Similar literature
20 similar records found (search took 281 ms)
1.
ABSTRACT

It is becoming clear that the underground hacking industry as a whole (not just individual hackers) is continually gaining ground despite the best efforts of the information security industry. It seems the latter should have an overwhelming advantage, as a multibillion dollar industry staffed with hundreds of thousands of security professionals. However, the efforts of the information security industry are almost always reactive, and in most cases amount to losing ground on the defensive. The unfortunate and seldom acknowledged truth is that the underground hacking industry is always one step ahead. Why are we so slow to respond when all evidence indicates that such delays lead to enormous business losses? Is it possible that the fundamental way our information system security is organized has some inherited deficiencies which are prohibiting us from successfully mounting an effective defense?

Today's losses are becoming too great to say that we are just in need of some evolutionary improvements. Instead, we need to reevaluate the way we go about security business as a whole. In this article, we consider various processes common to both information systems and information system security based on both well-known cases and personal experience. This is our initial attempt to analyze how information system security is organized and to suggest some core changes to its processes.

2.
Knowledge sharing plays an important role in the domain of information security, due to its positive effect on employees' information security awareness. It is acknowledged that security awareness is the most important factor that mitigates the risk of information security breaches in organizations. In this research, a model has been presented that shows how information security knowledge sharing (ISKS) forms and decreases the risk of information security incidents. The Motivation Theory and Theory of Planned Behavior besides Triandis model were applied as the theoretical backbone of the conceptual framework. The results of the data analysis showed that earning a reputation, and gaining promotion as an extrinsic motivation and curiosity satisfaction as an intrinsic motivation have positive effects on employees' attitude toward ISKS. However, self-worth satisfaction does not influence ISKS attitude. In addition, the findings revealed that attitude, perceived behavioral control, and subjective norms have positive effects on ISKS intention and ISKS intention affects ISKS behavior. The outcomes also showed that organizational support influences ISKS behavior more than trust. The results of this research should be of interest to academics and practitioners in the domain of information security.

3.
Abstract

Security auditing methods have not changed markedly from those first developed for the stand-alone computer environments of the 1960s. These methods were adequate for their time, but modern information system technology has made auditing computer security a much more imposing problem. There are numerous reasons for this. Personal computers have placed powerful tools for exploration and hacking onto everyone's desk. Networks have revolutionized the exchange of information, but they have also provided a direct path for hackers to attack and compromise critical computer assets. Even more threatening, employees and contractors can often readily gain unrestricted access to even the most sensitive information simply because standards for protection have not been designed or implemented. In this environment, bookkeeping-based auditing methods not only fall short, but can create a misleading impression that security is under control.

4.
Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

5.
ABSTRACT

As business systems are getting interconnected, the importance of security is growing at an unprecedented pace. To protect information, strong security measures need to be implemented and continuously updated and monitored to ensure their promise against present and future security breaches. However, the growth of networked systems and the increasing availability of sophisticated hacking tools make the task of securing business systems challenging. To enhance the security strength and to justify any investment in security-related products, it becomes mandatory to assess the security measures in place and estimate the level of security provided by them. The existing standards to certify the strength of a security system are qualitative, lack consideration of the countermeasures and do not consider the impact of security breaches. Consequently, there is a need for an alternative approach to estimate the security strength of a system in a quantitative manner. This paper aims to provide an extensible framework called iMeasure Security (iMS) that quantifies the security strength of an enterprise system by considering the countermeasures deployed in its network, analyzes the business impact of the security breaches, and provides insights as to how the level of security can be improved from current levels.

6.
Explaining the influence of management leadership on employees' information security behaviour is an important focus in information systems research and for companies and organizations. Unfortunately, the role of leadership has remained largely unexplored in the information security context. Our study addresses this gap in literature: how the dimensions of full‐range leadership influence employees' intended information security behaviour. Consequently, our study takes an interactional psychology perspective and links the dimensions of the full‐range model of leadership to employees' security compliance intention and security participation intention. We tested our multitheoretical model using Smart PLS 3.2.7 on a proprietary data set of 322 professionals in more than 14 branches throughout different regions worldwide. Our study contributes to the literature on information security, management, and leadership by exploring how and why different leadership styles enhance employees' intended information security behaviour. Our empirical findings emphasize the importance of transformational leaders because they are capable of directly influencing employees on the extra‐role and in‐role behaviour levels. Our results indicate new directions for information security and leadership research and implications for leadership practices.

7.
Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in the information security chain, information security awareness with the objective of reducing information security risks that occur due to human-related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users' information security awareness and behaviour. There is a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness sessions using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that a combination of delivery methods is better than any individual security awareness delivery method.

8.
Context: Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system.

Objective: In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection.

Method: Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs.

Results: We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach.

Conclusion: Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.

9.
ABSTRACT

This study presents results of a survey of self-proclaimed computer hackers about their perceptions in regards to illegal hacking. Results show that hackers continue to engage in illegal hacking activities despite the perception of severe judicial punishment. A closer look shows that hackers perceive a high utility value from hacking, little informal sanctions, and a low likelihood of punishment. These perceptions coupled with a high level of moral disengagement partially explain the hacker's illegal behavior.

10.
Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

11.
Social Internet of Things (IoT) technology is developing rapidly and its security problems are becoming increasingly serious, so this paper studies a simple and easy-to-use IoT security situation awareness method. To address the lack of generality and the excessive reliance on expert knowledge in current IoT security situation awareness systems, an IoT security situation awareness method based on an improved D-S (Dempster-Shafer) evidence theory is proposed. A fuzzy Gaussian membership function is used to compute the membership matrix of the vulnerability information, which is normalized and used as the evidence distribution matrix; an improved TOPSIS method is used to measure the credibility of the evidence...

12.
ABSTRACT

In this paper we present the information security awareness rate of students in the Kyrgyz Republic, where there is a rapid pace of formation and development of the information society. The survey was conducted with a sample of 172 students from different departments of the university. Our research study showed that despite the huge number of reports about computer crimes on the web, the knowledge about cybercrime is quite low and students are mostly not aware of many aspects of computer crime. Analysis was done to determine the dependence of the information security awareness rate on the computer literacy rate and the education field of students. We conclude that although information technology is in wide usage, information security topics need to be taught to prevent students from becoming victims of cyber crime.

13.
14.
ABSTRACT

The number of vulnerabilities discovered and reported during the recent decades is enormous, making an improved ranking and prioritization of vulnerabilities' severity a major issue for information technology (IT) management. Although several methodologies for ranking and scoring vulnerabilities have been proposed, the Common Vulnerability Scoring System (CVSS) is the open standard with wide acceptance from the information security community. Recently, the Weighted Impact Vulnerability Scoring System (WIVSS) has been proposed as an alternative scoring methodology, which assigns different weights to the impact factors of a vulnerability in order to achieve higher diversity of values and thus improvement in flexibility of ranking in comparison to CVSS. The purpose of this paper is to expand the idea of WIVSS by defining the sets of weights which provide higher diversity of values. For this reason, an algorithm that finds all the possible combinations of optimal weights within a specified range and under certain constraints is presented. The algorithm results in 14 different combinations of impact weights that are applied to a sample of 20,496 vulnerabilities and statistically analyzed for associations among impact factors. The results suggest that one specific combination of impact weights can achieve the highest diversity of values.

15.
16.
ABSTRACT

The aim of this survey is largely exploratory, namely, to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue and to have a better understanding of the reasons why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern has emerged from the content analysis (e.g., terminology ambiguity), and the chosen publications were classified based on it. The paper identifies ambiguous aspects of current security awareness approaches and the proposed classification provides a guide to identify the range of options available to researchers and practitioners when they design their research and practice on information security awareness.

17.
ABSTRACT

Software vulnerabilities are the major cause of cyber security problems. The National Vulnerability Database (NVD) is a public data source that maintains standardized information about reported software vulnerabilities. Since its inception in 1997, NVD has published information about more than 43,000 software vulnerabilities affecting more than 17,000 software applications. This information is potentially valuable in understanding trends and patterns in software vulnerabilities so that one can better manage the security of computer systems that are pestered by the ubiquitous software security flaws. In particular, one would like to be able to predict the likelihood that a piece of software contains a yet-to-be-discovered vulnerability, which must be taken into account in security management due to the increasing trend in zero-day attacks. We conducted an empirical study on applying data-mining techniques on NVD data with the objective of predicting the time to next vulnerability for a given software application. We experimented with various features constructed using the information available in NVD and applied various machine learning algorithms to examine the predictive power of the data. Our results show that the data in NVD generally have poor prediction capability, with the exception of a few vendors and software applications. We suggest possible reasons for why the NVD data have not produced a reasonable prediction model for time to next vulnerability with our current approach, and suggest alternative ways in which the data in NVD can be used for the purpose of risk estimation.

18.
ABSTRACT

Contemporary businesses face many new and unprecedented challenges including the threat of terrorism. The impact of a terrorist attack can undermine an organization's success and survival. A significant area of organizational vulnerability to acts of terrorism involves the information systems infrastructure of the organization. This article discusses the mission-critical expectations that corporate executives have for their information technology departments with respect to securing and protecting these essential resources.

19.
Abstract

My idea is that talking to the computer security underground is a good thing for security practitioners to do. It has been problematic, though. The theory is that understanding vulnerabilities, the threats of exploiting them, the risks that these threats pose, and the appropriate countermeasures to use against them includes talking to the "enemy" (the computer security underground). After all, the enemy includes those who freely trade vulnerability information — often well before it becomes known to the legitimate security community. Despite the obvious appeal of this approach, the road to a forum for the exchange of information with the enemy has not been a smooth one. Therein lies a tale.

20.
We examine the influence of supervisors' close monitoring on employees' creativity and knowledge sharing, both of which are important to the enhanced performance and survival of organizations in this era of uncertainty and change. We also identify the mechanism through which supervisors' close monitoring affects employees' creativity and knowledge sharing. A survey was conducted with military officers in South Korea, among whom supervisor–employee interactions occur daily. A regression analysis of 163 supervisor‐employee dyads shows that supervisors' close monitoring has a negative impact on employees' creativity and knowledge sharing; a mediation test using a bootstrapping methodology shows that supervisors' close monitoring has a significantly negative indirect impact on employees' creativity and knowledge sharing with leader‐member exchange (LMX) as the mediator. Our theoretical contribution is to provide an improved understanding of the relationships among the variables. We also offer a practical implication because our findings show that supervisors' close monitoring may hinder employees' creativity and knowledge sharing by undermining LMX.

Copyright © Beijing Qinyun Technology Development Co., Ltd.