Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Articles 1 - 11 of 11

Full-Text Articles in Physical Sciences and Mathematics

An Economical Method For Securely Disintegrating Solid-State Drives Using Blenders, Brandon J. Hopkins PhD, Kevin A. Riggle Jul 2021

Journal of Digital Forensics, Security and Law

Pulverizing solid-state drives (SSDs) down to particles no larger than 2 mm is required by the United States National Security Agency (NSA) to ensure the highest level of data security, but commercial disintegrators that achieve this standard are large, heavy, costly, and often difficult to access globally. Here, we present a portable, inexpensive, and accessible method of pulverizing SSDs using a household blender and other readily available materials. We verify this approach by pulverizing SSDs with a variety of household blenders for fixed periods of time and sieve the resulting powder to ensure appropriate particle size. Among the 6 household …


How Much Should We Spend To Protect Privacy?: Data Breaches And The Need For Information We Do Not Have, Richard Warner, Robert Sloan Jan 2018

All Faculty Scholarship

A cost/benefit approach to privacy confronts two tradeoff issues. One is making appropriate tradeoffs between privacy and many goals served by the collection, distribution, and use of information. The other is making tradeoffs between investments in preventing unauthorized access to information and the variety of other goals that also make money, time, and effort demands. Much has been written about the first tradeoff. We focus on the second. The issue is critical. Data breaches occur at the rate of over three a day, and the aggregate social cost is extremely high. The puzzle is that security experts have long explained …


The Efficacy Of Cybersecurity Regulation, David Thaw Jan 2014

Articles

Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do – and should – deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these …


Enlightened Regulatory Capture, David Thaw Jan 2014

Articles

Regulatory capture generally evokes negative images of private interests exerting excessive influence on government action to advance their own agendas at the expense of the public interest. There are some cases, however, where this conventional wisdom is exactly backwards. This Article explores the first verifiable case, taken from healthcare cybersecurity, where regulatory capture enabled regulators to harness private expertise to advance exclusively public goals. Comparing this example to other attempts at harnessing industry expertise reveals a set of characteristics under which regulatory capture can be used in the public interest. These include: 1) legislatively-mandated adoption of recommendations by an advisory …


Information Security Challenge Of Qr Codes, Nik Thompson, Kevin Lee Jan 2013

Journal of Digital Forensics, Security and Law

The discipline of information security must adapt to new technologies and methods of interaction with those technologies. New technologies present both challenges and opportunities for the security professional, especially for areas such as digital forensics. Challenges can be in the form of new devices such as smartphones or new methods of sharing information, such as social networks. One such rapidly emerging interaction technology is the use of Quick Response (QR) codes. These offer a physical mechanism for quick access to Web sites for advertising and social interaction. This paper argues that the common implementation of QR codes potentially presents security …


Case Study On An Investigation Of Information Security Management Among Law Firms, Sameera Mubarak, Elena Sitnikova Dec 2009

Australian Information Security Management Conference

The integrity of lawyers' trust accounts has come under scrutiny in the last few years. There have been many incidents of trust account fraud reported internationally, including a case in Australia, where an employee of a law firm stole $4,500,000 from the trust funds of forty-two clients. Our study involved interviewing principals of ten law companies to find out solicitors’ attitudes to computer security and the possibility of breaches of their trust accounts. An overall finding highlights that law firms were not current with technology to combat computer crime, and inadequate access control was a major concern in safeguarding account …


Prevention Is Better Than Prosecution: Deepening The Defence Against Cyber Crime, Jacqueline Fick Jan 2009

Journal of Digital Forensics, Security and Law

In the paper the author proposes that effectively and efficiently addressing cyber crime requires a shift in paradigm. For businesses and government departments alike the focus should be on prevention, rather than the prosecution of cyber criminals. The Defence in Depth strategy poses a practical solution for achieving Information Assurance in today’s highly networked environments. In a world where “absolute security” is an unachievable goal, the concept of Information Assurance poses significant benefits to securing one of an organization’s most valuable assets: Information. It will be argued that the approach of achieving Information Assurance within an organisation, coupled with the …


The Common Body Of Knowledge: A Framework To Promote Relevant Information Security Research, Kenneth J. Knapp, F. N. Ford, Thomas E. Marshall, R. K. Rainer Jan 2007

Journal of Digital Forensics, Security and Law

This study proposes using an established common body of knowledge (CBK) as one means of organizing information security literature. Consistent with calls for more relevant information systems (IS) research, this industry-developed framework can motivate future research towards topics that are important to the security practitioner. In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK. Further, we distinguish articles as empirical research, frameworks, or tutorials. Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal …


Monitoring And Surveillance In The Workplace: Lessons Learnt? – Investigating The International Legal Position, Verine Etsebeth Jan 2007

Journal of Digital Forensics, Security and Law

When considering the legal implications of monitoring and surveillance in the workplace, the question may be asked why companies deploy computer surveillance and monitoring in the first place. Several reasons may be put forward to justify why more than 80% of all major American firms monitor employee e-mails and Internet usage. However, what most companies forget is the fact that the absence or presence of monitoring and surveillance activities in a company holds serious legal consequences for companies. From the discussion in this paper it will become apparent that there is a vast difference in how most countries approach this …


Education Organization Baseline Control Protection And Trusted Level Security, Wasim A. Al-Hamdani Jan 2007

Journal of Digital Forensics, Security and Law

Many education organizations have adopted for security the enterprise best practices for implementation on their campuses, while others focus on ISO Standard (or/and) the National Institution of Standards and Technology.

All these adoptions are dependent on IT personnel and their experiences or knowledge of the standard. On top of this is the size of the education organizations. The larger the population in an education organization, the more the problem of information and security becomes very clear. Thus, they have been obliged to comply with information security issues and adopt the national or international standard. The case is quite different when …


Making Molehills Out Of Mountains: Bringing Security Research To The Classroom, Richard G. Taylor Jan 2007

Journal of Digital Forensics, Security and Law

Security research published in academic journals rarely finds its way to the business community or into the classroom. Even though the research is of high quality, it is written in a manner that is difficult to read and to understand. This paper argues that one way to get this academic research into the business community is to incorporate it into security classrooms. To do so, however, academic articles need to be adapted into a classroom-friendly format. This paper suggests ways to do this and provides an example of an academic article that was adapted for use in a security management …