Search results
1 – 10 of over 16000Sung-Hwan Kim, Nam-Uk Kim and Tai-Myoung Chung
The purpose of this paper is to provide a model for quantitatively analyzing the security profile of an organization’s IT environment. The model considers the security risks…
Abstract
Purpose
The purpose of this paper is to provide a model for quantitatively analyzing the security profile of an organization’s IT environment. The model considers the security risks associated with stored data, as well as services and devices that can act as channels for data leakages. The authors propose a sensitive information (SI) leakage vulnerability model.
Design/methodology/approach
Factors identified as having an impact on the security profile are identified, and scores are assigned based on detailed criteria. These scores are utilized by mathematical models that produce a vulnerability index, which indicates the overall security vulnerability of the organization. In this chapter, the authors verify the model result extracted from SI leakage vulnerability weak index by applying the proposed model to an actual incident that occurred in South Korea in January 2014.
Findings
The paper provides vulnerability result and vulnerability index. They are depends on SI state in information systems.
Originality/value
The authors identify and define four core variables related to SI leakage: SI, security policy, and leakage channel and value of SI. The authors simplify the SI leakage problem. The authors propose a SI leakage vulnerability model.
Details
Keywords
Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh
In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly…
Abstract
Purpose
In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost‐effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.
Design/methodology/approach
Business process models have been selected for use, because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company, as well as through a controlled experiment within a survey among security professionals.
Findings
Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.
Originality/value
It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.
Details
Keywords
Zhengbiao Han, Shuiqing Huang, Huan Li and Ni Ren
This paper uses the GB/T20984-2007 multiplicative method to assess the information security risk of a typical digital library in compliance with the principle and thought of ISO…
Abstract
Purpose
This paper uses the GB/T20984-2007 multiplicative method to assess the information security risk of a typical digital library in compliance with the principle and thought of ISO 27000. The purpose of this paper is to testify the feasibility of this method and provide suggestions for improving information security of the digital library.
Design/methodology/approach
This paper adopts convenience sampling to select respondents. The assessment of assets is through analyzing digital library-related business and function through a questionnaire which collects data to determine asset types and the importance of asset attributes. The five-point Likert scale questionnaire method is used to identify the threat possibility and its influence on the assets. The 12 respondents include directors and senior network technicians from the editorial department, comic library, children’s library, counseling department and the learning promotion centre. Three different Guttman scale questionnaires, tool testing and on-site inspection are combined to identify and assess vulnerabilities. There were different Guttman scale questionnaires for management personnel, technical personnel and general librarian. In all, 15 management librarians, 7 technical librarians and 72 ordinary librarians answered the vulnerability questionnaire. On-site inspection was conducted on the basis of 11 control domains of ISO 27002. Vulnerabilities were scanned using remote security evaluation system NSFOCUS. The scanning covered ten IP sections and a total of 81 hosts.
Findings
Overall, 2,792 risk scores were obtained. Among them, 282 items (accounting for 10.1 per cent of the total) reached the high risk level; 2 (0.1 per cent) reached the very high risk level. High-risk items involved 26 threat types (accounting for 44.1 per cent of all threat types) and 13 vulnerability types (accounting for 22.1 per cent of all vulnerability types). The evaluation revealed that this digital library faces seven major hidden dangers in information security. The assessment results were well accepted by staff members of this digital library, which testified to the applicability of this method to a Chinese digital library.
Research limitations/implications
This paper is only a case study of a typical Chinese digital library using a digital library information security assessment method. More case-based explorations are necessary to prove the feasibility of the assessing strategy proposed in this study.
Originality/value
Based on the findings of recent literature, the authors found that very few researchers have made efforts to develop methods for calculating the indicators for digital library information security risk assessment. On the basis of ISO 27000 and other related information security standards, this case study proposed an operable method of digital library information security risk assessment and used it to assess a the information security of a typical Chinese digital library. This study can offer insights for formulating a digital library information security risk assessment scale.
Details
Keywords
Qais Saif Qassim, Norziana Jamil, Maslina Daud, Ahmed Patel and Norhamadi Ja’affar
The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape…
Abstract
Purpose
The common implementation practices of modern industrial control systems (ICS) has left a window wide open to various security vulnerabilities. As the cyber-threat landscape continues to evolve, the ICS and their underlying architecture must be protected to withstand cyber-attacks. This study aims to review several ICS security assessment methodologies to identify an appropriate vulnerability assessment method for the ICS systems that examine both critical physical and cyber systems so as to protect the national critical infrastructure.
Design/methodology/approach
This paper reviews several ICS security assessment methodologies and explores whether the existing methodologies are indeed sufficient to meet the cyber security assessment exercise required to validate the security of electrical power control systems.
Findings
The study showed that most of the examined methodologies seem to concentrate on vulnerability identification and prioritisation techniques, whilst other security techniques received noticeably less attention. The study also showed that the least attention is devoted to patch management process due to the critical nature of the SCADA system. Additionally, this review portrayed that only two security assessment methodologies exhibited absolute fulfilment of all NERC-CIP security requirements, whilst the others only partially fulfilled the essential requirements.
Originality/value
This paper presents a review and a comparative analysis of several standard SCADA security assessment methodologies and guidelines published by internationally recognised bodies. In addition, it explores the adequacy of the existing methodologies in meeting cyber security assessment practices required for electrical power networks.
Details
Keywords
Dimitrios Patsos, Sarandis Mitropoulos and Christos Douligeris
The paper proposes looking at the automation of the incident response (IR) process, through formal, systematic and standardized methods for collection, normalization and…
Abstract
Purpose
The paper proposes looking at the automation of the incident response (IR) process, through formal, systematic and standardized methods for collection, normalization and correlation of security data (i.e. vulnerability, exploit and intrusion detection information).
Design/methodology/approach
The paper proposes the incident response intelligence system (IRIS) that models the context of discovered vulnerabilities, calculates their significance, finds and analyzes potential exploit code and defines the necessary intrusion detection signatures that combat possible attacks, using standardized techniques. It presents the IRIS architecture and operations, as well as the implementation issues.
Findings
The paper presents detailed evaluation results obtained from real‐world application scenarios, including a survey of the users' experience, to highlight IRIS contribution in the area of IR.
Originality/value
The paper introduces the IRIS, a system that provides detailed security information during the entire lifecycle of a security incident, facilitates decision support through the provision of possible attack and response paths, while deciding on the significance and magnitude of an attack with a standardized method.
Details
Keywords
Bharadwaj R.K. Mantha and Borja García de Soto
The aim of this study is o examine the advantages and disadvantages of different existing scoring systems in the cybersecurity domain and their applicability to the AEC industry…
Abstract
Purpose
The aim of this study is o examine the advantages and disadvantages of different existing scoring systems in the cybersecurity domain and their applicability to the AEC industry and to systematically apply a scoring system to determine scores for some of the most significant construction participants.
Design/methodology/approach
This study proposes a methodology that uses the Common Vulnerability Scoring System (CVSS) to calculate scores and the likelihood of occurrence based on communication frequencies to ultimately determine risk categories for different paths in a construction network. As a proof of concept, the proposed methodology is implemented in a construction network from a real project found in the literature.
Findings
Results show that the proposed methodology could provide valuable information to assist project participants to assess the overall cybersecurity vulnerability of construction and assist during the vulnerability-management processes. For example, a project owner can use this information to get a better understanding of what to do to limit its vulnerability, which will lead to the overall improvement of the security of the construction network.
Research limitations/implications
It has to be noted that the scoring systems, the scores and categories adopted in the study need not necessarily be an exact representation of all the construction participants or networks. Therefore, caution should be exercised to avoid generalizing the results of this study.
Practical implications
The proposed methodology can provide valuable information and assist project participants to assess the overall cyber-vulnerability of construction projects and support the vulnerability-management processes. For example, a project owner can use this approach to get a better understanding of what to do to limit its cyber-vulnerability exposure, which will ultimately lead to the overall improvement of the construction network's security. This study will also help raise more awareness about the cybersecurity implications of the digitalization and automation of the AEC industry among practitioners and construction researchers.
Social implications
Given the amount of digitized services and tools used in the AEC industry, cybersecurity is increasingly becoming critical for society in general. In some cases, (e.g. critical infrastructure) incidents could have significant economic and societal or public safety implications. Therefore, proper consideration and action from the AEC research community and industry are needed.
Originality/value
To the authors' knowledge, this is the first attempt to measure and assess the cybersecurity of individual participants and the construction network as a whole by using the Common Vulnerability Scoring System.
Details
Keywords
The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons.
Abstract
Purpose
The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons.
Design/methodology/approach
A web vulnerability testing tool was used to analyze 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems.
Findings
Analysis results from surveying the libraries show the majority have serious security flaws in their web applications. The research shows that despite country‐specific laws mandating secure sites, system librarians have not implemented appropriate measures to secure their online information systems.
Research limitations/implications
Further research on library vulnerability throughout the world can be taken to educate librarians in other countries of the serious nature of protecting their systems.
Practical implications
The findings serve to remind librarians of the complexity in providing a secure online environment for their patrons and that a disregard or lack of awareness of securing systems could lead to serious vulnerabilities of the patrons' personal data and systems. Lack of consumer trust may result in a decreased use of online commerce and have serious repercussions for the municipal libraries. Several concrete examples of methods to improve security are provided.
Originality/value
The paper serves as a current paper on data security issues at Western European municipal library web sites. It serves as a useful summary regarding technical and managerial measures librarians can take to mitigate inadequacies in their security implementation.
Details
Keywords
W. Pieters and L. Consoli
The purpose of this paper is to analyze information security assessment in terms of cultural categories and virtue ethics, in order to explain the cultural origin of certain types…
Abstract
Purpose
The purpose of this paper is to analyze information security assessment in terms of cultural categories and virtue ethics, in order to explain the cultural origin of certain types of security vulnerabilities, as well as to enable a proactive attitude towards preventing such vulnerabilities.
Design/methodology/approach
Vulnerabilities in information security are compared to the concept of “monster” introduced by Martijntje Smits in philosophy of technology. The applicability of different strategies for dealing with monsters to information security is discussed, and the strategies are linked to attitudes in virtue ethics.
Findings
It is concluded that the present approach can form the basis for dealing proactively with unknown future vulnerabilities in information security.
Research limitations/implications
The research presented here does not define a stepwise approach for implementation of the recommended strategy in practice. This is future work.
Practical implications
The results of this paper enable computer experts to rethink their attitude towards security threats, thereby reshaping their practices.
Originality/value
This paper provides an alternative anthropological framework for descriptive and normative analysis of information security problems, which does not rely on the objectivity of risk.
Details
Keywords
Edson dos Santos Moreira, Luciana Andréia Fondazzi Martimiano, Antonio José dos Santos Brandão and Mauro César Bernardes
This paper aims to show the difficulties involved in dealing with the quantity, diversity and the lack of semantics security information. It seeks to propose the use of ontologies…
Abstract
Purpose
This paper aims to show the difficulties involved in dealing with the quantity, diversity and the lack of semantics security information. It seeks to propose the use of ontologies to tackle the problem.
Design/methodology/approach
The paper describes the general methodology to create security ontologies and illustrates the case with the design and validation of two ontologies: system vulnerabilities and security incidents.
Findings
Two examples of ontologies, one related to systems vulnerability and the other related to security incidents (designed to illustrate this proposal) are described. The portability/reusability propriety is demonstrated, inferring that the information structured at lower levels (by security management tools and people) can be successfully used and understood at higher levels (by security governance tools and people).
Research limitations/implications
Work in the area of managing privacy policies, risk assessment and mitigation management, as well as CRM, business alignment and business intelligence, could be greatly eased by using an ontology to properly define the concepts involved in the area.
Practical implications
Ontologies can facilitate the interoperability among different security tools, creating a unique way to represent security data and allow the security data from any security tool (for instance, Snort) to be mapped into an ontology, such as the security incident one described in the paper. An example showing how the two ontologies could be plugged into a high level decision‐making system is described at the end.
Originality/value
Although several previous papers examined the value of using ontologies to represent security information, this one looks at their properties for a possible integrated use of management and governance tools.
Details
Keywords
One of the problems facing systems administrators and security auditors is that a security test/audit can generate a vast quantity of information that needs to be stored, analysed…
Abstract
Purpose
One of the problems facing systems administrators and security auditors is that a security test/audit can generate a vast quantity of information that needs to be stored, analysed and cross referenced for later use. The current state‐of‐the‐art in security audit tools does not allow for information from multiple different tools to be shared and integrated. This paper aims to develop an Extensible Markup Language (XML)‐based architecture that is capable of encoding information from a variety of disparate heterogeneous sources and then unifying and integrating them into a single SQL database schema.
Design/methodology/approach
The paper demonstrates how, through the application of the architecture, large quantities of security related information can be captured within a single database schema. This database can then be used to ensure that systems are conforming to an organisation's network security policy.
Findings
This type of data integration and data unification within a vulnerability assessment/security audit is currently not possible; this leads to confusion and omissions in the security audit process.
Originality/value
This paper develops a data integration and unification architecture that will allow data from multiple vulnerability assessment tools to be integrated into a single unified picture of the security state of a network of interconnected computer systems.
Details