Similar literature
Found 20 similar documents; search took 546 ms
1.
《Information Systems》2005,30(8):609-629
Although security is a crucial issue for information systems, traditionally, it is considered after the definition of the system. This approach often leads to problems, which most of the time translate into security vulnerabilities. From the viewpoint of the traditional security paradigm, it should be possible to eliminate such problems through better integration of security and software engineering. This paper firstly argues for the need to develop a methodology that considers security as an integral part of the whole system development process, and secondly it contributes to the current state of the art by proposing an approach that considers security concerns as an integral part of the entire system development process and by relating this approach with existing work. The different stages of the approach are described with the aid of a real-life case study: a health and social care information system.

2.
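In today's era of rapid network development, digital images have become an important carrier of information, and protecting the security of image information has become an important research topic in the security field. An image secret sharing scheme is a threshold-based cryptographic scheme that offers multiple users a way to protect secret image information. The scheme encrypts the secret image into several shadow images, which are distributed to different users. When the number of users reaches the threshold, the original image can be reconstructed; otherwise the users cannot obtain the original image...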

3.
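A quantitative method for network security situation assessment   Total citations: 2, self-citations: 1, citations by others: 2
Based on system runtime information and system configuration information in the network, this paper uses a fault tree model to perform a hierarchical, quantitative assessment of the network security situation. Experiments confirm that the assessment method reflects the operational security situation of the network fairly accurately.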

4.
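Following the invention and application of cloud computing and the Internet of Things, big data has become another major technological innovation in the information industry. While bringing opportunities and challenges, big data innovation also places higher demands on existing information security measures. This is especially true of big data applications in the financial industry: financial informatization has now fully entered the stage of information security management and depends heavily on computer information systems, so financial information security problems are increasingly prominent. This paper discusses the threats to information security in the big data era and proposes countermeasures to ensure financial information security in a big data environment.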

5.
It is significant to automatically detect and resolve the incompliance in security policy. Most existing works in this field focus on compliance verification, and few of them provide approaches to automatically correct the incompliant security policies. This paper proposes a novel approach to automatically transform a given security policy into a compliant one. Given security policy Π and delegation policy M declared by logic programs, the approach automatically rewrites Π into a new one ΠM which is compliant with M and is readable by humans. We prove that the algorithm is sound and complete under noninterference assumption. Formally, we show that the security policy query evaluation algorithm with conflict and unsettlement resolution still works very well on ΠM. The approach is automatic, so it doesn't require an administrator with excess abilities. In this sense, our proposal can help us to save much manpower resource in security management and improve the security assurance abilities.

6.
For the last few years a considerable number of efforts have been devoted to integrating security issues into information systems development practices. This has led to a number of languages, methods, methodologies and techniques for considering security issues during the developmental stages of an information system. However, these approaches mainly focus on security requirements elicitation, analysis and design issues and neglect testing. This paper presents the Security Attack Testing (SAT) approach, a novel scenario-based approach that tests the security of an information system at the design time. The approach is illustrated with the aid of a real-life case study involving the development of a health and social care information system.

7.
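Security work on automotive information systems has mainly concentrated on analysing and discovering existing security vulnerabilities in in-vehicle information systems and their functional components, and on experimentally verifying feasible attack methods; a comprehensive, systematic security evaluation framework and assessment method for in-vehicle information systems is lacking. Based on an analysis of the current state of in-vehicle information system security, this paper proposes dividing the security levels of in-vehicle information systems into household in-vehicle information systems and commercial in-vehicle information systems, defines the protection capability of the two levels, and, drawing on the classified security protection requirements for general information systems, proposes basic security requirements for the different protection levels, establishing for the first time a graded security evaluation framework for in-vehicle information systems. It further establishes a hierarchical security assessment model and algorithm to achieve quantitative security assessment of in-vehicle information systems. A security evaluation case study of the Audi C6 shows that the proposed graded evaluation framework and assessment method are feasible and reasonable, providing support for analysing the security status of vehicle information systems and filling the gap in domestic security evaluation frameworks and assessment methods for in-vehicle information systems.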

8.
In organisations where information security has historically been a part of management and for which the risk assessment methodologies have been designed, there are established methods for communicating risk. This is the case, for example, in the banking and military sectors. However, in organisations where information security is not embedded into management thinking and where the relationship between information security and the business is less clear-cut, communicating the risks to the business is less straightforward. In such circumstances it has been observed during field research that information security risk assessments frequently output findings to which the business cannot relate and the process is consequently often viewed as a “tick box” exercise, as opposed to one that provides real value to the business. In such a situation the information security risk assessment is divorced from the business process and not embedded into the organisation’s processes or thinking. The research for this paper was undertaken in order to identify what needs to be done in order to ensure that businesses of this type find the risk assessment process valuable in practice. Lizzie Coles-Kemp is a postgraduate research student in Computer Science and Richard E. Overill is a Senior Lecturer in Computer Science.

9.
Recently, computer security and incidents of computer crime have received considerable attention. Without a doubt, in computer security the risks are high, and the problems and their solutions are complex; nonetheless, the emphasis of this attention has been misplaced. The emphasis should be primarily on the security of information itself and secondarily on the devices that handle information and on any of the other factors that go into information production. The factors of information production should certainly be considered, but only after planning and analysis based on information has been completed. For example, when considering the possibility that a competitor may steal your firm's proprietary information, it is best to consider first what information should be safeguarded and what expenditure is warranted for such protection; then one can consider the environments in which this information appears (paper-based, computerized, verbal, etc.) and controls that are appropriate for these environments. This paper explores the application to the information security area of Information Resource Management (IRM), a new and promising approach that concentrates on information, not on computers. This paper explains the concepts underlying IRM, how they are applied, and what general information systems benefits can be obtained. In a more specifically security-oriented sense, it indicates how IRM can help address a few of the pressing problems now encountered by information security practitioners: controls suboptimization, the Maginot Line syndrome, top management understanding and support, disaster recovery planning, security policy-making, consideration of noncomputerized information, and expeditious resolution of security problems.

10.
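Secret sharing of visual images is a particularly attractive research problem in image information security. Finding perfect and ideal threshold secret sharing schemes for secret images (also called complete schemes for image threshold sharing) is a challenging open problem within it. This paper introduces a new view of secret sharing of pixel matrices over the grey-value field GF(2^m), together with a corresponding algebraic-geometric coding method, and realises a complete scheme for (t,n) threshold secret sharing of digital images. The scheme can encode one or more secret images into n shadow images (also called share images), each with random visual content and jointly having a (t,n) threshold structure. It is proved that the (t,n) threshold structure of this secret sharing scheme is not only perfect but also ideal, and a method of "splitting and parallelising m-bit pixel values" is given to improve the efficiency of image secret sharing algorithms over the grey-value field GF(2^m). Analysis shows that this image secret sharing method can be applied to multi-path network transmission of secret images of high security level, decentralised storage control of confidential image information, and reading control for next-generation information carrier technologies such as high-dimensional graphic codes (Bar-code in k dimension) and pop-up codes (Popcode).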

11.
The audit point is to understand and use to perform the upgrade wearable innovation injuries in sports. Understanding the game's biomechanics is that damage response and performance upgrades are essential, and usually, investigation uses optical motion capture. In any case, this approach may be limited by the amount of limit catch climatic factors and the overwhelmed wearable research center of innovation. Ordered to make queries are used to study in seven information centers and sports car wearable innovation factors. This article was banned because they do not measure the program members on the sensor zero and the motor or motor factors or the application of an innovative set. Thirty-three incorporated into the collection of the full text of the survey carried out to identify members' dynamic development through observation and a slice of wearable progress in the game. Inertial sensors, the sensor and the flexible, attractive and precise speed field sensors are used in the game with more than 15 measured motion gadgets. The use of wearable innovation, the potential of these innovative practices, and the impact of competitors' training methods are still in the exploratory stage.

12.
Modern organizations and even nations are increasingly dependent on information systems (IS) security, and their economic prosperity is strongly linked to innovation. Do these two important issues also relate one to another, and how? Can some lessons be learned that are important not only to security professionals but also to organizational and other important systems managing decision makers? Assuming that the answer is yes, how can we deploy innovation techniques to further improve IS security? Because this interdisciplinary area has not been addressed so far, this article presents one of the first attempts to address it on the basis of statistically relevant data on a national and international scale. It provides experimental results that imply some important statistical interdependencies that call for further study and also identifies systemic limitations, including those that exist on the European Union scale, that should be addressed to enable progress in this area.

13.
In the era of the service economy, service innovation is a means to cope with fierce competition within a fast-changing industry. However, most microenterprises are at a competitive disadvantage in that they have limited resources and information for putting service innovation into their business practice. Owing to their inferior situation, microenterprises often do not think service innovation is related to them, nor do they have the bravery to engage their innovation endeavors. This paper presents a novel and automatic approach that can generate persuasive narrative advertisements in the form of customized motivation stories intended to encourage microenterprises to consider innovation just as the protagonist does in a story. This study adopts a three-act structure as the story framework and takes advantage of Story of Mind elements, service innovation types and microenterprise individual information as the story elements. Our approach and its information system use Probabilistic Extended FSMs to model the story frameworks and the story elements. The approach proposed here has preliminarily been justified through the observational and analytical evaluation method and is believed to shed light on the development of automated persuasive narrative communications for electronic services.

14.
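As a new model of organisational innovation in the era of the network economy, the virtual organisation requires organisers to consider how to guarantee the dynamic security of organisational information within a framework in which that information is shared. From the perspective of computer and network science, this paper discusses a dynamically secure virtual organisation architecture. On the virtual organisation platform system presented by this architecture, multiple virtual organisation systems can be dynamically constructed that protect the access security, storage security and flow security of organisational information, effectively protecting the security of the virtual organisation's electronic information assets at the technical level.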

15.
In evolutionary terms, the information security field is more than a decade behind software development. Developers have evolved, businesses have increasingly bet their entire business models on the Web and networks, and both sides have increased their security budgets. But what has the security architecture (as it's deployed in the field) got to show for all of this? More firewalls and more Secure Sockets Layer (SSL) connections. Why has information security failed? The problem lies with its mission: confidentiality, integrity, and availability are fine statements to make, but they don't lead anywhere. Because information security has proven incapable of evolving, it's time to learn from a discipline that has mastered innovation: software development. In this installment of Building Security In, we'll learn what this field can teach us.

16.
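Big data is another disruptive technological change in the information industry following cloud computing and the Internet of Things, and has become the next frontier for innovation, competition and productivity. The article first introduces the characteristics and development of big data, then discusses the new challenges that big data brings for user privacy, enterprise security and national security, and finally considers countermeasures in terms of the security of big data storage and use, regulations and policy, and foundational work.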

17.
This paper analyzes the situation of on-line clinical psychology in Spain. The Internet is becoming one of the principal tools for people to access psychological information. Thus, users will be biased by the contents of the sites they contact. Psychologists should pay attention to what kind of services are being spread through the Internet. To do this, a few characteristics such as interaction, security, theoretical approach or treated disorders have been revised in 185 Spanish psychology websites. Results show that there are critical differences between public and private sites, suggesting that the public sector should make an effort to keep up with the advances in this field, that private sites could improve their services in some ways such as security or the interaction user-professional, and some interesting findings referred to the relation between the theoretical approach of the sites and the kind of help they provide.

18.
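A quantitative risk assessment method for host system security   Total citations: 1, self-citations: 0, citations by others: 1
As information technology security problems become increasingly prominent, developers of information security products are seeking security evaluations from trusted third parties, yet current evaluation methods for host software systems all have certain shortcomings. Drawing on vulnerability information about software systems, this paper proposes a quantitative risk assessment method for host system security, analyses the assessment algorithm with an evaluation example, and finally sets out the advantages of the method.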

19.
In the information security business, 30 years of practical and theoretical research has resulted in a fairly sophisticated appreciation for how to judge the qualitative level of risk faced by an enterprise. Based upon that understanding, there is a practical level of protection that a competent security manager can architect for a given enterprise. It would, of course, be better to use a quantitative approach to risk management, but, unfortunately, sufficient quantitative data that has been scientifically collected and analyzed does not exist. There have been many attempts to develop quantitative data using traditional quantitative methods, such as experiments, surveys, and observations, but there are significant weaknesses apparent in each approach. The research described in this paper was constructed to explore the utility of applying the well-established method of expert judgment elicitation to the field of information security. The instrument for eliciting the expert judgments was developed by two information security specialists and two expert judgment analysis specialists. The resultant instrument was validated using a small set of information security experts. The final instrument was used to elicit answers to both the calibration and judgment questions through structured interviews. The data was compiled and analyzed by a specialist in expert judgment analysis. This research illustrates the development of prior distributions for the parameters of models for cyber attacks and uses expert judgment results to develop the distributions.

20.
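Research and design of a multi-agent-based information security management system   Total citations: 1, self-citations: 1, citations by others: 0
Building an information security management system with multi-agent technology can effectively address the shortcomings of traditional information security management systems. Accordingly, a multi-agent-based dynamic distributed information security management system is constructed. The system dynamically integrates most distributed information security management tools and can maximise the capability of the information security management system in a cooperative way. Multiple attack methods were used to verify the performance of the system, and the experimental results show that the system is effective.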
