Alert verification through alert correlation—An empirical test of SnIPS

A significant problem with today’s intrusion detection systems is the high number of alerts they produce for events that are regarded as benign or noncritical by system administrators. A large number of solutions has been proposed to deal with this issue. This article tests SnIPS, a tool that correlates alerts from the intrusion detection system Snort and assigns beliefs that the host has been compromised on various occasions. The tests are performed against data collected from a cyber security exercise during which 51 compromises of monitored machines occurred. The beliefs assigned by SnIPS are not calibrated in the sense that they reflect the probability that a host has been compromised. However, a compromise is more likely when alerts have a high belief. Alerts from SnIPS with high beliefs also have better precision than the high-priority alerts from Snort, even if static network information is used to verify these alerts. However, the recall of SnIPS is lower than if high-priority alerts from Snort are used.     

Modeling Security of Power Communication Systems Using Defense Graphs and Influence Diagrams

The purpose of this paper is to present a framework for assessing the security of wide-area networks (WANs) used to operate electrical power systems. The framework is based on the formalism influence diagrams and the concept of defense graphs and facilitates a so-called consequence-based analysis of the security problem. The framework is also capable of managing uncertainties, both related to the efficacy of countermeasures and the actual posture of the supervisory control and data-acquisition system. A model over WAN attacks and countermeasures and experiences from applying the framework are described.     

The Theory of Planned Behavior and Information Security Policy Compliance

ABSTRACT

Much of the research on security policy compliance has tested the relationships posited by the theory of planned behavior. This theory explains far from all of the measurable variance in policy compliance intentions. However, it is associated with something called the sufficiency assumption, which essentially states that no variable is missing from the theory. This paper addresses this assumption in the context of information security policy compliance. A meta-analysis of published tests on information security behavior and a review of the literature in related fields are used to identify variables that have the potential to improve the theory’s predictions. These results are tested using a random sample of 645 white-collar workers. The results suggest that the variables anticipated regret and habit improve the predictions. The variables increase the explained variance by 3.4 and 2.6 percentage points, respectively, when they are added individually, and by 5.4 percentage points when both are added.