Similar literature
 Found 20 similar documents; search took 31 ms
1.
ABSTRACT

Information security culture develops in an organization due to certain actions taken by the organization. Management implements information security components, such as policies and technical security measures with which employees interact and that they include in their working procedures. Employees develop certain perceptions and exhibit behavior, such as the reporting of security incidents or sharing of passwords, which could either contribute or be a threat to the securing of information assets. To inculcate an acceptable level of information security culture, the organization must govern information security effectively by implementing all the required information security components. This article evaluates four approaches towards information security governance frameworks in order to arrive at a complete list of information security components. The information security components are used to compile a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective, thereby minimising risk and cultivating an acceptable level of information security culture.

2.
ABSTRACT

In this paper we present the information security awareness rate of students in Kyrgyz Republic, where there is a rapid pace of formation and development of the information society. The survey was conducted with a sample of 172 students from different departments of the university. Our research study showed that despite the huge number of reports about computer crimes in the web, the knowledge about cybercrime is quite low and students are mostly not aware of many aspects of computer crime. Analysis was done to determine dependence of information security awareness rate on computer literacy rate and the education field of students. We conclude that although information technology is of wide usage, the information security topics need to be taught to prevent them from becoming victims of cyber crime.

3.
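Based on a survey concerning the undergraduate training program for the information security major at Hunan University, an analysis is carried out from four directions: universities at home and abroad, external experts, the department's teaching staff, and the department's students. To address the problems found, and building on extensive existing experience and results from university-enterprise cooperation, the current undergraduate training program for the information security major is improved, with joint university-enterprise training as its distinguishing feature.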

4.
ABSTRACT

The aim of this survey is largely exploratory, namely, to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue and to have a better understanding of the reasons why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern has emerged from the content analysis (e.g., terminology ambiguity), and the chosen publications were classified based on it. The paper identifies ambiguous aspects of current security awareness approaches and the proposed classification provides a guide to identify the range of options available to researchers and practitioners when they design their research and practice on information security awareness.

5.
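Analysis and formation of college students' information security literacy   Total citations: 2, self-citations: 0, citations by others: 2
Liu Feng. Computer Education (计算机教育), 2010, (21): 77-80
In response to the current lack of information security literacy among college students, this paper analyzes and discusses, from the perspective of social engineering, measures and methods for developing college students' information security literacy. Practice has confirmed that good results were achieved in cultivating college students' information security literacy.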

6.
ABSTRACT

Organizations normally do not possess a way to communicate those needs back to the rest of an organization. This paper demonstrates that organizations are vigilant to activity within their environment, so this research project will focus on process improvement to better organizations through internal processes. Prior to this project, Company X was unable to communicate and address threats to their organization. Prior to this project, each employee was not trained on security. However, each employee understood the norms and values of company processes on an individual level. Each employee was able to contribute details of security issues as they perceived them to make a comprehensive security model. This Security Working Group (SWG) project describes the steps necessary to create a self-educating, self-perpetuating process that spurns co-generative learning among an entire organization. Security training prepared each employee to be more attentive to risks to potential security issues. The result of this research proves that employees can detect threats in an organization with relatively little training.

7.
ABSTRACT

To protect the information assets of any organization, management must rely on accurate information security risk management. Management must assess the risk to the organization's assets then develop information security strategies to reduce the risks. This assessment is difficult because of rapidly changing technology and new threats that are frequently being discovered. Research to address methods associated with information security risk management includes quantitative and qualitative methods. More comprehensive approaches combine both the quantitative and qualitative methods. This paper argues that current methods of information security assessment are flawed because management decisions regarding information security are often based on heuristics and optimistic perceptions.

8.
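Analyzes the characteristics of the information security major; discusses problems in training information security professionals at teaching-and-research universities, such as graduates' profiles not being distinctive enough, insufficient hands-on ability, incomplete knowledge, and no guaranteed time for self-directed study; and, in light of the characteristics of the major and the circumstances of teaching-and-research universities, proposes optimization measures such as strengthening students' practical ability, optimizing the curriculum, and improving teacher quality. These measures have been put into practice at the authors' university and have been fairly effective in solving the problems that exist at teaching-and-research universities.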

9.
Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in the information security chain, information security awareness with an objective to reduce information security risks that occur due to human related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users’ information security awareness and behaviour. There is a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that combined delivery methods are better than an individual security awareness delivery method.

10.
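This paper aims to identify effective measures for improving the quality of information security laboratory teaching in undergraduate information security programs. It describes how to manage an information security laboratory scientifically, and also elaborates on reforms to the approach to laboratory teaching, its content and methods, and the cultivation of innovative talent.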

11.
ABSTRACT

The objective of a financial audit is to detect any “material” misstatement in financial records and reports. On the surface, that objective seems to be unrelated to information security. The relationship between the two sets of activities may also seem to be insignificant. In fact, there is a significant relationship and one that is mutually beneficial. Entities that are subject to financial audits and employ best practices of information security should improve the efficiency and effectiveness of the financial audit. It is also possible that the financial audit of such an entity would uncover any existing relevant gaps in the entity's application of information security best practices which, when remediated, should improve the effectiveness of information security function.

12.
ABSTRACT

It is becoming clear that the underground hacking industry as a whole (not just individual hackers) is continually gaining ground despite the best efforts of the information security industry. It seems the latter should have an overwhelming advantage, as a multibillion dollar industry staffed with hundreds of thousands of security professionals. However, the efforts of the information security industry are almost always reactive, and in most cases amount to losing ground on the defensive. The unfortunate and seldom acknowledged truth is that the underground hacking industry is always one step ahead. Why are we so slow to respond when all evidence indicates that such delays lead to enormous business losses? Is it possible that the fundamental way our information system security is organized has some inherited deficiencies which are prohibiting us from successfully mounting an effective defense?

Today's losses are becoming too great to say that we are just in need of some evolutionary improvements. Instead, we need to reevaluate the way we go about security business as a whole. In this article, we consider various processes common to both information systems and information system security based on both well-known cases and personal experience. This is our initial attempt to analyze how information system security is organized and to suggest some core changes to its processes.

13.
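Starting from the idea of improving students' vocational ability, with the training of highly qualified, skilled personnel as the goal and teaching reform and curriculum system design as the guide, the information security curriculum is integrated and optimized, a new training scheme is constructed, and the teaching content is effectively explored, with a view to improving the quality of training for information security professionals.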

14.
ABSTRACT

For each layer of information security there is a number of techniques and tools that can be used to ensure information superiority. Indeed some experts would argue that you cannot have the former without the latter. In today's technological & interconnected world, however, information superiority is very hard to achieve and almost impossible to maintain. This paper will argue that the art of deception is a reliable and cost effective technique that can assure the security of an infrastructure. The paper will conclude by presenting a technical solution of the above statement.

15.
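Public security (police) education is an important part of China's higher education and bears the task of training highly qualified specialists for public security work. New media, with its rich resources and rapid dissemination of information, has become a new platform for university students to study and communicate. This paper focuses on the significant influence of new media technology on the ideological and political education of students at public security colleges, and notes that it also places new requirements on ideological and political education work at public security colleges in the new media environment.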

16.
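Teaching research on the "Information Hiding" course in the information security major   Total citations: 1, self-citations: 1, citations by others: 0
Information hiding is an interdisciplinary field between signal processing and information security, and plays an important role in network information security and military secrecy. This paper first analyzes the position and role of the "Information Hiding" course within the information security curriculum; then, on the basis of relevant surveys, determines the teaching content of the course; and, drawing on teaching practice, describes the exploration and practice carried out in classroom teaching, laboratory teaching and other aspects of the course.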

17.
ABSTRACT

Data security is a primary concern for the enterprise moving data to cloud. This study attempts to match the data of different values with the different security management strategies from the perspective of the enterprise user. With the help of core ideas on data value evaluation in information lifecycle management, this study extracts usage features and user features from the operating data of the enterprise information system, and applies K-means to cluster the data according to its value. A total of 39,348 records of logon log and 120 records of users from the information system of a ship-fitting manufacturer in China were collected for an empirical study. The functional modules of the manufacturer’s information system are divided into five classes according to their value, which is proven reasonable by the discriminant function obtained via discriminant analysis. The differentiated data security management strategies on cloud computing are formulated for a case study with five types of data to enhance the enterprise’s active cloud computing data security defense.

18.
ABSTRACT

The application of behavioural threshold analysis to analyse group behaviour in information security presents a unique challenge in terms of the measurement instruments and methodology used to gather relevant attitude data. This paper presents an analysis of the specialised requirements for such a measurement instrument and makes methodological recommendations on the content and especially presentation of information security topics in a measurement instrument for this context. A comparison between existing methods and the specific requirements for threshold analysis is presented and serves as the main rationale for the suggested methodology. The recommended methodology and subsequent measurement instrument were implemented and experimentally tested in case studies to gauge their feasibility. Applications of behavioural threshold analysis in information security that follow the recommended methodology suggested in this article performed satisfactorily and elicit cause for further real-world experimentation.

19.
ABSTRACT

The transmission and storage of information in digital form coupled with the widespread proliferation of networked computers has created new issues for policy. An indispensable business tool and knowledge-sharing device, the networked computer is not without vulnerability, including the disruption of service and the theft, manipulation, and destruction of electronic data. This paper seeks to identify frame analysis of the security of information resources. Historical review of security issues presented by electronic communication since the inception of the telegraph is conducted so as to produce salient points for study regarding the security of more recently developed computer networks. The authors aim to inform the blossoming area of study falling under the label information security with a primer on the key pieces of what may be considered a theory of digital statecraft, drawing back to the nineteenth century.

20.
ABSTRACT

Business security and threat actors continue to play a dangerous cat-and-mouse game with businesses' intellectual property, customer data, and business reputations at stake. Businesses need to delve into a new way of doing business security to break out of this game. Businesses are sitting on repositories full of security-relevant data that is not being capitalized upon with the current information security and physical security organizations within businesses. This article poses the introduction of a data scientist role and a new supporting central data correlation technology platform based on big data predictive analytics into business security functions. The goal is to intelligently and autonomously identify, correlate and pinpoint normally innocuous or unnoticed security event attributes to allow security personnel to preemptively remediate physical and information risks before exploitation or loss of intellectual property occurs.
