Tim McCreight,Doug Leece

Abstract:The convergence of physical security devices into the corporate network is increasing, due to the perceived economic benefits and efficiencies gained from using one enterprise network. Bringing these two networks together is not without risk. Physical devices like closed circuit television cameras (CCTV), card access readers, and heating, ventilation and air conditioning controllers (HVAC) are typically not secured to the standards we expect for corporate computer networks. These devices can pose significant risks to the corporate network by creating new avenues to exploit vulnerabilities in less-than-secure implementations of physical systems. The ASIS Information Technology Security Council (ITSC) developed a white paper describing steps organisations can take to reduce the risks this convergence can pose, and presented these concepts at the 2015 ASIS/ISC2 Congress in Anaheim, California.<xref ref-type="fn" rid="fn1">1</xref> This paper expands upon the six characteristics described by ITSC, and provides business continuity planners with information on how to apply these recommendations to physical security devices that use the corporate network.

Jingjun Lü,Shuzhen Yao,He Huang,Ming Zhou

DOI: https://doi.org/10.1109/ICITIS.2010.5689604

2010-01-01

Abstract:On the basis of converged network features and aimed at specific military security protection needs, an information security policy in converged network environment was proposed in the paper. Referred to three core security control areas of ISO/IEC 17799:2005, including asset management, access control and information security incident management, the thesis focuses on following four aspects: intrusion detection, secure session, access control and risk assessment, which promise the security of converged network environment. © 2010 IEEE.

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Kyle Dees,Shawon Rahman

DOI: https://doi.org/10.48550/arXiv.1512.00064

2015-11-30

Computers and Society

Abstract:As a result of the increased dependency on obtaining information and connecting each computer together for ease of access or communication, organizations risk being attacked and losing private information through breaches or insecure business activities. To help protect organizations and their assets, companies need to develop a strong understanding of the risks imposed on their company and the security solutions designed to prevent or minimize vulnerabilities. To reduce the impact threats have on a network, organizations need to: design a defense layer system that provides multiple instances of protection to prevent unauthorized access to core information, implement a strong network hardware/intrusion prevention system, and create all-inclusive network or security policies that detail user rules and company rights. In order to enhance the overall security of a basic infrastructure, this paper will provide a detailed look into gathering the organizational requirements, designing and implementing a secure physical network layout, and selecting the standards needed to prevent unauthorized access

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Bassam Zahran,Adamu Hussaini,Aisha Ali-Gombe

DOI: https://doi.org/10.48550/arXiv.2302.09426

2023-02-19

Abstract:IoT is undoubtedly considered the future of the Internet. Many sectors are moving towards the use of these devices to aid better monitoring, controlling of the surrounding environment, and manufacturing processes. The Industrial Internet of things is a sub-domain of IoT and serves as enablers of the industry. IIoT is providing valuable services to Industrial Control Systems such as logistics, manufacturing, healthcare, industrial surveillance, and others. Although IIoT service-offering to ICS is tempting, it comes with greater risk. ICS systems are protected by isolation and creating an air-gap to separate their network from the outside world. While IIoT by definition is a device that has connection ability. This creates multiple points of entry to a closed system. In this study, we examine the first automated risk assessment system designed specifically to deal with the automated risk assessment and defining potential threats associated with IT/OT convergence based on OCTAVE Allegro- ISO/IEC 27030 Frameworks.

Cryptography and Security

Joseph H. Schuessler

DOI: https://doi.org/10.1080/15536548.2013.10845676

2013-04-01

Journal of Information Privacy and Security

Abstract:Information Systems Security (ISS) is of major concern to not only network administrators, but also for managers of organizations for a variety of reasons including: the need for organizations to comply with various regulatory agencies, the reliance on information systems to provide the organizational backbone to the organization, and rising operational dependence on ecommerce to conduct daily business activities. These aspects create challenges for network managers who are tasked with balancing the needs of stakeholders with protection of sensitive information and valuable hardware. Despite ISS being largely a managerial issue, managerial concern for ISS is inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys. This research seeks to examine the current state of threats faced by organizations and the countermeasures they employ by examining prior research on the subject and comparing the results of that research to interview responses from “experts” in positions that required both a technical and managerial understanding of the threats and countermeasures faced and used respectively. Results suggest that, based on interview responses from experts, both threats and countermeasure responses have changed over time. Interpretation of the results will help systems administrators and network managers better understand modern threats and point towards potential remedies to mitigate the risk generated by such threats.

Allan Lam,Pradeep K. Ray

2004-01-01

Abstract:Security management has become a major concern in today's e-business systems due to ever-increasing attacks on enterprise servers. This has led to the increasing sophistication of network security tools and systems in e-business networks that involve a number of organizational entities cooperating over computer communication networks. Many large organizations are outsourcing the management of e-business networks. This paper examines the problem of security management in the context of an Management Service Provider (an organization that provides remote management of e-business networks). Existing security tools (e.g., Intrusion Detection Systems (IDS)) assist us in detecting attempts by unauthorized users to get access to networked information resources. However, the management of IDSs offers some interesting challenges (e.g., false alerts). This paper presents a policy-based management framework to solve this problem.

Sayed Abu Sayeed,Mir Mehedi Rahman,Samiul Alam,Naresh Kshetri

2024-10-20

Abstract:The financial sector's dependence on digital infrastructure increases its vulnerability to cybersecurity threats, requiring strong IT security protocols with other entities. This collaboration, however, is often identified as the most vulnerable link in the chain of cybersecurity. Adopting both symbolic and substantive measures lessens the impact of IT security spending on decreasing the frequency of data security breaches in the long run. The Protection Motivation Theory clarifies actions triggered by data sharing with other organizations, and the Institutional theory aids in comprehending the intricate relationship between transparency and organizational conduct. We investigate how things like regulatory pressure, teamwork among institutions, and people's motivations to protect themselves influence cybersecurity. By using simple theories to understand these factors, this research aims to provide insights that can help financial institutions make better decisions to protect. We have also included the discussion, conclusion, and future directions in regard to collaboration in financial sector cybersecurity for exploring impact of resource sharing.

Cryptography and Security

Wajeb Gharibi,Abdulrahman Mirza

DOI: https://doi.org/10.48550/arXiv.1105.2002

2011-05-10

Cryptography and Security

Abstract:This article aims to highlight current trends on the market of corporate antivirus solutions. Brief overview of modern security threats that can destroy IT environment is provided as well as a typical structure and features of antivirus suits for corporate users presented on the market. The general requirements for corporate products are determined according to the last report from av-comparatives.org [1]. The detailed analysis of new features is provided based on an overview of products available on the market nowadays. At the end, an enumeration of modern trends in antivirus industry for corporate users completes this article. Finally, the main goal of this article is to stress an attention about new trends suggested by AV vendors in their solutions in order to protect customers against newest security threats.

Anthony Bisong,Syed,M. Rahman

DOI: https://doi.org/10.48550/arXiv.1101.5613

2011-01-28

Cryptography and Security

Abstract:Deploying cloud computing in an enterprise infrastructure bring significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. We believe enterprise should analyze the company/organization security risks, threats, and available countermeasures before adopting this technology. In this paper, we have discussed security risks and concerns in cloud computing and enlightened steps that an enterprise can take to reduce security risks and protect their resources. We have also explained cloud computing strengths/benefits, weaknesses, and applicable areas in information risk management.

Fariborz Farahmand,Mikhail J. Mike Atallah,Eugene H. Spafford,Mikhail J. Atallah

DOI: https://doi.org/10.1109/tem.2012.2185801

IF: 8.702

2013-05-01

IEEE Transactions on Engineering Management

Abstract:Technologies and procedures for effectively securing the enterprise in cyberspace exist, but are largely underdeployed. Reasons for this shortcoming include the neglect of the role of stakeholder perceptions in organizational reward systems, and misaligned incentives for effective allocation of resources. We present a methodology for practitioners to employ, with examples for identification of perverse incentives—situations where the interests of a manager or employee are not aligned with those of the organization—and for estimation of the damage caused by incentive misalignment. We present our revision to the risk perception model developed by Fischhoff and Slovic. We also present the results of our findings from our interviews of 42 information security executives across the U.S. about the role of risk perception and incentives in information security decisions. We discuss how to identify and to correct misalignments, to develop efficient incentive structures, and to include perceptual principles and security governance in making information security a property of the organizational environment. This research contributes to the practice and theory of information security, and has several implications for practitioners and researchers in the alignment of incentives and symmetrization of information across organizations.

management,business,engineering, industrial

Muhammad Fakhrul Safitra,Muharman Lubis,Hanif Fakhrurroja

DOI: https://doi.org/10.3390/su151813369

IF: 3.9

2023-09-07

Sustainability

Abstract:Amidst the rapid advancements in the digital landscape, the convergence of digitization and cyber threats presents new challenges for organizational security. This article presents a comprehensive framework that aims to shape the future of cyber security. This framework responds to the complexities of modern cyber threats and provides guidance to organizations to enhance their resilience. The primary focus lies in the integration of capabilities with resilience. By combining these elements into cyber security practices, organizations can improve their ability to predict, mitigate, respond to, and recover from cyber disasters. This article emphasizes the importance of organizational leadership, accountability, and innovation in achieving cyber resilience. As cyber threat challenges continue to evolve, this framework offers strategic guidance to address the intricate dynamics between digitization and cyber security, moving towards a safer and more robust digital environment in the future.

environmental sciences,environmental studies,green & sustainable science & technology

Nenad Jevtić,Ibrahim Alhudaidi

DOI: https://doi.org/10.5937/sjem2302048j

2023-01-01

Serbian Journal of Engineering Management

Abstract:Information security is a key aspect of organizations' operations in today's digital age. This paper aims to analyze the importance of information security for organizations, investigating its impact on preserving the integrity, confidentiality and availability of data. Organizations are increasingly faced with complex challenges in explaining cyber threats, which emphasizes the necessity of implementing effective information security strategies. Effective data protection is the key to maintaining the trust of clients and partners, reducing financial losses and preserving the organization's reputation. In addition, information security has a significant impact on maintaining a competitive advantage, allowing organizations to innovate without fear of data loss or privacy breaches. A secure infrastructure also provides a foundation for compliance with regulatory requirements, thereby reducing the risk of legal consequences. Considering the rapid development of technology and increasingly sophisticated cyber threats, organizations face the constant challenge of adapting their security strategies. Employee education is becoming a key component of the overall information security system, and organizations that invest resources in training and security awareness have a better ability to respond to potential threats. Information security is becoming a necessary pillar of modern business, protecting organizations from cyber risk, enhancing their reputation and providing the foundation for long-term success.

LI Yufeng,LAN Julong,XUE Xiangyang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2011.04.007

2011-01-01

Abstract:This paper proposes a Common Security and Control Framework(CSCF) for application security,network security,information security,and behavioral security in tri-network convergence.CSCF has an independent architecture and can be operated transparently across the whole network.It treats the network link as the control object and can perform functions such as link traffic identification and link traffic analysis.It can also check and control a security problem at one point and initiate a whole-system response.CSCF is based on a distributed security and control platform with high scalability.This paper discusses the development of techniques used to establish a security system that proactively defends against threats,flexibly reacts to and blocks threats as they occur,and traces threats.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

Morgan Reece,Theodore Lander Jr.,Sudip Mittal,Nidhi Rastogi,Josiah Dykstra,Andy Sampson

2023-11-02

Abstract:As organizations increasingly use cloud services to host their IT infrastructure, there is a need to share data among these cloud hosted services and systems. A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. When an organization grows their multi-cloud environment, the threat vectors and vulnerabilities for their cloud systems and services grow as well. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures to best defend a multi-cloud environment against attacks. Utilizing multiple industry standard risk analysis tools, we conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures. The prioritizations from the analysis showed that authentication and architecture are the highest risk areas of threat vectors. Armed with this data, IT managers are able to more appropriately budget cybersecurity expenditure to implement the most impactful mitigations and countermeasures.

Cryptography and Security

David Hood,Syed Shawon Rahman

DOI: https://doi.org/10.48550/arXiv.1111.1770

2011-11-07

Cryptography and Security

Abstract:Information security is one of the most important aspects of technology, we cannot protect the best interests of our organizations' assets (be that personnel, data, or other resources), without ensuring that these assetsare protected to the best of their ability. Within the Defense Department, this is vital to the security of not just those assets but also the national security of the United States. Compromise insecurity could lead severe consequences. However, technology changes so rapidly that change has to be made to reflect these changes with security in mind. This article outlines a growing technological change (virtualization and cloud computing), and how to properly address IT security concerns within an operating environment. By leveraging a series of encrypted physical and virtual systems, andnetwork isolation measures, this paper delivered a secured high performance computing environment that efficiently utilized computing resources, reduced overall computer processing costs, and ensures confidentiality, integrity, and availability of systems within the operating environment.

Jenner Lavalle Sandoval,Domingo Hernández Celis,Michael Cabanillas-Carbonell,Laberiano Andrade-Arenas

DOI: https://doi.org/10.11591/ijeecs.v31.i3.pp1589-1604

2023-09-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:Currently, computer security or cybersecurity is a relevant aspect in the area of networks and communications of a company, therefore, it is important to know the risks and computer security policies that allow a unified management of cyber threats that only seek to affect the reputation or profit from the confidential information of organizations in the business sector. The objective of the research is to conduct a systematic review of the literature through articles published in databases such as Scopus and Dimension. Thus, in order to perform a complete documentary analysis, inclusion and exclusion criteria were applied to evaluate the quality of each article. Then, using a quantitative scale, articles were filtered according to author, period and country of publication, leaving a total of 86 articles from both databases. The methodology used was the one proposed by Kitchenham, and the conclusion reached was that the vast majority of companies do not make a major investment in the purchase of equipment and improvement of information technology (IT) infrastructure, exposing themselves to cyber-attacks that continue to grow every day. This research provides an opportunity for researchers, companies and entrepreneurs to consult so that they can protect their organization's most important assets.

Joseph Elias Mbowe,Irina Zlotnikova,Simon S. Msanjila,George S. Oreku

DOI: https://doi.org/10.4236/jis.2014.54016

2014-01-01

Journal of Information Security

Abstract:The security breaches of sensitive information have remained difficult to solve due to increased malware programs and unauthorized access to data stored in critical assets. As risk appetite differ from one organization to another, it prompts the threat analysis tools be integrated with organization’s information security policy so as to ensure security controls at local settings. However, it has been noted that the current tools for threat assessment processes have not encompassed information security policy for effective security management (i.e. confidentiality, integrity and availability) based on organization’s risk appetite and culture. The information security policy serves as a tool to provide guidance on how to manage and secure all business operations including critical assets, infrastructure and people in the organization. This guidance (e.g. usage and controls) facilitates the provisions for threat assessment and compliance based on local context. The lack of effective threat assessment frameworks at local context have promoted the exposure of critical assets such as database servers, mails servers, web servers and user smart-devices at the hand of attackers and thus increase risks and probability to compromise the assets. In this paper we have proposed a conceptual framework for security threat assessment based on organization’s information security policy. Furthermore, the study proposed the policy automation canvas for provision of a methodology to alert the security managers what possible threats found in their organizations for quick security mitigation without depending on security expertise.