Similar literature
20 similar documents found (search time 0 ms)
1.
To protect information systems from increasing levels of cyber threats, organizations are compelled to institute security programs. Because information security policies are a necessary foundation of organizational security programs, there exists a need for scholarly contributions in this important area. Using qualitative methods, we develop an information security policy process model based on responses from a sample of certified information security professionals. As the primary contribution of this research study, the proposed model illustrates a general yet comprehensive policy process in a distinctive form not found in existing professional standards or academic publications. This study's model goes beyond the models illustrated in the literature by depicting a larger organizational context that includes key external and internal influences that can materially impact organizational processes. The model that evolved from the data in this research reflects the recommended practices of our sample of certified professionals, thus providing a practical representation of an information security policy process for modern organizations. Before offering our concluding comments, we compare the results of the study with the literature in both theory and practice and also discuss limitations of the study. To the benefit of the practitioner and research communities alike, the model in this study offers a step forward, as well as an opportunity for making further advancements in the increasingly critical area of information security policy.

2.
Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed.

3.
A security policy language for wireless sensor networks (cited by: 1; self-citations: 0; citations by others: 1)
Authenticated computer system users are only authorized to access certain data within the system. In the future, wireless sensor networks (WSNs) will need to restrict access to data as well. To date, WSN security has largely been based on encryption and authentication schemes. The WSN Authorization Specification Language (WASL) is a mechanism-independent, composable WSN policy language that can specify arbitrary and composable security policies able to span and integrate multiple WSN policies. Using WASL, a multi-level security policy for a 1000-node network requires only 60 bytes of memory per node.

4.
Research on a policy-based centralized security-policy management model (cited by: 1; self-citations: 0; citations by others: 1)
Existing models for the centralized management of security policies are analyzed, and a more flexible, policy-based centralized security management model is proposed; the key technologies for implementing the model are discussed. Finally, the model is compared with the existing models.

5.
In this paper, the need for identifying and analyzing the generic security characteristics of a healthcare information system is first demonstrated. The analysis of these characteristics is based upon a decision-support roadmap. The results from this profiling work are then analyzed in the light of the fact that more than 1000 accidental deaths have happened due to computer system failures. As a result of this analysis, a set of recommendations is drawn up, leading to the development of a baseline security policy for healthcare institutions. Such a policy should be flexible enough to reflect the local needs, expectations and user requirements, as well as strict enough to comply with international recommendations. An example of such a baseline policy is then provided. The policy refers to a given security culture and has been based upon an abstract approach to the security needs of a healthcare institution.

6.
This study investigated employees' information systems security policy (ISSP) compliance behavioural intentions in organisations from the theoretical lenses of social bonding, social influence, and cognitive processing. Given that previous research on ISSP compliance has been based on deterrence theory, this study seeks to augment and diversify research on ISSP compliance through its theoretical perspective. Relevant hypotheses were developed to test the research conceptualisation. Data from a survey of business managers and IS professionals confirmed that social bonds formed at work largely influence attitudes towards compliance and subjective norms, with both constructs positively affecting employees' ISSP compliance. Employees' locus of control and their capabilities and competence related to IS security issues also affect ISSP compliance behavioural intentions. Overall, the constructs in the research model enhance our understanding of the social-organisational and psychological factors that might encourage or accentuate employees' ISSP compliance in the workplace.

7.
IS security threats have increased significantly in recent years. We identified the gaps between manager perceptions of IS security threats and the security countermeasures adopted by firms by collecting empirical data from 109 Taiwanese enterprises. Industry type and organizational use of IT were seen as the two factors that affected the motivation of firms to adopt security countermeasures, but their implementation did not necessarily affect the threat perceptions of the managers. Analyses of responses suggested that the scope of the countermeasures adopted was not commensurate with the severity of the perceived threats. Among the threats, networks were rated as contributing the most severe threat and yet had the lowest level of protection; this was followed by threats due to personnel and administrative issues. We therefore addressed threat mitigation strategies, specifically in terms of the differences between industries.

8.
Addressing the role-based access control model (RBAC) and the important security principle of separation of duty (SoD), this paper proposes a risk-based security policy, the Fuzzy Security Policy (FSP). Qualification expressions limit the number and identity of the users who may execute sensitive tasks; a risk-degree vector quantifies the risk of each user-role authorization; and fuzzy comprehensive evaluation analyzes the aggregate risk of a user set that satisfies the qualification constraints executing multiple tasks. The satisfiability of the policy under a given system configuration and risk threshold is then discussed, and an algorithm for deciding whether a user set satisfies the security policy is given. The policy allows an organization to select a user set that meets its security requirements to execute tasks.
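As an added illustration of the decision problem described in this abstract (not code from the paper), the following Python sketch enumerates the ways a set of tasks can be assigned to users and keeps only the assignments that satisfy a qualification constraint (at most a given number of distinct users), every separation-of-duty pair, and an aggregate-risk threshold. The users, roles, per-authorization risk degrees, tasks and SoD pairs are constructed for the example, and the paper's fuzzy comprehensive evaluation is replaced by a noisy-OR aggregation, which is this example's assumption rather than the paper's method.

```python
"""Deciding whether a user set can execute tasks under SoD, qualification
and aggregate-risk constraints (added Python sketch, not the paper's code)."""
from itertools import product
from typing import Dict, List, Set, Tuple

# --- Constructed sample configuration (assumed for illustration) ---
# Roles each user is authorized for.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk", "approver"},
    "bob": {"clerk"},
    "carol": {"approver", "auditor"},
    "dave": {"auditor"},
}
# Risk degree in [0, 1] of each user-role authorization (the risk vector).
USER_ROLE_RISK: Dict[Tuple[str, str], float] = {
    ("alice", "clerk"): 0.1, ("alice", "approver"): 0.5,
    ("bob", "clerk"): 0.3,
    ("carol", "approver"): 0.2, ("carol", "auditor"): 0.2,
    ("dave", "auditor"): 0.6,
}
# Role required to execute each task.
TASK_ROLE: Dict[str, str] = {"prepare": "clerk", "approve": "approver", "audit": "auditor"}
# Separation-of-duty constraints: each pair must be executed by different users.
SOD_PAIRS: List[Tuple[str, str]] = [("prepare", "approve"), ("approve", "audit")]

Assignment = Dict[str, str]  # task -> user


def aggregate_risk(assignment: Assignment) -> float:
    """Aggregate the per-authorization risks of an assignment.
    Noisy-OR (probability that at least one authorization is misused) is an
    assumed stand-in for the paper's fuzzy comprehensive evaluation."""
    safe = 1.0
    for task, user in assignment.items():
        safe *= 1.0 - USER_ROLE_RISK[(user, TASK_ROLE[task])]
    return 1.0 - safe


def violates_sod(assignment: Assignment) -> bool:
    """True if any SoD pair is executed by the same user."""
    return any(assignment[a] == assignment[b] for a, b in SOD_PAIRS)


def satisfying_assignments(threshold: float, max_users: int = 3) -> List[Tuple[Assignment, float]]:
    """All assignments meeting the qualification constraint (at most max_users
    distinct users), every SoD pair and the risk threshold, lowest risk first.
    Brute force: fine for a handful of tasks, exponential in general."""
    tasks = list(TASK_ROLE)
    candidates = [[u for u, roles in USER_ROLES.items() if TASK_ROLE[t] in roles]
                  for t in tasks]
    result = []
    for users in product(*candidates):
        assignment = dict(zip(tasks, users))
        if len(set(users)) > max_users or violates_sod(assignment):
            continue
        risk = aggregate_risk(assignment)
        if risk <= threshold:
            result.append((assignment, risk))
    return sorted(result, key=lambda item: item[1])


def is_satisfiable(threshold: float, max_users: int = 3) -> bool:
    """Does any user set satisfy the policy under this configuration and threshold?"""
    return bool(satisfying_assignments(threshold, max_users))


if __name__ == "__main__":
    for assignment, risk in satisfying_assignments(0.75):
        print(f"{risk:.3f} {assignment}")
```

Lowering the threshold or tightening `max_users` shrinks the set of admissible user sets until the policy becomes unsatisfiable, which is the satisfiability question the abstract raises for a given configuration and threshold.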

9.
周权, 周敏, 唐屹. 计算机应用研究 (Application Research of Computers), 2007, 24(12): 151-154
To address the problems of IPSec security-policy management, the idea of trust management is introduced and an IPSec security-policy management scheme based on trust management is presented. The scheme describes the policies of a distributed network uniformly and, through compliance proofs, supports delegated authorization of policy management, which greatly improves the efficiency of IPSec security-policy management and the flexibility of IPSec.

10.
We proposed and empirically tested a mediating model for examining the effects of multilevel sanctions on preventing information security violations in the workplace. The results of the experiment suggested that personal self-sanctions and workgroup sanctions have significant deterrent effects on employee security violations, but that the effect of organizational sanctions becomes insignificant when the other two types of sanctions are taken into account. Theoretically, the study pointed out the importance of personal self-sanctions and informal workgroup sanctions. Practically, our results suggested that an "influencing" strategy may be more effective than an "enforcing" one in information security management.

11.
This paper addresses the specification of a security policy ontology framework to mediate security policies between virtual organizations (VO) and real organizations (RO). The goal is to develop a common domain model for security policy via semantic mapping. This mitigates interoperability problems that exist due to heterogeneity in security policy data among various VO and RO in the semantic web. We propose to carry out integration or mapping for only one aspect of security policy, namely authorization policy. Other aspects such as integrity, repudiation and confidentiality will be addressed in future work. We employ tools such as Protégé, RacerPro and PROMPT to show proof of concept.
Larry Kerschberg, URL: http://eceb.gmu.edu

12.
This paper introduces the concept and architecture of cloud computing, analyzes the information-security risks and hidden dangers that may exist in a cloud computing environment, and focuses on a series of strategies for responding to those security risks.

13.
Much of the research on security policy compliance has tested the relationships posited by the theory of planned behavior. This theory explains far from all of the measurable variance in policy compliance intentions. However, it is associated with the so-called sufficiency assumption, which essentially states that no variable is missing from the theory. This paper addresses this assumption in the context of information security policy compliance. A meta-analysis of published tests on information security behavior and a review of the literature in related fields are used to identify variables that have the potential to improve the theory's predictions. These results are tested using a random sample of 645 white-collar workers. The results suggest that the variables anticipated regret and habit improve the predictions. The variables increase the explained variance by 3.4 and 2.6 percentage points, respectively, when they are added individually, and by 5.4 percentage points when both are added.

14.
An IPsec-security-policy-oriented VPN performance evaluation model (cited by: 4; self-citations: 0; citations by others: 4)
The complex semantics of IPsec security policies make the performance analysis of IPsec VPNs difficult. To address the lack of a framework for IPsec VPN performance analysis, which leaves the validity of evaluations unguaranteed, a VPN performance evaluation model based on IPsec security policies is proposed. The model builds an extensible virtual VPN environment, improves the controllability of VPN performance by maintaining the IPsec security policies, and uses multithreaded concurrency control to gather statistics in parallel. Finally, experiments verify the reliability and usability of the model for VPN performance evaluation.

15.
Information security management standards: Problems and solutions (cited by: 1; self-citations: 0; citations by others: 1)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements differ. Second, we noted that these guidelines were validated by appeal to common practice and authority, which is not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

16.
An information security filtering system based on the vector space model (cited by: 6; self-citations: 0; citations by others: 6)
Information filtering is the process of monitoring information sources to find the information that satisfies a user's needs. This paper discusses in detail an information filtering system based on the vector space model. The system consists of a training stage and an adaptive filtering stage: in the training stage, an initial filtering template is built through topic processing and feature extraction, and an initial threshold is set; in the filtering stage, the template and the threshold are adjusted adaptively according to user feedback. Finally, the evaluation method and experimental results are given.

17.
This paper describes ACTEN, a conceptual model for the design of security systems. Security information is represented by action-entity pairs and organized into a framework composed of graphs and tables. The rules permitting the building and management of this framework are introduced. The model describes both static and dynamic aspects of the security system: it shows the access modalities between objects in the system and the evolution of such modalities due to the granting and revocation of rights within the security system. ACTEN also allows the identification of the authority and protection level of each component of the system. The tools for this analysis are introduced and an example is given.

18.
"长城"安全策略模型是商业信息领域中重要的安全策略模型之一,它能够巧妙地将自由选择与强制访问控制结合在一起,既具有自主控制的灵活性,又能对存取操作加以限制.但是"长城"安全策略模型仍不能很好地满足实际的需要,存在着一定的缺陷,因此增加时间约束,职责分离约束和基数约束,对"长城"安策略模型进行扩展,提出一种带有约束的"长城"安全策略模型.  相似文献   

19.
Studies of employee responses to information security policy (ISP) demands show that employees who experience stress over the demands resort to emotion-focused coping to alleviate the stress and subsequently violate the ISP. However, their intent to engage in problem-focused coping to meet the ISP demands, and possibly reduce ISP violations, has yet to be analysed. We argue that both types of coping responses coexist in employee responses to ISP demands and together influence ISP violation intention. Drawing upon the Transactional Model of Stress and Coping, we examine how security-related stress (SRS) triggers inward and outward emotion-focused coping and problem-focused coping in response to the ISP demands, which together influence employee ISP violations. We also examine how ISP-related self-efficacy and organisational support moderate the effects of SRS on coping responses. We surveyed 200 employees in the United States to test our model. The results indicate that SRS triggers all three coping responses, and that ISP-related self-efficacy and organisational support reduce the effects of SRS on inward and outward emotion-focused coping. Problem-focused coping then decreases ISP violation intention, whereas inward and outward emotion-focused coping increase it. The model was further verified with ISP compliance as the outcome construct, which yielded consistent results. Understanding the various coping responses to SRS and the factors that facilitate or inhibit them can assist managers in effectively designing and implementing the ISP to reduce employee ISP violations.

20.
On the basis of cost-benefit analysis, this paper introduces the PROMETHEE multi-attribute preference index, which is built on the outranking relation, and proposes an information-security risk-control model based on the PROMETHEE method. Using the preferences supplied by the decision maker, the model sets the preference functions, criterion values and criterion weights; starting from the degree to which alternatives outperform one another, it computes the positive (leaving) flow and negative (entering) flow of each alternative and obtains a partial or complete ranking of the alternative set, on which basis the candidate security controls are screened effectively. The sensitivity of the model is also analyzed and verified, and finally the effectiveness of the risk-control model is demonstrated with a worked example.
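As an added example (not the paper's code), the Python sketch below carries out the PROMETHEE II computation the abstract describes: a pairwise preference index weighted over criteria, the leaving and entering flows of each alternative, and a complete ranking by net flow. The candidate controls, their criterion values, the weights and the preference functions are constructed for illustration; the sensitivity analysis the abstract mentions corresponds to re-running `rank` with a different criteria list.

```python
"""PROMETHEE II ranking of candidate security controls
(added sketch, not the paper's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Preference = Callable[[float], float]   # maps a criterion difference d to [0, 1]


def usual() -> Preference:
    """Type I criterion: any positive difference is full preference."""
    return lambda d: 1.0 if d > 0 else 0.0


def linear(p: float, q: float = 0.0) -> Preference:
    """Type V criterion: indifference up to q, full preference from p,
    linear in between."""
    def pref(d: float) -> float:
        if d <= q:
            return 0.0
        if d >= p:
            return 1.0
        return (d - q) / (p - q)
    return pref


@dataclass
class Criterion:
    name: str
    weight: float          # weights are assumed to sum to 1
    maximize: bool         # False for criteria such as cost that are minimized
    pref: Preference


# --- Constructed sample data (assumed for illustration) ---
CONTROLS: Dict[str, Dict[str, float]] = {
    "mfa":       {"cost": 40, "risk_reduction": 0.70, "effort": 3},
    "edr":       {"cost": 90, "risk_reduction": 0.80, "effort": 5},
    "training":  {"cost": 15, "risk_reduction": 0.30, "effort": 2},
    "patch_sla": {"cost": 30, "risk_reduction": 0.55, "effort": 4},
}
CRITERIA: List[Criterion] = [
    Criterion("cost", 0.3, maximize=False, pref=linear(p=50)),
    Criterion("risk_reduction", 0.5, maximize=True, pref=linear(p=0.30, q=0.05)),
    Criterion("effort", 0.2, maximize=False, pref=usual()),
]


def preference_index(a: str, b: str, controls: Dict[str, Dict[str, float]],
                     criteria: List[Criterion]) -> float:
    """pi(a, b): weighted degree to which a is preferred to b over all criteria."""
    total = 0.0
    for c in criteria:
        d = controls[a][c.name] - controls[b][c.name]
        if not c.maximize:
            d = -d                      # for minimized criteria, smaller is better
        total += c.weight * c.pref(d)
    return total


def net_flows(controls: Dict[str, Dict[str, float]] = CONTROLS,
              criteria: List[Criterion] = CRITERIA) -> Dict[str, float]:
    """phi(a) = phi+(a) - phi-(a): leaving flow minus entering flow, each
    averaged over the n-1 other alternatives."""
    names = list(controls)
    n = len(names)
    flows: Dict[str, float] = {}
    for a in names:
        leaving = sum(preference_index(a, b, controls, criteria) for b in names if b != a)
        entering = sum(preference_index(b, a, controls, criteria) for b in names if b != a)
        flows[a] = (leaving - entering) / (n - 1)
    return flows


def rank(controls: Dict[str, Dict[str, float]] = CONTROLS,
         criteria: List[Criterion] = CRITERIA) -> List[Tuple[str, float]]:
    """Complete ranking (PROMETHEE II): alternatives ordered by net flow."""
    flows = net_flows(controls, criteria)
    return sorted(flows.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, phi in rank():
        print(f"{name:10s} phi = {phi:+.3f}")
```

Net flows always sum to zero, which is a convenient sanity check on an implementation; the partial ranking (PROMETHEE I) would instead compare leaving and entering flows separately and leave two alternatives incomparable when the two flows disagree.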
