication technologies, particularly the Internet, lead organizations to become heavily dependent on their information systems. Further, the rapid technological advances have also created significant risks to organizations and government operations. The risks are expected to continue to escalate as new technologies and new Internet-enabled services emerge. As a result, the security strategies of these organizations need to evolve as well, in response to the evolving information security requirements. In short, there is a need for proper information security management, within the context of the organization's structure, objectives and activities. One way to achieve this goal is to plan regular audits to evaluate information systems security. The currently available resources are typically guidelines and checklists, more or less linked to particular views. To address this issue, a framework based on a conceptual model approach was developed. This solution introduces a new perspective for modeling information in the security domain. It allows the description of the data semantics and enables firming up and unifying the concepts and terminology defined in the information security domain, based on the ISO/IEC JTC1 standards. This paper presents the preliminary stage of the framework development, in particular the adoption of the ontological approach for information security management. [ABSTRACT FROM AUTHOR]
- Published
- 2010
57. An information security risk management model under accumulating damage
- Subjects
- risk management model, damage to information assets, information system security, risk management model, property damage to information assets, incident forecasting, information security incidents, information security incidents, information system security, predicting incidents
- Abstract
This article is devoted to the security of information systems and, in particular, to the construction and study of an information security risk management model that takes into account the accumulation of damage from incidents. It is assumed that at random discrete moments in time, incidents occur in the information system that lead to a violation of information security: computer attacks, malfunctions, violations of operating rules, and the like. Every incident comes with damage. The set of possible values of the damage caused by an incident is determined. The information system's protection tools react to incidents, and the possible actions can follow several scenarios. In one scenario, the damage caused by each new incident is compared with the maximum allowable amount of damage. If the damage caused by the incident, taken independently of other incidents, does not exceed the established limit, the system continues to work as usual. Otherwise, the security policy is adjusted, additional protective measures are introduced, and other similar steps are taken. In the second scenario, as incidents occur, the corresponding damages are summed sequentially and the sum is then compared with the maximum allowable amount of damage. If, when the next incident occurs, the total damage does not exceed the maximum value, the information system continues to work in normal mode. Otherwise, as in the first scenario, it is concluded that the system is insufficiently protected and that the security policy needs to be adjusted, in particular by introducing additional protection measures. On the basis of the constructed models, a procedure for assessing the risk of an information security breach is proposed and the probability distribution of the time of safe operation of the information system is found. As an illustration of the proposed approach, experimental models of the number of unauthorized transactions on the accounts of legal entities and of the number of unauthorized transactions using payment cards are constructed. These models are based on the analysis of real incidents and are built using previously developed forecasting methods in the form of a continuous approximating function. Промышленные АСУ и контроллеры (Industrial Automated Control Systems and Controllers), Issue 8, 2021
- Published
- 2021
58. Classification of Security Threats in Information Systems.
- Author
- Jouini, Mouna, Rabai, Latifa Ben Arfa, and Aissa, Anis Ben
- Subjects
- DATA security, CYBERTERRORISM, INFORMATION technology security, COMPUTER systems, INFORMATION technology
- Abstract
Information systems are frequently exposed to various types of threats which can cause different types of damage that might lead to significant financial losses. Information security damages can range from small losses to entire information system destruction. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. Currently, organizations are struggling to understand what the threats to their information assets are and how to obtain the necessary means to combat them, which continues to pose a challenge. To improve our understanding of security threats, we propose a security threat classification model which allows us to study the impact of a threat class instead of the impact of a single threat, as a threat varies over time. This paper addresses different criteria for classifying information system security risks and gives a review of most threat classification models. We define a hybrid model for information system security threat classification in order to propose a classification architecture that supports all threat classification principles and helps organizations implement their information security strategies. [Copyright Elsevier]
- Published
- 2014
59. INFORMATION SYSTEM SECURITY THREATS CLASSIFICATIONS
- Author
- Sandro Gerić and Željko Hutinski
- Subjects
- information system security, ISS, security risk, threat, classification, criteria, Information theory, Q350-390
- Abstract
Information systems are exposed to different types of security risks. The consequences of information systems security (ISS) breaches can vary from, e.g., damaging the database integrity to physical "destruction" of entire information system facilities, and can result in minor disruptions in less important segments of information systems, or in significant interruptions in information systems functionality. The sources of security risks are different, can originate from inside or outside of the information system facility, and can be intentional or unintentional. The precise calculation of losses caused by such incidents is often not possible because a number of small-scale ISS incidents are never detected, or are detected with a significant time delay, a part of the incidents are interpreted as accidental mistakes, and all of that results in an underestimation of ISS risks. This paper addresses the different types and criteria of information system security risk (threat) classification and gives an overview of the most common classifications used in the literature and in practice. We define a common set of criteria that can be used for information system security threat classification, which will enable the comparison and evaluation of different security threats from different security threat classifications.
- Published
- 2007
60. A Research Agenda for Security Engineering.
- Author
- Goyette, Rich, Robichaud, Yan, and Marinier, François
- Subjects
- INTERNET security, RISK management in business, INFORMATION technology security, INFORMATION resources management
- Abstract
In this article, the authors focus on the implementation of concepts and ideas regarding information systems security engineering. They focus on the development of a common threat model that defines the threat environment and ensures cyber security. They discuss the challenges associated with the implementation of security engineering and risk management strategies in business enterprises.
- Published
- 2013
61. Risk analysis of an information system handling personal data.
- Author
- Fortinová, Jana
- Subjects
- RISK management in business, INFORMATION technology, RISK assessment, INFORMATION storage & retrieval systems, ELECTRONIC information resources
- Published
- 2012
62. Analysis of vulnerability assessment results based on CAOS.
- Author
- Corral, G., Garcia-Piquer, A., Orriols-Puig, A., Fornells, A., and Golobardes, E.
- Subjects
- COMPUTER network security, MATHEMATICAL optimization, ARTIFICIAL insemination, DATA analysis, ALGORITHMS, INFORMATION theory, MULTIPLE criteria decision making, COMPUTER security
- Abstract
Information system security must battle regularly with new threats that jeopardize the protection of those systems. Security tests have to be run periodically not only to identify vulnerabilities but also to control information systems, network devices, services and communications. Vulnerability assessments gather large amounts of data to be further analyzed by security experts, who have recently started using data analysis techniques to extract useful knowledge from these data. With the aim of assisting this process, this work presents CAOS, an evolutionary multiobjective approach to be used to cluster information from security tests. The process enables the clustering of the tested devices with similar vulnerabilities to detect hidden patterns and rogue or risky devices. Two different types of metrics have been selected to guide the discovery process in order to get the best clustering solution: general-purpose and domain-specific objectives. The results of both approaches are compared with state-of-the-art single-objective clustering techniques to corroborate the benefits of the clustering results to security analysts. [Copyright Elsevier]
- Published
- 2011
63. Technology-push and need-pull roles in information system security diffusion.
- Author
- Quey-Jen Yeh and Arthur Jung-Ting Chang
- Subjects
- INFORMATION resources management, INFORMATION resources, SECURITY management, BUSINESS planning, INDUSTRIAL security, SECURITY systems
- Abstract
Research on information system security (ISS) usually conceives of security models on the basis of positive, strategic benefits, such as planning or developing a security baseline. However, ISS works only when it enables an organisation to protect against attacks, so managers seldom adopt positively based new security measures. By theorising ISS as a technology cluster that consists of distinguishable but interrelated countermeasures, this study analyses managers' security concerns on the basis of two forces, technology-push (TP) and need-pull (NP), traditionally applied to technology diffusion. Both TP forces, which entail managers' perceived security threats, and NP forces, or requirements associated with the industry, organisational readiness, and security incidents, may prompt organisational ISS diffusion. The empirical findings suggest this conceptualisation effectively explains organisational ISS diffusion, though NP forces appear dominant. In general, organisations are less likely to adopt new security measures unless compelled to do so by industry or security gaps, or unless they are large enough and technically prepared for security innovations. Therefore, organisations should adjust their security plans to align with the threats facing their industries. [ABSTRACT FROM AUTHOR]
- Published
- 2011
64. Toward a Unified Model of Information Security Policy Compliance
- Subjects
- ta113, unified theory, security, survey, information system security, information systems
- Published
- 2018
65. THE IMPACT OF MALICIOUS AGENTS ON THE ENTERPRISE SOFTWARE INDUSTRY.
- Author
- Galbreth, Michael R. and Shor, Mikhael
- Subjects
- COMPUTER software industry, ECONOMIC competition, MALWARE, COMPUTER crimes, MOTIVATION (Psychology), PROFIT
- Abstract
In this paper, a competitive software market that includes horizontal and quality differentiation, as well as a negative network effect driven by the presence of malicious agents, is modeled. Software products with larger installed bases, and therefore more potential computers to attack, present more appealing targets for malicious agents. One finding is that software firms may profit from increased malicious activity. Software products in a more competitive market are less likely to invest in security, while monopolistic or niche products are likely to be more secure from malicious attack. The results provide insights for IS managers considering enterprise software adoption. [ABSTRACT FROM AUTHOR]
- Published
- 2010
66. Integrating Disaster Recovery Plan Activities into the System Development Life Cycle.
- Author
- Aggelinos, George and Katsikas, Sokratis
- Subjects
- INFORMATION services security measures, SYSTEMS development, COMPUTER programming, INFORMATION resources management, CRISIS management, RISK management in business
- Abstract
The development of an IS for an organization is a project of a strategic nature. The development process is a time-consuming and special budgeted project that follows the six stages of the System Development Life Cycle (SDLC). Integrating security within the SDLC is a very important issue. The security of an IS is designed at the very early stages of its development. A security object that is nowadays a must is the Disaster Recovery Plan. Security questions like "Is the Information System Security an issue that has to be a matter of concern for the organization from the start of Information System development?' and "At which stage of its development does an Information System begin to be at risk?" concern both the organizations and the developers. This paper proposes the enhancement of the SDLC stages in order to reduce the risks from the start of a development, by integrating the development of the Disaster Recovery Plan into the SDLC process. Details are given on how to achieve this, as well as the reasons and the benefits to the organization and to the manufacturer. [ABSTRACT FROM AUTHOR]
- Published
- 2010
67. An integrated conceptual model for information system security risk management supported by enterprise architecture management
- Author
- Nicolas Mayer, Roel Wieringa, Christophe Feltus, Eric Grandry, Elio Goettelmann, and Jocelyn Aubert
- Subjects
- Process management, business.industry, Process (engineering), Computer science, Conceptual model (computer science), 020207 software engineering, Usability, 02 engineering and technology, Domain model, Information system security, n/a OA procedure, Domain (software engineering), Enterprise architecture management, Modeling and Simulation, 0202 electrical engineering, electronic engineering, information engineering, Information system, business, Software, Risk management
- Abstract
Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, mainly in a context of multiple regulations with complex and interconnected IS. We claim that a connection with enterprise architecture management (EAM) contributes to dealing with these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we improve an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the EAM-ISSRM integrated model is then performed with the help of a validation group assessing the utility and usability of the model.
- Published
- 2019
68. A novel secure business process modeling approach and its impact on business performance.
- Author
- Alotaibi, Youseef and Liu, Fei
- Subjects
- BUSINESS process management, ORGANIZATIONAL performance, CELL phones, SYSTEMS theory, DATA security
- Abstract
Highlights: • We create a secure business PM and investigate its impact on business performance. • A mobile phone order process is used for validation and a questionnaire for evaluation. • Security IS goals should be considered in all system development processes. • It positively influences system implementation and better meets business expectations. • A secure business PM positively impacts business process performance. [Copyright Elsevier]
- Published
- 2014
69. Aligning social concerns with information system security: A fundamental ontology for social engineering.
- Author
- Li, Tong, Wang, Xiaowei, and Ni, Yeming
- Subjects
- SOCIAL engineering (Fraud), INFORMATION storage & retrieval systems, INFORMATION technology security, DESCRIPTION logics, SECURITY systems
- Abstract
Along with the rapid development of socio-technical systems, people are playing an increasingly important role in information systems and have actually become an essential system component. However, unlike technology-based attacks, which have been investigated for decades, social engineering attacks have not been efficiently addressed. In particular, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering based on a systematic review of existing social engineering taxonomies and ontologies in order to provide a theoretical foundation for social engineering analysis. The essential contributions of this paper include: (1) proposing a comprehensive ontology of social engineering and precisely specifying ontological definitions of its essential concepts based on Situation Calculus; (2) enumerating and summarizing a set of social engineering techniques and presenting their fine-grained classification based on the proposed ontology; (3) incorporating psychology and sociology knowledge into social engineering analysis, encapsulating such knowledge in terms of a formalized ontology. We have evaluated our ontology on a set of real social engineering attacks, the results of which show the usefulness of our proposal. • A review of existing social engineering ontologies. • A proposal of a unified set of concepts of social engineering. • A proposal of ontological definitions of social engineering based on Situation Calculus. • A presentation of a fine-grained classification of social engineering techniques, incorporating psychology and sociology knowledge into social engineering analysis. • A formalization of the social engineering ontology using Description Logic. [ABSTRACT FROM AUTHOR]
- Published
- 2022
70. Information security when using SaaS: A study of which aspects affect whether information security is raised when using SaaS
- Author
- Åman, Petter
- Abstract
In the early history of IT, it was assumed that data could only be attacked by being physically present in order to carry out an intrusion and obtain data or information. In older action films, one often sees some Russian or American spy transferring data from a physical computer to an equally physical disk. With increasing globalization there is also an increased need for access to data and information in different places and in different ways. To satisfy a growing need for availability and mobility, the IT world has had to create new solutions that meet that need. The first step came with the introduction of the internet, and today various new cloud solutions are available to companies, private individuals and also attackers via the internet. Modern technologies also almost always bring new risks and threats. Where humanity previously used locks for doors, consideration must now be given to what type of encryption, antivirus protection and other measures are required to protect private information. Cloud computing and the use of cloud services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) continue to grow, which can bring many benefits for companies (Balco, Drahošová & Law, 2017; Basishtha & Boruah, 2013; SCB, 2018; Sultan, 2011; Shahzad, 2014). However, moving data from the ground up into the cloud is no guarantee of security, since the cloud's accessibility and the movement of data outside the company's boundaries raise questions about information security and come with many challenges and risks (Kavitha & Subashini, 2011; Dorey & Leite, 2011). Given increased globality, it would seem fitting for data to be stored in different places around the world. But how secure is it really when a company based in, for example, Finland has important data stored on the other side of the globe? Since "the Cloud" continues to grow, there is a need to examine how, where and when use of the cloud can contribute
- Published
- 2019
71. Information system security when using SaaS: A study of which aspects affect information system security when using SaaS
- Author
- Åman, Petter
- Subjects
- Systems science, information systems and informatics with a social science orientation, Information System Security, SAAS, Information security, Information Systems, Social aspects, Cloud services, Cloud
- Abstract
In the early history of IT, it was assumed that data could only be attacked by being physically present in order to carry out an intrusion and obtain data or information. In older action films, one often sees some Russian or American spy transferring data from a physical computer to an equally physical disk. With increasing globalization there is also an increased need for access to data and information in different places and in different ways. To satisfy a growing need for availability and mobility, the IT world has had to create new solutions that meet that need. The first step came with the introduction of the internet, and today various new cloud solutions are available to companies, private individuals and also attackers via the internet. Modern technologies also almost always bring new risks and threats. Where humanity previously used locks for doors, consideration must now be given to what type of encryption, antivirus protection and other measures are required to protect private information. Cloud computing and the use of cloud services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) continue to grow, which can bring many benefits for companies (Balco, Drahošová & Law, 2017; Basishtha & Boruah, 2013; SCB, 2018; Sultan, 2011; Shahzad, 2014). However, moving data from the ground up into the cloud is no guarantee of security, since the cloud's accessibility and the movement of data outside the company's boundaries raise questions about information security and come with many challenges and risks (Kavitha & Subashini, 2011; Dorey & Leite, 2011). Given increased globality, it would seem fitting for data to be stored in different places around the world. But how secure is it really when a company based in, for example, Finland has important data stored on the other side of the globe?
Since "the Cloud" continues to grow, there is a need to examine how, where and when use of the cloud can contribute to increasing information security, and also why and under what circumstances. The study will focus on the use of SaaS from an information security perspective and on which aspects affect whether companies can obtain increased information security. SaaS was chosen because it is the cloud service most frequently found in companies. The study's report is structured as follows: chapter two covers relevant concepts and background to the subject. Chapter three then describes the problem area together with the report's purpose and research question. Chapter four presents the scientific method used in the study to collect and analyse data. Chapter five presents the analysis of the work, which leads to the final model in chapter six. Finally, a discussion of the study follows.
- Published
- 2019
72. An Analytical Approach to Cost-Effective, Risk-Based Budgeting for Federal Information System Security.
- Author
-
Lippiatt, Barbara C. and Fuller, Sieglinde K.
- Abstract
The purpose of this report is to identify and illustrate an approach to simplify and strengthen capital planning for information system security in compliance with federal policy and guidance. The report provides the theoretical underpinnings of a methodology that will enable budgeting officials, system owners, and managers to select cost-effective strategies for optimizing the level of information system security to be achieved, given the level of vulnerability faced by the organization. The method of evaluation used is the Analytic Hierarchy Process (AHP), a multi-attribute decision approach. It integrates quantitative and qualitative information in a hierarchical structure in such a way that decision-makers can logically and consistently evaluate all the alternatives in a complex decision problem. An illustrative case study applies the AHP to the selection of a cost-effective security investment, given the likelihood and magnitude of threats to the information system. Expert judgments of risks, overall agency goals, and existing system weaknesses are merged with investment costs to illustrate the AHP process for calculating a measure of merit for evaluating investment alternatives. [ABSTRACT FROM AUTHOR]
- Published
- 2007
73. Toward a Unified Model of Information Security Policy Compliance
- Author
-
Seppo Pahnila, Mikko T. Siponen, and Gregory D. Moody
- Subjects
Information Systems and Management ,Management science ,Computer science ,security ,Theory of planned behavior ,Rational choice theory ,Context (language use) ,Information security ,Security policy ,information system security ,Computer Science Applications ,Management Information Systems ,Theory of reasoned action ,Empirical research ,unified theory ,survey ,Balance theory ,Information Systems - Abstract
Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) the protection motivation theory, (7) the extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model, and (11) the control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models have similar and different constructs. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures.
- Published
- 2018
74. Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets
- Author
-
Tsafrir Livne, Shai Levi, and Eli Amir
- Subjects
Financial markets ,Negative information ,Financial market ,Equity (finance) ,Market reaction ,Data breach ,Monetary economics ,Information system security ,General Business, Management and Accounting ,Corporate finance ,Incentive ,Accounting ,Business ,Suspect ,Capital market ,Public finance - Abstract
Firms should disclose information on material cyber-attacks. However, because managers have incentives to withhold negative information, and investors cannot discover most cyber-attacks independently, firms may underreport them. Using data on cyber-attacks that firms voluntarily disclosed, and those that were withheld and later discovered by sources outside the firm, we estimate the extent to which firms withhold information on cyber-attacks. We find withheld cyber-attacks are associated with a decline of approximately 3.6% in equity values in the month the attack is discovered, and disclosed attacks with a substantially lower decline of 0.7%. The evidence is consistent with managers not disclosing negative information below a certain threshold and withholding information on the more severe attacks. Using the market reactions to withheld and disclosed attacks, we estimate that managers disclose information on cyber-attacks when investors already suspect a high likelihood (40%) of an attack.
- Published
- 2018
75. POSSIBILITIES OF DYNAMIC BIOMETRICS FOR AUTHENTICATION AND THE CIRCUMSTANCES FOR USING DYNAMIC BIOMETRIC SIGNATURE
- Author
-
Frantisek Hortai
- Subjects
Biometrics ,Computer science ,Compromise ,Computer security ,lcsh:QA75.5-76.95 ,information system security ,dynamic biometrics ,Information system ,Simplicity ,Authentication ,Information technology ,Signature (logic) ,Authentication (law) ,dynamic biometric signature ,biometric standards ,Independence (mathematical logic) ,lcsh:Electronic computers. Computer science - Abstract
New information technologies, alongside their benefits, also bring new dangers with them. It is difficult to decide which authentication tool to use and implement in information systems and electronic documents. The final decision has to be a compromise, since it faces several conflicting requirements: a highly secure tool, a user-friendly and simple method, protection against user errors and failures, speed of authentication, and all of these features at a reasonable price. Even when the compromise solution is found, it has to fulfil the given technology standards. For the listed reasons the paper argues for one of the most natural biometric authentication methods, the dynamic biometric signature, and lists its related standards. The paper also includes a measurement evaluation which addresses the independence between a person's signature and the device on which it was created.
- Published
- 2017
76. Classification of Security Threats in Information Systems
- Author
-
Mouna Jouini, Latifa Ben Arfa Rabai, and Anis Ben Aissa
- Subjects
Cloud computing security ,criteria ,Computer science ,Information security ,Risk factor (computing) ,Asset (computer security) ,Computer security ,Information system security ,Security testing ,Security information and event management ,Threat ,Information security management ,Threat classification ,Security through obscurity ,Information system ,General Earth and Planetary Sciences ,Security management ,security risk ,Countermeasure (computer) ,General Environmental Science - Abstract
Information systems are frequently exposed to various types of threats which can cause different types of damage that might lead to significant financial losses. Information security damage can range from small losses to entire information system destruction. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. Currently, organizations are struggling to understand what the threats to their information assets are and how to obtain the necessary means to combat them, which continues to pose a challenge. To improve our understanding of security threats, we propose a security threat classification model which allows us to study the impact of a threat class instead of the impact of a single threat, as a threat varies over time. This paper addresses different criteria for classifying information system security risks and gives a review of most threat classification models. We define a hybrid model for information system security threat classification in order to propose a classification architecture that supports all threat classification principles and helps organizations implement their information security strategies.
- Published
- 2014
77. A Highly Recoverable and Efficient Filesystem
- Author
-
Duminda Wijesekera and Mohammed Alhussein
- Subjects
Computer science ,Fragmentation (computing) ,Information systems security ,Information system security ,exFAT ,Data recovery ,Operating system ,General Earth and Planetary Sciences ,Record-oriented filesystem ,File system fragmentation ,General Environmental Science - Abstract
Data recovery is a significant problem that presents a real challenge to forensics investigators today. File carvers have traditionally helped mitigate these difficulties. However, two issues still present significant challenges – 1) prior knowledge of file types is required for building file carvers, and 2) fragmentation prevents file carvers from successful recovery. In previous research, we proposed a framework for recovering deleted files without prior knowledge of file types and in the presence of fragmentation. In this paper, we introduce the design and a functioning implementation of our system by modifying an exFAT filesystem running on top of FUSE. Evaluation of the overhead of our filesystem shows only a 5% decrease in performance in write operations when compared to an unmodified exFAT filesystem, and almost identical read measurements. Our system also shows significantly better recovery rates in the presence of fragmentation when compared to two selected file carvers.
- Published
- 2014
78. VRE4EIC Deliverable 5.2 Implications for the VRE end-users to handle security, privacy and trust issues - first version
- Author
-
Hollink L., Concordia C., Ashley K., and Whyte A.
- Subjects
Information System Security ,trustworthy VRE systems ,Virtual Research Environments - Abstract
For the e-VRE being developed by the VRE4EIC project, the security, privacy and trust requirements vary significantly amongst the potential end-users from various research domains and the public. In deliverable D5.1, the VRE4EIC project defined the strategies for handling potential issues and risks regarding security, privacy and trust aspects. However, these strategies are mainly produced to help the technical developers better design the e-VRE and choose appropriate technologies for the implementation of the e-VRE. We assume that most of the potential end-users will have limited ICT knowledge, so that they may have a different understanding or interpretation of these strategies for dealing with security, privacy and trust related issues. In order to help our potential end-users understand the logic and considerations behind the strategies developed in D5.1, this deliverable clarifies these strategies in the early stage of e-VRE development. The user is a global actor representing any user accessing the e-VRE (according to its definition, "VRE users" only concern people that want to access research data). This approach will also help the engagement of potential end-users. After implementing an e-VRE prototype that will be tested by user groups, a second version of this deliverable will be completed in Month 33 (D5.4). Upon acceptance of this strategy document, it will be made publicly available and especially distributed to target users of the existing e-RI initiatives and VRE-related initiatives.
- Published
- 2017
79. A study of improving the security of an Internet of Things information system
- Author
-
Mauragas, Karolis and Plėštys, Rimantas
- Subjects
smart device ,information system security ,internet of things - Abstract
The aim of this work is to improve the security of the developed Internet of Things information system by detecting intruder attacks and applying protective measures. One of the main components of the Internet of Things is the information system that processes the collected data. One of the problems arising in the development of such systems is the security of data transmission and storage. An Internet of Things information system must ensure three main security functions: data confidentiality, integrity and availability. In the implemented Internet of Things information system I improve the smart device authorisation method and apply an encryption algorithm for the transmitted and stored data. I also implement device blocking and attack detection methods. The implemented methods can be applied to all devices that support the studied wireless data transmission protocol, without changing the specifications of the standard. This ensures the system's compatibility with all devices that support this technology.
- Published
- 2016
80. Company security policy
- Author
-
FLORJANČIČ, LUKA and Bajec, Marko
- Subjects
security policy ,information security standards ,information system security - Abstract
Information has become a very important factor and a fundamental resource in an organisation. For a company's successful operation, the processing and protection of the information at its disposal is important. In protecting information it is important that it retains its integrity, confidentiality and availability. If information falls into the wrong hands, this can have serious consequences for the company and its business. It is important that both management and employees in the company are aware of the dangers. A security policy thus represents a set of rules and guidance for avoiding incidents and reducing their consequences. It is a document on which an effective and comprehensive information security programme in the company can be built. In this thesis I described the theoretical foundations of information security and certain standards that are the most established for protecting information. Developing a security policy is a complex process that takes place in several stages. We therefore took all the stages into account and developed a security policy for a specific company.
- Published
- 2016
82. Does organisational culture affect dysfunctional behaviour in information system security?
- Author
-
Mat Roni, Saiyidi, Djajadikerta, Hadrian Geri, Trireksani, Terri, Mat Roni, Saiyidi, Djajadikerta, Hadrian Geri, and Trireksani, Terri
- Abstract
Information system (IS) security incidents occur, in part, because employees undermine security policy. While existing studies suggest organisational culture influences employee behaviour in ways that can compromise IS security, examining organisational culture as a single component, or investigating only one dimension of culture, can put the discipline at harm. This is because organisational culture is a conjugation of multifaceted collective beliefs that materialises in actions and artefacts. Investigating organisational culture at only its higher order level can mask dimensional effects of culture at its lower order factors. This study provides additional insight into the body of knowledge in IS security by examining organisational culture at its higher order and at its dimensions in order to investigate how these dimensions play their roles in the realm of IS security noncompliance and intentional violations.
- Published
- 2017
86. User-centred security event visualisation
- Author
-
Humphries, Christopher (Université de Rennes 1; CIDRE team, CentraleSupélec-Inria Rennes – Bretagne Atlantique, IRISA); supervised by Christophe Bidan, Nicolas Prigent, and Frédéric Majorczyk
- Subjects
[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Computer security ,Security visualisation ,Information system security - Abstract
Managing the vast quantities of data generated in the context of information system security becomes more difficult every day. Visualisation tools are a solution to help face this challenge. They represent large quantities of data in a synthetic and often aesthetic way to help understand and manipulate them. In this document, we first present a classification of security visualisation tools according to each of their objectives. These can be one of three: monitoring (following events in real time to identify attacks as early as possible), analysis (the exploration and manipulation a posteriori of an important quantity of data to discover important events) or reporting (representation a posteriori of known information in a clear and synthetic fashion to help communication and transmission). We then present ELVis, a tool capable of representing security events from various sources coherently. ELVis automatically proposes appropriate representations according to the type of information (time, IP address, port, data volume, etc.). In addition, ELVis can be extended to accept new sources of data. Lastly, we present CORGI, a successor to ELVis which allows the simultaneous manipulation of multiple sources of data to correlate them. With the help of CORGI, it is possible to filter security events from a data source by multiple criteria, which facilitates following events on the currently analysed information systems.
- Published
- 2015
87. Defense against social engineering attacks
- Author
-
Škopec, Antonín, Sigmund, Tomáš, and Šimek, Luděk
- Subjects
security policies ,information system security ,social engineering ,penetration testing ,staff awareness and training - Abstract
This thesis deals with social engineering and defense against it. Social engineering attacks represent a significant threat for organizations and their information systems, especially because they target the weakest link in information systems security, its users. That way an attacker can easily bypass even a highly sophisticated security system. This thesis tries to deal with the question of how to effectively secure the human factor of an information system.
- Published
- 2015
88. Multiple risks, multiple theoretical frameworks: the case of cyber attacks in local authorities
- Author
-
Rémy, Février, Lebraty, Jean-Fabrice, Lobre, Katia, Laboratoire de Recherche Magellan, Université Jean Moulin - Lyon 3 (UJML), and Université de Lyon-Université de Lyon-Institut d'Administration des Entreprises (IAE) - Lyon
- Subjects
managerial perspective ,managerial recommendations ,[SHS.GESTION]Humanities and Social Sciences/Business administration ,Local authorities ,information system security - Abstract
This communication may be understood as an exploratory research in progress with a managerial perspective. It concerns local authorities, which integrate ever more digital applications and are thus confronted with a growing number of "cyber" risks. In this context, the communication aims to propose theoretical frameworks that enrich the classic rational approach prevailing in the most common information system security methods implemented in public administrations. Through six perspectives we propose simple managerial recommendations that may be taken into account in information system security projects.
- Published
- 2014
89. A Study of Phishing Attacks and Effectiveness of the Countermeasures
- Author
-
Purkait, Swapan
- Subjects
Phishing awareness, Phishing countermeasures, Virtual browser, Social engineering, Internet safe practices, Phishing, Information system security, Identity theft
- Published
- 2013
90. INFORMATION SECURITY IMPROVEMENT WITH THE INTRODUCTION OF GROUP POLICIES IN A LARGE COMPANY
- Author
-
Trček, Marko and Brezavšček, Alenka
- Subjects
Group policy, Information system security, Active directory, Implementation
- Abstract
The research addresses a proposal for the introduction of group policies in a large company. We presented the theoretical background in the field of group policies. We described both the basic operation of group policies and the security settings that significantly contribute to increasing information security. Good practices and recommendations for the introduction of group policies in a large company are presented. The good practices concern the preparation of the environment for the introduction of group policies as well as the specific settings of individual group policies. We prepared a proposal for the removal of administrator rights, the preparation of a test environment, the preparation of user groups, and a proposal for the structure of organizational units in Active Directory. The expected effects of introducing group policies in a large company are primarily increased information system security, simplified management, reduced management time, fewer errors and greater transparency of information system settings.

The master's thesis presents a proposal for the group policy introduction in a large company. We have presented the theoretical basis regarding the group policy. We have described the basic group policy operations as well as the security settings, which can have a significant impact on the increase of information security. We have described the best practices for the group policy implementation in the large company. Best practices relate to the environment preparation for the group policy implementation as well as to specific settings for an individual group policy. We have prepared a proposal for the administrator rights removal and the preparation of user groups, and we have proposed a structure of organizational units in the Active Directory. The focus of the proposal was on the security settings. We have shown that the successful implementation of the group policy significantly increases the level of information security in the enterprise. Other expected impacts of introducing the group policy in a large company are mainly the following: simplified and less time-consuming management, fewer system errors, and better transparency of information system settings.
- Published
- 2013
91. SECURING THE LOCAL AREA NETWORK OF A CHOSEN BANK
- Author
-
Marić, Zlatko and Gradišar, Miro
- Subjects
IS security, information system, 802.1x authentication, AAA, information system security
- Abstract
The thesis presents the problem of securing a bank's local area network, which is an important part of the bank's information system (hereinafter IS). A secure local area network is important for a secure IS. The first two chapters describe the dangers that threaten the IS. These chapters deal with the threats to modern IS and the ways of protecting the IS. This is followed by a description of the AAA system as one of the key elements that enable protection of the local area network from inside the network. The described system serves as the basis for building a secure local area network for the bank under consideration. The next chapter is focused on the development of the solution in the bank under consideration. The dangers threatening the bank's local area network, and thereby the IS, are highlighted. A system solution for securing the local area network in the bank under consideration with automated, modern security mechanisms is described. A short analysis of the economic justification of the proposed model is added to the description of the solution. In the conclusion, the final findings of the implemented solution for securing the bank's IS are summarized from the case, and a general assessment of the adequacy of the chosen solution is given.

The thesis discusses problems regarding the security of a local area network in a bank, which is an important part of the IS (information system) of a bank. A secure local area network is important for a secure IS. The first two chapters describe risks that are threatening the information system's security in general. They discuss risks that threaten the contemporary IS and ways to secure the IS. This is followed by a description of the system for checking genuineness as one of the key elements which enable protection of the local area network from inside the network. The described system serves as a basis for building a secure local area network of the discussed bank. The next chapter is directed towards the development of a solution in the discussed bank. Highlighted are risks that threaten the bank's local area network and consequently the IS. Described is a system solution to protect the local area network of the discussed bank with automated safety mechanisms. A short analysis of the economic viability of the proposed model is added to the description of the solution. The conclusion summarizes the final findings of the implemented solution for securing the bank's IS, followed by a general evaluation of the solution's adequacy.
- Published
- 2013
92. PROJECT OF ISMS IMPLEMENTATION IN THE COMPANY ALPINA, D.O.O
- Author
-
Vehar, Klemen and Brezavšček, Alenka
- Subjects
ISMS, Information system security, PROSIS, ISO/IEC 27003, Project plan, ISO/IEC 27001
- Abstract
The purpose of the master's thesis is to show how, with the help of the guidelines of the ISO/IEC 27003 standard and using computer tools for project management, a plan for the introduction of an ISMS in a particular organization can be prepared. In the theoretical part we presented the basics of information system security. We presented the ISO 27000 family of standards and other standards that serve as the basis for introducing an information security management system (ISMS) into an organization and are most often used in practice. The basics of project work were also presented. In the applied part we presented in detail the ISMS planning model according to the ISO/IEC 27003 standard. We then used this model to prepare a plan for the introduction of an ISMS in the company Alpina, d.o.o. To prepare the detailed project plan we used two computer tools, the project system PROSIS and the Microsoft Project program. In the conclusion we showed what we achieved with the prepared project plan and what tasks still await us in the future.

The purpose of the master's thesis is to present the usage of the standard ISO/IEC 27003 and the project management computer tools for the creation of the project plan of an information security management system (ISMS) implementation in a particular organization. In the theoretical part of the thesis, the basics of information system security are given. The ISO 27000 family of standards as well as other standards which are widely used as the base for the ISMS implementation in organizations are presented. Besides, the fundamentals of project management are described. In the applicative part of the thesis, the model of the ISMS planning according to the ISO/IEC 27003 standard is described in detail. This model has been used to create a detailed plan of the ISMS implementation in the Alpina enterprise. For the creation of this project plan two computer tools have been used, the project system PROSIS and the Microsoft Project software. In the conclusion, our project achievements have been presented and the future tasks have been outlined.
- Published
- 2013
93. INTRODUCTION OF SECURITY POLICY IN A MEDIUM ENTERPRISE
- Author
-
Schweighofer, Tina and Hölbl, Marko
- Subjects
security policy, risk analysis, information system security, udc:(659.2:004):004.7.056(043.2), business continuity
- Abstract
For the successful operation of a company, it is crucial to manage and protect the information the company has at its disposal. If important information falls into the hands of unauthorized persons, this can have serious consequences for the company and its business. It is therefore important that both employees and company management are aware of the threats and dangers. A security policy is a guideline and aid for every company in avoiding incidents or reducing their consequences. It is a set of documents that bring together instructions, recommendations and guidelines in the field of information security within the company. Preparing a security policy is a complex process carried out in several phases. In the diploma thesis we prepared a security policy for a specific company. In doing so, all phases of the preparation were carried out, and we also drew on recommendations and instructions for preparing a security policy.

Every successful enterprise needs to manage and protect its key information. If important information is leaked and comes into the hands of malicious persons, this can have serious consequences for the enterprise and its business. Therefore it is vital that the management as well as employees are aware of the risks and security threats. The security policy of an enterprise is a guideline for avoiding incidents or reducing their consequences to a minimum. A security policy is a group of documents that combine instructions, recommendations and guidance in the field of information security within the enterprise. The making of a security policy is a complex process conducted in several phases. In the diploma work we develop a security policy for a specific company. In the development process we have to complete the mentioned phases, in which we also consider recommendations and directions for preparing a good security policy.
- Published
- 2010
94. SECURITY ANALYSIS OF THE INFORMATION SYSTEM IN THE COMPANY STROKA PRODUKT D.O.O
- Author
-
Aldin, Kočan and Brezavšček, Alenka
- Subjects
risk analysis, threats, vulnerabilities, countermeasures, information system security
- Abstract
In the diploma thesis I carried out a security analysis of the information system in the company Stroka Produkt d.o.o., Ljubljana branch, where I am also employed. In the thesis I gave the theoretical basics of security, presented the company and described its information system. The analysis was made by means of an inventory of assets, their valuation, and an inventory of threats and vulnerabilities, in line with the old BS 7799 standard and the current ISO 27001 standard. With the risk analysis carried out, I tried to highlight the critical areas in the company and gave proposals for improvement and risk reduction. By introducing these measures, the company under consideration would substantially improve the security of its information system and contribute to more efficient business.

This diploma deals with the security analysis of the information system in the company Stroka Produkt d.o.o., branch office Ljubljana. In the first part of the diploma the theoretical bases of information security are presented. Besides, the company as well as its information system is described. The main part of the diploma includes the qualitative risk analysis which has been performed using the old BS 7799 standard and the currently valid ISO 27001. On the basis of the risk analysis results, some additional countermeasures have been suggested. Implementation of these countermeasures could slightly improve the existing level of information security, which could result in more efficient business of the company under consideration.
- Published
- 2009
95. A framework for integrating security in software development projects
- Author
-
UCL - SST/ICTM/INGI - Pôle en ingénierie informatique, UCL - Ecole Polytechnique de Louvain, Lobelle, Marc, Quisquater, Jean-Jacques, Bonaventure, Olivier, Van Lamsweerde, Axel, Avoine, Gildas, De Decker, Bart, Deswarte, Yves, and Kabasele Tenday Ndonda, Jean-Marie G.
- Abstract
The practice of building secure applications has been challenging for decades for the research community and industry, as highlighted by news and statistics. The main reasons are the lack of knowledge and guidance for developers, and the fact that software security has traditionally been treated as an afterthought, leading to a cycle of "penetrate and patch". This thesis proposes a framework that supports the integration and the improvement of security in the Software Delivery Life Cycle (SDLC) based on the Object-Oriented paradigm, the UML standards, the development life cycle and the Software Assurance Maturity Model (SAMM). We have defined an asset as an "object" and we have built the Object Based Access Control (OBAC) model from which we have refined the security concepts. This brings more granularity to the protection of the asset. Based on this model, we have reviewed security concepts like Misuse Cases and Security Use Cases. They have been formalized and positioned on the UML meta-model to make sure security is taken into account at the beginning of the SDLC. To deal with the regulation and corporate standards that extend the security requirements, we have introduced the Upper Security Specification Layer (USSL) and the Application Security Specification Layer (ASSL) in the security process. All these concepts are integrated in the SAMM and an SDLC model to constitute our framework. Finally, a case study demonstrates the improvement of maturity levels by using this framework., (FSA - Sciences de l'ingénieur) -- UCL, 2013
- Published
- 2013
96. User authentication : a state-of-the-art review.
- Author
-
Zviran, Moshe, Haga, William J., Naval Postgraduate School, Information Systems, and Coley, John A.
- Abstract
Access control of computing systems is considered a key issue among Information Systems managers. There are different methods available to computing systems to ensure proper authentication of a user. Authentication mechanisms range from simple user-generated passwords to complex combinations of passwords and physical characteristics of the user (e.g., a voice recognition device, retina scanner, signature recognition device, etc.). This thesis looks at the various authentication mechanisms available to a security manager. It describes how different authentication mechanisms operate and the advantages and disadvantages associated with each mechanism. It also reports on several commercially available software products that support the user authentication process. Finally, it discusses password use in the military environment and the unique requirements of the Department of Defense., http://archive.org/details/useruthenticatio1094528630, Lieutenant Commander, United States Navy, Approved for public release; distribution is unlimited.
- Published
- 2013
97. Access rights as a part of information security in enterprises
- Author
-
Golden, William, Conboy, Kieran, Acton, Thomas, and Halonen, Raija
- Subjects
Information security and cryptography ,Computer security ,Access rights ,Information system security ,Design science ,Data protection - Abstract
This paper highlights the problem with access rights as a part of information security in enterprises with many information systems and their human users. In many organisations, users often write down their user names and passwords, thus enabling outsiders to enter information systems without proper authorisation. Furthermore, access rights commonly remain active after their possessors have left the organisation or after roles in the organisation have changed. In addition, there are instances in enterprises where access rights are managed with severe deficiencies. In this study we discuss a case where this issue was found to be in a critical state when the organisation planned to extend and specialise its business abroad. The literature exposed several approaches and concepts to be concerned with. In our paper, we introduce how we approached the problem with a pragmatic contextual view. Based on prior research we explored access rights perceived in the enterprise with the help of a pre-study in the mode of a semi-structured questionnaire. The design science based framework described by Hevner et al. (2004) provided us with a solution that satisfied the enterprise in its information security efforts. Instead of describing the artifact, we highlighted the usability of the framework in real life and explained how we applied it in our research project.
- Published
- 2008
98. Creativity and the mediating role of Social Capital in the domain of Information Systems Security
- Author
-
Cavallari, Maurizio (ORCID:0000-0003-0970-8227)
- Abstract
Much research effort has been devoted to understanding the antecedents of the phenomenon of creativity. Previous findings identify, among others, transformational leadership, individual inspiration and social capital to be of importance. In the present research paper we propose a model where social capital can influence, as a mediator, the impact of the other two predictors on creativity. The novelty of the present research is that the domain of economic activity investigated is restricted to information systems security. The argument is that social capital within the domain of ISS enacts higher levels of creativity, needed in order to deal with unexpected events. Empirical data were gathered and structural model testing pursued. Results of the analysis fully confirm the theoretical framework and hypotheses.
- Published
- 2012
99. PROTECTION OF INFORMATION SYSTEMS IN BUSINESS PRACTICE
- Author
-
Ksenija Klasić
- Subjects
information system, information system security, occupational safety, ergonomics, ISO/IEC 17799:2000, Safety and Health Regulations in Working with Computers
- Abstract
The application of information technologies in everyday work is constantly increasing. Whereas only about ten years ago a relatively small number of employees used a computer to perform their work duties, today it is unthinkable to hire a new employee who does not know how to work with a computer. The number of hours of active work at the computer is growing, and this applies not only to companies in the IT business. Occupational safety experts are therefore increasingly encountering various problems from the domain of computer use in business practice, which directly or indirectly affect work results. Every company has its own information system, which may or may not be computer-supported. Nevertheless, today information technology has deeply penetrated all pores of business and everyday life, to which the decentralization of equipment and software has contributed significantly. In the process, adequate protection of computers and data was often not foreseen, and the existing rules applied in centralized computer centers were not updated. The introduction of Internet technology only added to the insecurity of information systems. Users of an information system or one of its segments are sometimes not even familiar with the need for and importance of the company's data resources, nor with the ways of protecting them. Data are the basic resource of a business system, so the damage caused by their abuse (or loss, misuse and the like) is in fact inflicted on the company as a whole. The organization of information system security is therefore an interdisciplinary task for all of a company's employees, with the aim of achieving the highest possible level of security in line with the acceptable losses the company must reckon with. For this purpose, various documents relating to individual aspects of system security are usually applied, which are mostly created and put into use only after some form of security breach has occurred. In practice, the obligation to prepare and apply such documents is mostly prescribed by a special set of regulations, and only rare companies are beginning to introduce an information system security model in line with the international standard ISO/IEC 17799:2000. Likewise, the protection of workers who perform their daily work using a computer must be carried out in accordance with the Safety and Health Regulations in Working with Computers. These prescribe the requirements that computer equipment must meet and mandate the preparation of a risk assessment for those workplaces. Information system security is the shared responsibility of all the company's employees, so only healthy, satisfied and adequately trained workers, working in appropriate working conditions, can contribute to improving the security of equipment and data in the business system.

SUMMARY: The application of information technologies in daily work shows an ever-increasing trend. Only ten years ago a relatively small number of employees used a computer in their work, whereas it is nowadays unthinkable that a person without computer skills would get employment. The number of hours spent in active work at the computer is growing, and not only in companies in the information business. One of the consequences is that occupational safety experts are constantly and increasingly faced with a range of problems arising from the application of the computer in business practice which directly or indirectly affect work results. Each company has its own information system that may or may not be supported by a computer. It may, however, be asserted that information technology has penetrated all pores of business and everyday life, resulting to a great degree from a decentralization of equipment and software. In the process, more often than not, no suitable protection of computers and data has been designed, and the existing regulations applied in centralized computer centers are not regularly updated. The introduction of the Internet technology only compounds the insecurity of information systems. The users of an information system or one of its segments are occasionally not even aware of the need and importance of the data resources in a company and the methods for their protection. Data are the fundamental resource of a company, so that damage stemming from their abuse (loss, misuse, etc.) is harmful to the company as a whole. Therefore the organization of information system security is an interdisciplinary task involving all employees in a company, with the aim of ensuring the highest possible security, but with awareness that some losses are acceptable and need to be tolerated. For this purpose a variety of documents is used relevant to the different aspects of system security, which are by and large introduced only after some compromise in the system security has been observed. In practice, the obligation to compile and implement such documents is commonly prescribed by a special set of regulations, with only very few companies introducing a model of information system security which is in compliance with the international ISO/IEC 17799:2000 standard. Furthermore, the protection of employees working at the computer on a daily basis in their jobs must also be regulated in the Safety and Health Regulations in Working with Computers. The Regulations prescribe the requirements which the computer equipment must comply with, with a mandatory risk assessment for the work places. Information system security is the responsibility of all employees in a company. Only healthy, happy and suitably trained employees working in satisfactory working conditions may contribute to the improvements in equipment and data security in a business system.
- Published
- 2007
100. The Use of Expert Systems in Information System Security
- Author
-
Gerić, Sandro, Hutinski, Željko, Čišić, Dragan, Hutinski, Željko, Baranović, Mirta, and Sandri, Roberto
- Subjects
Information system security, Protective measures, Security measures, Expert system, expert systems, security, IS
- Abstract
This paper addresses the possibility of using expert systems in information system security (ISS) and defines a model of an expert system for the selection of security and protective measures. The development and increasing importance of information systems (IS) and their resources in business organizations emphasize the vulnerability of information systems and the potential losses for organizations produced by different events that threaten ISS. Some organizations are solving this problem with unplanned and inefficient use of security measures, but there are organizations that are using and implementing security measures that are appropriate, necessary and in accordance with other aspects of their organization. In this paper we explain a model of how to define a set of security measures with those characteristics with the help of an expert system that, by combining the knowledge base, conclusion mechanism, risk assessment and the ability to learn, is able to select the necessary and appropriate security measures for ISS improvement.
- Published
- 2006