Recommended recent English-language journal articles (information security)

  

Adaptive and service-oriented embedded system for information security applications

Computers & Electrical Engineering, Volume 73, January 2019, Pages 145-154

Chun-Hsian Huang, Huang-Yi Chen, Yao-Ying Tzeng, Peng-Yi Li

Abstract: To provide a complete information protection mechanism, we propose an adaptive and service-oriented embedded system (ASOS) design. The access control policies are implemented as protection matrices and designed in hardware; thus, the information access method is specific and not generic, so that the risks of illegal access of information can be reduced. A layered and virtualizable design method is also introduced in the ASOS to enhance its scalability. Furthermore, the ASOS contains a system adaptation manager that can dynamically adapt its hardware functions to support various application requirements. Experiments show that compared to a pure software-based design, the ASOS can accelerate the access time by a factor of 8.75. Moreover, compared to a conventional embedded system design containing 13 hardware functions, the ASOS can reduce 26.42% of slice registers and 25.81% of slice LUTs in a Xilinx Virtex 6 XC6VLX240T FPGA.

  

Deterrence and prevention-based model to mitigate information security insider threats in organizations

Future Generation Computer Systems, In press, accepted manuscript, Available online 12 March 2019

Nader Sohrabi Safa, Carsten Maple, Steve Furnell, Muhammad Ajmal Azad, Mehdi Sookhak

Abstract: Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards preventing information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards preventing information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

  

The establishment of collaboration in managing information security through multisourcing

Computers & Security, Volume 80, January 2019, Pages 224-237

V Naicker, M Mafaiti

Abstract: Purpose: As information security requirements evolve due to ever-changing business and regulatory requirements, and threat landscape, organisations have turned to multisourcing as a method of delivering information security services. This development has created opportunities for service providers which specialise in information security service provision to collaborate and deliver security services through multisourcing contracts. Therefore the research develops a collaboration framework for managing information security through multisourcing. Methodology: This paper explores collaboration in multisourcing information security contracts through a qualitative case study that investigated the phenomenon from the views and experiences of a client organisation and its six service providers. Findings: The research found that multisourcing contracts can effectively manage information security services through collaborative efforts from multiple service providers and technology vendors. Practical implications: Theoretical insights into the use of collaboration and partnerships in the multisourcing of information security are non-existent. Therefore, the research contributes to practice by introducing a tripartite collaboration framework for multisourcing information security. This tripartite collaboration consists of client, service provider and technology vendors. Originality/value: The research demonstrates through the perspective of client organisation and service providers that collaboration in multisourcing information security contracts goes beyond the client and its service providers to include even technology vendors.

  

Examining the impact of deterrence factors and norms on resistance to Information Systems Security

Computers in Human Behavior, Volume 92, March 2019, Pages 37-46

Mohammad I. Merhi, Punit Ahluwalia

Abstract: Numerous studies have found that employees are the principal source of adverse Information Systems Security (ISS) incidents in organizational settings. Consequently, the ISS research focuses on examining factors that affect employees' behaviour towards complying with ISS policy. Most of this research, based on the theory of reasoned action, considers that employees' intention to comply with ISS policies is a good predictor of their behaviour. This paper argues that the employees' compliance with ISS policies within organizations is usually enforced, and that the non-compliance is mainly due to the resistance towards these policies. This research examines the role of organizational punishment and organizational norms in impacting employees' resistance towards the ISS policies. The data were collected from 133 employees of 10 organizations spanning four industries and the hypotheses were tested and validated using PLS-SEM analytical procedures. The results show that moral and descriptive norms are useful in reducing the resistance.

  

An analysis on the dimensions of information security culture concept: A review

Journal of Information Security and Applications, Volume 44, February 2019, Pages 12-22

Akhyari Nasir, Ruzaini Abdullah Arshah, Mohd Rashid Ab Hamid, Syahrul Fahmy

Abstract: The cultivation of positive Information Security Culture (ISC) is an effective way to promote security behavior and practices among employees in the organization. However, there is yet to be a consensus on a standard set of dimensions for the ISC concept. ISC has been associated with many facets, with some overlapping dimensions found in the literature. There is little explanation, if any, as to why this happens or to what extent variances of dimensions affect the ISC concept and findings. This paper presents an analysis of the different dimensions in conceptualizing the ISC. Eight major databases including Web of Science, Scopus and Google Scholar were systematically exhausted using PRISMA and a total of 79 studies from 2000 to 2017 was selected for analysis. While different approaches such as adopted theories affect the dimensions of ISC, our analysis also covered other contributing factors such as the objective of the study, type of organization under study and the information security maturity level. In addition, we found no evidence of a set of widely accepted concepts and dimensions for ISC. This review provides substantial evidence on the numerous dimensions used in ISC and could be utilized by academicians as a reference in ISC-related studies.

  

HEART-IS: A novel technique for evaluating human error-related information security incidents

Computers & Security, Volume 80, January 2019, Pages 74-89

Mark Evans, Ying He, Leandros Maglaras, Helge Janicke

Abstract: Organisations continue to suffer information security incidents and breaches as a result of human error even though humans are recognised as the weakest link with regard to information security. Despite this level of understanding organisations continue to focus their attention on technical security controls rather than the human factor and have not incorporated methods such as Human Reliability Analysis (HRA) which are used within high reliability sectors such as rail, aviation and energy. The objectives of our research are to define a human error related information security incident and create the novel HEART of Information Security (HEART-IS) technique which is an adaptation of the Human Error Assessment and Reduction Technique (HEART). We conducted a case study within a private sector organisation using HEART-IS to establish if HRA is applicable to information security. The novel HEART-IS technique comprises a mapping component and an analysis component. In the case study, we applied HEART-IS to map HEART Error Producing Conditions (EPC) to twelve months of reported information security incidents and analysed the volumes of human error and underlying causes. We found that HEART-IS is applicable to the information security field with some minor amendments to the terminology. The mapping of information security incident causes to the HEART Error Producing Conditions (EPC) was successful but the in-built HEART human error probability calculations did not match the actual volumes of reported human error related incidents.