Similar literature
20 similar documents found; search time 31 ms
1.
Abstract

Because end users are often the weakest link in a security chain, students need to practice security controls properly to improve information security on campus. This study surveyed undergraduate students in a business college to investigate their understanding and attitudes toward information security. Survey findings show that college students understand most information security topics suggested by National Institute of Standards and Technology (NIST) Special Report 800-50. Universities should provide easily accessible security training programs for students. Practical suggestions are provided to encourage students to participate in security training to enhance their security awareness level.

2.
Context: Security in Process-Aware Information Systems (PAIS) has gained increased attention in current research and practice. However, a common understanding and agreement on security is still missing. In addition, the proliferation of literature makes it cumbersome to overlook and determine state of the art and further to identify research challenges and gaps. In summary, a comprehensive and systematic overview of state of the art in research and practice in the area of security in PAIS is missing. Objective: This paper investigates research on security in PAIS and aims at establishing a common understanding of terminology in this context. Further it investigates which security controls are currently applied in PAIS. Method: A systematic literature review is conducted in order to classify and define security and security controls in PAIS. From initially 424 papers, we selected in total 275 publications that related to security and PAIS between 1993 and 2012. Furthermore, we analyzed and categorized the papers using a systematic mapping approach which resulted into 5 categories and 12 security controls. Results: In literature, security in PAIS often centers on specific (security) aspects such as security policies, security requirements, authorization and access control mechanisms, or inter-organizational scenarios. In addition, we identified 12 security controls in the area of security concepts, authorization and access control, applications, verification, and failure handling in PAIS. Based on the results, open research challenges and gaps are identified and discussed with respect to possible solutions. Conclusion: This survey provides a comprehensive review of current security practice in PAIS and shows that security in PAIS is a challenging interdisciplinary research field that assembles research methods and principles from security and PAIS. We show that state of the art provides a rich set of methods such as access control models but still several open research challenges remain.

3.
ABSTRACT

In this paper we present the information security awareness rate of students in Kyrgyz Republic, where there is a rapid pace of formation and development of the information society. The survey was conducted with a sample of 172 students from different departments of the university. Our research study showed that despite the huge number of reports about computer crimes in the web, the knowledge about cybercrime is quite low and students are mostly not aware of many aspects of computer crime. Analysis was done to determine dependence of information security awareness rate on computer literacy rate and the education field of students. We conclude that although information technology is of wide usage, the information security topics need to be taught to prevent them from becoming victims of cyber crime.

4.
ABSTRACT

Information security culture develops in an organization due to certain actions taken by the organization. Management implements information security components, such as policies and technical security measures with which employees interact and that they include in their working procedures. Employees develop certain perceptions and exhibit behavior, such as the reporting of security incidents or sharing of passwords, which could either contribute or be a threat to the securing of information assets. To inculcate an acceptable level of information security culture, the organization must govern information security effectively by implementing all the required information security components. This article evaluates four approaches towards information security governance frameworks in order to arrive at a complete list of information security components. The information security components are used to compile a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective, thereby minimising risk and cultivating an acceptable level of information security culture.

5.
ABSTRACT

Despite strong recommendations by scholars to establish Information Security Culture (ISC), the lack of ISC guidelines persists, particularly in aspects that could effectively improve employees’ security behavior in an organization. This study proposes an ISC model based on seven new formulated dimensions to examine its influence on employees’ Information Security Policy (ISP) compliance behavior. The dimensions represent specific aspects of ISC and were formulated based on widely accepted concepts of Organizational Culture and ISC. The model was tested at 19 out of 21 public universities in Malaysia and validated using Partial Least Square Structural Equation Modelling (PLS-SEM). Findings revealed all seven dimensions are significant in contributing to the underlying concept of ISC, with Information Security Knowledge being the most important dimension. This ISC concept was also found to be significant in influencing ISP compliance behavior. This study contributes to ISC literature in terms of conceptualization and operationalization of an ISC concept based on the new comprehensive dimensions in relation to ISP compliance behavior. The model could be employed by practitioners in assessing, improving and cultivating a positive ISC that would effectively influence employees’ security behavior in higher educational institutions.

6.
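At present, ensuring network information security is a prerequisite for advancing information management and occupies a pivotal position in computer network information management. Drawing on the author's own work experience, this paper describes the concept and classification of network information security management, analyzes current network information security problems, and on that basis proposes countermeasures for further strengthening information management, in the hope of offering a reference for peers in the field.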

7.
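Network security situation awareness is a new direction in the development of network security monitoring technology, and grasping the network security situation is of great significance for network security. Building on existing research on the data cube model, this paper proposes a network security situation awareness model based on the stream cube model, to describe and abstract the multidimensional analysis structures involved in network security situation awareness, and analyzes the network security situation starting from the data characteristics of network security event statistics data streams. Model instances based on three data characteristics (frequency, trend and entropy) are given. Using the relationship between cells at adjacent levels of the stream cube, it is proved that for these three data characteristics only the characteristics of the bottom-level cells need to be computed from the raw data, while the characteristics of upper-level cells can be obtained directly by operations on the bottom-level characteristics, thereby achieving efficient computation. The construction of a practical application system and test experiments using network security data demonstrate the effectiveness of the proposed model and method.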

8.
ABSTRACT

The transmission and storage of information in digital form coupled with the widespread proliferation of networked computers has created new issues for policy. An indispensable business tool and knowledge-sharing device, the networked computer is not without vulnerability, including the disruption of service and the theft, manipulation, and destruction of electronic data. This paper seeks to identify frame analysis of the security of information resources. Historical review of security issues presented by electronic communication since the inception of the telegraph is conducted so as to produce salient points for study regarding the security of more recently developed computer networks. The authors aim to inform the blossoming area of study falling under the label information security with a primer on the key pieces of what may be considered a theory of digital statecraft, drawing back to the nineteenth century.

9.
ABSTRACT

While reading online forums and frequently asked questions (FAQs) pertaining to network security, inevitably one of the questions asked is “Is my network secure?” The typical answer is that one can never be completely certain that all security measures have been taken to protect a network from intruders. While this may be true, there are ways to increase the confidence of network administrators with regards to protecting the data and resources entrusted to them. This paper will present a strategy that, if implemented, will improve confidence that all necessary precautions in establishing a secure network have been taken.

10.
ABSTRACT

This study examines the impact of reported breaches in computer security using event study analysis. We use the event-study methodology to measure the magnitude of the effect of data security breach events on the behavior of stock markets. Our data come from security breaches spanning a ten-year period and involving various industries. The findings of the study suggest that there exist abnormal negative stock price returns following the announcement of a breach. Such abnormal negative returns persist over the next several years. Moreover, the source of data breach may moderate the price effect; the market tends to punish more heavily those compromises that could have been avoided with reasonable precautions by the breached company.

11.
This study analyzes the determinants of information security that influence the adoption of Web-based integrated information systems (IIS) by government agencies in Peru. The study introduces Web-based information systems designed to formulate strategic plans for the Peruvian government. A theoretical model is proposed to test the impact of organizational factors such as deterrent efforts, severity efforts, and preventive efforts and individual factors such as perceived information security threats and security awareness on intentions to use Web-based IIS. The empirical results indicate that deterrent efforts and deterrent severity have no significant influence on use intentions of IIS, whereas preventive efforts play an important role in such intentions. Information security awareness and perceived information security threats as individual factors have a significant effect on intentions to use the system. This suggests that organizations should implement preventive efforts by introducing various information security solutions, and improve information security awareness while reducing perceived information security threats.

12.
ABSTRACT

The application of behavioural threshold analysis to analyse group behaviour in information security presents a unique challenge in terms of the measurement instruments and methodology used to gather relevant attitude data. This paper presents an analysis of the specialised requirements for such a measurement instrument and makes methodological recommendations on the content and especially presentation of information security topics in a measurement instrument for this context. A comparison between existing methods and the specific requirements for threshold analysis is presented and serves as the main rationale for the suggested methodology. The recommended methodology and subsequent measurement instrument were implemented and experimentally tested in case studies to gauge their feasibility. Applications of behavioural threshold analysis in information security that follow the recommended methodology suggested in this article performed satisfactorily and elicit cause for further real-world experimentation.

13.
Model‐based security testing relies on models to test whether a software system meets its security requirements. It is an active research field of high relevance for industrial applications, with many approaches and notable results published in recent years. This article provides a taxonomy for model‐based security testing approaches. It comprises filter criteria (i.e. model of system security, security model of the environment and explicit test selection criteria) as well as evidence criteria (i.e. maturity of evaluated system, evidence measures and evidence level). The taxonomy is based on a comprehensive analysis of existing classification schemes for model‐based testing and security testing. To demonstrate its adequacy, 119 publications on model‐based security testing are systematically extracted from the five most relevant digital libraries by three researchers and classified according to the defined filter and evidence criteria. On the basis of the classified publications, the article provides an overview of the state of the art in model‐based security testing and discusses promising research directions with regard to security properties, coverage criteria and the feasibility and return on investment of model‐based security testing. Copyright © 2015 John Wiley & Sons, Ltd.

14.
Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in the information security chain, information security awareness with an objective to reduce information security risks that occur due to human related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users’ information security awareness and behaviour. There are a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that combined delivery methods are better than an individual security awareness delivery method.

15.
Context: Cloud computing is a thriving paradigm that supports an efficient way to provide IT services by introducing on-demand services and flexible computing resources. However, significant adoption of cloud services is being hindered by security issues that are inherent to this new paradigm. In previous work, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise’s strategy. Objective: Although a significant body of literature has started to build up related to security aspects of cloud computing, the literature fails to report on evidence and real applications of security governance frameworks designed for cloud computing environments. This paper introduces a detailed application of ISGCloud into a real life case study of a Spanish public organisation, which utilises a cloud storage service in a critical security deployment. Method: The empirical evaluation has followed a formal process, which includes the definition of research questions prior to the framework’s application. We describe the ISGcloud process and attempt to answer these questions gathering results through direct observation and from interviews with related personnel. Results: The novelty of the paper is twofold: on the one hand, it presents one of the first applications, in the literature, of a cloud security governance framework to a real-life case study along with an empirical evaluation of the framework that proves its validity; on the other hand, it demonstrates the usefulness of the framework and its impact to the organisation. Conclusion: As discussed in the paper, the application of ISGCloud has resulted in the organisation in question achieving its security governance objectives, minimising the security risks of its storage service and increasing security awareness among its users.

16.
ABSTRACT

To protect the information assets of any organization, management must rely on accurate information security risk management. Management must assess the risk to the organization's assets, then develop information security strategies to reduce the risks. This assessment is difficult because of rapidly changing technology and new threats that are frequently being discovered. Research to address methods associated with information security risk management includes quantitative and qualitative methods. More comprehensive approaches combine both the quantitative and qualitative methods. This paper argues that current methods of information security assessment are flawed because management decisions regarding information security are often based on heuristics and optimistic perceptions.

17.
ABSTRACT

For each layer of information security there is a number of techniques and tools that can be used to ensure information superiority. Indeed some experts would argue that you cannot have the former without the latter. In today's technological & interconnected world, however, information superiority is very hard to achieve and almost impossible to maintain. This paper will argue that the art of deception is a reliable and cost effective technique that can assure the security of an infrastructure. The paper will conclude by presenting a technical solution of the above statement.

18.
Knowledge sharing plays an important role in the domain of information security, due to its positive effect on employees' information security awareness. It is acknowledged that security awareness is the most important factor that mitigates the risk of information security breaches in organizations. In this research, a model has been presented that shows how information security knowledge sharing (ISKS) forms and decreases the risk of information security incidents. The Motivation Theory and Theory of Planned Behavior besides Triandis model were applied as the theoretical backbone of the conceptual framework. The results of the data analysis showed that earning a reputation, and gaining promotion as an extrinsic motivation and curiosity satisfaction as an intrinsic motivation have positive effects on employees' attitude toward ISKS. However, self-worth satisfaction does not influence ISKS attitude. In addition, the findings revealed that attitude, perceived behavioral control, and subjective norms have positive effects on ISKS intention and ISKS intention affects ISKS behavior. The outcomes also showed that organizational support influences ISKS behavior more than trust. The results of this research should be of interest to academics and practitioners in the domain of information security.

19.
ABSTRACT

Organizations normally do not possess a way to communicate those needs back to the rest of an organization. This paper demonstrates that organizations are vigilant to activity within their environment, so this research project will focus on process improvement to better organizations through internal processes. Prior to this project, Company X was unable to communicate and address threats to their organization. Prior to this project, each employee was not trained on security. However, each employee understood the norms and values of company processes on an individual level. Each employee was able to contribute details of security issues as they perceived them to make a comprehensive security model. This Security Working Group (SWG) project describes the steps necessary to create a self-educating, self-perpetuating process that spurns co-generative learning among an entire organization. Security training prepared each employee to be more attentive to risks to potential security issues. The result of this research proves that employees can detect threats in an organization with relatively little training.

20.
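Information security protection means carrying out comprehensive detection and analysis of security vulnerabilities and formulating preventive measures and solutions based on the results; correctly configuring security systems such as firewalls, network antivirus software and intrusion detection systems, and establishing security authentication systems; and improving security management standards and mechanisms and conscientiously implementing security management rules, so as to strengthen awareness of security protection and ensure the secure operation of network information systems.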
