
Recommended Recent English-Language Journal Articles (Information Security)

ISCP: In-depth model for selecting critical security controls

Information security control prioritization: an in-depth model for selecting critical security controls

Computers & Security, Volume 77, August 2018, Pages 565-577

Nadher Al-Safwani, Yousef Fazea, Huda Ibrahim

Abstract: The primary goal of all organizations worldwide is to reduce potential threats and vulnerabilities. An information security control assessment is a far-reaching way to deal with control analysis that can help organizations to measure the adequacy and effectiveness of their present and planned security controls. Availability of adequate resources and proper risk analysis practices should be considered in preventing security breaches in order to achieve returns on security investments. Nonetheless, and despite the necessity for a competent security analysis framework, present frameworks and methodologies for security control analysis lack practical guidelines and mostly depend on subjective judgment and qualitative approaches. This paper proposes an information security control prioritization (ISCP) model that can determine the critical vulnerable controls based on a number of assessment criteria. The model uses techniques from the Order Performance by Similarity to Ideal Solution (TOPSIS) method, which is a sub-method of multiple attribute decision making. The proposed model provides clear guidelines on how to accomplish control analysis in a structured, self-organizing and constituent manner, with minimal overlap. Evaluation of information security controls using TOPSIS as the prioritization method involves a cost-effectiveness analysis, an effective and efficient assessment in terms of testing and selecting information security controls in organizations.

 

Security enhancement of optical encryption based on biometric array keys

Enhancing the security of optical encryption based on biometric array keys

Optics Communications, Volume 419, 15 July 2018, Pages 134-140

Aimin Yan, Yang Wei, Jingtao Zhang

Abstract: A novel optical image encryption method is proposed by using Dammann grating and biometric array keys. Dammann grating is utilized to create a 2D finite uniform-intensity spot array. In encryption, a fingerprint array is used as private encryption keys. An original image can be encrypted by a scanning Fresnel zone plate array. Encrypted signals are processed by an optical coherent heterodyne detection system. Biometric array keys and optical scanning cryptography are integrated with each other to enhance information security greatly. Numerical simulations are performed to demonstrate the feasibility and validity of this method. Analyses on key sensitivity and the resistance to possible attacks are provided.

 

Balancing data protection and privacy – The case of information security sensor systems

Balancing data protection and privacy: the case of information security sensor systems

Computer Law & Security Review, In press, corrected proof, Available online 25 May 2018

Markus Naarttijärvi

Abstract: This article analyses government deployment of information security sensor systems from primarily a European human rights perspective. Sensor systems are designed to detect attacks against information networks by analysing network traffic and comparing this traffic to known attack-vectors, suspicious traffic profiles or content, while also recording attacks and providing information for the prevention of future attacks. The article examines how these sensor systems may be one way of ensuring the necessary protection of personal data stored in government IT-systems, helping governments fulfil positive obligations with regards to data protection under the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights (The Charter), as well as data protection and IT-security requirements established in EU-secondary law. It concludes that the implementation of sensor systems illustrates the need to balance data protection against the negative privacy obligations of the state under the ECHR and the Charter and the accompanying need to ensure that surveillance of communications and associated metadata reach established principles of legality and proportionality. The article highlights the difficulty in balancing these positive and negative obligations, makes recommendations on the scope of such sensor systems and the legal safeguards surrounding them to ensure compliance with European human rights law and concludes that there is a risk of privatised policymaking in this field barring further guidance in EU-secondary law or case law.

 

Motivation and opportunity based model to reduce information security insider threats in organizations

A motivation- and opportunity-based model for reducing information security insider threats in organizations

Journal of Information Security and Applications, Volume 40, June 2018, Pages 247-257

Nader Sohrabi Safa, Carsten Maple, Tim Watson, Rossouw Von Solms

Abstract: Information technology has brought with it many advantages for organisations, but information security is still a major concern for organisations which rely on such technology. Users, whether with intent or through negligence, are a great source of potential risk to information assets. A lack of awareness, negligence, resistance, disobedience, apathy and mischievousness are root causes of information security incidents in organisations. As such, insider threats have attracted the attention of a number of experts in this domain. Two particularly important considerations when exploring insider threats are motivation and opportunity. Two fundamental theories relating to these phenomena, and on which the research presented in this paper relies, are Social Bond Theory (SBT), which can be used to help undermine motivation to engage in misbehaviour, and Situational Crime Prevention Theory (SCPT), which can be used to reduce opportunities for misbehaviour. The results of our data analysis show that situational prevention factors such as increasing the effort and risk involved in a crime, reducing the rewards and removing excuses can significantly promote the adoption of negative attitudes towards misbehaviour, though reducing provocations does not have any effect on attitudes. Further, social bond factors such as a commitment to organisational policies and procedures, involvement in information security activities and personal norms also significantly promote the adoption of negative attitudes towards misbehaviour. However, attachment does not significantly promote an attitude of misbehaviour avoidance on the part of employees. Finally, our findings also show that a negative attitude towards misbehaviour influences the employees’ intentions towards engaging in misbehaviour positively, and this in turn reduces insider threat behaviour.
The outputs of this study shed some light on factors which play a role in reducing misbehaviour in the domain of information security for academics and practitioners.