  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

DIVERGENCE IN STAKEHOLDER PERCEPTIONS OF SECURITY POLICIES: A REPGRID ANALYSIS FOR NORM-RULE COMPLIANCE

Almusharraf, Ahlam 01 January 2016
Many organizations have a problem with synchronizing individual values regarding information security with expectations set by the relevant security policy. Such discordance leads to failure in compliance or simply subversion of existing or imposed controls. The problem of the mismatch in understanding the security policies amongst individuals in an organization has a devastating effect on the security of the organization. Different individuals hold different understanding and knowledge about IS security, which is reflected in IS security policies design and practice (Vaast, 2007). Albrechtsen and Hovden (2009) argue that users and managers practice IS security differently because they have different rationalities. This difference in rationalities may reflect the mismatch between the security policies and individuals’ values. In this research, we argue that the occurrence of a security breach can change individuals’ values in light of the security policy of the organization. These changes in the values can be reflected in the compliance between individuals’ norms and security rules and standards. Indeed, organizations need to guarantee the compliance between security policy and values of their employees. Thus, they can alleviate or prevent violations of the security of the organization. However, it is difficult to find a common method that all organizations can adopt to guarantee the synch between security rules and individuals’ norms. The main aim of this research is to investigate how people perceive information security policy and how their perceptions change in response to security breaches. Besides, this research aims to investigate the relationship between individuals’ values and security policy. Thus, organizations can have the intended level of compliance between individual norms and security rules and standards. With the aid of the Repertory Grid technique, this research examines how a security breach shapes people’s values with respect to the security policy of an organization. To conduct the argument, this research offers an assessment mechanism that aids the organization to evaluate employees’ values in regard to security policy. Based on that evaluation, the organization can develop a proper mechanism to guarantee compliance between individuals’ norms and security rules. The results of this research show that employees in an organization hold different perceptions regarding the security policy. These perceptions change in response to a security incident. This change in perceptions does not necessarily result in better compliance with the security policy. Factors like the type of breach and people’s experience can affect the amount of change in the perceptions. Contributions, implications, and directions for future research of this study will be discussed.
2

A trust framework for multi-organization environments / Un système de confiance pour les environnements multi-organisationnels

Toumi, Khalifa 01 April 2014
The spread of inexpensive communication technologies, distributed data storage and web services mechanisms currently urge the collaboration among organizations. Partners are participating in this environment motivated by several advantages such as: (1) the ability to use external and professional resources, services and knowledge, (2) the reduction of time-consuming requirements and (3) the benefaction of experts' experience. However, this collaboration is not perfect since several problems can arise such as the misuse of resources, disclosure of data or inadequate services. Therefore, security is an important concern of the participants. In particular, trust management and access control are among the major security issues for an organization. This thesis addresses these two areas in particular. It proposes a novel and comprehensive trust framework for Multi-Organization Environments. Our approach is organized in four parts. First, we propose a vector-based model approach for defining trust vectors. These vectors evaluate a set of requirements, under conditions, and provide a degree of confidence. In our approach, we consider two different types of vectors. On the one hand, a vector that links a user to an organization and, on the other hand, a vector that links two organizations. We also show how these vectors are evaluated and shared among the different organizations, and how we combine the provided trust information in order to enhance the security. Second, the TRUST-OrBAC model was designed to add the previous trust approach to the OrBAC (Organization Based Access Control) model. Moreover, this solution was applied with a real collaboration network between companies. Third, we present a trust ontology methodology based on access control concepts. This ontology will be used to share the trust beliefs between participants and to make equivalence between their trust objectives. How to define this trust relationship, how to understand the trust objective of a requester, and how to evaluate the recommendation value are addressed in this thesis. Fourth, we improve our work by designing a passive testing approach in order to evaluate the behavior of a user. This contribution is based on the monitoring tool MMT (Montimage Monitoring Tool). Finally, the entire architecture of our system is proposed.
3

A trust framework for multi-organization environments

Toumi, Khalifa 01 April 2014
The spread of inexpensive communication technologies, distributed data storage and web services mechanisms currently urge the collaboration among organizations. Partners are participating in this environment motivated by several advantages such as: (1) the ability to use external and professional resources, services and knowledge, (2) the reduction of time-consuming requirements and (3) the benefaction of experts' experience. However, this collaboration is not perfect since several problems can arise such as the misuse of resources, disclosure of data or inadequate services. Therefore, security is an important concern of the participants. In particular, trust management and access control are among the major security issues for an organization. This thesis addresses these two areas in particular. It proposes a novel and comprehensive trust framework for Multi-Organization Environments. Our approach is organized in four parts. First, we propose a vector-based model approach for defining trust vectors. These vectors evaluate a set of requirements, under conditions, and provide a degree of confidence. In our approach, we consider two different types of vectors. On the one hand, a vector that links a user to an organization and, on the other hand, a vector that links two organizations. We also show how these vectors are evaluated and shared among the different organizations, and how we combine the provided trust information in order to enhance the security. Second, the TRUST-OrBAC model was designed to add the previous trust approach to the OrBAC model. Moreover, this solution was applied with a real collaboration network between companies. Third, we present a trust ontology methodology based on access control concepts. This ontology will be used to share the trust beliefs between participants and to make equivalence between their trust objectives. How to define this trust relationship, how to understand the trust objective of a requester, and how to evaluate the recommendation value are addressed in this thesis. Fourth, we improve our work by designing a passive testing approach in order to evaluate the behavior of a user. This contribution is based on the monitoring tool MMT. Finally, the entire architecture of our system is proposed.
4

PUPSI: uma proposta de processo unificado para políticas de segurança da informação / PUPSI: A proposal of a unified process for information security policies

Anjos, Ivano Miranda dos 30 April 2004
The way to deal with information assets means nowadays the main factor not only for the success but also for keeping the companies in the global world. The number of information security incidents has grown for the last years. The establishment of information security policies that search to keep the security requirements of assets in the desired degrees is the major priority for the companies. This dissertation suggests a unified process for elaboration, maintenance and development of information security policies, the Processo Unificado para Políticas de Segurança da Informação - PUPSI. The elaboration of this proposal started with the construction of a structure of knowledge based on documents and official rules, published in the last two decades, about security policies and information security. It's a model based on the examined documents which defines the needed security policies to be established in the organization, its work flow and identifies the sequence of hierarchy among them. It's also made a model of the entities participating in the process. The problem treated by the model being so complex, involving all security policies that the company must have, PUPSI has an interative and developing approach. This approach was obtained from the instantiation of the RUP - Rational Unified Process model. RUP is a platform for object-oriented software development, of Rational Software (IBM group), which uses the best practice known by the market. PUPSI got from RUP a structure of process that offers functionality, diffusion capacity and comprehension, performance and agility for the process adjustment, offering yet capacity of adjustment to technological and structural changes of the market and the company.
5

Požadavky EU na ochranu letectví před protiprávními činy a jejich aplikovatelnost na regionální letiště / EU requirements for aviation security and its applicability to regional airports

Šumpela, David January 2011
This diploma thesis is focused on a summary of EU security requirements. It especially concerns EU regulations, security programs and international conventions. These regulations are applied to Airport České Budějovice, which is now in the process of modernization and expansion. From this view, the thesis concentrates on the segregation of airport areas, their borders, security check planning, the capacity of each part of the airport and a comparison of appropriate security devices. It deals with the possibility of deviating from common security rules and accepting alternative security rules. There is a small mention of kinds of airport threats and their consequences.
