Analyzing settings for social identity management on Social Networking Sites: Classification,current state,and proposed developments

The rising prevalence of Social Networking Sites (SNS) and their usage in multiple contexts poses new privacy challenges and increasingly prompts users to manage their online identity. To address privacy threats stemming from interacting with other users on SNS, effective Social Identity Management (SIdM) is a key requirement. It refers to the deliberate and targeted disclosure of personal attribute values to a subset of one's contacts or other users on the SNS. Protection against other entities such as the site operator itself or advertisers and application programmers is not covered by SIdM, but could be incorporated in further refinement steps. Features and settings to perform SIdM have been proposed and subsequently implemented partly by some SNS. Yet, these are often isolated solutions that lack integration into a reference framework that states the requirements for successfully managing one's identity. In this article, such a reference framework of existing and desired SIdM settings is derived from identity theory, literature analysis, and existing SNS. Based thereupon, we examine the SIdM capabilities of prevalent SNS and highlight possible improvements. Lastly, we reason about developing a metric to objectively compare the capability of SNS in regards to their support for SIdM.     

Towards a capability maturity model for digital forensic readiness

Wireless Networks - Increasing IT-Security breaches and the extensively growing loss due to fraud related incidents cause the need for being prepared for a digital investigation. A specific...     

Roles in information security – A survey and classification of the research area

The concept of roles has been prevalent in the area of Information Security for more than 15 years already. It promises simplified and flexible user management, reduced administrative costs, improved security, as well as the integration of employees’ business functions into the IT administration. A comprehensive scientific literature collection revealed more than 1300 publications dealing with the application of sociological role theory in the context of Information Security up to now. Although there is an ANSI/NIST standard and an ISO standard proposal, a variety of competing models and interpretations of the role concept have developed. The major contribution of this survey is a categorization of the complete underlying set of publications into different classes. The main part of the work is investigating 32 identified research directions, evaluating their importance and analyzing research tendencies. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution potential future developments in the area of role-research are considered.     

Measuring and visualizing cyber threat intelligence quality

The very raison d’être of cyber threat intelligence (CTI) is to provide meaningful knowledge about cyber security threats. The exchange and collaborative generation of CTI by the means of sharing platforms has proven to be an important aspect of practical application. It is evident to infer that inaccurate, incomplete, or outdated threat intelligence is a major problem as only high-quality CTI can be helpful to detect and defend against cyber attacks. Additionally, while the amount of available CTI is increasing it is not warranted that quality remains unaffected. In conjunction with the increasing number of available CTI, it is thus in the best interest of every stakeholder to be aware of the quality of a CTI artifact. This allows for informed decisions and permits detailed analyses. Our work makes a twofold contribution to the challenge of assessing threat intelligence quality. We first propose a series of relevant quality dimensions and configure metrics to assess the respective dimensions in the context of CTI. In a second step, we showcase the extension of an existing CTI analysis tool to make the quality assessment transparent to security analysts. Furthermore, analysts’ subjective perceptions are, where necessary, included in the quality assessment concept.

     

Modelling data secrecy and integrity

The paper describes a semantic data model used as a design environment for multilevel secure database applications. The proposed technique is built around the concept of security classification constraints (security semantics) and takes into account that security restrictions may either have effects on the static part of a system, on the behavior of the system (the system functions), or on both. As security constraints may influence each other appropriate integrity mechanisms are necessary and modelling of a multilevel application must be data as well as function driven. This functionality is included in the proposed semantic data model for multilevel security by developing secure data schemas, secure function schemas, a procedure for alternating iterative refinements on either schema, and a powerful integrity system to check the consistency of the classification constraints and of the multilevel secure database application.     

DEALER: decentralized incentives for threat intelligence reporting and exchange

International Journal of Information Security - The exchange of threat intelligence information can make a significant contribution to improving IT security in companies and has become increasingly...     

Eine verteilte Autorisierungsinfrastruktur unter Berücksichtigung von Datenschutzaspekten

Traditionelle Verfahren der Rechtezuweisung (Autorisierung) und Zugriffskontrolle sind nur eingeschr?nkt geeignet, die Anforderungen an das Management der Nutzerprivilegien und an die Durchsetzung einer Sicherheitsstrategie in skalierbaren und hoch flexiblen verteilten Systemen umzusetzen. Dafür besser geeignet sind Sicherheitsinfrastrukturen, genauer AAIs – authentication and authorization infrastructures – und PMIs – privilege management infrastructures – die in der Lage sind, umfassende Sicherheitsdienstleistungen in einer F?deration von Systemen aus unterschiedlichen Dom?nen anzubieten. Dieser Beitrag enth?lt die Darstellung einer datenschutzorientierten AAI im Umfeld von eGovernment, die attributbasierte Zugriffskontrolle, eine XACML-Sicherheitsarchitektur zur Umsetzung und eine besondere Berücksichtigung der Datenschutzaspekte bei der Weitergabe der Nutzerattribute beinhaltet.