Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Michael D. Norman,Matthew T. K. Koehler,Matthew T.K. Koehler

DOI: https://doi.org/10.48550/arXiv.1706.08598

2017-06-19

Physics and Society

Abstract:In a world of ever-increasing systems interdependence, effective cybersecurity policy design seems to be one of the most critically understudied elements of our national security strategy. Enterprise cyber technologies are often implemented without much regard to the interactions that occur between humans and the new technology. Furthermore, the interactions that occur between individuals can often have an impact on the newly employed technology as well. Without a rigorous, evidence-based approach to ground an employment strategy and elucidate the emergent organizational needs that will come with the fielding of new cyber capabilities, one is left to speculate on the impact that novel technologies will have on the aggregate functioning of the enterprise. In this paper, we will explore a scenario in which a hypothetical government agency applies a complexity science perspective, supported by agent-based modeling, to more fully understand the impacts of strategic policy decisions. We present a model to explore the socio-technical dynamics of these systems, discuss lessons using this platform, and suggest further research and development.

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Marek Amanowicz,Mariusz Kamola

DOI: https://doi.org/10.3390/electronics11223835

IF: 2.9

2022-11-22

Electronics

Abstract:Protection against a growing number of increasingly sophisticated and complex cyberattacks requires the real-time acquisition of up-to-date information on identified threats and their potential impact on an enterprise's operation. However, the complexity and variety of IT/OT infrastructure interdependencies and the business processes and services it supports significantly complicate this task. Hence, we propose a novel solution here that provides security awareness of critical infrastructure entities. Appropriate measures and methods for comprehensively managing cyberspace security and resilience in an enterprise are provided, and these take into account the aspects of confidentiality, availability, and integrity of the essential services offered across the underlying business processes and IT infrastructure. The abstraction of these entities as business objects is proposed to uniformly address them and their interdependencies. In this paper, the concept of modeling the cyberspace of interdependent services, business processes, and systems and the procedures for assessing and predicting their attributes and dynamic states are depicted. The enterprise can build a model of its operation with the proposed formalism, which takes it to the first level of security awareness. Through dedicated simulation procedures, the enterprise can anticipate the evolution of actual or hypothetical threats and related risks, which is the second level of awareness. Finally, simulation-driven analyses can serve in guiding operations toward improvement with respect to resilience and threat protection, bringing the enterprise to the third level of awareness. The solution is also applied in the case study of an essential service provider.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Anastasia Kalita,Marina Ozhiganova,Evgeny Tishchenko

DOI: https://doi.org/10.15688/nbit.jvolsu.2019.1.2

2019-08-01

NBI Technologies

Abstract:Over the past few decades, there has been a tendency to minimize the participation of the human factor in various production and other processes. This process is implemented through the mass introduction of automated systems. Man-machine complexes are currently the most common and productive model of activity. At the current stage of technology development, the process of human activity automation is only an intermediate link on the way to excluding human intervention. This direction is the most relevant for systems that have a potential and real threat to human health and life (for example, manufacturing plants) or systems that are threatened by a person (for example, transport systems). The second group includes the sphere of information security. There is a need to move to the next level of excluding the human factor – introducing adaptive systems that will transfer the process of information protection in a completely different plane. The organization of adaptive information security systems is based on applying existing methods of adaptation from other areas of scientific knowledge in relation to information security issues. Features of such application of the generalized principles of adaptation reflect the specifics of the subject area without violating generally accepted norms. This article discusses the general principles of adaptive systems. It investigates the existing approaches to the organization of adaptive information security systems as well.

Rainer Diesch,Matthias Pfaff,Helmut Krcmar

DOI: https://doi.org/10.1016/j.cose.2020.101747

2020-05-01

Abstract:<p>Decision-making in the context of organizational information security is highly dependent on various information. For information security managers, not only relevant information has to be clarified but also their interdependencies have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance &amp; policy. Second, an interview series with 19 experts from the industry was used to evaluate the relevance of these factors in practice and explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key-security-indicators, which directly impact the security-status of an organization while other indicators are only indirectly connected. Based on these results, information security managers should be aware of direct and indirect MSFs to make appropriate decisions.</p>

computer science, information systems

Partha Saha,Nandan Parameswaran,Pradeep Ray,Ambuj Mahanti

DOI: https://doi.org/10.1109/DASC.2011.37

2011-01-01

Abstract:Interconnected network centric environment is governed by a complex web of regulatory standards across wide geographical boundaries. With increasing trend of globalization and e-governance initiatives sweeping across different industrial sectors the multi-national corporations are forced to conform to multiple government regulations demanded by numerous stakeholders comprising regulatory authorities, legal entities, consumer forum and partners. In a heterogeneous, multi-regulated, multi-disciplined and global environment, corporations are often required to adhere to more than one standard and best practice method. Compliance auditing (CA) is the process that identifies and analyses any misalignment and non-compliance of the organization's rules and policies vis-a-vis government regulations. A distinct challenge in compliance auditing is the repetitive, resource intensive process of identifying non-compliant organizational issues based on company policies, controls or industrial standards. In this paper, we propose a framework for building a multi-agent information model that captures the notion of compliance semantics and presents it using ontology. We further present a methodology for computing the compliance metric of organizational practices with regulatory standards/ requirements capturing the relevance of the ontological concepts using fuzzy weights for estimating the compliance.

Richard M. Bookstaber,Richard Bookstaber

DOI: https://doi.org/10.2139/ssrn.2642420

2012-01-01

SSRN Electronic Journal

Abstract:Existing models of financial instability tend to be based on top-down, partial-equilibrium views of markets and their interactions; they are unable to incorporate the complexity of behavior among heterogeneous firms or the tendency for all types of firms to change their behavior during a crisis. This paper argues that agent-based models (ABMs) — which seek to explain how the behavior of individual firms or “agents” can affect outcomes in complex systems — can make an important contribution to our understanding of potential vulnerabilities and paths through which risks can propagate across the financial system.

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Thamer Alhussain,Ahmad Ali AlZubi,Osama AlFarraj,Salem Alkhalaf,Musab S. Alkhalaf

DOI: https://doi.org/10.1007/978-3-030-44041-1_108

2020-01-01

Abstract:This article proposes an information security management system (ISMS) model for automated data processing systems of critical applications (ADPS-CAs). The model allows users to carry out an assessment of the risk level for information security (IS) purposes and provides support for decision-making related to countering unauthorized access to the information circulating in an ADPS-CA. Further, this article analyzes the effect of a control parameter on the probability of launching an information integrity monitoring service (IMS) during a procedure that launches a typical ADPS-CA and its IS subsystem. The results present system quality indicators for protecting information from unauthorized access. The simulation was performed in relation to automated workstations as part of the ADPS-CA of a large enterprise.

Wang Peng,Xing Li-ning

DOI: https://doi.org/10.4028/www.scientific.net/kem.460-461.428

2011-01-01

Key Engineering Materials

Abstract:Business use of Internet has exposed security as one of the key-factors for successful online competition. There are very few sound existing ISG frameworks that can effectively guide most organizations in their information security governance endeavors. This paper presents a collaborative framework for information security management system in order to elucidate how information security should be addressed at an executive level. The advanced intelligent multi-agent technology is applied in this proposed framework. In order to evaluate the proposed framework, this paper describes a prototype system based on this proposed collaborative framework. This prototype system suggests that the proposed collaborative framework is feasible, correct and valid.

W. Alec Cram,Jeffrey G. Proudfoot,John D’Arcy

DOI: https://doi.org/10.1057/s41303-017-0059-9

2017-11-01

European Journal of Information Systems

Abstract:A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

information science & library science,management,computer science, information systems

Ji Wu,Chaoqun Ye,Shiyao Jin

DOI: https://doi.org/10.1007/11689522_9

2006-01-01

Abstract:To appropriately address the problem of large-scale distributed cyber attacks and defenses, issues such as information exchange, work division and coordination must be addressed. We believe that focusing on logical foundations for information assurance construction provides the theme that drives how various defense components work together. This paper proposes an opponent agent’s mental model based on the theory of Belief-Desire-Intention, adopts the notions of agent, group and role to specify the organizational structure of distributed network attacks/defenses, and applies the computational framework of agent team to model organizational dynamics of network attacks/defenses.

Zhang Baowen,Chang Xiao,Li Jianhua

DOI: https://doi.org/10.1049/cje.2020.02.017

IF: 1.019

2020-01-01

Chinese Journal of Electronics

Abstract:As a new security defense theory, Cyberspace mimic defense（CMD） provides an architecture named Dynamic heterogeneous redundancy（DHR） to enhance the defense level of system security. Due to the new dynamic defense mechanism DHR introduced in CMD systems, traditional security modelling and analysis methods can hardly be used for them. In this paper, we propose a Security ontology-based modelling method for CMD systems（SOCMD）, which uses ontology to represent DHR components and to define their inner relationships. SOCMD also connects information components including DHRs with security vulnerabilities,threats and attackers in cyberspace. Next, attacking rules,multi-mode arbitration mechanism and combination rules are designed with SOCMD for CMD systems and a new logical-checking method is proposed to make judgement about the security state of SOCMD. Finally, different use cases and performance tests are developed to demonstrate the application process for the model and to verify the validity of our method.

Kwo‐Shing Hong,Yen‐Ping Chi,Louis R. Chao,Jih‐Hsing Tang

DOI: https://doi.org/10.1108/09685220310500153

2003-12-01

Abstract:With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Chaitanya Joshi,Jesus Rios Aliaga,David Rios Insua

DOI: https://doi.org/10.1109/tifs.2020.3029898

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Insider threats entail major security issues in many organizations. Game theoretic models of insider threats so far proposed do not take into account important factors such as the organizational culture and whether the attacker was detected or not. They also fail to model defensive mechanisms already put in place by an organization to mitigate insider attacks. We propose two new models which incorporate these settings and, hence, are more realistic, and use adversarial risk analysis to find their solutions. Our models and solutions are general and can be applied to most insider threat scenarios. A data security example illustrates the discussion.

computer science, theory & methods,engineering, electrical & electronic

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Yakubu Ajiji Makeri

DOI: https://doi.org/10.30630/joiv.4.1.280

2020-02-17

Abstract:Information Security is a crucial asset within an organization, and it needs to be protected, Information System (IS) Security is still threats a significant concern for many organizations. Is profoundly crucial for any organization to preserve Information System (IS) Security and computer resources, hardware, software, and networks, etc.The Information System (IS)assets against malicious attacks such as unauthorized access and improper use. This research, we developed a theoretical model for the adoption process of IS Security innovations in organizations, are numerous measures available that provides protection for organization IS assets, including (hardware, software, networks, etc.) and antivirus, firewall, filters, Intrusion Detection System (IDS), encryption tools, authorization mechanisms, authentication systems, and proxy devices. The model is to derive by the four combining theoretical models of innovation adoption, namely, the Theory of Planned Behaviour (TPB, Diffusion of Innovation theory (DOI), the Technology Acceptance Model (TAM),) and the Technology-Organisation-Environment (TOE) framework. The Computer security education needs to consider as a means of to combat against threats Arachchilage and Arachchilage et al., 2016). (Arachchilage and Love, 2013; While the process of innovation assimilation is as a result of the user acceptance of innovation within the organization. This model depicts security innovation adoption in organizations, as a two decision proceeding for any organization. The stage until its acquisition of innovation and adoption process from the initiation is considered as a decision made any organization. The The model also introduces several factors that influence the different stages of information Security and the innovation adoption process Adoption of IS security measures by the individuals and organizations

AJ Burns,Tom Roberts,Clay Posey,Paul Benjamin Lowry,Bryan Fuller,AJ Burns,Tom Roberts,Clay Posey,Paul Benjamin Lowry,Bryan Fuller

DOI: https://doi.org/10.2139/ssrn.4079801

2022-01-01

SSRN Electronic Journal

Abstract:Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances and nearly a third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) (2) and expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA (R2 = 0.462). Specifically, our results indicate that both instrumental and expressive motives were positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did (f2self-control = 0.195; f2org.det. = 0.048) but they also help us identify the limits of deterrence in ICA research.