数据泄露:安全不能承受之重

2017年数据泄露情势变得更加复杂,已经成为“安全不能承受之重”.据金雅拓（Gemalto）发布的《2017年上半年数据泄露水平指数报告》统计,仅2017年上半年的数据泄露情况已令2016年黯然失色,即仅上半年被盗的数据量就已超过2016年全年被盗数据总量.比较美国威瑞森电信公司（Verizon）《2016年数据泄露报告》和《2017年数据泄露报告》（DBIR）发现,不但数据泄露事件涉及的国家数量增加,而且数据泄露事件数量也出现“雪崩式”增长.虽然越来越多的人已经意识到数据泄露风险并主动寻求规避,然而不断被曝光的数据泄露事件带来的影响、经济损失及其背后的原因等课题,值得探究.     

工业控制系统网络安全防护对策

工控系统网络化的实现是指工业控制与企业网络管理相关联,打造多场景、多维度的数据驱动机制,打破信息孤岛问题。从网络系统运行模式而言,控制系统的联网运行也将受到网络风险因素的影响,造成数据泄露问题。基于此,文章指出工业控制系统网络中的安全风险,分析工业控制系统网络安全防护内容,并对安全防护对策进行研究。     

面向制造大数据的安全存储交换技术

为解决制造大数据的安全存储和交换问题,提出一种面向制造大数据的存储交换模式,重点分析了制造大数据在存储和交换时的安全风险,提出一种面向制造大数据的安全存储交换模式。使用可搜索加密技术、基于属性的访问控制技术和进程度量方法等关键技术解决数据存储和交换时的泄露风险,并总结分析了这些关键技术的现状和不足,展望未来发展。     

社交网络用户隐私泄露量化评估方法

社交网络用户隐私泄露的量化评估有利于帮助用户了解个人隐私泄露状况,提高公众隐私保护和防范意识,同时也能为个性化隐私保护方法的设计提供依据.针对目前隐私量化评估方法主要用于评估隐私保护方法的保护效果,无法有效评估社交网络用户的隐私泄露风险的问题,提出了一种社交网络用户隐私泄露量化评估方法.基于用户隐私偏好矩阵,利用皮尔逊相似度计算用户主观属性敏感性,然后取均值得到客观属性敏感性;采用属性识别方法推测用户隐私属性,并利用信息熵计算属性公开性;通过转移概率和用户重要性估计用户数据的可见范围,计算数据可见性;综合属性敏感性、属性公开性和数据可见性计算隐私评分,对隐私泄露风险进行细粒度的个性化评估,同时考虑时间因素,支持用户隐私泄露状况的动态评估,为社交网络用户了解隐私泄露状况、针对性地进行个性化隐私保护提供支持.在新浪微博数据上的实验结果表明,所提方法能够有效地对用户的隐私泄露状况进行量化评估.     

基于Qt的工业互联网数据管理平台开发及信息保护设计

工业互联网数据管理平台能够对通过网络流动的工业数据进行便捷而又高效的管理和分析,是工业互联网建设中的重要一环,但也正因为它提供了便捷的数据管理通道,才使得它具有更高的数据泄露风险和安全需求.针对这一问题,本文基于中国移动OneNET平台,设计了一套工业互联网数据管理平台,通过对数据信息进行分类保护,对用户进行分级限制数据交互的方法,在能够满足管理需求的情况下尽量降低数据信息的泄露和破坏风险,在一定程度上提高了工业互联网数据信息的安全性.     

一种基于矩阵计算的数据开放隐私泄露评估方法

大数据时代,数据开放过程中的隐私保护研究是重要的研究领域之一。现有的隐私保护研究致力于对数据中的敏感信息进行匿名化、添加噪音、扰动等处理以保护隐私,但在一些数据使用场景下要求使用原始数据。在这种情境下对数据开放带来的隐私泄露风险进行评估,就显得尤为重要。在对现有隐私保护研究进行总结的基础上,提出一种基于矩阵计算的隐私泄露评估方法,为支持数据开放提供了有力保障。     

个人信息安全保障能力建设研究

在互联网、大数据时代背景下,迅速发展的大数据信息系统对个人信息保护的要求不断提高,安全事件频发,从法律法规层面将个人信息保护提升到一个前所未有的高度。从个人信息泄露造成影响的现状出发,深入分析了个人信息的泄露源、泄露风险、泄露原因、泄露方式和泄露渠道。最后在各个方向上提出了对个人信息保护的解决措施,以纵深防护的思想让恶意人员无法获取个人信息、无法使用个人信息和无法逃脱法律惩戒。为加强信息系统个人信息保护能力提供参考。     

基于区块链技术架构的隐私泄露风险评估方法

区块链技术的广泛应用导致其隐私泄露问题日益严重。为有效评估区块链技术存在的隐私泄露风险,从区块链技术架构的角度,通过基于博弈的方法对攻击进行量化,提出一种区块链隐私泄露风险评估方法。考虑用户对区块链技术架构层中各攻击的敏感性程度不同,构建用户敏感度矩阵,分别计算主观敏感度与客观敏感度。利用区块链诚实用户与恶意攻击者之间的策略交互过程构建不完全信息静态贝叶斯博弈模型,通过双方的期望收益定义风险影响性与可能性,从而得到基于区块链技术架构层的风险评估分数以及整个区块链的隐私泄露风险评估分数。在此基础上,利用Sigmoid函数对风险评估分数进行正则化处理并根据风险指数判断隐私泄露的风险等级,将隐私泄露分为风险可忽略、风险适中以及风险异常3种状态。实验结果表明,该方法能够有效评估区块链隐私泄露风险情况,指导用户进行多层次、有针对性的隐私保护。     

基于水印与属性筛选的用电数据泄露溯源方法

用电数据涉及客户隐私,在分发共享过程中存在泄露风险,数字水印是实现泄露溯源追责的有效手段。而水印植入将导致数据偏移,影响数据分析可用性,且部分数据泄漏时溯源效果不够理想。本文提出一种基于子水印和属性筛选的用电数据泄露溯源算法WRTA,该方法通过利用信息增益率和基尼系数计算数据属性的重要程度,通过密钥和主键随机选择非重要属性来构建子水印,并且兼顾数据分析可用性和安全性,实现部分数据泄露的溯源。     

基于云计算的气象数据信息安全技术研究

0引言气象业务数据在并行处理中对处理器、存储技术提出更高要求,而传统的分布式数据存储与网络服务,已经难以满足气象业务数据的快速处理。云计算是基于现代高速计算及海量存储基础上,通过云数据库方式来实现并行处理。由于气象数据本身的特殊性,在进行云计算过程中,容易受到泄露风险。如云端存储系统中用户数据在不同访问权限、不同用户的认证中一旦被仿冒,就会带来敏感数据的泄露。利用分发     

Enterprise reputation threats on social media: A case of data breach framing

Reputation threats on social media in the aftermath of a data breach is a critical concern to enterprises. We argue that any effort to minimize reputation threats will require an orderly assessment of how reputation threat manifests on social media. Drawing on crisis communication and social media literature, we analyze Twitter postings related to the 2014 Home Depot data breach. We identify a taxonomy of data breach frames and sub-frames and the related reputation threats as manifested by data breach responsibility-attributions and negative emotional responses. Results indicate that reputation threats vary for intentional, accidental, and victim data breach frames. Based on crisis stage theory, we also analyze the dynamics of evolving reputation threats as data breach situation unfolds on social media. Results suggest that the data breach frames and associated reputation threats vary across the crisis stages. Further, intentional and accidental frames increase subsequent responsibility-attributions and negative emotions. Tweets with responsibility-attributions further increase the subsequent generation of reputation-threatening tweets. Negative emotions, particularly anger and disgust, also increase subsequent reputation threats. Our study has implications for enterprise reputation management and word-of-mouth literature. The results yield valuable insights that can guide enterprise strategy for social media reputation management and post data breach intervention.     

Earthquake-induced landslide dam in the Kashmir Himalayas

The Kashmir earthquake of 2005 triggered numerous landslides in inaccessible areas of the western Himalayas, which could be mapped using satellite remote sensing. The largest recorded seismicity-induced landslide dammed a river, which resulted in the formation of a stream in the toe region and created two reservoirs that pose an enormous threat in the event of a landslide dam breach. Using Advanced Spaceborne Thermal Emission and Reflection Radiometer (ASTER) data sets corresponding to the pre- and post-earthquake period and derived digital elevation models, landslide-induced lakes were monitored. The aerial extent, depth profile and volume of both the reservoirs were determined. This study has demonstrated the utility of ASTER data in providing valuable information that is critical for hazard mitigation in case of a landslide dam breach.     

Organizational Data Breach: Building Conscious Care Behavior in Incident Response

Organizational and end user data breaches are highly implicated by the role of information security conscious care behavior in respective incident responses. This research study draws upon the literature in the areas of information security, incident response, theory of planned behaviour, and protection motivation theory to expand and empirically validate a modified framework of information security conscious care behaviour formation. The applicability of the theoretical framework is shown through a case study labelled as a cyber-attack of unprecedented scale and sophistication in Singapore’s history to-date, the 2018 SingHealth data breach. The single in-depth case study observed information security awareness, policy, experience, attitude, subjective norms, perceived behavioral control, threat appraisal and self-efficacy as emerging prominently in the framework’s applicability in incident handling. The data analysis did not support threat severity relationship with conscious care behaviour. The findings from the above-mentioned observations are presented as possible key drivers in the shaping information security conscious care behaviour in real-world cyber incident management.     

Market Price Effects of Data Security Breaches

ABSTRACT

This study examines the impact of reported breaches in computer security using event study analysis. We use the event-study methodology to measure the magnitude of the effect of data security breach events on the behavior of stock markets. Our data come from security breaches spanning a ten-year period and involving various industries. The findings of the study suggest that there exist abnormal negative stock price returns following the announcement of a breach. Such abnormal negative returns persist over the next several years. Moreover, the source of data breach may moderate the price effect; the market tends to punish more heavily those compromises that could have been avoided with reasonable precautions by the breached company.     

数据库信息安全网关的设计与实现

数据审计作为信息系统审计的重要组成部分,对信息安全具有十分重要的意义。该文通过比较不同的数据库审计机制,并结合具体应用的需求,设计实现了基于Oracle数据库的信息安全网关,为实现数据库安全的实时监控和事后监察提出了完整的解决方案,以此实施"既信任又验证"的信息化企业安全原则。     

DATA BREACH MANAGEMENT: AN INTEGRATED RISK MODEL

In response to organizations’ increasing vulnerability to data breaches, we present an integrated risk model for data breach management based on a systematic review of the literature. Theoretically, the study extends the body of knowledge on data breach management by identifying and updating conceptualizations of data breach risks (items) and resolutions (actions) and by providing a foundation for organizational responses to emerging data breach incidents (heuristics). Practically, the study provides key insights that practitioners can use to organize and orchestrate effective data breach management based on comprehensive profiles of risk items and resolution techniques.     

数值型敏感属性的近邻泄露保护方法研究*

针对在发布数值型敏感属性数据时,因同一分组中个体的敏感属性值之间过小的差异而导致攻击者可以较高的概率以及较小的误差推导出目标个体的敏感信息,从而出现近邻泄露问题,提出了一种有效的防止近邻泄露的模型:(εp,l)-anonymity。该模型根据不同的敏感属性值区间设置不同的阈值εi(1≤i≤p)控制敏感属性值之间的相似度,并采用有损链接的方法对隐私数据进行保护。实验结果表明,该方法可以明显减少近邻泄露,提高信息可用性,增强数据发布的安全性。     

Risk-neutral evaluation of information security investment on data centers

Based on given data center network topology and risk-neutral management, this work proposes a simple but efficient probability-based model to calculate the probability of insecurity of each protected resource and the optimal investment on each security protection device when a data center is under security breach. We present two algorithms that calculate the probability of threat and the optimal investment for data center security respectively. Based on the insecurity flow model (Moskowitz and Kang 1997) of analyzing security violations, we first model data center topology using two basic components, namely resources and filters, where resources represent the protected resources and filters represent the security protection devices. Four basic patterns are then identified as the building blocks for the first algorithm, called Accumulative Probability of Insecurity, to calculate the accumulative probability of realized threat (insecurity) on each resource. To calculate the optimal security investment, a risk-neutral based algorithm, called Optimal Security Investment, which maximizes the total expected net benefit is then proposed. Numerical simulations show that the proposed approach coincides with Gordon’s (Gordon and Loeb, ACM Transactions on Information and Systems Security 5(4):438–457, 2002) single-system analytical model. In addition, numerical results on two common data center topologies are analyzed and compared to demonstrate the effectiveness of the proposed approach. The technique proposed here can be used to facilitate the analysis and design of more secured data centers.     

Antecedents and consequences of data breaches: A systematic review

Research on data breaches is scattered across disciplines and methodologies. To help consolidate it, we review 43 articles on data breaches’ antecedents and 83 on their consequences. We find eight different categories each for antecedents and consequences. Most research is empirical-quantitative and employs an organizational unit of analysis. Theoretical lenses discovered range from a data breach as organizational crisis to criminological and privacy-specific theories. Our review provides researchers and practitioners with a synthesis of extant research and elaborates on future implications for data breach literature.     

Saudi cloud infrastructure: a security analysis

The growing demand and dependence upon cloud services have garnered an increasing level of threat to user data and security. Some of such critical web and cloud platforms have become constant targets for persistent malicious attacks that attempt to breach security protocol and access user data and information in an unauthorized manner. While some of such security compromises may result from insider data and access leaks, a substantial proportion continues to remain attributed to security flaws that may exist within the core web technologies with which such critical infrastructure and services are developed. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study that covers some 70 public domain web and cloud platforms within Saudi Arabia. Additionally, the major sources of security vulnerabilities within the target platforms as well as the major factors that drive and influence them are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws within such critical infrastructure by implementation with automated security auditing and manual static code analysis. The work also proposes some effective approaches, both automated and manual, through which security can be ensured through-out the SDLC and safeguard user data integrity within the cloud.