Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Computer Sciences

Information security

Articles 121 - 150 of 150

Full-Text Articles in Physical Sciences and Mathematics

What Does Security Culture Look Like For Small Organizations?, Patricia A. Williams Dec 2009

Australian Information Security Management Conference

The human component is a significant factor in information security, with a large number of breaches occurring due to unintentional user error. Technical solutions can only protect information so far and thus the human aspect of security has become a major focus for discussion. Therefore, it is important for organisations to create a security conscious culture. However, currently there is no established representation of security culture from which to assess how it can be manoeuvred to improve the overall information security of an organization. This is of particular importance for small organizations who lack the resources in information security and …


Exploring The Relationship Between Organizational Culture And Information Security Culture, Joo S. Lim, Shanton Chang, Sean Maynard, Atif Ahmad Dec 2009

Australian Information Security Management Conference

Managing Information Security is becoming more challenging in today’s business because people are both a cause of information security incidents as well as a key part of the protection from them. As the impact of organizational culture (OC) on employees is significant, many researchers have called for the creation of information security culture (ISC) in organizations to influence the actions and behaviour of employees towards better organizational information security. Although researchers have called for the creation of ISC to be embedded in organizations, nonetheless, literature suggests that there is little past research examining the relationship between the nature of OC and ISC. …


Cyber Attacks: Does Physical Boundary Matter?, Qiu-Hong Wang, Seung-Hyun Kim Dec 2009

Research Collection School Of Computing and Information Systems

Information security issues are characterized with interdependence. Particularly, cyber criminals can easily cross national boundaries and exploit jurisdictional limitations between countries. Thus, whether cyber attacks are spatially autocorrelated is a strategic issue for government authorities and a tactic issue for insurance companies. Through an empirical study of cyber attacks across 62 countries during the period 2003-2007, we find little evidence on the spatial autocorrelation of cyber attacks at any week. However, after considering economic opportunity, IT infrastructure, international collaboration in enforcement and conventional crimes, we find strong evidence that cyber attacks were indeed spatially autocorrelated as they moved over time. …


Networks - II: Overhead Analysis Of Security Implementation Using IPSec, Muhammad Awais Azam, Zaka -Ul- Mustafa, Usman Tahir, S. M. Ahsan, Muhammad Adnan Naseem, Imran Rashid, Muhammad Adeel Aug 2009

International Conference on Information and Communication Technologies

Authentication, access control, encryption and auditing make up the essential elements of network security. Researchers have dedicated a large amount of effort to implement security features that fully incorporate the use of all these elements. Currently, data networks mainly provide authentication and confidentiality services. Confidentiality alone is not able to protect the system, thus, suitable security measures must be taken. However, this security is itself an overhead which must be accounted for. A trade-off must exist between performance and security. This trade-off must be carefully managed so as not to deteriorate the systems being secured. This calls for the true …


Prevention Is Better Than Prosecution: Deepening The Defence Against Cyber Crime, Jacqueline Fick Jan 2009

Journal of Digital Forensics, Security and Law

In the paper the author proposes that effectively and efficiently addressing cyber crime requires a shift in paradigm. For businesses and government departments alike the focus should be on prevention, rather than the prosecution of cyber criminals. The Defence in Depth strategy poses a practical solution for achieving Information Assurance in today’s highly networked environments. In a world where “absolute security” is an unachievable goal, the concept of Information Assurance poses significant benefits to securing one of an organization’s most valuable assets: Information. It will be argued that the approach of achieving Information Assurance within an organisation, coupled with the …


An Intelligent Face Features Generation System From Fingerprints, Şeref Sağiroğlu, Necla Özkaya Jan 2009

Turkish Journal of Electrical Engineering and Computer Sciences

In this study, a novel intelligent system based on artificial neural networks was designed and introduced for generating faces from fingerprints with high accuracy. The proposed system has a number of modules including two feature enrolment modules for acquiring the fingerprints and faces into the system, two feature extractors for extracting the feature sets of fingerprint and face biometrics, an artificial neural network module that was configured with the help of Taguchi experimental design method for establishing relationships among the biometric features, a face re-constructor for building up face features from the results of the system, and a test module …


Social And Organizational Aspects Of Information Security Management, Katina Michael May 2008

Professor Katina Michael

This paper aims to explore social and organizational aspects of information security management. The changing nature of security is revealed against the backdrop of globalization. It provides a thorough review of literature on the topics of cyberethics as related to information security and transnational law. The objective of the paper is to cover broadly socio-organizational themes providing for the purpose of definition and a basis for further research. It thus raises a number of pressing issues facing organizations today, and offers an overview discussion on potential solutions. The main outcome of the paper is in showing that successful security strategies …


Information Security Governance And Boards Of Directors: Are They Compatible?, Endre Bihari Jan 2008

Australian Information Security Management Conference

This paper presents a critique of emergent views on the roles of the boards of directors in relation to information security. The analysis highlights several concerns about the separation and validation of proper theory and business assertions of information security at board level. New requirements articulated by industry bodies – represented by a selected group of experts and evident in literature – are compared to the underlying theory of corporate governance to identify possible discrepancies. The discussion shows in particular the importance of staying within the theoretical underpinnings of corporate governance when discussing the topic of governance in general and …


Improving Information Security Management In Nonprofit Organisations With Action, Mark Carey-Smith, Karen Nelson, Lauren May Dec 2007

Australian Information Security Management Conference

Information security is vital for protecting important assets of organisations, including the information resources and the organisation’s reputation. In Australia, the nonprofit sector makes a significant contribution to society but is under-represented in the information security literature. This paper describes research in progress that is investigating and improving information security management in some nonprofit organisations (NPOs), which incorporates a participatory action research methodology. This approach will enhance the skill set likely to be present in Australian nonprofit organisations, producing a more sustainable solution, as well as contributing to the open literature. The Technology Acceptance Model will be utilised as …


Medical Insecurity: When One Size Does Not Fit All, Patricia A. Williams Dec 2007

Australian Information Security Management Conference

Security is most commonly seen as a business concept. This is one reason for the poor uptake and implementation of standard security processes in non-business environments such as general medical practice. It is clear that protection of sensitive patient information is imperative yet the overarching conceptual business processes required to ensure this protection are not well suited to this context. The issue of sensitivity of information, together with the expectation that security can be effectively implemented by non-security trained professionals creates an insecure environment. The general security processes used by business, including those for risk assessment, are difficult to operationally …


Evolution Of A Database Security Course: Using Non-Enterprise Teaching Tools, Justin Brown Dec 2007

Australian Information Security Management Conference

This paper examines the issues in delivering a university unit of teaching in database security, examining problems in database environment selection and the ability to provide hands-on training for students via on-campus and online modes. Initial problems with Linux and then Windows based enterprise database environments prompted the adoption of Microsoft Access as a database tool that was easier to deliver in-class and online. Though Access is file based and has fundamental flaws in its security implementation (within the enterprise context) it can be tweaked to emulate RDBMS level security, allowing students to see how a properly designed security …


The Common Body Of Knowledge: A Framework To Promote Relevant Information Security Research, Kenneth J. Knapp, F. N. Ford, Thomas E. Marshall, R. K. Rainer Jan 2007

Journal of Digital Forensics, Security and Law

This study proposes using an established common body of knowledge (CBK) as one means of organizing information security literature. Consistent with calls for more relevant information systems (IS) research, this industry-developed framework can motivate future research towards topics that are important to the security practitioner. In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK. Further, we distinguish articles as empirical research, frameworks, or tutorials. Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal …


Monitoring And Surveillance In The Workplace: Lessons Learnt? – Investigating The International Legal Position, Verine Etsebeth Jan 2007

Journal of Digital Forensics, Security and Law

When considering the legal implications of monitoring and surveillance in the workplace, the question may be asked why companies deploy computer surveillance and monitoring in the first place. Several reasons may be put forward to justify why more than 80% of all major American firms monitor employee e-mails and Internet usage. However, what most companies forget is the fact that the absence or presence of monitoring and surveillance activities in a company holds serious legal consequences for companies. From the discussion in this paper it will become apparent that there is a vast difference in how most countries approach this …


Education Organization Baseline Control Protection And Trusted Level Security, Wasim A. Al-Hamdani Jan 2007

Journal of Digital Forensics, Security and Law

Many education organizations have adopted for security the enterprise best practices for implementation on their campuses, while others focus on ISO Standard (or/and) the National Institution of Standards and Technology.

All these adoptions are dependent on IT personnel and their experiences or knowledge of the standard. On top of this is the size of the education organizations. The larger the population in an education organization, the more the problem of information and security becomes very clear. Thus, they have been obliged to comply with information security issues and adopt the national or international standard. The case is quite different when …


Making Molehills Out Of Mountains: Bringing Security Research To The Classroom, Richard G. Taylor Jan 2007

Journal of Digital Forensics, Security and Law

Security research published in academic journals rarely finds its way to the business community or into the classroom. Even though the research is of high quality, it is written in a manner that is difficult to read and to understand. This paper argues that one way to get this academic research into the business community is to incorporate it into security classrooms. To do so, however, academic articles need to be adapted into a classroom-friendly format. This paper suggests ways to do this and provides an example of an academic article that was adapted for use in a security management …


Telemedicine And The Digital Door Doctor, Darren Webb, Patricia A. Williams Dec 2006

Australian Information Security Management Conference

Telemedicine is changing the way medicine can be practiced, and how medical knowledge is communicated, learnt and researched in today’s technologically oriented society. The adoption of internet based communication has significantly expanded the patients’ ability to access a multitude of world class medical information. Research has shown that patients would welcome the ability to consult a doctor using the same computing tools they use to communicate with family, friends and work colleagues. This paper discusses the use of telemedicine today and how it could be used to access medical services from home. Further, it investigates the incentives and barriers to …


Electronic Surveillance In Hospitals: A Review, Sue Kennedy Dec 2006

Australian Information Security Management Conference

This paper focuses on the increasing use of electronic surveillance systems in hospitals and the apparent lack of awareness of the implications of these systems for privacy of the individual. The systems are used for identification and tracking of equipment, staff and patients. There has been little public comment or analysis of these systems with regard to privacy as their implementation has been driven by security issues. The systems that gather this information include video, smart card and more recently RFID systems. The system applications include tracking of vital equipment, labelling of blood and other samples, tracking of patients, new …


Don't Be A Phish: Steps In User Education, Stefan Robila, James W. Ragucci Dec 2006

Department of Computer Science Faculty Scholarship and Creative Works

Phishing, e-mails sent out by hackers to lure unsuspecting victims into giving up confidential information, has been the cause of countless security breaches and has experienced in the last year an increase in frequency and diversity. While regular phishing attacks are easily thwarted, designing the attack to include user context information could potentially increase the user's vulnerability. To prevent this, phishing education needs to be considered. In this paper we provide an overview of phishing education, focusing on context aware attacks and introduce a new strategy for educating users by combining phishing IQ tests and class discussions. The technique encompasses …


Economics Of Information Security Investment In The Case Of Simultaneous Attacks, C. Derrick Huang, Qing Hu, Ravi S. Behara May 2006

Qing Hu

With billions of dollars being spent on information security related products and services each year, the economics of information security investment has become an important area of research, with significant implications for management practices. Drawing on recent studies that examine optimal security investment levels under various attack scenarios, we propose an economic model that considers simultaneous attacks from multiple external agents with distinct characteristics, and derive optimal investments based on the principle of benefit maximization. The relationships among the major variables, such as systems vulnerability, security breach probability, potential loss of security breach, and security investment levels, are investigated via …


A Quantitative Method For ISO 17799 Gap Analysis, Bilge Karabacak, Ibrahim Sogukpinar Jan 2006

All Faculty and Staff Scholarship

ISO/IEC 17799:2005 is one of the leading standards of information security. It is the code of practice including 133 controls in 11 different domains. There are a number of tools and software that are used by organizations to check whether they comply with this standard. The task of checking compliance helps organizations to determine their conformity to the controls listed in the standard and deliver useful outputs to the certification process. In this paper, a quantitative survey method is proposed for evaluating ISO 17799 compliance. Our case study has shown that the survey method gives accurate compliance results in a …


New Efficient MDS Array Codes For RAID Part I: Reed-Solomon-Like Codes For Tolerating Three Disk Failures, Gui-Liang Feng, Robert H. Deng, Feng Bao, Jia-Chen Shen Sep 2005

Research Collection School Of Computing and Information Systems

This paper presents a class of binary maximum distance separable (MDS) array codes for tolerating disk failures in redundant arrays of inexpensive disks (RAID) architecture based on circular permutation matrices. The size of the information part is m×n, the size of the parity-check part is m×3, and the minimum distance is 4, where n is the number of information disks, the number of parity-check disks is 3, and (m+1) is a prime integer. In practical applications, m can be very large and n is from 20 to 50. The code rate is R=n/(n+3). These codes can be used for tolerating …


Secured Network Model For Management Information System Based On IP Security (IPSec) Encryption Using Multilayered Approach Of Network Security, Dr. Amir Hassan Pathan, Muniza Irshad Aug 2005

International Conference on Information and Communication Technologies

Secured flow of information through the network plays an important role in management information systems. In this paper I describe a Secured Network Model for Corporate & Business Organizations Based on Network Level IP Security (IPSec) Encryption & Its Physical Layout Using a Multilayered Approach. I have four important considerations for adoption of the secured network model as the secured network model for management information systems.


Identification Of IP Information Of Pakistan & Vulnerability Assessment, Nizar Diamond Ali Aug 2005

International Conference on Information and Communication Technologies

Detailed IP information of Pakistan was not available prior to this study - at least not to the general public. It was not known how to harvest this information, from where and using which tools. This study came as an answer to this challenge and shows how the IP information can be collected, what sources of information to use, methodologies to adopt and tools to utilize for this purpose. The next step was to find out areas where network security lapses are present - i.e., to see which servers and which services are vulnerable to known attacks and vulnerabilities. In this way, …


Study Of Data Provenance And Annotation Model For Information Reliability Suggested For Pathological Laboratory Environment In Pakistan, Naila Aamir, Aslam Pervez Aug 2005

International Conference on Information and Communication Technologies

Trust and reliability of information is a very critical issue of today's information age. Keeping provenance of data not only ensures us about its origination but it also keeps track of all the changes that happen to the data throughout its life cycle. In this paper we have discussed the importance of data provenance, difference between Where & Why Provenance and different models for keeping such information. The objective of this study is to select a provenance model which can be implemented in scientific environment of our country. For this purpose we have taken the annotation model and have …


Benchmarking E-Business Security: A Model And Framework, Graeme Pye, Matthew J. Warren Jan 2005

Research outputs pre 2011

The dynamic nature of threats and vulnerabilities within the E-business environment can impede online functionality, compromise organisational or customer information, contravene security implementations and thereby undermine online customer confidence. To negate these problems, E-business security has to become proactive, by reviewing and continuously improving security to strengthen E-business security measures and policies. This can be achieved through benchmarking the security measures and policies utilised within the E-business, against recognised information technology (IT) and information security (IS) security standards.


Information Security: A Misnomer, William Hutchinson Jan 2005

Research outputs pre 2011

This paper argues that the definition of 'information' is crucial to the understanding of 'information security'. At present, information security concentrates on the technological aspects of data, computer and network security. This computer-centric approach ignores the fact that the majority of information within an organisation is derived from other sources than computer stored data. The implications for security are that much data can be leaked from an organisation even if the computer and network systems are secured.


ISRAM: Information Security Risk Analysis Method, Bilge Karabacak, Ibrahim Sogukpinar Jan 2005

All Faculty and Staff Scholarship

Continuously changing nature of technological environment has been enforcing to revise the process of information security risk analysis accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey based quantitative approach is proposed to analyze security risks of information technologies by taking current necessities into consideration. The new method is named as Information Security Risk Analysis Method (ISRAM). Case study has shown that ISRAM yields …


Vertical Sensitivity For The Information Security Health Rating Of Enterprises, Arcot Desai Narasimhalu, Nagarajan Dayasindhu, Raghavan Subramanian Dec 2004

Research Collection School Of Computing and Information Systems

INFOSeMM Maturity model was developed jointly by SMU and Infosys. It is recognized that different industry verticals will have different levels of recommended maturity levels. This paper articulates the need for developing the industry vertical benchmarks.


Rating Information Security Maturity, Arcot Desai Narasimhalu, Nagarajan Dayasindhu Aug 2004

Research Collection School Of Computing and Information Systems

Most CEOs have difficulty relating to the information security investments in their companies. This article presents a summary of the information security maturity model that the CEOs could use to determine the desired level of investments into information security infrastructure, tools and applications.


Enemy At The Gate: Threats To Information Security, Michael E. Whitman Aug 2003

Faculty Articles

A firm can build more effective security strategies by identifying and ranking the severity of potential threats to its IS efforts.