Search results

1 – 10 of over 36000
Article
Publication date: 1 December 2002

Mikko Siponen


Abstract

Traditionally, information security management standards listing generic means of protection have received a lot of attention in the field of information security management. In the background, a few information security management‐oriented maturity criteria have been laid down. These criteria can be regarded as the latest promising innovations on the information security checklist‐standard family tree. Whereas information security maturity criteria have so far received inadequate attention in information security circles, software maturity endeavours have been the focus of constructive debate in software engineering circles. This paper aims to analyze what the alternative maturity criteria for developing secure information systems (IS) and software can learn from these debates on software engineering maturity criteria. First, it advances a framework synthesized from the information systems (IS) and software engineering literatures, including six lessons that information security maturity criteria can learn from. Second, it pores over the existing information security maturity criteria in the light of this framework. Third, on the basis of the results of this analysis, it presents implications for practice and research.

Details

Information Management & Computer Security, vol. 10 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 February 2018

Ali Vafaei-Zadeh, Thurasamy Ramayah, Wai Peng Wong and Haniruzila Md Hanifah

Abstract

Purpose

The aim of this research is to analyse the impact of relative advantage, compatibility, ease of use, visibility, voluntariness, image, result demonstrability and trialability on intention to use internet security software using a model developed based on perceived characteristics of innovation by Moore and Benbasat (1991) among undergraduate students.

Design/methodology/approach

Using an intercept survey method, 425 responses were collected from a Malaysian public university using a closed questionnaire adapted from the literature. The authors used the SmartPLS software, a second-generation structural equation modelling tool that can model latent variables with minimal requirements.

Findings

The results show that relative advantage, compatibility, visibility, voluntariness, result demonstrability and trialability had a positive effect on use of internet security software, while ease of use and image were not significant.

Research limitations/implications

The most important predictor was trialability, which sends a clear signal to software developers that users would like to be able to try the software before making a decision to purchase and use it. However, the research is limited to students only. Therefore, future research can be extended to a wider population.

Practical implications

The result of this paper provides beneficial information to the internet security software developers about what factors affect users’ intentions to buy their products.

Originality/value

The authors used the comprehensive innovation diffusion theory to test the security behaviour of undergraduate students from a developing country’s perspective. Many other similar studies have been done in the developed country context. Thus, this paper adds to the literature from a developing country’s perspective.

Details

VINE Journal of Information and Knowledge Management Systems, vol. 48 no. 1
Type: Research Article
ISSN: 2059-5891

Article
Publication date: 20 December 2007

Carlos Eduardo de Barros Paes and Celso Massaki Hirata

Abstract

Purpose

Nowadays, most software development processes still do not provide appropriate support for the development of secure systems. Rational Unified Process (RUP) is a well‐known software engineering process that provides a disciplined approach to assigning tasks and responsibilities; however, it has little support for the development of secure systems. This work aims to present a proposal of RUP for the development of secure systems.

Design/methodology/approach

In order to obtain the proposed RUP, the authors consider security as a knowledge area (discipline) and define workflow, activities and roles according to the process engineering architecture Unified Method Architecture (UMA). A software development project was used to qualitatively assess the extended RUP.

Findings

Based on the development, the authors find that the proposed process produces security requirements in a more systematic way and results in the definition of better system architecture.

Research limitations/implications

The proposed extension requires specific adaptation if other development processes such as agile process and waterfall are employed.

Practical implications

The extension facilitates the management, execution and control of the activities and tasks related to security, and development teams can benefit by constructing better-quality software.

Originality/value

The originality of the paper is the proposal of extension to RUP in order to consider security in a disciplined and organized way.

Details

International Journal of Web Information Systems, vol. 3 no. 4
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 17 June 2019

Inger Anne Tøndel, Martin Gilje Jaatun, Daniela Soares Cruzes and Laurie Williams

Abstract

Purpose

Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices.

Design/methodology/approach

Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews.

Findings

Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product.

Research limitations/implications

Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker.

Originality/value

The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.

Details

Information & Computer Security, vol. 27 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 24 October 2018

Ali Vafaei-Zadeh, Ramayah Thurasamy and Haniruzila Hanifah

Abstract

Purpose

This paper aims to investigate the impact of perceived price level and information security awareness on computer users’ attitude. Moreover, this study aims to investigate the effect of attitude, subjective norms and perceived behavioral control (PBC) on intention to use anti-malware software.

Design/methodology/approach

Data were collected using a structured questionnaire from 225 students of five public universities in Malaysia. Purposive sampling technique was used in this study. AMOS 24 was used to test the research framework using a two-step approach.

Findings

Findings give support to some of the hypotheses developed, with R² values of 0.521 for attitude and 0.740 for intention. Perceived price level had a negative effect on attitude, while information security awareness had a positive effect on attitude and intention. Attitude, subjective norms and PBC were all positively related to intention, but perceived price level did not affect intention. This suggests that the benefits of using anti-malware outweigh its price. Therefore, the price has no direct effect on intention to use.

Research limitations/implications

University computer networks are as open and inviting as their campuses. Therefore, this research can be helpful to universities in safeguarding their networks and encouraging students to use anti-malware. Moreover, using anti-malware software will enable an individual to identify and prioritize security risks, quickly detect and mitigate security breaches, improve the understanding of security gaps and safeguard sensitive data by minimizing the risks related to malware.

Originality/value

This study ventured to model the information security behavior of anti-malware usage by individual users using the theory of planned behavior, with the addition of two new variables, perceived price level and information security awareness, to explain the behavior better.

Article
Publication date: 1 August 2001

M.T. Chan and L.F. Kwok

Abstract

Development of Web‐based e‐commerce systems has posed challenges in different dimensions of the software development process, including design, maintenance and performance. Non‐functional requirements such as performance added to the system as an afterthought would lead to extremely high cost and undesirable effects. Security, rarely regarded in the past as one of the non‐functional requirements, has to be integrated into the software development process due to its impact on e‐commerce systems. In this paper, a design methodology based on the systems security engineering capability maturity model (SSE‐CMM) is proposed to specify design details for the three defined processes: risk, engineering and assurance. By means of an object‐oriented security design pattern, security design covering impact, threats, risks and countermeasures for different parts of an e‐commerce system can be examined systematically in the risk process. The proposed software development process for secured systems (SDPSS), representing the engineering process, consists of four steps: object and collaboration modeling, tier identification, component identification and deployment specification. Selected unified modeling language notations and diagrams are used to support the SDPSS. Using a simplified supply‐chain e‐commerce system as an example, integration of security design into the software development process is shown, with discussion of possible security assurance activities that can be performed on a design.

Details

Information Management & Computer Security, vol. 9 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 21 November 2008

Barry Wray and Richard Mathieu

Abstract

Purpose

The purpose of this paper is to develop and test a model of the relative performance of open source software (OSS) projects.

Design/methodology/approach

This paper evaluates the relative performance of OSS projects by evaluating multiple project inputs and multiple project outputs by using a data envelopment analysis (DEA) model. The DEA model produces an efficiency score for each project based on project inputs and outputs. The method of producing an efficiency score is based on the convex envelopment technology structure. The efficiency measure quantifies a “distance” to an efficient frontier.

Findings

The DEA model produced an index of corresponding intensities linking an inefficient project to its benchmark efficient project(s). The inefficiency measures produced an ordering of inefficient projects. Eight projects were found to be “efficient” and used as benchmarking projects.

Research limitations/implications

This research is limited to only security‐based OSS projects. Future research on other areas of OSS projects is warranted.

Practical implications

The result of this research is a practical model that can be used by OSS project developers to evaluate the relative performance of their projects and make resource decisions.

Originality/value

This research extends the work of previous studies that have examined the relative performance of software development projects in a traditional development environment. As a result of this research, OSS projects can now be adequately benchmarked and evaluated according to project performance. An OSS project manager can effectively use these results to critically evaluate resources for their project and judge the relative efficiency of the resources.

Details

Information Management & Computer Security, vol. 16 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 October 2004

Alan D. Smith

Abstract

With the rapid growth of e‐commerce, governmental and corporate agencies are taking extra precautions when it comes to protecting information. The development of e‐security as a discipline has enabled organisations to discover a wider array of similarities between attacks occurring across their security environment and develop appropriate countermeasures. To further improve the security of information, there is a need for conceptualising the interrelationships between e‐security and the major elements involved in changing a company's infrastructure. Organisations should act in an ethical manner, especially when it comes to e‐security and e‐privacy policies, procedures, and practices. The consequential theory of utilitarianism is used and applied to a conceptual model to help explain how organisations may develop better secured information in an information‐sharing and globally networked environment.

Details

Aslib Proceedings, vol. 56 no. 5
Type: Research Article
ISSN: 0001-253X

Article
Publication date: 7 March 2016

Avinash Ramtohul and K.M.S. Soyjaudah

Abstract

Purpose

Highly sensitive information pertaining to citizens and government transactions is processed in an electronic format, making information security a critical part of e-Government applications and architectures. Information security measures should ideally span from authentication to authorisation and from logical/physical access control to auditing of electronic transactions and log books. The lack of such measures compromises the confidentiality, integrity and availability of information. Today, most e-Government projects in developing countries in the Southern African Development Community (SADC) face challenges in two main areas, namely, information security and application software integration. This paper aims to discuss and analyse the information security requirements for e-Government projects and proposes an information security governance model for service-based architectures (SBAs).

Design/methodology/approach

The current state of information security in emerging economies in SADC countries was researched. The main problems identified were the lack of software integration and information security governance, policy and administration. The design consists of three basic layers: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures, implemented at the technical level. This section also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study.

Findings

The main problems identified were the lack of software integration and information security governance, policy and administration. These challenges are causing e-government projects to stagnate.

Practical implications

The proposed approach for implementing information security in e-Government systems will ensure a holistic approach to ensuring confidentiality, integrity and non-repudiation, allowing e-Government maturity to progress from “interaction” to “online transaction” stage in emerging economies.

Originality/value

Research has not focused on developing a solution for emerging economies which are facing difficulties in integrating software applications to deploy end-to-end e-services and in producing an underlying identity management architecture and information security governance to secure the e-services developed and deployed using an SBA. The work produced in this paper is specific to SBAs in e-Government environments where legacy systems already exist. The work includes: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures implemented at the technical level. The paper also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study.

Details

Journal of Science & Technology Policy Management, vol. 7 no. 1
Type: Research Article
ISSN: 2053-4620

Article
Publication date: 5 March 2018

Baidyanath Biswas and Arunabha Mukhopadhyay

Abstract

Purpose

Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of these vulnerabilities over time is essential for organisations to decide on the use of software products. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities.

Design/methodology/approach

The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16 years of data (1999-2016) from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs an optimal software portfolio using Markowitz’s mean-variance optimisation for a given IT budget and preference.

Findings

Based on an empirical analysis, this study establishes that vulnerability follows a non-linear, time-dependent, heteroskedastic growth pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports the empirical evidence of a shift in efficient frontier of software configurations with time.

Research limitations/implications

The existing assumption of independent and identically distributed residuals after vulnerability function fitting is incorrect. This study applies the GARCH technique to measure volatility clustering and mean reversion. The risk (or volatility) represented by the instantaneous variance depends on the immediately previous one, as well as on the unconditional variance of the entire vulnerability growth process.

Practical implications

The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can determine the patch management cycle needed for each software product, whether individual or group patching. G-RAM also ranks them in a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally, the paper helps business firms decide what to purchase and what to avoid.

Originality/value

Contrary to the existing techniques which either analyse with statistical distributions or linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors’ knowledge, this is the first study in IT security to examine and forecast volatility, and further design risk-optimal software portfolios.

Details

Journal of Enterprise Information Management, vol. 31 no. 2
Type: Research Article
ISSN: 1741-0398
