1. A Reading Preference and Risk Taxonomy for Printed Proprietary Information Compromise in the Aerospace and Defense Industry
Stalker, Joshua D., 01 January 2012
The protection of proprietary information that users print from their information systems is a significant and relevant concern in the field of information security to both researchers and practitioners. Information security researchers have repeatedly indicated that human behaviors and perception are important factors influencing the information security of organizations and have called for more research. The aerospace and defense industry commonly deals with its own proprietary information as well as its customers'. Further, e-training is a growing practice in this industry, frequently deals with proprietary information, and has unique information security challenges; thus, it serves as additional context for this study.
This study focused on the investigation of two constructs, user reading preference and user perceived risk of compromising printed proprietary information, as well as seven user demographics. These constructs reflect human behavior and risk perceptions associated with compromising printed proprietary information and, thus, provide valuable insights applicable to information security. This study developed a Reading Preference and Risk (RPR) Taxonomy, which allows users to be classified according to the aforementioned two constructs under investigation and provides insightful characterizations of information security risks. A survey based on existing literature, the primary constructs, and several demographics was implemented to assess two research questions and seven associated hypotheses. The survey was sent to 1,728 employees of an aerospace and defense organization. The response rate was 18% with 311 usable records.
The results of the study showed that employees were dispersed across the RPR Taxonomy with 15.1% identified as potentially problematic to the protection of printed proprietary information. The overall results showed that the population had a reading preference for print materials and a high perceived risk for compromising printed proprietary information, as well as significantly higher print preference for e-training materials when it was necessary to retain the content in memory. Significant differences in the two constructs were also found across several demographics including age, gender, frequency of user exposure to proprietary information, the confidentiality level of the proprietary information a user is regularly exposed to, and previous user experience with the compromise of proprietary information. Recommendations for practice and research are provided. Moreover, several areas for future research are also presented.

2. An educational framework to support industrial control system security engineering
Benjuma, Nuria Mahmud, January 2017
Industrial Control Systems (ICSs) are used to monitor and control critical infrastructure such as electricity and water. ICS were originally stand-alone systems, but are now widely being connected to corporate national IT networks, making remote monitoring and more timely control possible. While this connectivity has brought multiple benefits to ICS, such as cost reductions and an increase in redundancy and flexibility, ICS were not designed for open connectivity and therefore are more prone to security threats, creating a greater requirement for adequate security engineering approaches. The culture gap between developers and security experts is one of the main challenges of ICS security engineering. Control system developers play an important role in building secure systems; however, they lack security training and support throughout the development process. Security training, which is an essential activity in the defence-in-depth strategy for ICS security, has been addressed, but has not been given sufficient attention in academia. Security support is a key means by which to tackle this challenge via assisting developers in ICS security by design. This thesis proposes a novel framework, the Industrial Control System Security Engineering Support (ICS-SES), which aims to help developers in designing secure control systems by enabling them to reuse secure design patterns and improve their security knowledge. ICS-SES adapts a pattern-based approach to guide developers in security engineering, and an automated planning technique to provide adaptive on-the-job security training tailored to personal needs. The usability of ICS-SES has been evaluated using an empirical study in terms of its effectiveness in assisting the design of secure control systems and improving developers' security knowledge.
The results show that ICS-SES can efficiently help control system designers to mitigate security vulnerabilities and improve their security knowledge, reducing the difficulties associated with the security engineering process, and the results have been found to be statistically significant. In summary, ICS-SES provides a unified method of supporting an ICS security by design approach. It fosters a development environment where engineers can improve their security knowledge while working in a control system production line.