Benchmarking e-business security : a model and framework

The dynamic nature of threats and vulnerabilities within the E-business environment can impede online functionality, compromise organisational or customer information, contravene security implementations and thereby undermine online customer confidence. To negate these problems, E-business security has to become proactive, by reviewing and continuously improving security to strengthen E-business security measures and policies. This can be achieved through benchmarking the security measures and policies utilised within the Ebusiness, against recognised information technology (IT) and information security (IS) security standards.

A conceptual model for security outsourcing

This research analyses the current literature on IT security outsourcing and the organisational attitudes towards this approach to determine the applicability of outsourcing IT security in a commercial environment. A conceptual model is developed as the main goal of research which provides guidance in the process of outsourcing IT security functions to a third-party security service provider. The research conducted has established a complete process for outsourcing IT security.

Investigation of stakeholders commitment to information security awaremess programs

Organisations have become increasingly dependent on technology in order to compete in their respective markets. As IT technology advances at a rapid pace, so does its complexity, giving rise to new IT security vulnerabilities and methods of attack. Even though the human factors have been recognized to have a crucial role in information security management, the effects of weakness of will and lack of commitment on the stakeholders (i.e., employers and employees) parts has never been factored into the design and delivery of awareness programs. To this end, this paper investigates the impacts of the availability of awareness programs and end-user drive and lack of commitment to information security awareness program design, delivery and success.

Transitioning towards an improved I.T. security culture in organizations

The study developed a model to help Australian organisations transition toward an improved IT security culture. The IT Security Culture Transition Model improved organisations' IT security awareness, knowledge, attitude and behaviour allowing them to better protect their IT security. The model can be implemented face-to-face and as an e-learning program.

Security and privacy concerns for Australian SMEs cloud adoption: empirical study of metropolitan vs regional SMEs

New national infrastructure initiatives such as the National Broadband Network (NBN) allow small and medium-sized enterprises (SMEs) in Australia to have greater access to cost effective Cloud computing. However, the ability of Cloud computing to store data remotely and share services in a dynamic environment brings with it security and privacy concerns. Evaluating these concerns is critical to address the Cloud computing underutilisation issue and leverage the benefits of costly NBN investment. This paper examines the influence of privacy and security factors on Cloud adoption by Australian SMEs in metropolitan and regional area. Data were collected from 150 Australian SMEs (specifically, 79 metropolitan SMEs and 71 regional SMEs) and structural equation modelling was used for the analysis. The findings reveal that privacy and security factors do not significantly influence the decision-making of Australian SMEs in the adoption of Cloud computing. Moreover, the results indicate that Cloud computing adoption is not influenced by the geographical location (i.e., metropolitan or regional location) of the SMEs. The findings extend the current understanding of Cloud computing adoption by Australian SMEs. The results will be useful to SMEs, Cloud service providers and policy makers devising Cloud security and privacy policies.

Graphical authentication : an architectural design specification

Graphical authentication is proposed as an alternative to password, smartcard, and biometric authentication as it uses the innate ability of humans to recognise visual stimuli. Despite passionate debate surrounding their privacy and invasiveness issues, smartcards and biometrics require an excessive amount of extra hardware for widespread deployment. Conversely graphical authentication extends existing infrastructure as it builds largely on the foundations of passwords with one important difference: it takes humans into account as they are better at recognising visual stimuli than recalling text-based passwords. This paper follows a preceding proof of concept paper and essentially outlines the architectural and technical design for a graphical authentication solution.

Graphical authentication: justifications and objectives

Password authentication has failed to address the compounding business requirement for increased security. Biometric authentication is beginning to address the need for tighter security, but it costs several orders of magnitude more than basic password implementations. Biometric authentication also possesses several shortcomings that inhibit its widespread adoption. In this paper we describe the trends in the literature before presenting the justifications and objectives for graphical authentication: a viable alternative to both biometrics and passwords. We also intend the paper to serve as a
prelude to forthcoming implementation and validation research.

Securing small business - the role of information technology policy

As small and medium enterprises develop their capacity to trade  electronically, they and their trading partners stand to gain considerable benefit from the resulting transaction efficiencies and business  relationships. However, this raises the question of how well small business manages its IT security and the threats that security lapses may pose to the wider trading network. It is in the interest of all members of an electronic trading network, as well as governments, to assist smaller companies to secure their business data. This paper considers the relationship between IT security management and IT policy implementation among small  businesses involved in business-to-business eCommerce. It reports the results of a survey of 240 Australian small and medium businesses  operating in a cross-industry environment. The survey found a low level of strategic integration of eCommerce along with inadequate IT security among the respondents, despite the fact that 81% were doing business online and 97% identified their business data as confidential. Businesses which implemented satisfactory levels of security technologies were more likely than others to have an information technology policy within the organisation. The paper proposes a model that outlines the development of security governance and policy implementation for small and medium businesses.

User perceptions and acceptance of benevolent worms - a matter of fear?

Worms and other forms of malware have been considered by IT Security firms and large companies for many years as one of the leading threats to the integrity of their data and security. However, several researchers over recent years have been working on creating worms which, instead of causing harm to machines which they infect, or the networks on which the machines reside, actually aid the network and systems administrators. Several uses of these worms have been proposed by these researchers, including, but not limited to, rapid remote patching of machines, network and system administration through use of their unique discovery and propagation methods, actively hunting, and defending against, other forms of malware such as "malevolent" worms, viruses, spyware, as well as increasing reliable communication of nodes in distributed computing. However, there has been no hint of commercial adoption of these worms, which one researcher has described as being due to a fear factor'. This paper concentrates on assessing and delivering the findings of user attitudes towards these worms in an attempt to find out how users feel about these worms, and to try and define and overcome the factors which might contribute to the fear factor'.

The need for best practice standards in electronic governance of patient medical records to facilitate innovation

Background : Optimising the use of electronic data offers many opportunities to health services, particularly in rural and remote areas. These include reducing the effect of distance on access to clinical information and sharing information where there are multiple service providers for a single patient. The increasing compilation of large electronic databases of patient information and the ease with which electronic information can be transferred has raised concerns about the privacy and confidentiality of such records.
Aims & rationale/Objectives : This review aims to identify legal and ethical standards for areas of electronic governance where a lack of clarity may currently impede innovation in health service delivery.
Methods : This paper describes best practices for storage and transfer of electronic patient data based on an examination of Australian legislative requirements and a review of a number of current models. This will firstly allow us to identify basic legal requirements of electronic governance as well as areas of ambiguity not fully addressed by legislation. An examination of current models will suggest recommendations for best practice in areas lacking sufficient legal guidance.
Principal findings : We have identified the following four areas of importance, and shall discuss relevant details:
1) Patients' right of ownership to electronic patient records. 2) Custodial issues with data stored in centralised health care institutions 3) IT Security, including hierarchical level access, data encryption, data transfer standards and physical security 4) Software applications usage.
Discussion : Our examination of several models of best practice for the transfer of electronic patient data, both in Australia and internationally, identifies and clarifies many unresolved issues of electronic governance. This paper will also inform future policy in this area.
Implications : Clarification will facilitate the future development of beneficial technology-based innovations by rural health services.
Presentation type : Poster

An investigation into the usability of graphical authentication using AuthentiGraph

There is increasing coverage in the literature relating to the different facets surrounding the security service of authentication, but there is a need for further research into the usability of graphical authentication. Specifically, the usability and viability of graphical authentication techniques for providing increased security needs to be further explored. There is a significant amount of evidence relating to traditional authentication techniques which highlight the fact that as technological advances grip modern societies, the requirement for more advanced authentication and security approaches increases. The exponential growth in the number of people using the Internet carries with it the high potential for increased security threats, suggesting that there are needs for further techniques to increase security in online environments. This paper presents the findings of how various interface design approaches affect the usability of a previously developed alternative graphical authentication technique called AuthentiGraph. The security design provided by Authentigraph has been established and justified in previous research by the authors. The primary focus of this paper is the usability of this technique. Using an experimental laboratory based approach, combined with an online survey, 20 university students evaluated a combination of five varying graphical interfaces in three different screen sizes. The outcome provides the interface design criteria best suited for the implementation and use of the AuthentiGraph technique.

Teaching digital forensics to undergraduate students

Digital forensics isn't commonly a part of an undergraduate university degree, but Deakin University in Australia recently introduced the subject as part of an IT security course. As instructors, we've found that digital forensics complements our other security offerings because it affords insights into why and how security fails. A basic part of this course is an ethics agreement signed by students and submitted to the unit instructor. This agreement, approved by Deakin University's legal office and consistent with Barbara Endicott-Popovsky's approach, requires students to maintain a professional and ethical attitude to the subject matter and its applications. Assignments regularly cast students in the role of forensic professional. Our teaching team emphasizes throughout the course that professional conduct establishes credibility with employers and customers as well as colleagues, and is required to perform the job effectively. This article describes our experiences with this course.

Data protection and privacy: the Australian legislation and its implications for IT professionals

The notion of privacy takes on a completely different meaning when viewed from the perspective of an IT professional, an organisation using technology to support strategic directions or a member of the public. This paper looks past the technical issues involved in data protection and examines some of the business, social and regulatory aspects that have become important to those involved in the management, storage and dissemination of electronic information. The paper documents some of the legislative developments in privacy and data protection and examines what these developments mean for IT professionals for whom the link between data captured, stored and processed into information and the resulting effect on privacy is important. The Commonwealth Privacy Act 1988 based on work done by the Council of Europe, the OECD and the European Union provides some general guidelines but only for the public sector. However, new legislation imminent. Thus, IT professionals need to be aware of the changing situation and examine their organisation’s current practices to ensure compliance with future laws.