Selecting An EDP System For Audit

Abstract

In spite of an ambiguous standard with regard to definition, spyware is one of the most challenging problems confronting the information technology (IT) community in terms of privacy violations. This problem is magnified in the business arena. Despite the increasing technical endeavors made toward spyware mitigation, no panacea exists for spyware control and management, which is now becoming a serious business strategic issue. This article focuses on the vicious side of spyware. A framework is proposed to identify five involved parties for spyware management and control along with respective recommendations to cope with spyware pervasion.     

Spyware & Adware: the Risks facing Businesses

Spyware is the term for a category of malicious software that affects privacy and confidentiality a lot more than viruses and other types of malicious software. The risks to business from viruses, and associated countermeasures are relatively well understood and discussed. However, whilst there is an overlap between the issues presented by viruses and spyware, this article focuses specifically on the issues associated with spyware, and the related categories of malicious software known as adware. It defines the terms used and describes the nature of the problem, what the security risks and issues are and what actions need to be taken by corporate IT Security Management and individuals to combat them. Whilst primarily aimed at the corporate audience, this white paper will also be useful to individuals. Indeed the issues facing individuals will need to be appreciated by corporations delivering E-commerce services.     

Minimizing security risks in ubicomp systems

In the Internet's early days, few people foresaw the emergence of spam, phishing schemes, and malware such as viruses, worms, Trojan horses, spyware, and key loggers that plague users today. It's safe to assume that ubicomp technologies will suffer from the same sorts of unforeseen vulnerabilities that have plagued the Internet. We can't account for every possible security and privacy risk in ubiquitous computing systems. We can, however, design such systems to reduce the burden on users as well as develop better security models and interaction techniques to prevent and minimize foreseeable threats.     

Fighting Spyware and Adware in the Enterprise

Abstract

While obvious security threats like fast-spreading worms have a tendency to garner news headlines, other stealthy security risks threaten businesses every day. Increasing amounts of spyware and adware programs have the ability to facilitate the disclosure of business information and risk privacy, confidentiality, integrity, and system availability. Corporations usually accumulate a vault of information that could cause serious problems if it were shared with the wrong contacts or, even worse, taken. Spyware's evolution from simple cookies to a range of sophisticated user-tracking systems has left many businesses without the control over their proprietary data and operations.     

Obstacles Experienced by Care Managers in Managing Information for the Care of Chronically Ill Patients

ABSTRACT

Care managers play a key role in coordinating care, especially for patients with chronic conditions. They use multiple health information technology (IT) applications in order to access, process, and communicate patient-related information. Using the work system model and its extension, the Systems Engineering Initiative for Patient Safety (SEIPS) model, we describe obstacles experienced by care managers in managing patient-related information. A web-based questionnaire was used to collect data from 80 care managers (61% response rate) located in clinics, hospitals, and a call center. Care managers were more likely to consider “inefficiencies in access to patient-related information” and “having to use multiple information systems” as major obstacles than “lack of computer training and support” and “inefficient use of case management software.” Care managers who reported “inefficient use of case management software” as an obstacle were more likely to report high workload. Future research should explore strategies used by care managers to address obstacles, and efforts should be targeted at improving the health information technologies used by care managers.     

Abstracts & Commentary

Abstract

“The Recentralization of IT [Information Technology]” by Ernest von Simson. Computerworld Leadership Series. (PO Box 9171, Framingham MA 01701-9171), pp. 2–3, 6–7.     

Trust, privacy, and legal protection in the use of software with surreptitiously installed operations: An empirical evaluation

The class of software which is “surreptitiously installed on a user’s computer and monitors a user’s activity and reports back to a third party on that behavior” is referred to as spyware “(Stafford and Urbaczewski in Communications of the AIS 14:291–306, 2004)”. It is a strategic imperative that software vendors, who either embed surreptitious data collection and other operations in legitimate software applications or whose software is unwittingly used as a delivery vehicle for surreptitious operations, understand users’ perceptions of trust, privacy, and legal protection of such software to remain competitive. This paper develops and tests a research model to explore application software users’ perceptions in the use of software with embedded surreptitious operations. An experiment was undertaken to examine whether the presence of spyware in application software impacts users’ perceptions and beliefs about trustworthiness of the application software, privacy control of the software vendor, United States legal protection, and overall trust of the software vendor. The results indicate users of software with spyware, versus users of software without spyware, have lower trust perceptions of a software vendor. Further examination of trustworthiness as a multi-dimensional construct reveals a software vendor’s competence in appropriately using private user information collected and the user’s belief that the vendor will abide by acceptable principles in information exchange are important influences in gaining users’ overall trust in a vendor. User trust in software utilization is critical for a software vendor’s success because without it, users may avoid a vendor’s software should the presence of spyware be discovered. Software vendors should respond to the strategic necessity to gain users’ trust. Vendors must institute proactive and protective measures to demonstrate that their software should be trusted. These protections could take the form of technological approaches or government legislation, or both.

信息增值机制下在线医疗隐私保护策略

近年来我国经济水平和人民生活水平飞速发展,医疗水平和医疗技术相继取得了突破。随着“互联网+”对各大领域商业模式创新的不断推动和深化,“互联网+”医疗发展得到了快速推动。机器学习、数据挖掘等数据处理技术不断发展,在线医疗过程中用户个人医疗隐私数据泄露风险引起了广大研究者的关注。考虑信息的可推断性,采用贴现机制以描述博弈不同阶段间用户隐私信息价值的变化;结合在线医疗隐私保护动机领域研究现状,通过博弈分析以从隐私保护动机层面探究如何调动博弈双方主体的积极性。针对用户有强意愿继续使用在线医疗平台、间断性提供隐私的博弈特征,采用重复博弈方法以更好地刻画用户与在线医疗平台之间的博弈过程。得出博弈双方主体的倾向变化规律,分析不同模型参数条件下博弈模型的混合策略纳什均衡及随着博弈阶段的进行双方博弈策略的变化趋势,给出当参数满足 2(c_p-c_n)≥l_p(p_n-p_p)时,用户开始由选择“同意共享隐私数据”转为选择“拒绝共享隐私数据”的重复博弈阶段,并通过仿真实验对上述结论进行了验证。基于以上结论,分别从在线医疗平台视角和用户视角,针对在线医疗过程中如何从博弈双方隐私保护动机层面实现隐私保护给出了可行的政策性建议。     

Knowledge transfer,translation and transformation in the work of information technology architects

ContextInformation Technology (IT) architects are the professionals responsible for designing the information systems for an organization. In order to do that, they take into account many aspects and stakeholders, including customers, software developers, the organization’s business, and its current IT infrastructure. Therefore, different aspects influence their work.ObjectiveThis paper presents results of research into how IT architects perform their work in practice and how different aspects are taken into account when an information system is developed. An understanding of IT architects’ activities allows us to better support their work. This paper extends our own previous work (Figueiredo et al., 2012) [30] by discussing aspects of knowledge management and tool support.MethodA qualitative study was conducted using semi-structured interviews for data collection and grounded theory methods (Strauss and Corbin, 1998) [5] for data analysis. Twenty-seven interviews were conducted with twenty-two interviewees from nine different companies through four cycles of data collection and analysis.ResultsCompanies divide IT architecture activities among different roles. Although these roles receive different names in different organizations, all organizations follow a similar pattern based on 3 roles: enterprise, solutions and software architects. These architects perform both the technical activities related to the IT architecture and the social activities regarding the communication and coordination with other stakeholders and among themselves. Furthermore, current tools used by IT architects lack adequate support for all these aspects.ConclusionThe activities of the different IT architects are highly interconnected and have a huge influence in the way the requirements are handled in every phase of the development of an information system. The activities of IT architects are also important for knowledge transfer, translation and transformation, since they receive from and spread information to different groups of stakeholders. We also conclude that they lack appropriate tool support, especially regarding support for their collaborative work.     

Learning-Based Artificial Algae Algorithm with Optimal Machine Learning Enabled Malware Detection

Malware is a ‘malicious software program that performs multiple cyberattacks on the Internet, involving fraud, scams, nation-state cyberwar, and cybercrime. Such malicious software programs come under different classifications, namely Trojans, viruses, spyware, worms, ransomware, Rootkit, botnet malware, etc. Ransomware is a kind of malware that holds the victim’s data hostage by encrypting the information on the user’s computer to make it inaccessible to users and only decrypting it; then, the user pays a ransom procedure of a sum of money. To prevent detection, various forms of ransomware utilize more than one mechanism in their attack flow in conjunction with Machine Learning (ML) algorithm. This study focuses on designing a Learning-Based Artificial Algae Algorithm with Optimal Machine Learning Enabled Malware Detection (LBAAA-OMLMD) approach in Computer Networks. The presented LBAAA-OMLMD model mainly aims to detect and classify the existence of ransomware and goodware in the network. To accomplish this, the LBAAA-OMLMD model initially derives a Learning-Based Artificial Algae Algorithm based Feature Selection (LBAAA-FS) model to reduce the curse of dimensionality problems. Besides, the Flower Pollination Algorithm (FPA) with Echo State Network (ESN) Classification model is applied. The FPA model helps to appropriately adjust the parameters related to the ESN model to accomplish enhanced classifier results. The experimental validation of the LBAAA-OMLMD model is tested using a benchmark dataset, and the outcomes are inspected in distinct measures. The comprehensive comparative examination demonstrated the betterment of the LBAAA-OMLMD model over recent algorithms.     

FTC finds internet privacy self-regulation disappointing

After giving private industry the opportunity to self-regulate the collection of personal information from children on the Internet, Federal Trade Commission Chairman Robert Pitofsky, admitted on 4 June 1998 that he was, “surprised how little progress was made”. He added, “industry self-regulation has not worked”. Consequently, Pitofsky called on Congress to enact legislation to provide online privacy protection for children 12 years and under.     

用Internet/Intranet技术开发社会保险信息系统

阐述了基于Internet/Intranet技术开发社会保险信息系统 的必要性和优越性,探讨如何建立社会保险信息系统模型,以及开发技术、安全措施、软硬 件配置等,并划分了社保系统内务网和公众信息网。针对社保系统复杂性和特殊性,提出“ 领先与导向”软件开发的新办法。     

Justifications,Strategies, and Critical Success Factors in Successful ITIL Implementations in U.S. and Australian Companies: An Exploratory Study

Abstract

A growing number of organizations are implementing the ITIL (IT Infrastructure Library) “best practice” framework in an attempt to improve their IT service management processes. However, not all ITIL implementations are successful and some companies have been disappointed with the outcomes. This exploratory research reports on four case studies of “successful” implementations of IT service management using the process-based ITIL V2 framework. Two companies are located in the U.S. and two in Australia. The cases demonstrate a mix of implementation justifications and strategies. Critical success factors (CSFs) suggested in the literature are compared against those attributed to these successful ITIL implementations. Some CSFs, including executive management support, interdepartmental communication and collaboration, use of consultants, training and careful software selection are confirmed. Three new CSFs are identified: creating an ITIL-friendly culture, process as a priority, and customer-focused metrics. Practitioner guidelines, to assist IT managers, who are contemplating adopting ITIL for process improvement and organisational transformation, are also provided together with some challenges encountered and their associated resolutions.     

An Empirical Study of Home IoT Services in South Korea: The Moderating Effect of the Usage Experience

This article examines the responses of users to home Internet of Things (IoT) services in South Korea, which is taking progressive steps in the field of IoT. It is important to investigate the user’s response because home IoT users are the core users of the IoT business. To this end, the research model includes two trust constructs — “trust in the service provider” and “institutional trust”; two risk constructs — “perceived security risk” and “perceived privacy risk”; and “perceived benefit” construct. This study has two main objectives: (1) to establish the functional relationship among the five constructs listed above; (2) to examine the moderating role of home IoT usage experience in these relationships. The study first reviews the literature on home IoT services and describes the Korean situation. Data were collected from residents living in a smart apartment complex. They were made aware of not only the benefits of home IoT but also the security and privacy risks before they moved into their new homes. The research model was empirically analyzed with structural equation modeling (SEM) using Amos 22.0. The results show that (1) “trust in the service provider” negatively influences “perceived security risk” and “perceived privacy risk” while “institutional trust” does not have a significant influence on them, (2) “perceived security risk” and “perceived privacy risk” negatively influence “perceived benefit,” and (3) “trust in service provider” does not directly influence “perceived benefit” while “institutional trust” has a positive and direct influence on it. In addition, there is a significant moderating effect of home IoT usage experience on some paths. Finally, the study’s findings and limitations are discussed, and potential avenues for future research are suggested.     

基于监控的可信网构软件构造方法建模

网构软件是一种面向网络环境的新型软件形态,其构建依赖于对开放、动态和多变环境中各网络节点软件实体之间的有效协同,然而,目前的软件构造方法都是基于静态可信,即:都是研究软件制造过程中的可信度,一旦软件制作完成,在运行过程中,软件的可信度是否会改变就不在研究范围之内。针对网构软件的开放、动态和多变特性,设计了一种基于监控的可信网构软件构造模型,该模型随着网构软件的运行,随时根据网络节点状态等相关因素动态评估网构软件的可信度,并根据监测结果改进网构软件和监控参数,为网构软件提供动态可信支持,并逐步提高网构软件的可信度。     

The new fundamental right to it security — First evaluation and comparative view at the U.S.

The recent Decision of the German Federal Constitutional Court from February 2008 sheds light on the constitutional side of the intersection of law and technology. 25 years after its landmark “Census” decision promulgating the fundamental right to information self-determination the Court “invented” a new fundamental right to the integrity and confidentiality of IT systems. On the background of rapid technological development and especially the rising of the internet as a new medium of communication the Court consistently expanded its line of constitutional protection to fill the gap that has arisen. This decision further opens the gap to the restrictive stance of the U.S. Supreme Court on the constitutional foundation of privacy while at the same time providing some comparative insights into the different interpretations of the respective Constitutions in the information age.     

Sarbanes—Oxley and Enterprise Security: IT Governance — What It Takes to Get the Job Done

Abstract

Several sections of the Sarbanes— Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The Securities and Exchange Commission (SEC) requires publicly traded companies to comply with the Treadway Commission's Committee of Sponsoring Organizations (COSO) that defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with Motorola's Management Board to create an enabling security organization to sustain long-term change.     

Issues in high-speed Internet security

With global Internet access, people and organizations can share information instantly. Unfortunately, such access also leaves the Internet vulnerable to malicious actions that can cripple computers, businesses, governments, and lives on a scale never before possible. Hackers, worms, and viruses can unleash attacks with electronic as well as physical, economic, and safety ramifications. Over the past decade, the threat of computer worms and viruses has grown from a nuisance to perhaps the greatest obstacle to the growth and reliability of the Internet and large networks in general. As the SQL Slammer worm proved, current high-speed security solutions are immature and ineffective. Protecting networks against such fast-moving threats requires a new paradigm that offers flexibility, high performance, and speed.