H. van de Haar and R. von Solms
Abstract
Top management is responsible for the wellbeing of the organization. Most organizations nowadays are dependent totally on the availability and effectiveness of their information service resources. For this reason it is imperative that top management gets involved and stays involved in the protection of the information service assets of the organization. This can only be accomplished through a process of continuous information security evaluation and reporting. An information security evaluation and reporting tool, representing the information security status in a concise, clear manner, will help a great deal in ensuring top management involvement. Suggests implementation of an information security management model by means of an evaluation tool. This tool will provide top management with information security status reporting in a clear, non‐technical format.
Uchenna Daniel Ani, Hongmei He and Ashutosh Tiwari
Abstract
Purpose
As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.
Design/methodology/approach
A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.
Findings
Using a test scenario, the approach demonstrates the capacity to provide an efficient evaluation of workforce security knowledge and skills capabilities and to identify the weakest link in the workforce.
Practical implications
The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.
Originality/value
This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.
Haider Abbas, Christer Magnusson, Louise Yngstrom and Ahmed Hemani
Abstract
Purpose
The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns.
Design/methodology/approach
In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to evaluation of security architecture and decision making for handling these issues at organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.
Findings
The paper shows through three examples that it is possible to have a coherent methodology, building on options theory to deal with uncertainty issues in information security at an organizational level.
Practical implications
To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings‐och Hämtningssystem (SHS: dissemination and retrieval system) system. The paper introduces the methodology, presents its application to the SHS system in detail and compares it to the current practice.
Originality/value
This research is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology.
Dieter Gollmann and Peer Wichmann
Abstract
Reports on the evaluation of a set of commercial PC‐security products. Argues how, and why, this analysis differs from the kind of security evaluation described in the IT security evaluation criteria published recently by some national security agencies. Draws on an in‐depth examination down to the hardware level, based on the actual executable code and covers even attack scenarios where the attacker can manipulate the hardware of the PC. Summarizes the major findings, pointing out some frequent design faults in PC‐security systems.
Evandro Alencar Rigon, Carla Merkle Westphall, Daniel Ricardo dos Santos and Carlos Becker Westphall
Abstract
Purpose
This paper aims at presenting a cyclical evaluation model of information security (IS) maturity. The lack of a security evaluation method might expose organizations to several risky situations.
Design/methodology/approach
This model was developed through the definition of a set of steps to be followed to obtain periodical evaluation of maturity and continuous improvement of controls.
Findings
This model, based on controls present in ISO/IEC 27002, provides a means to measure the current situation of IS management through the use of a maturity model and provides a subsidy to take appropriate and feasible improvement actions, based on risks. A case study is performed, and the results indicate that the method is efficient for evaluating the current state of IS, to support IS management, risks identification and business and internal control processes.
Research limitations/implications
It is possible that modifications to the process may be needed where there is less understanding of security requirements, such as in a less mature organization.
Originality/value
This paper presents a generic model applicable to all kinds of organizations. The main contribution of this paper is the use of a maturity scale allied to the cyclical process of evaluation, providing the generation of immediate indicators for the management of IS.
Mohamed Saad Saleh, Abdullah Alrabiah and Saad Haj Bakry
Abstract
Purpose
With the widespread use of e‐services, provided by different organizations at the internal intranet level, the business extranet level, and the public internet level, compliance with international information security management standards is becoming of increasing importance for establishing a common and safe environment for such services. The purpose of this paper is to examine the development of a mathematical model that enables the investigation of compliance of organizations with the widely acknowledged international information security management standard ISO 17799‐2005.
Design/methodology/approach
The model is based on the strategy, technology, organization, people and environment – STOPE – framework that provides an integrated well‐structured view of the various factors involved. The paper addresses the use of the model for practical investigations; it describes a practical example illustrating possible practical results.
Findings
The results show the strengths and the weaknesses of compliance, with the standard, at different levels: from the level of the measures associated with each of the “131” standard protection controls, up to the level of the STOPE domains.
Originality/value
The paper addresses the use of a mathematical model for practical investigations of compliance with the international information security management standard.
Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh
Abstract
Purpose
In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost‐effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.
Design/methodology/approach
Business process models have been selected for use, because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey among security professionals.
Findings
Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.
Originality/value
It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.
Abstract
Purpose
Trust is one of the main pillars of many communication and interaction domains. Computing is no exception. Fog computing (FC) has emerged as mitigation of several cloud computing limitations. However, selecting a trustworthy node from the fog network still presents serious challenges. This paper aims to propose an algorithm intended to mitigate the trust and the security issues related to selecting a node of a fog network.
Design/methodology/approach
The proposed model/algorithm is based on two main concepts, namely, machine learning using fuzzy neural networks (FNNs) and the weighted weakest link (WWL) algorithm. The crux of the proposed model is to be trained, validated and used to classify the fog nodes according to their trust scores. A total of 2,482 certified computing products, in addition to a set of nodes composed of multiple items, are used to train, validate and test the proposed model. A scenario including nodes composed of multiple computing items is designed for applying and evaluating the performance of the proposed model/algorithm.
Findings
The results show a well-performing trust model with an accuracy of 0.9996. Thus, the end-users of FC services adopting the proposed approach could be more confident when selecting elected fog nodes. The trained, validated and tested model was able to classify the nodes according to their trust level. The proposed model is a novel approach to fog nodes selection in a fog network.
Research limitations/implications
Certainly, all data could be collected; however, scores for some features are very difficult to obtain. Available techniques such as regression analysis and the use of experts have their own limitations. Experts might be subjective, even though the author used the fuzzy group decision-making model to mitigate the subjectivity effect. A methodical evaluation by specialized bodies such as the security certification process is paramount to mitigate these issues. The author recommends the repetition of the same study when data from such bodies is available.
Originality/value
The novel combination of FNN and WWL in a trust model mitigates uncertainty, subjectivity and enables the trust classification of complex FC nodes. Furthermore, the combination also allowed the classification of fog nodes composed of diverse computing items, which is not possible without the WWL. The proposed algorithm will provide the required intelligence for end-users (devices) to make sound decisions when requesting fog services.
Anass Rabii, Saliha Assoul, Khadija Ouazzani Touhami and Ounsa Roudies
Abstract
Purpose
This paper aims to clarify the uncertainty reflected in the current state of information security maturity evaluation, which has not matured and converged enough for either a generic approach or a set of specific approaches to become the go-to choice. In fact, in the past decade, many security maturity models are still being produced and remain unproven regardless of the existence of ISO 21827.
Design/methodology/approach
The authors have used the systematic literature review to summarize existing research, help identify gaps in the existing literature and provide background for positioning new research studies.
Findings
The authors highlighted the prevalent influence of the ISO/IEC 27001/27002 standard but raised the necessity for an in-depth investigation of ISO 21827. The authors also made the implementation facet a central topic of our review. The authors found out that, compared to the number of proposed models, implementation experiments are lacking. This could be due to the arduous task of validation and it could also be the reason why specific models are dominant.
Originality/value
While the research literature contains many experience reports and a few case studies on information security maturity evaluation, a systematic review and synthesis of this growing field of research is unavailable as far as the authors know. In fact, the authors only found one body of work [Maturity models in cyber security: A systematic review (2017)], written in Spanish, carrying out a literature review on security maturity models between 2012 and 2017.
Abstract
Traditionally, information security management standards listing generic means of protection have received a lot of attention in the field of information security management. In the background a few information security management‐oriented maturity criteria have been laid down. These criteria can be regarded as the latest promising innovations on the information security checklist‐standard family tree. Whereas information security maturity criteria have so far received inadequate attention in information security circles, software maturity endeavours have been the focus of constructive debate in software engineering circles. Aims to analyze what the alternative maturity criteria for developing secure information systems (IS) and software can learn from these debates on software engineering maturity criteria. First, advances a framework synthesized from the information systems (IS) and software engineering literatures, including six lessons that information security maturity criteria can learn from. Second, pores over the existing information security maturity criteria in the light of this framework. Third, presents, on the basis of results of this analysis, implications for practice and research.