Information security: Reality and fiction

Awareness of the need for true information security is steadily evolving in finance, industry and government, although action does not match rhetoric. There is a growing need for sophisticated security measures as evidenced by the increasing incidence of penetrations, at all levels of sophistication, of automated systems. These security measures can be developed and installed based on a procedure of risk analysis, security audit and design of countermeasure.     

Information security: The moving target

Information security has evolved from addressing minor and harmless security breaches to managing those with a huge impact on organisations' economic growth. This paper investigates the evolution of information security; where it came from, where it is today and the direction in which it is moving. It is argued that information security is not about looking at the past in anger of an attack once faced; neither is it about looking at the present in fear of being attacked; nor about looking at the future with uncertainty about what might befall us. The message is that organisations and individuals must be alert at all times. Research conducted for this paper explored literature on past security issues to set the scene. This is followed by the assessment and analysis of information security publications in conjunction with surveys conducted in industry. Results obtained are compared and analysed, enabling the development of a comprehensive view regarding the current status of the information security landscape. Furthermore, this paper also highlights critical information security issues that are being overlooked or not being addressed by research efforts currently undertaken. New research efforts are required that minimise the gap between regulatory issues and technical implementations.     

信息安全与网络安全关系辨析

随着科学技术和网络信息技术的飞速发展,越来越多的网络信息安全问题逐渐出现.本文主要研究了网络信息安全和网络安全之间的关系,并且对如何创造安全的网络环境提出了几点建议.     

Information security and the media

The relationship between the media and information security is intriguing. The media is quick to cover security-related incidents such as worm outbreaks and intrusions into systems and networks, serious vulnerabilities and so on, in many respects helping in the job of raising public awareness of security issues. The media's fascination with information security also has negative consequences, however. Information security professionals, especially those who are consultants, often compete for media exposure. Several weeks ago the president, founder, and business administrator of Forensic Tec, a California-based security consultancy, were indicted for breaking into numerous US government and Department of Defense systems. After allegedly breaking into these systems, members of this consultancy openly bragged about how easy it was to breach their security. The press ran stories to the effect that some of the most critical computers within the US were wide open to attack. Interestingly, the indictment accused the individuals of creating a publicity stunt to drum up business for this new, small consultancy.     

ACSP: A novel security protocol against counting attack for UHF RFID systems

Current research on UHF RFID system security mainly focus on protecting communication safety and information privacy between a pair of specific tags and its corresponding interrogation reader. However, instead of stealing detailed private information of tags, adversaries may just want to estimate the cardinality of tags, which is named counting attack. Unfortunately, most existing protocols are vulnerable to counting attack. To defend against this attack, in this paper we propose ACSP, a novel Anti-Counting Security Protocol. ACSP employs session identifier and provides a corresponding authentication metric to verify the commands sent by the reader. To handle counting attack, ACSP periodically updates the session identifier, and securely identifies tags with encryption. We evaluate the performance of ACSP through theoretical analysis and qualitative comparison. Results show that ACSP can efficiently withstand counting attack as well as defending against regular security threats as existing protocols.     

Information security breaches and IT security investments: Impacts on competitors

In current business climate, a firm’s information systems security is no longer independent from the industry’s broader security environment. A question arises, then, whether stock market values reflect the interdependence of security breaches and investments. In this paper, we used the event study methodology to investigate how a firm’s security breaches and IT security investments influence its competitors. We collected and reviewed 118 information security breaches and 98 IT security investment announcements from 2010 to 2017. We found substantial evidence supporting our hypothesis that information security breaches do, indeed, have a competition effect: when one firm is breached, its competitors have opportunities to absorb market power. For the IT security investment announcements, however, we observed the positive externalities, or contagion effect, in play: market investors feel that the security investments made by one firm increase the security level of the entire network, and hence, competitors also get benefits. Additionally, we found that the competition effect was higher when the breaches occurred after the preceding security investments than when there were no preceding investments before the breaches.     

Information security: Are we losing the game?

As an information security specialist for over 17 years, I've noticed a few unsettling patterns. While a certain pessimism goes along with this job, there are a number of real-world data points that — when collectively viewed — indicate the future will be increasingly chaotic, anarchistic and undisciplined.     

Information systems security: Management success factors

Even if an organization has the best technical computer security talent and the most dedicated staff, it may still have an ineffective systems security function. This situation is frequently encountered and is caused by too much emphasis on the technical aspects and too little attention to the managerial aspects of systems security. Many of us in the systems security field immerse ourselves in fascinating technical details at the expense of the managerial issues essential to the success of a systems security effort. This article-discusses the managerial perspectives with which an appropriate balance between the managerial and the technical may be struck.Although each organization has its idiosyncrasies, experience has shown that a number of common approaches to managing an information systems security function are both effective and prudent. While there exists no standard template with which one can design a systems security function, this article illuminates some tried-and-true methods associated with organizational design, raising the level of management awareness, and obtaining needed resources.This article is based partly on a panel discussion for which the author was the moderator, an informal poll of San Francisco bay area systems security administrators and EDP auditors, and the author's information systems security consulting experience.     

Information security: why the future belongs to the quants

Although most businesses say information security is a primary concern, few have adequate systems in place because securing information requires a risk-management approach with dependable, quantifiable metrics. Simple questions, readily answered in any other business context, are met by information security experts with embarrassed silence. These questions include: Is my security better this year? What am I getting for my security dollars? How do I compare with my peers? Answering such questions requires rigorous security metrics; and a risk-management framework in which to compare them.     

Information and communication policy: Issues and initiatives in South Africa

Abstract

The issue of access to government information in South Africa is clearly a significant one. Ways in which to exploit available infrastructure and expertise to achieve access to this information is becoming an area of considerable debate. The Minister of Posts and Telecommunications has established a human focus as the starting point in the approach to information and communication. People require easy access to information to make the practical decisions that govern their daily lives and enable them to exercise increasing control. Information is also the basis of interaction between communities and their representatives about the many issues being considered at all levels of government. Access to information is critical to development and democracy.     

Information security analysis system

The analysis system is a collection, configuration and integration of software programs that reside on multiple interconnected computer platforms The software, less computer operating systems, is a combination of sensor, analysis, data conversion, and visualization programs The hardware platforms consist of several different types of interconnected computers, which share the software programs, data files, and visualization programs via a Local Area Network (LAN) This collection and integration of software and the migration to a single computer platform results in an approach to LAN/WAN monitoring in either a passive and/or active mode. The architecture permits digital data input from external sensors for analysis, display and correlation with data and displays derived from four major software concept groups These are: Virus Computer Code Detection; Analysis of Computer Source and Executable Code,. Dynamic Monitoring of Data Communication Networks; 3-D Visualization and Animation of Data