Similar literature
 Found 20 similar documents; search took 15 ms
1.
In earlier works we presented a computational infrastructure that allows an analyst to estimate the security of a system in terms of the loss that each stakeholder stands to sustain as a result of security breakdowns. In this paper we illustrate this infrastructure by means of an e-commerce application.

2.
The continuous information security failures in organizations have led focus toward organizational culture. It is argued that the development of culture of information security would subsequently lead to a secure organization. However, limited studies have been conducted to understand information security culture. This study aims to understand information security culture and its impact on success with information security efforts in an organization. The research model is based on the theory of primary message systems, which is an established theory from the anthropology discipline. We followed a mixed-methods research design involving two phases of the study. In the first phase, 25 semi-structured interviews with experienced cybersecurity practitioners were conducted to develop the research model. The second phase empirically validated the research model using survey data from 473 participants who completed a web-based survey in Southeast USA from multiple companies. For data analysis, we employed Partial Least Squares - Structural Equation Modeling using SmartPLS. Our findings indicate that group cohesiveness, professional code, information security awareness, and informal work practices have significant influence on information security culture. Further, the security culture has positive impact on information security success perception. The contribution of this research lies in establishing the role of security culture and information security awareness in contributing toward information security success.

3.
Though the relationship between the investment in information systems (IS) and a firm's performance continues to be important, conclusive evidence that information technology (IT) contributes to a firm's effectiveness is rare. This study tests the relationship between the integration of IS during mergers and acquisitions and their effectiveness. The findings point to a positive relationship between IS integration and effectiveness only when controlling for (a) IT intensity, and (b) organizational culture differences between the joining firms. Thus, managers are advised to take into account IT intensity and cultural differences during the pre-merger negotiations and during the post-merger integration process.

4.
Abstract. Eliciting information about organizational culture is an important part of system analysis and design. However, eliciting knowledge of this sort is difficult. Laddering is an established technique that is particularly suitable for eliciting information about goals and for eliciting explanations, which are important issues when investigating organizational culture. This paper describes the method, its strengths and limitations, its use in several case studies and its relation to other elicitation techniques. Recommendations for further work are given.

5.
Abstract

The interaction between the use of information technology (IT) in organizations and that organization's culture is examined. The interaction is considered from the early stages of specification through to the regular use of the systems. The changes in the technological artefacts which result from the use of IT are discussed. Some suggestions about control of the interaction are made.

6.
The interaction between the use of information technology (IT) in organizations and that organization's culture is examined. The interaction is considered from the early stages of specification through to the regular use of the systems. The changes in the technological artefacts which result from the use of IT are discussed. Some suggestions about control of the interaction are made.

7.
Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

8.
mTags is an efficient mechanism that augments inter‐thread messages with lightweight metadata. We introduce and discuss a case study that we have conducted in the use of mTags for realizing a kind of mandatory security. Although mTags can be implemented for any message passing thread‐based system, we consider an implementation of it in the POSIX‐compliant QNX Neutrino, a commercial microkernel‐based system. The approach to mandatory security that we adopt is Usable Mandatory Integrity Protection, which has been proposed in recent research. We call our adaptation of Usable Mandatory Integrity Protection using mTags, μMIP. We discuss the challenges we faced, and our design and implementation that overcomes these challenges. We discuss the performance of our implementation for well‐established benchmarks. We conclude with the observation that mTags can be useful and practical to realize mandatory security in realistic systems. Copyright © 2013 John Wiley & Sons, Ltd.

9.
As part of a study investigating the implementation of an office communication system and its effects on work and organizational processes in a large transportation company, reciprocal effects between organizational culture and the new technology were analysed. It was found that in one department which was characterized by a well established culture, the communication system was integrated fairly easily and thereby reinforced the culture. In a second department, which was in the middle of a strong internal cultural conflict, the new technology was used unsuccessfully by one subgroup to support cultural change. By refusing to use the communication system in the intended way, the other members of the department resisted that attempt. In both departments, the technology did not effect a change, rather it was integrated into pre-existing cultural patterns.

10.
This paper documents a process of introducing new information technology (IT) within the Norwegian army. The research suggests that in the intersection between an organization and IT what emerges as most interesting is the organizational culture. Some of the characteristics of the Norwegian army culture, such as using a particular transfer and application scheme and the use of refreshers training, contributed to a high job rotation, causing instability within the organization and jeopardising the day-to-day work routines within the army units. This part of the Norwegian army's culture combined with an IT system designed in a way that spliced jobs and deskilled workers, while at the same time creating dependencies between different jobs within the organization, contributed to upholding a particular functioning of the organization. Underlying this is the assumption made by the army that as long as the technology is uniform one person can easily be substituted for another. This paper argues that the organizational culture of the Norwegian army was in many ways a hindrance to a successful adoption of IT. Recognising the influence of organizational culture is important, but more empirical studies of organizational culture influence are needed to support the diverse findings presented here and would be a viable and important task in the years to come for anyone interested in a successful adoption of IT systems.

11.
The gap between the perceived security of an information system and its real security level can influence people's decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

12.
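1. Price Bureau. Recently, Founder Information Security Technology Co. has reported a string of successes: after its Founder firewall FG6340 stood out in the "Evaluation of Mainstream Firewall Products in the Chinese Domestic Market", the firewall went on to win praise and favor from a wide range of users, and at the security project tender held not long ago by the Zhejiang Provincial Price Bureau it again came out on top and was successfully shortlisted for the project! The main functions of the Zhejiang Provincial Price Bureau are to implement national and Zhejiang provincial laws, regulations, rules, guidelines and policies on pricing, and to formulate and organize the implementation of the province's medium- and long-term price reform plans, annual plans, policies for regulating the overall price level, and the provincial price management catalogue. With the vigorous development of national e-government construction in recent years, the Zhejiang Provincial Price Bureau, as the deputy-department-level administrative body in charge of price balance in Zhejiang Province, also attaches great importance to…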

13.
The dangers of mitigating security design flaws: a wireless case study   Cited by: 1 (self-citations: 0, citations by others: 1)
Mitigating design flaws often provides the only means to protect legacy equipment, particularly in wireless local area networks. A synchronous active attack against the wired equivalent privacy protocol demonstrates how mitigating one flaw or attack can facilitate another.

14.
Sara  Pascale  John   《Computers & Security》2009,28(7):509-520
The purpose of this study was to identify and describe how human and organizational factors may be related to technical computer and information security (CIS) vulnerabilities. A qualitative study of CIS experts was performed, which consisted of 2, 5-member focus groups sessions. The participants in the focus groups each produced a causal network analysis of human and organizational factors pathways to types of CIS vulnerabilities. Findings suggested that human and organizational factors play a significant role in the development of CIS vulnerabilities and emphasized the relationship complexities among human and organizational factors. The factors were categorized into 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Security practitioners and management should be aware of the multifarious roles of human and organizational factors and CIS vulnerabilities and that CIS vulnerabilities are not the sole result of a technological problem or programming mistake. The design and management of CIS systems need an integrative, multi-layered approach to improve CIS performance (suggestions for analysis provided).

15.
Morag I 《Applied ergonomics》2007,38(2):201-211
The occupational ergonomic program that Intel's newly established manufacturing plant in Israel implemented in 1997 helped prevent injuries and also marked the launch of a whole new approach to ergonomics. A key element in the success of the seven-point program was a strong commitment from management, which came to regard this plan as a vital strategic element in the new plant's success. Comprehensive, top-down planning imposed obligations on all elements in the manufacturing spectrum, from suppliers to contractors to employees. Work requirements were set; cooperation with the plant's occupational health professionals was established; and long-term reporting and instruction systems were developed. Extensive ergonomic training was a crucial factor in integrating ergonomic procedures into the organization's day-to-day activities. Along with this instructional program, ergonomic engineers implemented a strict measuring system to ensure that each ergonomic activity would be performed according to schedule. By the time the factory opened its gates and began to produce, a vigorous ergonomic environment had emerged and employees were displaying an ergonomic mindset that also impinged upon their non-work activities. As a result of the successful implementation of the program, Intel's ergonomic program has become a model for Israeli industry. This paper presents a full ergonomic program that besides supplying the Intel plant with solutions was unique enough to impact the whole Israeli industry.

16.
Despite the progress that has been achieved using modern methods of decision support, competitive intelligence is one of the most economical methods of instrument for executive information system with a relatively high rate of effectiveness. The objectives of this study are (1) to investigate the conception of competitive intelligence and the furtherance of competitive intelligence on the executive information system stage; (2) to form an innovative structural equation modelling for executive information system through the perspectives of competitive intelligence; (3) to examine the influences of competitive intelligence on executive information system and organizational performances. Questionnaire survey methodology was applied to receive data from executives in Taiwan. The process, the product of competitive intelligence, and organizational performances were observed as three considerable axles in this investigation. The results reveal testimony that competitive intelligence is positively related to organizational performances, indicating that competitive intelligence does influence the behavior of decision-making both of enterprise executives and the entire organization. The findings of this study disclose that integrating competitive intelligence activities exert a complete function on executive information system for enterprise executives.

17.
Current reliable strategies for information security are all chosen using incomplete information. With standards, problems resulting from incomplete information can be reduced, since with standards, we can decrease the choices and simplify the process for reliable supply and demand decision making. This paper is to study the certification of information security management systems based on specifications promulgated by the Bureau of Standards, Metrology and Inspection (BSMI), Ministry of Economic Affairs in accordance with international standards and their related organizations. And we suggest a certification requirement concept for five different levels of “Information and Communication Security Protection System” in our country, the Republic of China, Taiwan.

18.
Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username–password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

19.
This paper presents a case study on an automated analysis of real-time security models. The case study on a web system (originally proposed by Felten and Schneider) is presented that shows a timing attack on the privacy of browser users. Three different approaches are followed: LH-Timed Automata (analyzed using the model checker HyTech), finite-state automata (analyzed using the model checker NuSMV), and process algebras (analyzed using the model checker CWB-NC). A comparative analysis of these three approaches is given.

20.
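Research on the Information Security Technology Architecture   Cited by: 5 (self-citations: 0, citations by others: 5)
Taking a systems-theory perspective, and building on an analysis of the goals of information security and the composition of information systems, this paper dissects the elements and subsystems of the information security technology architecture. It presents an architecture for information security technology along four dimensions (layers, domains, levels and time), and discusses the specific composition of each dimension and its relationship to the elements and subsystems of information security. Research on the information security technology architecture offers guidance for understanding the nature and laws of information security technology and for applying it to build information security systems.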
