Similar literature
 Found 20 similar documents; search took 328 ms
1.
Context: Security in Process-Aware Information Systems (PAIS) has gained increased attention in current research and practice. However, a common understanding and agreement on security is still missing. In addition, the proliferation of literature makes it cumbersome to overlook and determine state of the art and further to identify research challenges and gaps. In summary, a comprehensive and systematic overview of state of the art in research and practice in the area of security in PAIS is missing. Objective: This paper investigates research on security in PAIS and aims at establishing a common understanding of terminology in this context. Further it investigates which security controls are currently applied in PAIS. Method: A systematic literature review is conducted in order to classify and define security and security controls in PAIS. From initially 424 papers, we selected in total 275 publications that related to security and PAIS between 1993 and 2012. Furthermore, we analyzed and categorized the papers using a systematic mapping approach which resulted in 5 categories and 12 security controls. Results: In literature, security in PAIS often centers on specific (security) aspects such as security policies, security requirements, authorization and access control mechanisms, or inter-organizational scenarios. In addition, we identified 12 security controls in the area of security concepts, authorization and access control, applications, verification, and failure handling in PAIS. Based on the results, open research challenges and gaps are identified and discussed with respect to possible solutions. Conclusion: This survey provides a comprehensive review of current security practice in PAIS and shows that security in PAIS is a challenging interdisciplinary research field that assembles research methods and principles from security and PAIS. We show that state of the art provides a rich set of methods such as access control models but still several open research challenges remain.

2.
In the current business environment, many organizations use popular standards such as the ISO 27000x series, COBIT, and related frameworks to protect themselves against security incidents. However, these standards and frameworks are overly complicated for small to medium-sized enterprises, leaving these organizations with no easy-to-understand toolkit to address their security needs. This research builds upon the recent Information Security Focus Area Maturity (ISFAM) model for SME information security as a cornerstone in the development of an assessment tool for tailor-made, fast, and easy-to-use information security advice for SMEs. By performing an extensive literature review and evaluating the results with security experts, we propose the Characterizing Organizations’ Information Security for SMEs (CHOISS) model to relate measurable organizational characteristics in four categories through 47 parameters to help SMEs distinguish and prioritize which risks to mitigate.

3.
Knowledge sharing is an important component of knowledge management systems. Security knowledge sharing substantially reduces risk and investment in information security. Despite the importance of information security, little research based on knowledge sharing has focused on the security profession. Therefore, this study analyses key factors, containing attitude, self-efficacy, trust, norm of reciprocity, and shared language, in respect of the information security workers' intention to share knowledge. Information security professionals in virtual communities, including the Information Security Professional Association (ISPA), Information Systems Security Association (ISSA), Society of Information Risk Analysts (SIRA), and LinkedIn security groups, were surveyed to test the proposed research model. Confirmatory factor analysis (CFA) and the structural equation modelling (SEM) technique were used to analyse the data and evaluate the research model. The results showed that the research model fit the data well and the structural model suggests a strong relationship between attitude, trust, and norms of reciprocity to knowledge sharing intention. Hypotheses regarding the influence of self-efficacy and reciprocity to knowledge sharing attitude were upheld. Shared language did not influence either the attitude or intention to share knowledge.

4.
The concept of roles has been prevalent in the area of Information Security for more than 15 years already. It promises simplified and flexible user management, reduced administrative costs, improved security, as well as the integration of employees’ business functions into the IT administration. A comprehensive scientific literature collection revealed more than 1300 publications dealing with the application of sociological role theory in the context of Information Security up to now. Although there is an ANSI/NIST standard and an ISO standard proposal, a variety of competing models and interpretations of the role concept have developed. The major contribution of this survey is a categorization of the complete underlying set of publications into different classes. The main part of the work is investigating 32 identified research directions, evaluating their importance and analyzing research tendencies. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution potential future developments in the area of role-research are considered.

5.
LEACH, or Low-Energy Adaptive Clustering Hierarchy, is a successful clustering-based routing protocol that recently has attracted a lot of attention in literature. However, this protocol is not perfect and has some deficiencies that other extensions of LEACH try to solve. Security is one of the main problems of LEACH and many security attacks can be launched against this protocol. The need for security in LEACH protocol has inspired many researchers to design secure versions of this protocol and to make it resilient against insider and outsider attackers. In this paper, we discuss the current state-of-the-art secure LEACH schemes that are proposed in literature. We briefly describe the security features of each solution and highlight their objectives, advantages and limitations. In addition, we classify secure LEACH schemes into cryptographic-based and trust-based solutions and review the major development in these two categories. Then, we present a qualitative comparison on secure LEACH schemes based on various security metrics. Finally, we conclude with open research issues.

6.
In this special issue, we advocate a critical stance toward the presentational conventions that we – as authors, reviewers, and editors – accept as the academic article genre. We seek to highlight and illustrate the generative capacity and the significant role of genres in the production of knowledge. Furthermore, we wish to encourage Information Systems (IS) scholars to leverage a wider array of alternative genres to present their research in order to develop new insights on subject matters of interest to the IS discipline, as well as expand on how contemporary and emergent phenomena of interest are conceived and studied. Adopting a broad view of alternative genres, we solicited articles that apply unconventional presentational modalities to expand or challenge the prevailing modus operandi of communicating IS scholarship and practice. Six articles survived a rather lengthy and challenging review process. We briefly discuss the nature of the academic article genre and the role of alternative ways of writing. We also introduce the six exemplars of alternative genres in the special issue, namely conversation, French new novel, meditation, memoir, allegory, and crowdsourced research. We highlight key insights and contemplate their implications for current and future IS research.

7.
The world-wide increasing amount of literature makes it necessary to describe, to synthesize, to evaluate, to clarify, or to integrate the results of papers in a particular field of research. Today, the process of conducting a literature review is seen as a scientific procedure, which should be guided by appropriate research methods. This paper analyzes the achieved research level in the Information Systems discipline from a methodological point of view. As a sample we use all articles from the column “State-of-the-Art” of the journal WIRTSCHAFTSINFORMATIK. The study shows that this research method is common in Information Systems research. However, several important aspects for further development are identified: (1) Until now no mathematical-statistical analysis has been used. (2) Research methods used in the primary papers are not taken into account by reviews. (3) No explicit objectives are discussed by about one third of the articles in the sample. (4) The selection of literature used as a basis for the review is not explicated in any article. (5) About one half of the reviewed articles do not discuss further research questions.

8.
This two-part article outlines the findings of a research study into the ‘formal’ security controls of the smaller enterprise. Structured Information Systems Security evolved primarily within computing science. By mapping to economic theory, it is hoped that ‘information controls’ can become a recognized, valid contributor to any multi-disciplined Social Sciences debate. Comments are sought.

9.
Since the 1970s the field of Geographical Information Systems (GIS) has evolved into a mature research and application area involving a number of academic fields including Geography, Civil Engineering, Computer Science, Land Use Planning, and Environmental Science. GIS can support a wide range of spatial queries that can be used to support location studies. GIS will play a significant role in future location model development and application. We review existing work that forms the interface between GIS and Location Science and discuss some of the potential research areas involving both GIS and Location Science. Scope and purpose: During the past 30 years there have been many developments in spatial data analysis, spatial data storage and retrieval, and mapping. Many of these developments have occurred in the field of Geographical Information Science. Geographical Information Systems software now supports many elementary and advanced spatial analytic approaches including the production of high quality maps. GIS will have a major impact on the field of Location Science in terms of model application and model development. The purpose of this paper is to explore the interface between the field of Location Science and GIS.

10.
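Guided by the principle of "strengthening policing through science and technology", police information systems are being built in growing numbers and at growing scale. Because of the special nature of police systems, their security requirements are very high. Using security technologies such as role-based access control, PKI, the SSL security mechanism, and loggers can fully ensure the security of the software system.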

11.
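This article analyses the problems in network security management at Jiangxi Local Taxation and, in response to these problems, describes the research and practice involved in building the Jiangxi Local Taxation security operations and maintenance management platform.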

12.
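A discussion of the application of security gateways in public security informatization   Total citations: 1, self-citations: 0, citations by others: 1
With the continuous development of information technology and the gradual diversification of criminal methods, society has placed new demands on public security work in the new era. The Golden Shield Project, as a key project of public security informatization, places many security requirements on public security construction. From the perspective of the technical approach, this paper discusses the important role that security isolation gateway technology (GAP) can play, in the implementation of the Golden Shield Project, in improving the reliability of the security assurance system of the entire public security network, and describes, at both the macro and micro levels, the basic process for deploying security gateways.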

13.
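With the rapid development of the information industry, the importance of physical security, the foundation of information systems, has become more prominent. Based on the requirements for physical security in national standards, this article focuses on equipment security and environmental security testing, with the aim of discussing with readers the issues of physical security assessment in the classified protection evaluation of information system security.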

14.
In May 2009 the Information Security Group, Royal Holloway, became host to a medical sociologist from St. George’s Hospital, University of London, under EPSRC’s discipline hopping scheme. As part of this knowledge transfer activity, a sociotechnical study group was formed comprising computer scientists, mathematicians, organisational researchers and a sociologist. The focus of this group is to consider different avenues of sociotechnical research in information security. This article briefly outlines some of the areas of research where sociotechnical studies might contribute to information security management.

15.
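Implementation methods for network security audit systems   Total citations: 14, self-citations: 0, citations by others: 14
This paper introduces the traditional, commonly used methods for network-based security audit systems, along with the scenarios they suit and their shortcomings, and discusses how to apply data mining techniques with learning capability to security audit systems.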

16.
Research in information systems (IS) in the Asia Pacific has experienced fast progress in the past 10 years. A major driving force is the Pacific Asia Conference on Information Systems. In this paper, we provide an overview of the IS research in the Asia Pacific and in China and four best papers selected from the 2004 Pacific Asia Conference on Information System Shanghai Conference.

17.
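Guided by the principle of "strengthening policing through science and technology", police information systems are being built in growing numbers and at growing scale. Because of the special nature of police systems, their security requirements are very high. Using security technologies such as role-based access control, PKI, the SSL security mechanism, and loggers can fully ensure the security of the software system.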

18.
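The "Heartbleed" vulnerability sparked worldwide discussion of information security. This article considers and discusses the incident from multiple angles, namely security economics, security mechanisms, open-source security, and national security, and shows that information security is a systems engineering undertaking: we must attend not only to the technical level but, even more, to the deeper problems that security incidents reveal.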

19.
This article discusses frequently encountered errors in the evaluation process relative to anti-virus software selection by examining some of the methods commonly used by corporate and governmental personnel working in the area of Management Information Systems (MIS). In addition to discussing inherent problems, we will suggest alternative methodologies for evaluation. We will examine commercial certification processes, as well as the Information Technology Security Evaluation and Certification (ITSEC) approach, as possible models for anti-virus product evaluation and certification. Finally, we will discuss ways in which the information which is currently available may be used to help select anti-virus software which is both functional and cost efficient.

20.
As organizations increasingly deploy Inter-organizational Information Systems (IOS), the interdependent security risk they add is a problem affecting market efficiency. Connected organizations become part of entire networks, and are subject to threats from the entire network; but members’ security profile information is private, members lack incentives to minimize impact on peers and are not accountable. We model the problem as a signaling-screening game, and outline an incentive mechanism that addresses these problems. Our mechanism proposes formation of secure communities of organizations anchored by Security Compliance Consortium (SCC), with members held accountable to the community for security failures. We study the interconnection decisions with and without the mechanism, and characterize conditions where the mechanism plays roles of addressing moral hazard and hidden information issues by screening the organizations’ security types and/or by providing them incentives to improve. We also discuss the welfare gains and the broad impact of the mechanism.
