Similar literature
 20 similar documents found; search took 0 ms
1.
Enterprise information security strategies   Total citations: 1, self-citations: 1, citations by others: 0
Evan E.  Joobin   《Computers & Security》2008,27(1-2):22-29
Security decisions are made at every level of an organization and from diverse perspectives. At the tactical and operational levels of an organization, decision making focuses on the optimization of security resources, that is, an integrated combination of plans, personnel, procedures, guidelines and technology that minimize damages and losses. While these actions and tactics reduce the frequency and/or consequences of security breaches, they are bounded by the organization's global security budget. At the strategic, enterprise level management must answer the question, “What is the security budget (cost expenditures), where each dollar spent on security must be weighed against alternative non-security expenditures, that is justified by the foregone (prevented) losses and damages?” The answer to that question depends on the tolerances of decision makers for risk and the information employed to reach it.

2.
《微型机与应用》2019,(6):21-25
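The Cybersecurity Law of the People's Republic of China sets out explicit requirements for the inspection and assessment of critical information infrastructure, which is an important task for network operators. This paper analyzes the shortcomings of current critical information infrastructure inspection and assessment work and proposes a broadly applicable and extensible inspection and assessment strategy, providing effective support for network operators in carrying out critical information infrastructure security assurance.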

3.
4.
《Computers & Security》1988,7(5):455-465
Management is often rightfully dissatisfied with the performance of many information security efforts. After investment of considerable resources, and prolonged waiting for results, many efforts can demonstrate little if any significant improvement. This is largely due to a lack of planning. Many efforts lack explicitly articulated plans as well as specific performance milestones. Although many are loath to admit it, information security efforts at many organizations lack formal planning and performance monitoring. Management's dissatisfaction with information security is exemplified by the seriously inadequate staffing levels found at a large number of organizations. When management is convinced that information security is a prudent investment, they will respond with additional resources. This article examines why information security efforts are often ineffective and why more formal planning efforts can alleviate this condition. It discusses tools best used to prepare an action plan for information security and gives some tips on how to sell such a plan to management. Also discussed are organizational design, policies, standards, and guidelines and other elements of a foundation that is required if an effective information security planning process is to be sustained. The article dwells on the establishment of a context for effective information security planning.

5.
Recent studies suggest that the number of information security incidents has increased dramatically and has caused significant economic loss worldwide. Awareness of the significance of information security is evidenced by a rapid increase in information security investments. Despite the fact that information security has taken on a new level of importance, academic research on this subject is still in its infancy. A review of literature indicated that past studies largely took a resource based view, suggesting that organizations invest and develop a variety of IS resources so as to ease potential threats caused by information security breaches. However, the resource-based perspective as used in previous studies was somewhat limited. Based on and extending from previous work, this study employed the resource-based view as a theoretical lens to examine the role that IS resources play in determining the level of information security. A field study was conducted to test the hypotheses. The results of the model testing show that IT human, relational, and infrastructure resources have significant impacts on information security.

6.
ABSTRACT

The paper presents a generalized method for improving security of information systems based on protection of the systems from reconnaissance by adversaries. Attacks carried out by exploiting almost all vulnerabilities require particular information about the architecture and operating algorithms of an information system. Obstructions to obtaining that information also complicate carrying out attacks. Reconnaissance-protection methods can be utilized for establishing such systems (continuous change of attack surface). Practical implementation of the techniques demonstrated their high efficiency in reducing the risk of information resources being cracked or compromised.

7.
Information Systems Security (ISS) has constantly been ranked as a key concern for Information Systems (IS) managers. Research in the field has largely assumed rational choice (functional) approaches to managing ISS. Such approaches do not give due recognition to the role of improvisation in ISS work. Empirical evidence in organisations suggests that in the context of dynamic, volatile and uncertain environments practitioners are both rational and adaptive (a manifestation of improvisation). In this paper, we conceptualise and demonstrate the manifestation of improvisation in ISS. In order to develop a better understanding of improvisation in ISS activities, hermeneutical and exegetical techniques were employed. Empirical data were collected through in-depth interviews in a single case study. The data obtained were analysed and interpreted hermeneutically. Generally it was found that improvisation is manifested in ISS activities. Implications of these and other findings for the scholarly community and for practical use are discussed.

8.
The problem of information security in distributed information and telecommunication systems has been considered. The paper analyzes the sources of threats in such systems. Existing security mechanisms have been examined. The class of threats associated with the use of untrusted (including imported) equipment is considered separately. The architecture of a universal security platform for distributed information and communication systems has been proposed.

9.
In this paper, the need for identifying and analyzing the generic security characteristics of a healthcare information system is, first, demonstrated. The analysis of these characteristics is based upon a decision-support roadmap. The results from this profiling work are then analyzed in the light of the fact that more than 1000 accidental deaths happened due to computer system failures. As a result of this analysis, a set of recommendations is drawn up, leading to the development of a baseline security policy for healthcare institutions. Such a policy should be flexible enough to reflect the local needs, expectations and user requirements, as well as strict enough to comply with international recommendations. An example of such a baseline policy is then provided. The policy refers to a given security culture and has been based upon an abstract approach to the security needs of a healthcare institution.

10.
11.
Our research suggests an improved theoretical and conceptual foundation for analysing information systems security. We argue that an analysis of structures of responsibility in organizations leads to the development of secure information systems. The paper surveys the existing approaches to security and proposes an alternative perspective for viewing organizational and security issues.

12.
Inadequate security has left individuals and corporations more vulnerable to illegal activities such as computer fraud, telecommunications abuse, and the unauthorized disclosure, modification, or destruction of information. Computer crime is rising and estimates of financial losses due to computer abuse range into the billions of dollars.1 In the absence of more secure computer and networked systems, the number of system disruptions, intrusions into personal privacy, and incidences that result in economic and human losses will increase.

13.
Eirik  Jan 《Computers & Security》2009,28(6):476-490
Empirical findings from surveys and in-depth interviews with information security managers and users indicate that a digital divide exists between these groups in terms of their views on and experience of information security practices. Information security professionals mainly regard users as an information security threat, whereas users believe themselves that they are an untapped resource for security work. The limited interaction between users and information security managers results in a lack of understanding for the other's point of view. These divergent views on and interpretations of information security mean that managers tend to base their practical method on unrealistic assumptions, resulting in management approaches that are poorly aligned with the dynamics of the users' working day.

14.
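To improve the performance of automatic address configuration in mobile ad hoc networks, a stable and secure address configuration scheme is proposed, whose core idea is to perform security checks and address configuration through proxy nodes. First, the nodes in the network are grouped by geographic location. Then, a proxy-node selection factor is built from a stability factor and a trust degree, and one proxy node is selected from each node group. Next, the proxy node and the member nodes generate two sets of public/private key pairs, used for encryption and signing. Finally, the proxy node performs address configuration, using a temporary and permanent address pair for duplicate address detection, and resisting various attacks during configuration through encryption and signatures. Simulation results show that, under attack, the scheme has low address allocation delay and protocol overhead together with a high address allocation success rate.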

15.
The controls an organization places in its information systems are largely determined by its employees' thinking. Employee awareness of system vulnerabilities and the recognition that information is a strategically important organizational resource are two central ideas critical to effective information systems security thinking. For many years a military physical security environment has been the reference model (or a way of thinking) to which people refer when attempting to organize their thoughts about the complex systems security environment. While certainly still of use, this reference model has severely limited the thinking of those of us in the systems security field. This article defines both a new reference model with which people can view information systems security and several reasons why this new reference model should be adopted.

16.
韩志勇  王萍  倪勇  李先国 《计算机应用》2005,25(7):1565-1567
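In heterogeneous information systems, access control techniques and policies of appropriate strength are adopted to protect information. To share resources effectively between heterogeneous information systems, security policies must be coordinated across those systems. This paper presents a ticket-based security policy coordination model, describes it in a formal language, and completes the computation of ticket permissions.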

17.
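The Internet is an inseparable part of daily life; online transactions, online banking, and the electronic archives of organizations and enterprises all require network information to be secure and reliable. Yet networks today carry countless security risks and hacker attacks keep emerging, so how to protect network security by effective means is an important topic. This paper introduces the concept of network information security, analyzes the weaknesses of network security, and offers several suggestions for security protection.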

18.
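The importance of information security is receiving growing attention from the state and from enterprises. The emergence of specifications for classified protection of information security gives enterprises a good starting point for their information security work. For each information system, an enterprise should carry out its information security work as required from five aspects: grading, filing, security construction and rectification, and grade assessment. This not only satisfies the relevant national requirements but also allows work on both the technical and the management side, building an enterprise information security architecture and raising the enterprise's overall information security capability.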

19.
In this article we propose a new complementary approach to investigate Inter-Organizational Information Systems (IOIS) adoption called configuration analysis. We motivate the need for a new approach by the common observation that the structure and the strategy of an IOIS are interdependent and that the IOIS adoptions consequently cluster orderly. For example, an IOIS setup with a powerful customer as a hub and many suppliers as spokes frequently surfaces across diffusion studies. Yet, this fact has not been integrated into existing analyses, and its implications have not been fully developed. We propose that IOIS scholars need to look beyond the single adopting organization in IOIS adoption studies and in contrast consider adoption units what we call an adoption configuration. Each such configuration can be further characterized along the following dimensions: (1) vision, (2) key functionality, (3) mode of interaction, (4) structure and (5) mode of appropriation. In addition, these dimensions do not co-vary independently. For example, a particular organizing vision assumes a specific inter-organizational structure. A typology of IOIS configurations for adoption analysis is laid out consisting of dyadic, hub and spoke, industry and community configurations. Specific forms of adoption analysis are suggested for each type of configuration. Overall, configuration analysis redirects IOIS adoption studies both at the theoretical and the methodological level, and a corresponding research agenda is sketched.

20.
Anomaly detection of the robot system behavior is one of the important components of the information security control. In order to control robots equipped with many sensors it is difficult to apply the well-known Mahalanobis distance which allows us to analyze the current state of the sensors. Therefore, the Siamese neural network is proposed to intellectually support the security control. The Siamese network simplifies the anomaly detection of the robot system and realizes a non-linear analogue of the Mahalanobis distance. This peculiarity allows us to take into account complex data structures received from the robot sensors.
