A study of foreign acquisition of U.S. firms prior to the Exon-Floria Amendment

Schellhammer, Fred O.

January 1990

Thesis (M.S. in Management)--Naval Postgraduate School, December 1990. / Thesis Advisor: Doyle, Richard. Second Reader: Fitzgerald, David. "December 1990." Description based on title screen as viewed on April 2, 2010. DTIC Identifier(s): Foreign acquisition, national security, foreign investment, defense industrial base, semiconductors, Exon-Florida Amendment, economics, Congress, theses, United States. Author(s) subject terms: Foreign investment, industrial base. Includes bibliographical references (p. 37-39). Also available in print.

Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective

Chia, Pern Hui

January 2012

Various security measures are ineffective having been designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to the traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game theoretical model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users for improving information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable to protect themselves; it demonstrates the potentials of community efforts in complementing conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third party applications (apps), the thesis explores the security and privacy risks and challenges with both centralized and decentralized app control models. Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from the lack of effective risk signaling. We find the tendency of popular apps requesting more permissions than average. Compound with the absence of alternative risk signals, users will habitually click through the permission request dialogs. In addition, we find the free apps, apps with mature content, and apps with names mimicking the popular ones, request more permissions than typical. These indicate possible attempts to trick the users into compromising their privacy.

Information Security

Security Economics

Usable Security

Japanese technology and U.S. national security

Dukat, Robert J.

January 1990

Thesis (M.A. in National Security Affairs)--Naval Postgraduate School, December 1990. / Thesis Advisor(s): Olsen, Edward. Second Reader: Looney, Robert. "December 1990." Description based on title screen as viewed on March 30, 2010. DTIC Identifier(s): International Trade, Western Security (International), United States, Critical Technology, Asia-Pacific Region, Theses. Author(s) subject terms: Japanese Technologly, U.S. National Security, U.S.-Japan Relations, U.S. Foreign Policy, U.S. Economic Policy, U.S. Technological Policy, Japanese Economic Policy, Japanese Foreign Policy, Japanese Governmental Policy, U.S.-Japan Trade, U.S. Trade Problems, U.S. Defense Policy, U.S. Industrial Policy. Includes bibliographical references (p. 143-156). Also available in print.

The Economics of Data Breach: Asymmetric Information and Policy Interventions

Garcia, Michael Erik

23 July 2013

No description available.

Economics

Information Technology

cybersecurity

cyber security

data breach

economics

data breach notification

information security

information security economics

Model-based Evaluation: from Dependability Theory to Security

Alaboodi, Saad Saleh

21 June 2013

How to quantify security is a classic question in the security community that until today has had no plausible answer. Unfortunately, current security evaluation models are often either quantitative but too specific (i.e., applicability is limited), or comprehensive (i.e., system-level) but qualitative. The importance of quantifying security cannot be overstated, but doing so is difficult and complex, for many reason: the “physics” of the amount of security is ambiguous; the operational state is defined by two confronting parties; protecting and breaking systems is a cross-disciplinary mechanism; security is achieved by comparable security strength and breakable by the weakest link; and the human factor is unavoidable, among others. Thus, security engineers face great challenges in defending the principles of information security and privacy. This thesis addresses model-based system-level security quantification and argues that properly addressing the quantification problem of security first requires a paradigm shift in security modeling, addressing the problem at the abstraction level of what defines a computing system and failure model, before any system-level analysis can be established. Consequently, we present a candidate computing systems abstraction and failure model, then propose two failure-centric model-based quantification approaches, each including a bounding system model, performance measures, and evaluation techniques. The first approach addresses the problem considering the set of controls. To bound and build the logical network of a security system, we extend our original work on the Information Security Maturity Model (ISMM) with Reliability Block Diagrams (RBDs), state vectors, and structure functions from reliability engineering. We then present two different groups of evaluation methods. The first mainly addresses binary systems, by extending minimal path sets, minimal cut sets, and reliability analysis based on both random events and random variables. The second group addresses multi-state security systems with multiple performance measures, by extending Multi-state Systems (MSSs) representation and the Universal Generating Function (UGF) method. The second approach addresses the quantification problem when the two sets of a computing system, i.e., assets and controls, are considered. We adopt a graph-theoretic approach using Bayesian Networks (BNs) to build an asset-control graph as the candidate bounding system model, then demonstrate its application in a novel risk assessment method with various diagnosis and prediction inferences. This work, however, is multidisciplinary, involving foundations from many fields, including security engineering; maturity models; dependability theory, particularly reliability engineering; graph theory, particularly BNs; and probability and stochastic models.

security

reliability

dependability

failure model

security engineering

security economics

ISMM model

asset-control graph

security model

Bayesian Networks

failure interdependency

risk assessment

cloud risk

multi-state systems

Universal Generating Function

Electrical and Computer Engineering

Model-based Evaluation: from Dependability Theory to Security

Alaboodi, Saad Saleh

21 June 2013

How to quantify security is a classic question in the security community that until today has had no plausible answer. Unfortunately, current security evaluation models are often either quantitative but too specific (i.e., applicability is limited), or comprehensive (i.e., system-level) but qualitative. The importance of quantifying security cannot be overstated, but doing so is difficult and complex, for many reason: the “physics” of the amount of security is ambiguous; the operational state is defined by two confronting parties; protecting and breaking systems is a cross-disciplinary mechanism; security is achieved by comparable security strength and breakable by the weakest link; and the human factor is unavoidable, among others. Thus, security engineers face great challenges in defending the principles of information security and privacy. This thesis addresses model-based system-level security quantification and argues that properly addressing the quantification problem of security first requires a paradigm shift in security modeling, addressing the problem at the abstraction level of what defines a computing system and failure model, before any system-level analysis can be established. Consequently, we present a candidate computing systems abstraction and failure model, then propose two failure-centric model-based quantification approaches, each including a bounding system model, performance measures, and evaluation techniques. The first approach addresses the problem considering the set of controls. To bound and build the logical network of a security system, we extend our original work on the Information Security Maturity Model (ISMM) with Reliability Block Diagrams (RBDs), state vectors, and structure functions from reliability engineering. We then present two different groups of evaluation methods. The first mainly addresses binary systems, by extending minimal path sets, minimal cut sets, and reliability analysis based on both random events and random variables. The second group addresses multi-state security systems with multiple performance measures, by extending Multi-state Systems (MSSs) representation and the Universal Generating Function (UGF) method. The second approach addresses the quantification problem when the two sets of a computing system, i.e., assets and controls, are considered. We adopt a graph-theoretic approach using Bayesian Networks (BNs) to build an asset-control graph as the candidate bounding system model, then demonstrate its application in a novel risk assessment method with various diagnosis and prediction inferences. This work, however, is multidisciplinary, involving foundations from many fields, including security engineering; maturity models; dependability theory, particularly reliability engineering; graph theory, particularly BNs; and probability and stochastic models.

security

reliability

dependability

failure model

security engineering

security economics

ISMM model

asset-control graph

security model

Bayesian Networks

failure interdependency

risk assessment

cloud risk

multi-state systems

Universal Generating Function

Electrical and Computer Engineering