  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Information security service management : a service management approach to information security management

Rastogi, Rahul, January 2011
In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. 
It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization.
2

CoreSec: uma ontologia para o domínio de segurança da informação

Ribeiro de Azevedo, Ryan, 31 January 2008
Abstract (translated from Portuguese): In corporate, heterogeneous environments, sharing resources to solve problems is strongly tied to information security. A critical aspect for organizations is the need to acquire and distribute, effectively and efficiently, knowledge about the risks, vulnerabilities and threats that can be exploited to cause security incidents and harm the business. The many settings of human activity need transparent means to plan and manage information security problems, and the complexity of designing and planning security has grown significantly, so means of handling this information must be adopted. To that end, this dissertation proposes an ontology for the computer security domain, named CoreSec. The study aims to show that once knowledge is formalized it can be reused, used for inference and processed computationally, and it also becomes communicable between humans and intelligent agents. Our proposal holds that information security will be more effective if it rests on a formal model of the domain's information, such as an ontology, which can then support the work of those responsible for security in risk analysis and assessment, elicitation of security requirements, vulnerability analysis and the development of more specific ontologies for the information security domain.
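The abstract's point is that formalized security knowledge can be processed by inference rather than read by people. As an added illustration (not CoreSec's own vocabulary or code, which the abstract does not give), the following Python keeps asset, component, vulnerability and threat facts as subject-predicate-object triples and forward-chains three rules over them until nothing new can be derived. All names (web01, lib_a, vuln_1, threat_rce) and the predicate vocabulary are assumptions constructed for the example.

```python
# Constructed toy knowledge base as (subject, predicate, object) triples.
# The vocabulary (runs, has_vulnerability, exploits, ...) and every name
# here are assumptions for this example, not CoreSec's actual model.
FACTS = {
    ("web01", "is_a", "Asset"),
    ("db01", "is_a", "Asset"),
    ("web01", "runs", "lib_a"),
    ("db01", "runs", "lib_b"),
    ("lib_a", "has_vulnerability", "vuln_1"),
    ("threat_rce", "exploits", "vuln_1"),
    ("threat_rce", "causes", "loss_of_integrity"),
}

# Rules as (premises, conclusion). Strings starting with "?" are variables.
RULES = [
    # An asset inherits the vulnerabilities of the components it runs.
    ([("?a", "runs", "?c"), ("?c", "has_vulnerability", "?v")],
     ("?a", "has_vulnerability", "?v")),
    # An asset with a vulnerability some threat exploits is exposed to it.
    ([("?a", "is_a", "Asset"), ("?t", "exploits", "?v"),
      ("?a", "has_vulnerability", "?v")],
     ("?a", "exposed_to", "?t")),
    # Exposure to a threat implies the impact that threat causes.
    ([("?a", "exposed_to", "?t"), ("?t", "causes", "?i")],
     ("?a", "at_risk_of", "?i")),
]


def _unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches `fact`, or return None."""
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if b.get(p, f) != f:      # variable already bound to something else
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def _match(premises, facts, binding=None):
    """Yield every variable binding that satisfies all premises."""
    binding = binding or {}
    if not premises:
        yield binding
        return
    first, rest = premises[0], premises[1:]
    for fact in facts:
        b = _unify(first, fact, binding)
        if b is not None:
            yield from _match(rest, facts, b)


def infer(facts, rules):
    """Forward-chain the rules to a fixpoint; return the closed fact set."""
    known = set(facts)
    while True:
        derived = set()
        for premises, conclusion in rules:
            for b in _match(premises, known):
                derived.add(tuple(b.get(x, x) for x in conclusion))
        if derived <= known:          # nothing new: fixpoint reached
            return known
        known |= derived


def query(facts, predicate):
    """All (subject, object) pairs for a predicate, sorted for stable output."""
    return sorted((s, o) for s, p, o in facts if p == predicate)


if __name__ == "__main__":
    closed = infer(FACTS, RULES)
    print("exposed_to:", query(closed, "exposed_to"))
    print("at_risk_of:", query(closed, "at_risk_of"))
```

Three rounds of chaining are needed before the fixpoint: the first derives that web01 has vuln_1, the second that web01 is exposed to threat_rce, the third the resulting impact. db01 runs a component without a recorded vulnerability and is never derived as exposed; in a real ontology that absence would be a prompt to check whether the component's vulnerability data is simply missing.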
3

A design theory for information security awareness

Puhakainen, P. (Petri), 01 August 2006
Abstract: When implementing their information security solutions, organizations have typically focused on technical and procedural security measures. However, from the information systems (IS) point of view, this is not enough: effective IS security requires that users are aware of and use the available security measures as described in their organizations' information security policies and instructions. Otherwise, the usefulness of the security measures is lost. The research question of this thesis is to explore how IS users' compliance with IS security policies and instructions can be improved. Solving this research question is divided into two steps. Since there is a lack of a comprehensive review of existing IS security awareness approaches, the first step aims at reviewing the existing IS security awareness approaches. This kind of analysis is useful for practitioners, as they do not necessarily have the time to go through a large body of literature. For scholars, such an analysis shows what areas of IS security awareness have been studied, and where the need for future research is greatest. The second step in this dissertation is to address the shortcomings detected by the analysis by developing three novel design theories for improving IS users' security behavior: (1) IS security awareness training, (2) IS security awareness campaigns, and (3) punishment and reward. These design theories aim to help practitioners develop their own IS security awareness approaches. Finally, testing of the design theory for IS security awareness training (1) in two action research interventions is described. The results of the interventions suggest that this design theory provides a useful and applicable means for developing a training program in organizations. In addition, the results provide empirically evaluated information regarding the obstacles to user compliance with IS security policies and instructions.
In the action research studies described, the goal was to solve practical problems experienced by the host organizations and to understand them and the results achieved from the viewpoint of theory. Consequently, the results as such cannot be generalized, but they are of use in the host organizations in planning and delivering subsequent IS security awareness training programs. In addition, the results are usable in similar organizations as a point of departure in planning IS security awareness training programs.
4

Improving employees’ information systems (IS) security behavior:toward a meta-theory of IS security training and a new framework for understanding employees' IS security behavior

Karjalainen, M. (Mari), 18 October 2011
Abstract: Employee non-compliance with information systems (IS) security procedures is a key concern for organizations. However, even though the importance of having effective IS security training is widely acknowledged by scholars and practitioners, the existing literature does not offer an understanding of the elementary characteristics of IS security training, nor does it explain how these elementary characteristics shape IS security training principles in practice. To this end, this thesis develops a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and sets a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing IS security training approaches. Then it points out that no existing IS security training approaches meet all these requirements. To address these shortcomings, the way in which to design an IS security training approach that meets all these requirements is demonstrated. In this thesis it is also argued that, along with an effective IS security training approach, reasons for employees' IS security behavior need to be understood. The existing empirical research in the field of employees' IS security behavior is dominated by theory-verification studies that test well-known theories developed in other fields in the context of IS security. Instead, it is argued that there is a need to focus the investigation on the phenomenon of employees' compliance itself through an inductive and qualitative approach to complement the existing body of knowledge on this topic. As a result, a framework identifying reasons associated with compliance/non-compliance with security procedures is developed. A particularly interesting finding is that individuals' violation of IS security procedures depends on the type of violation.
Besides advancing a meta-theory for IS security training and developing the theoretical framework that points out reasons for employees' IS security behavior, the thesis provides a future research agenda for IS security training and behavior. For practitioners, this thesis points out the limitations of the previous IS security training approaches and reasons for IS security behavior and, based on these observations, offers principles for designing effective IS security training approaches in practice.
Abstract (translated from Finnish): One of the central problems in organizations is considered to be that employees neglect the organization's information security practices. Although researchers and organizations have recognized the importance of security training, the existing literature does not bring out the fundamental characteristics of security training or the requirements they set for security training in practice. This dissertation develops a three-level meta-theory that addresses these questions missing from the earlier literature on security training. At the first level of the theory, the fundamental characteristics of security training are defined; these distinguish it from other forms of training and guide how security training is carried out in practice. At the second level, four pedagogical requirements for designing security training are defined. In addition, a literature analysis shows that the existing literature on security training does not meet all of these requirements. At the third level, a practical example is given of how security training can meet the pedagogical requirements defined in the study. The dissertation also argues that, beyond an effective training method, it is important to understand employees' security behaviour. Earlier work in this area has mainly tested theories from other disciplines in the security context. This dissertation instead examines the reasons for employees' security behaviour with an inductive and qualitative research method. As a result, a theoretical framework is developed with which employees' security behaviour is analysed. The main result of the study shows how the reasons for security behaviour differ by type of violation. In addition to the meta-theory supporting the design of security training and the theoretical framework explaining employees' security behaviour, the dissertation presents new perspectives for research on security training and security behaviour. For security practitioners, the dissertation clarifies the shortcomings of existing approaches to security training and the reasons for employees' security behaviour, and on the basis of these observations it presents factors that security training should take into account in practice.
5

Preservation of privacy in sensitive data publishing. / 隱私保護數據發佈 / Yin si bao hu shu ju fa bu

Li, Jiexing, January 2008
Thesis (M.Phil.), Chinese University of Hong Kong, 2008. Includes bibliographical references. Abstracts in English and Chinese.
Table of contents:
1 Introduction
  1.1 Problem Statement
  1.2 Contributions
  1.3 Thesis Organization
2 Background Study
  2.1 Generalization Algorithms
  2.2 Privacy Principles
  2.3 Other Related Research
3 Anti-Corruption Privacy Preserving Publication
  3.1 Motivation
  3.2 Problem Settings
  3.3 Defects of Generalization
  3.4 Perturbed Generalization
  3.5 Modeling Privacy Attacks
    3.5.1 Corruption-Aided Linking Attacks
    3.5.2 Posterior Confidence Derivation
  3.6 Formal Results
  3.7 Experiments
  3.8 Summary
4 Preservation of Proximity Privacy
  4.1 Motivation
  4.2 Formalization
    4.2.1 Privacy Attacks
    4.2.2 (ε, m)-Anonymity
  4.3 Inadequacy of the Existing Methods
    4.3.1 Inadequacy of Generalization Principles
    4.3.2 Inadequacy of Perturbation
  4.4 Characteristics of (ε, m)-Anonymity
    4.4.1 A Reduction
    4.4.2 Achievable Range of m Given ε1 and ε2
    4.4.3 Achievable ε1 and ε2 Given m
    4.4.4 Selecting the Parameters
  4.5 Generalization Algorithm
    4.5.1 Non-Monotonicity and Predictability
    4.5.2 The Algorithm
  4.6 Experiments
  4.7 Summary
5 Privacy Preserving Publication for Multiple Users
  5.1 Motivation
  5.2 Problem Definition
    5.2.1 K-Anonymity
    5.2.2 An Observation
  5.3 The Butterfly Method
    5.3.1 The Butterfly Structure
    5.3.2 Anonymization Algorithm
  5.4 Extensions
    5.4.1 Handling More Than Two QIDs
    5.4.2 Handling Collusion
  5.5 Experiments
  5.6 Summary
6 Conclusions and Future Work
A List of Publications
Bibliography
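The contents above name the three ideas a practitioner needs in order to follow the thesis: generalization of quasi-identifiers, the linking attack it defends against, and the proximity problem that k-anonymity alone leaves open (Chapter 4). The Python below is an added example, not code from the thesis: it generalizes a small constructed table, replays a linking attack against the raw and the published versions, and then checks the published table for proximity leakage. The data is made up, the generalization is a plain fixed-width bucketing rather than the thesis's algorithm, and the proximity check implements one reading of (ε, m)-anonymity stated in the docstring (in every QI-group, for each tuple at most 1/m of the group's tuples may have a sensitive value within ε of that tuple's value); the Butterfly method and the anti-corruption perturbation are not implemented.

```python
from collections import defaultdict

# Constructed microdata (not real data): two quasi-identifiers and a
# numeric sensitive attribute (salary, in thousands).
RAW = [
    {"age": 23, "zip": "11001", "salary": 40},
    {"age": 27, "zip": "11003", "salary": 42},
    {"age": 29, "zip": "11007", "salary": 41},
    {"age": 41, "zip": "12011", "salary": 90},
    {"age": 45, "zip": "12022", "salary": 120},
    {"age": 48, "zip": "12030", "salary": 65},
]
QIDS = ("age", "zip")


def generalize(row, age_width=10, zip_prefix=3):
    """Coarsen the quasi-identifiers: age to a fixed-width bucket, zip to a
    prefix. Assumed simple scheme, not the thesis's generalization algorithm.
    Applying it to an adversary's background knowledge too lets the linking
    attack be replayed against the published table."""
    lo = (row["age"] // age_width) * age_width
    out = dict(row)
    out["age"] = f"{lo}-{lo + age_width - 1}"
    out["zip"] = row["zip"][:zip_prefix] + "*" * (len(row["zip"]) - zip_prefix)
    return out


def qi_key(row, qids=QIDS):
    return tuple(row[q] for q in qids)


def qi_groups(table, qids=QIDS):
    """Partition the table into QI-groups: rows sharing identical QI values."""
    groups = defaultdict(list)
    for row in table:
        groups[qi_key(row, qids)].append(row)
    return groups


def is_k_anonymous(table, k, qids=QIDS):
    """Every QI-group must contain at least k rows."""
    return all(len(g) >= k for g in qi_groups(table, qids).values())


def linking_attack(table, known, qids=QIDS):
    """Rows the adversary cannot rule out given the victim's QI values from an
    external source (e.g. a voter list). A single match re-identifies."""
    return [r for r in table if qi_key(r, qids) == qi_key(known, qids)]


def is_eps_m_anonymous(table, eps, m, sensitive="salary", qids=QIDS):
    """Proximity check under the assumed reading of (eps, m)-anonymity: in
    every QI-group, for each tuple t, at most 1/m of the group's tuples may
    have a sensitive value within eps of t's value."""
    for g in qi_groups(table, qids).values():
        for t in g:
            near = sum(1 for u in g if abs(u[sensitive] - t[sensitive]) <= eps)
            if near > len(g) / m:
                return False
    return True


def demo():
    """Run the three checks on the constructed data and return the outcomes."""
    published = [generalize(r) for r in RAW]
    victim = {"age": 23, "zip": "11001"}      # adversary's background knowledge
    return {
        "raw_k2": is_k_anonymous(RAW, 2),
        "pub_k3": is_k_anonymous(published, 3),
        "raw_matches": len(linking_attack(RAW, victim)),
        "pub_matches": len(linking_attack(published, generalize(victim))),
        "pub_eps5_m2": is_eps_m_anonymous(published, 5, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The raw table re-identifies the victim with one match, and after generalization the match set grows to three rows, so the published table is 3-anonymous. The same table still fails the proximity check with ε = 5 and m = 2: the three salaries in the 20-29 / 110** group are 40, 41 and 42, so anyone linked to that group is known to earn about 40 even though no single row can be singled out. That is the gap Chapter 4's (ε, m)-anonymity is designed to close.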
6

Information-theoretic security under computational, bandwidth, and randomization constraints

Chou, Remi, 21 September 2015
The objective of the proposed research is to develop and analyze coding schemes for information-theoretic security, which could bridge a gap between theory and practice. We focus on two fundamental models for information-theoretic security: secret-key generation for a source model and secure communication over the wire-tap channel. Many results for these models only prove the existence of codes, and few attempts have been made to design practical schemes. The schemes we would like to propose should account for practical constraints. Specifically, we formulate the following constraints to avoid oversimplifying the problems. We should assume: (1) computationally bounded legitimate users, and not rely solely on proofs showing the existence of codes with complexity exponential in the block length; (2) a rate-limited public communication channel for the secret-key generation model, to account for bandwidth constraints; (3) a non-uniform and rate-limited source of randomness at the encoder for the wire-tap channel model, since a perfectly uniform and rate-unlimited source of randomness might be an expensive resource. Our work focuses on developing schemes for secret-key generation and the wire-tap channel that satisfy subsets of the aforementioned constraints.
7

Information System Security

Yucel, Okan, 01 January 2003
This thesis analyzes the physical, communicational, and organizational dimensions of information system security process by taking the four-layer approach, which is composed of the policy, model, architecture, and mechanisms into account. Within this scope, according to the results of the security analysis of information systems in METU Informatics Institute, the policy, model, architecture, and mechanisms necessary to prepare a new security process were proposed. As a subcomponent of this proposed security process, the network security of the IS100 course was partially established, and the generated results were evaluated.
8

Aplicação de metricas a analise de segurança em redes metropolitanas de acesso aberto / Metrics application in metropolitan broadband access network security analysis

Miani, Rodrigo Sanches, 03 May 2009
Supervisor: Leonardo de Souza Mendes. Master's dissertation, Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.
Abstract (translated from Portuguese): Questions of security assurance directly influence whether the deployment of open-access metropolitan networks succeeds. Efficient methods are therefore needed to analyse the security of these networks at every level (organizational, physical and systems) in order to propose solutions and implement improvements. Our proposal is to create security metrics specific to open-access metropolitan networks, aimed at measuring the effectiveness of security programmes and supporting the planning of actions against the problems detected. This work presents a set of twelve security metrics for such networks and the parameters for defining them, including two models for calculating a metric's security indicator. It also presents the results obtained by applying these metrics to establish security policies on the open-access metropolitan network of Pedreira, a city in the interior of the state of São Paulo. The results showed that applying well-defined metrics can be effective in detecting vulnerabilities and correcting security problems.
Abstract (original English): Information security has direct influence on any successful deployment of metropolitan broadband access networks. Efficient methods are required for security analysis of metropolitan networks in all levels: organization, structure and system. This work proposes the development and application of specific security metrics for metropolitan broadband access networks that aim to measure the efficiency of security programs and support action planning against detected problems. The approach presented in this work shows metrics developed for these networks and parameters for metrics definition, such as a model for calculation of a security indicator of a metric. This paper also presents results achieved from application of the metrics reported here to establish security policies in the metropolitan broadband access network of Pedreira, a city located in the state of São Paulo, Brazil. These results show that well formed security metrics can be efficient in vulnerability detection and solutions of security issues.
Master's degree in Electrical Engineering (Telecommunications and Telematics).
9

Uma arquitetura baseada em um modelo gerente-agente para análise integrada e automação da coleta dos dados de métricas de segurança / An architecture based on agent-manager model for integrated analysis and automated data collection of security metrics

Vieira, Liniquer Kavrokov, 1986-, 23 August 2018
Supervisor: Leonardo de Souza Mendes. Master's dissertation, Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação. Original issue date: 2013.
Abstract (translated from Portuguese): The ever-growing dependence on computer networks makes information security a key element for progress and for the continuity of services in our society. Security metrics are developed to give a quantitative and objective basis for supporting security management in an organization. However, using metrics to measure the level of security, when done by hand, can demand a great deal of time and effort for data collection. This work proposes an architecture based on a manager-agent model to allow automated collection of data from the various components of a computer network, with the aim of broadening the application of metrics and supporting security management. A tool for automated measurement and data collection was developed on the basis of the proposed architecture and applied to a computer network. Besides helping the network administrator with decision making, the tool also eases management of the metrics through a visualization model. Tests were carried out and showed that the proposed architecture is able to integrate control of the information and support the security monitoring process.
Abstract (original English): The reliance of organizations on computer networks makes information security a key element to the evolution and continuity of services in our society. Security metrics are developed in order to offer a quantitative and objective basis for security assurance. However, the use of metrics to measure the security level, when performed manually, can require much time and effort for data collection. This study proposes an architecture based on an agent-manager management model to allow automated data collection from several components in a computer network, aiming to expand the security metrics application and support security management. A tool for measurement and automated data collection based on the proposed architecture was developed and applied in a real computer network. This tool helps the network administrator in decision making and also facilitates metrics management through a visualization model. Tests were performed showing that the proposed architecture is able to integrate the control of information and support the security monitoring process.
Master's degree in Electrical Engineering (Telecommunications and Telematics).
10

An information security policy architecture with special reference to a tertiary institution.

Jordaan, Ansa, 02 June 2008
This dissertation is limited to the compilation of an Information Security Policy Architecture for a Tertiary Institution. An Information Security Policy Architecture for a Tertiary Institution is probably the most challenging architecture to develop in an environment where information accessibility is promoted. The Security Policy Architecture is a component of a complete Information Security Architecture, which is not addressed in this dissertation. To mitigate and manage risks, it is essential first to know what the information technology risks are and, as a second step, to actively manage these risks to ensure that they stay within acceptable limits. The reporting and the monitoring of these risks open new fields of research and are not discussed in this dissertation.
Supervisor: von Solms, S.H., Prof.
