Abstract:
To secure information systems, the security risks and requirements must be clearly understood before the proper security mechanisms can be identified and designed. Today's security requirement specifications are generally incomplete and narrowly focused, which leads to ineffective security designs of information systems. The author asserts that multiple views (management, threat, resource, process, assessment, and legal) of information systems provide an opportunity for a better understanding of security risks and requirements. In this paper, the author proposes a six-view perspective of a system security framework to identify a more complete set of security risks and requirements. The proposed framework presents a synergistic view of system security in which the author presents an extensive list of heuristics/guidelines under each view, discussing security issues, risks, and requirements. Through a case study, the author shows that a multiple-view perspective of system security is effective in determining a more complete set of security requirements than the traditional approach of focusing on threats alone.
Abstract:
As differing levels of security in forensic mental healthcare have evolved, there has been no clear or concise agreed definition of high, medium, or low secure care. This paper reviews the historical use and abuse of security as treatment. More recent attempts to define security level and purpose are reviewed, and the trinitarian model of relational, procedural, and physical security is described. In Scotland there has been a need to define security levels for the purpose of private sector registration, service development, and, most particularly, appeals against excessive security made under new mental health law. The Matrix of Security which has been developed in Scotland, and those aspects of physical and procedural security that differ between security settings, are described.
Abstract:
The essence of and different approaches to national security are explored in the article. The article interprets the objectives and provision methods of national security. Different areas and vital interests that are the objects of national security are classified. According to this classification, the components of national security, such as socio-political security, military security, information security, food security, energy security, education system security, scientific and technological security, health system security, transport system security, environmental security, mass media security, and cultural-moral security, are differentiated. The development of ICT and the growing role and responsibilities of the information society in the national security system in connection with the formation of information security are described. The article also analyzes the relationship between information security and the other components of national security. Application areas of ICT in each national security component and information security threats are identified, and ways of addressing them are described. The article uses analysis and synthesis, comparison, generalization, and a systematic approach. The results obtained in the article can be used for the development of new security concepts, strategies, and other regulatory documents for national security in the context of the information society.
Abstract:
The enthusiasm to drive up standards in private security has generally been pursued via various forms of statutory regulation. Important as these are, there are other drivers of standards that have received less attention. This article reports on the crucial role played by buyers of security in determining the quality of private security provision. Via an online survey of 151 security specialists employed by companies and 509 directors/managers of security suppliers, attitudes towards current practices in security are discussed. It emerges that although buyers of security see in-house provision as higher quality, they recognise that contractors offer more value because they are cheaper. It is suggested that a key driver for the focus on cost rather than quality is the low status of security within organisations. Indeed, despite aspirations for security in organisations to be viewed as business-enhancing, it is all too often an unwelcome purchase. The implications are discussed.
Abstract:
Security in air transportation is an issue of global importance. Since September 11, 2001 there have been numerous events where terrorists have successfully exploited vulnerabilities and weaknesses in the security system. The authors, both security practitioners and academics, contribute to the discussion of what security in air transportation means by proposing that the existing system still remains vulnerable to future exploitation by terrorists and other threat groups. The essay proffers a framing device. The meaning of security is considered in terms of our knowledge of the system. It considers air transportation security from the position that our knowledge and understanding is limited by hubris, and explains how this can be improved so that system vulnerabilities are revealed and mitigated before they are exploited. The essay concerns itself with the notion that air transportation security has a multitude of meanings, and that the system is in a critical state because it is perpetually reliant upon sophisticated technologies to retrospectively plug gaps in the defences. The essay concludes that complexity and hubris create a malign condition which is not visible to lawmakers, regulators, and system designers. To improve our understanding of what effective security means, we need to look behind the hubristic curtain and grapple with the complexities and vagaries which are the ingredients in the creation and incubation of system vulnerability and weakness.
Abstract:
Cyber security is a global concern for the whole digital world because of increased reliance on information systems and services. Security threats can have a negative impact on the reputation and assets of an organization as well as adversely affect the legal and regulatory compliance of the organization. Security awareness is a primary pillar of security for any organization to avoid major security breaches. The increased importance and need for information security has, however, been met with very little research and publication addressing the status of security in different organizations across the globe. This research continues a previous study that investigated security issues in public and private organizations in Amman, Jordan (Dahbur, Isleem, & Ismail, 2012). This research utilizes a modified version of questionnaire surveys that were developed based on current and common threat profiles. The surveys were distributed to a large number of participants employed in diverse organizations to ensure statistical significance. The results were carefully analyzed and compared with previous research to study the persistence of and changes in security factors and variables. The study also provides an assessment of security awareness to detect and address the main security issues such as vulnerability to threats, security training, and implemented security policies and measures. Conclusions and recommendations are proposed based on the results of this study and the comparison of the current results with the previous research.
Abstract:
Security metrics have received significant attention. However, they have not been systematically explored based on an understanding of attack-defense interactions, which are affected by various factors, including the degree of system vulnerabilities, the power of system defense mechanisms, attack (or threat) severity, and the situations a system at risk faces. This survey particularly focuses on how a system's security state can evolve as an outcome of cyber attack-defense interactions. This survey concerns how to measure system-level security by proposing a security metrics framework based on the following four sub-metrics: (1) metrics of system vulnerabilities, (2) metrics of defense power, (3) metrics of attack or threat severity, and (4) metrics of situations. To investigate the relationships among these four sub-metrics, we propose a hierarchical ontology with four sub-ontologies corresponding to the four sub-metrics and discuss how they are related to each other. Using the four sub-metrics, we discuss the state-of-the-art existing security metrics and their advantages and disadvantages (or limitations) to obtain lessons and insight in order to achieve an ideal goal in developing security metrics. Finally, we discuss open research questions in the security metrics research domain and suggest key factors to enhance security metrics from a system security perspective.
Abstract:
Cloud computing offers multiple benefits to users by relieving them of the tasks of setting up complex infrastructure and costly services. However, these benefits come with a price, namely that Cloud Service Customers (CSCs) need to trust Cloud Service Providers (CSPs) with their data, and are additionally exposed to integrity- and confidentiality-related incidents at the CSPs. Thus, it is important for CSCs to know what security assurances the CSPs are able to guarantee, by being able to quantitatively or qualitatively compare CSPs' offers with respect to their own needs. On the other hand, it is also important for CSPs to assess their own offers by comparing them to the competition and with the CSCs' needs, to consequently improve their offers and to gain better trust. Thus there is a basic need for techniques that address the Cloud security assessment problem. Although a few assessment methodologies have recently been proposed, their value comes only if they can be efficiently executed to support actual decisions at run time. For an assessment methodology to be practical, it should be efficient enough to allow CSCs to adjust their preferences while observing on the fly the current evaluation of CSPs' offers based on the preferences being chosen. Furthermore, for an assessment methodology to be useful in real-world applications, it should be efficient enough to support many requests in parallel, taking into account the growing number of CSPs and the variety of requirements that CSCs might have. In this paper, we develop a novel Cloud security assessment technique called Moving Intervals Process (MIP) that possesses all these qualities. Unlike the existing complex approaches (e.g., Quantitative Hierarchical Process - QHP) that are computationally too expensive to be deployed for the needed on-line real-time assessment, MIP offers both accuracy and high computational efficiency. Additionally, we also show how to make the existing QHP competitively efficient.
Abstract:
Purpose - The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.
Design/methodology/approach - To defend against CIAs, this approach involves detecting attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.
Findings - The approach was applied successfully to defend against attacks targeting Structured Query Language (SQL), XML Path Language, and JavaScript, with positive results.
Originality/value - Despite the many countermeasures that have been proposed, the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code into applications by using a variety of languages and techniques. Hence, a generic approach that defends against such attacks would be a useful countermeasure. This approach can defend against attacks that involve both domain-specific languages (e.g. SQL) and general-purpose languages (e.g. JavaScript) and can be used against both client-side and server-side attacks.
Abstract:
Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This article synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated with idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and with systemic aspects of organizations (procedural and structural arrangements). The measures aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics, and are categorized as: (a) measures of training and awareness; (b) measures of organizational support; and (c) measures of rewards and penalties. Further research is needed to explore the dynamics of how challenges emerge, develop, and get addressed over time, and also to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.