Information security governance : when compliance becomes more important than security

Current security governance is often based on a centralized decision making model and still uses an ineffective 20th century risk management approach to security. This approach is relatively simple to manage since it needs almost no security governance below the top enterprise level where most decisions are made. However, while there is a role for more corporate governance, new regulations, and improved codes of best practice to address current weak organizational security practices, this may not be sufficient in the current dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as system/network administrators. Unfortunately the lack of clear business security objectives and strategies at the business unit level is likely to result in a compliance culture, where those responsible for implementing information security are more interested in complying with organizational standards and policies than improving security itself.

Information security governance: the art of detecting hidden malware

Detecting malicious software or malware is one of the major concerns in information security governance as malware authors pose a major challenge to digital forensics by using a variety of highly sophisticated stealth techniques to hide malicious code in computing systems, including smartphones. The current detection techniques are futile, as forensic analysis of infected devices is unable to identify all the hidden malware, thereby resulting in zero day attacks. This chapter takes a key step forward to address this issue and lays foundation for deeper investigations in digital forensics. The goal of this chapter is, firstly, to unearth the recent obfuscation strategies employed to hide malware. Secondly, this chapter proposes innovative techniques that are implemented as a fully-automated tool, and experimentally tested to exhaustively detect hidden malware that leverage on system vulnerabilities. Based on these research investigations, the chapter also arrives at an information security governance plan that would aid in addressing the current and future cybercrime situations.

The geo-historical legacies of urban security governance and the Vancouver 2010 Olympics

In 2004, the discourse of ‘legacy’ was woven into the constitutional fabric of the International Olympic Committee (IOC). Bidding for Olympic events is now premised on procuring post-event legacies that will resonate through local communities and host countries long after the flame is extinguished. Given vast expenditures in security, policing, and emergency management operations at major sporting events, it is notable that the IOC and its official partners have disproportionately under-represented security and policing legacies. This paper addresses research into security and policing legacies of major events by turning much needed empirical attention towards institutional level geographies of security and policing – particularly on legacies of policing and militarisation in Olympic host cities. Accordingly, the paper traces the institutional trajectory of the Military Liaison Unit (MLU) in the Vancouver Police Department who were heavily involved in coordinating the joint civilian–military effort throughout the lifecycle of the Vancouver 2010 Winter Games. Theoretically, the paper furthers Stephen Graham’s (2010) New Military Urbanism that considers the circulation of military expertise between neo-colonial frontiers of military intervention with Western urban spaces. In doing so, this paper unpacks an empirically guided temporal approach that discerns key drivers of militarisation as localised, empirical-based ‘trajectories’ of development of security and policing institutions, which are linked to, and circumscribed by, critical juncture episodes in the context of mega event security. The paper traces processes of the MLU to explain how conditions underpinning the civil–military divide in urban policing, as a series of jurisdictional, institutional, and by extension, geographical configurations have continued, changed or been abandoned in the context of the Vancouver 2010 Olympics. As such, this paper contributes to much needed debate on the controversies and opportunities inherent in security legacies and major events, which implicate the wider securitisation and militarisation of Western cities.

The geo-historical legacies of urban security governance and the Vancouver 2010 Olympics

In 2004, the discourse of ‘legacy’ was woven into the constitutional fabric of the International Olympic Committee (IOC). Bidding for Olympic events is now premised on procuring post-event legacies that will resonate through local communities and host countries long after the flame is extinguished. Given vast expenditures in security, policing, and emergency management operations at major sporting events, it is notable that the IOC and its official partners have disproportionately under-represented security and policing legacies. This paper addresses research into security and policing legacies of major events by turning much needed empirical attention towards institutional level geographies of security and policing – particularly on legacies of policing and militarisation in Olympic host cities. Accordingly, the paper traces the institutional trajectory of the Military Liaison Unit (MLU) in the Vancouver Police Department who were heavily involved in coordinating the joint civilian–military effort throughout the lifecycle of the Vancouver 2010 inter Games. Theoretically, the paper furthers Stephen Graham’s (2010) New Military Urbanism that considers the circulation of military expertise between neo-colonial frontiers of military intervention with Western urban spaces. In doing so, this paper unpacks an empirically guided temporal approach that discerns key drivers of militarisation as localised, empirical-based ‘trajectories’ of development of security and policing institutions, which are linked to, and circumscribed by, critical juncture episodes in the context of mega event security. The paper traces processes of the MLU to explain how conditions underpinning the civil–military divide in urban policing, as a series of jurisdictional, institutional, and by extension, geographical configurations have continued, changed or been abandoned in the context of the Vancouver 2010 Olympics. As such, this paper contributes to much needed debate on the controversies and opportunities inherent in security legacies and major events, which implicate the wider securitisation and militarisation of Western cities.

Interrogating national security, surveillance, and terror in Canada and Australia

In this chapter the co-editors introduce the comparative volume and its rationales, provide context about national security, surveillance and terror in both Canada and Australia, describe contributions found in the volume, and conclude with an overview of the volume.

Securing small business - the role of information technology policy

As small and medium enterprises develop their capacity to trade  electronically, they and their trading partners stand to gain considerable benefit from the resulting transaction efficiencies and business  relationships. However, this raises the question of how well small business manages its IT security and the threats that security lapses may pose to the wider trading network. It is in the interest of all members of an electronic trading network, as well as governments, to assist smaller companies to secure their business data. This paper considers the relationship between IT security management and IT policy implementation among small  businesses involved in business-to-business eCommerce. It reports the results of a survey of 240 Australian small and medium businesses  operating in a cross-industry environment. The survey found a low level of strategic integration of eCommerce along with inadequate IT security among the respondents, despite the fact that 81% were doing business online and 97% identified their business data as confidential. Businesses which implemented satisfactory levels of security technologies were more likely than others to have an information technology policy within the organisation. The paper proposes a model that outlines the development of security governance and policy implementation for small and medium businesses.

Good governance and market-based reforms : a study of Bangladesh

‘Good governance’ is increasingly regarded as pivotal to development in developing countries. The six indicators recognized as the most effective measurement tools of ‘good governance’ across the world are: voice and accountability; political stability and absence of violence; government effectiveness; regulatory quality; rule of law and control of corruption (Kaufmann, Kraay and Lobaton, 2003: 8–9). This paper investigates how lack of ‘good governance’ affects the success and sustainability of the market-based reforms undertaken in the agriculture sector of Bangladesh. The reforms have been associated with increased food grain production, improved food security conditions and easy access by farmers to agricultural inputs. However, a significant problem has arisen recently: the sale of low quality and underweight agricultural inputs sometimes at higher prices has become common. Not only is this problem undermining the positive impact of the reforms, it is also threatening their sustainability. The paper argues that the problems with regulatory quality, rule of law and control of corruption – indicators of good governance – are the underlying reasons for this problem. In the context of increasing pressures from donors to pursue market-based reforms, this paper stresses the need for integrated governance linking government, business and civil society as paramount for promoting good governance for the success and sustainability of the reforms.

The need for best practice standards in electronic governance of patient medical records to facilitate innovation

Background : Optimising the use of electronic data offers many opportunities to health services, particularly in rural and remote areas. These include reducing the effect of distance on access to clinical information and sharing information where there are multiple service providers for a single patient. The increasing compilation of large electronic databases of patient information and the ease with which electronic information can be transferred has raised concerns about the privacy and confidentiality of such records.
Aims & rationale/Objectives : This review aims to identify legal and ethical standards for areas of electronic governance where a lack of clarity may currently impede innovation in health service delivery.
Methods : This paper describes best practices for storage and transfer of electronic patient data based on an examination of Australian legislative requirements and a review of a number of current models. This will firstly allow us to identify basic legal requirements of electronic governance as well as areas of ambiguity not fully addressed by legislation. An examination of current models will suggest recommendations for best practice in areas lacking sufficient legal guidance.
Principal findings : We have identified the following four areas of importance, and shall discuss relevant details:
1) Patients' right of ownership to electronic patient records. 2) Custodial issues with data stored in centralised health care institutions 3) IT Security, including hierarchical level access, data encryption, data transfer standards and physical security 4) Software applications usage.
Discussion : Our examination of several models of best practice for the transfer of electronic patient data, both in Australia and internationally, identifies and clarifies many unresolved issues of electronic governance. This paper will also inform future policy in this area.
Implications : Clarification will facilitate the future development of beneficial technology-based innovations by rural health services.
Presentation type : Poster

Enabling information security culture : influences and challenges for Australian SMEs

An effective information security culture is vital to the success of information systems governance, risk management and compliance. Small and medium size enterprises (SMEs) face special challenges developing an information security culture as they may lack the information security knowledge, skills and behaviours of large organisations. This paper reports the main findings from an interpretive study of key influences enabling an effective information security culture for Australian SMEs. The paper provides a framework depicting external and internal influences on SME information security culture and a set of key challenges in the Australian context. The findings highlight that SME owner attitudes and behaviour – in turn influenced by government involvement - strongly influence information security culture for Australian SMEs. A surprising finding is the potential influence of the Australian culture. Practical and theoretical implications are discussed.

Surveillance, Governance and Professional Sport

The surveillance capacities of professional sports clubs and Leagues are directly related to their modes of governance. This paper identifies how private sports clubs enact surveillance through processes of inclusion and exclusion. Using three examples to demonstrate these processes, we argue that the surveillance mechanisms associated with sports governance at times replicate, at other times contradict, and at other times influence those associated with broader law enforcement and security developments. These examples also suggest potential increases in surveillance activities that emerge in club governance often flow from external concerns regarding allegations of crime, national security breaches and corruption. These context-specific case studies (Flyvbjerg 2001) demonstrate how surveillance and identity authentication are closely tied to the complex, multi-tiered governance structures and practices in three distinct sports. We then explore how these patterns can be interpreted as either connected to or distinct from equivalent developments involving the surveillance surge (Murakami Wood 2009) and concepts of inclusion and exclusion under the criminal law. We conclude by discussing how both internal and external regulatory forces can shape interrelated facets of surveillance, governance and exclusion in elite sports.

Security networks and occupational culture: understanding culture within and between organisations

Security networks are organisational forms involving public, private and hybrid actors or nodes that work together to pursue security-related objectives. While we know that security networks are central to the governance of security, and that security networks exist at multiple levels across the security field, we still do not know enough about how these networks form and function. Based on a detailed qualitative study of networks in the field of ‘high’ policing in Australia, this article aims to advance our knowledge of the relational properties of security networks. Following the organisational culture literature, the article uses the concept of a ‘group’ as the basis with which to analyse and understand culture. A group can apply to networks (‘network culture’), organisations (‘organisational culture’) and sections within and between organisations (‘occupational subcultures’). Using interviews with senior members of security, police and intelligence agencies, the article proceeds to analyse how cultures form and function within such groups. In developing a network perspective on occupational culture, the article challenges much of the police culture(s) literature for concentrating too heavily on police organisations as independent units of analysis. The article moves beyond debates between integrated or differentiated organisational cultures and questions concerning the extent to which culture shapes particular outcomes, to analyse the ways in which security nodes relate to one another in security networks. If there is one thing that should be clear it is that security nodes experience cultural change as they work together in and through networks.

The passage of authority: imagining the political transformation of Australia’s Christmas Island, from sovereignty to governance

In 2012, Australia’s Christmas Island is best known as an island of immigration detention, a key component of Australia’s growing offshore border security apparatus, where interdicted boat arrivals seeking asylum are detained and processed. This article offers one account of how the Island came to be what it is, by providing two snapshots of the operable set of power relations on Christmas Island, then and now: ‘Island in the Sun’, and ‘Tropics of Governance’. Side by side, their stark contrast reveals the passage of authority through time and place, from the embodied, unified voice of the sovereignty of the British Empire to the palliative communication and bureaucratic sincerity that characterise governance. By disclosing shifting patterns of emergence and decay and showing border security’s intimate relation to governance, this article seeks to offer a deepened understanding of the current detention situation in its immanence. What can now be seen as Christmas Island’s past follies also reveals the restless work of successive political imaginations, the shifting ways and means by which an island can be translated into a solution to a political problem, and how successive solutions tend toward wreck and ruin.