137 results for Coefficient of Information Security


Relevance:

100.00% 100.00%

Publisher:

Abstract:

This paper proposes to address the need for more innovation in organisational information security by adding a security requirement engineering focus. Based on the belief that any heavyweight security requirements process in organisational security will be doomed to fail, we developed a security requirement approach with three dimensions. The use of a simple security requirements process in the first dimension has been augmented by an agile security approach. However, introducing this second dimension of agile security does provide support for, but does not necessarily stimulate, innovation. A third dimension is, therefore, needed to ensure there is a proper focus in the organisation's efforts to identify potential new innovations in their security. To create this focus three common shortcomings in organisational information security have been identified. The resulting security approach that addresses these shortcomings is called Ubiquitous Information Security. This paper will demonstrate the potential of this new approach by briefly discussing its possible application in two areas: Ubiquitous Identity Management and Ubiquitous Wireless Security.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

New social networking systems such as Facebook are an ever evolving and developing means of social interaction, which is not only being used to disseminate information to family, friends and colleagues but as a way of meeting and interacting with "strangers" through the advent of a large number of social applications. This paper will focus upon the impact of Generation F - the Facebook Generation and their attitudes to security. The paper will be based around discussing the findings of a major UK case study and the implications that this has. The case study identifies 51 recommendations to improve the situation of data security within the military of the UK. These recommendations will be the data for the analysis and will form an overview of the case study’s point of view as regards the younger generation and data security. This paper will suggest another interpretation of the results supplied by Burton.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Network security, particularly Internet security, is at the forefront of business and government networks. This research has discovered weaknesses in current professional practice, particularly in mitigation strategies to reduce the impacts of security violations in corporate telecommunications and data centres. The importance of integrating security policies, processes and operational practice is demonstrated. Leadership models and innovation mechanisms best suited to improved security design are also identified.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This thesis develops a framework of key influences that must be considered in order to enable development of an information security culture in Australian small and medium enterprises. The study argues that, by ensuring that key influences are in place, an effective information security culture will evolve.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Information technology has become the core tool of business organisations. External and internal threats as well as legal, regulatory and contractual compliance requirements are all combining to make effective information security a key information technology management challenge. This paper describes an undergraduate information technology security management course that provides comprehensive knowledge and skills necessary to manage both strategic and operational aspects of information security. The course covers a broad range of managerial topics in information technology security and makes use of a number of security tools and techniques to complement the theory taught. In this paper, we describe our approach, our experiences and lessons learned for teaching an information technology security management course. The paper details the content of the course and outlines how it is taught and assessed.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In order to decrease information security threats caused by human-related vulnerabilities, an increased concentration on information security awareness and training is necessary. There are numerous information security awareness training delivery methods. The purpose of this study was to determine what delivery method is most successful in providing security awareness training. We conducted security awareness training using various delivery methods such as text based, game based and a short video presentation with the aim of determining user preference delivery methods. Our study suggests that combined delivery methods are better than an individual security awareness delivery method.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Current security governance is often based on a centralized decision making model and still uses an ineffective 20th century risk management approach to security. This approach is relatively simple to manage since it needs almost no security governance below the top enterprise level where most decisions are made. However, while there is a role for more corporate governance, new regulations, and improved codes of best practice to address current weak organizational security practices, this may not be sufficient in the current dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as system/network administrators. Unfortunately the lack of clear business security objectives and strategies at the business unit level is likely to result in a compliance culture, where those responsible for implementing information security are more interested in complying with organizational standards and policies than improving security itself.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This paper will focus upon the impact of Generation Y and their attitudes to security. The paper will be based around discussing the findings of a recent report by the Office of Police Integrity (OPI) on “Information Security and the Victoria Police State Surveillance Unit”.
Issues that will be discussed include the context of Generation Y and how they contribute to the case study, their attitudes, or their perceived attitudes to security of information. A discussion of the OPI report itself, and the issues that have arisen. A brief overview of the key findings within this report and the implications of these findings.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

An effective information security culture is vital to the success of information systems governance, risk management and compliance. Small and medium size enterprises (SMEs) face special challenges developing an information security culture as they may lack the information security knowledge, skills and behaviours of large organisations. This paper reports the main findings from an interpretive study of key influences enabling an effective information security culture for Australian SMEs. The paper provides a framework depicting external and internal influences on SME information security culture and a set of key challenges in the Australian context. The findings highlight that SME owner attitudes and behaviour – in turn influenced by government involvement - strongly influence information security culture for Australian SMEs. A surprising finding is the potential influence of the Australian culture. Practical and theoretical implications are discussed.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The current information security standards still advocate the use of risk assessment in the prioritisation of security investments. However, prior research on the use of risk assessment methodologies in organisational security has shown that the use of the traditional monolithic risk assessment process described in the current risk management standard is simply not practical at the organisational level. This paper first examines the problems in performing a systematic risk assessment and then discusses the limitations of a traditional risk assessment. To address these limitations, this paper proposes splitting up the current monolithic risk assessment process. The result is an information security assessment framework that puts greater emphasis on situational awareness and allows for better decision making on the prioritization of security investments.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Information disclosure is a key concern for many organisations, especially in the era of social media. Social media allows for information disclosure to occur easily due to the ubiquitous usage of technology such as mobile devices. Acceptable social media policies can be used by organisations and their employees to improve their decision making behaviours as well as being used as a controlling mechanism to mitigate the issue of information disclosure. Through a review of related research literature along with a content analysis of publicly available Australian social media policies, this paper identifies a perceived gap pertaining to the issue of information disclosure in current Australian social media use policies. To fill this gap, we have highlighted the key components when developing an organisational social media policy. Evaluation criteria are also proposed by the paper that organisations can use to assist in mitigating information disclosure.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Sensor networks are a branch of distributed ad hoc networks with a broad range of applications in surveillance and environment monitoring. In these networks, message exchanges are carried out in a multi-hop manner. Due to resource constraints, security professionals often use lightweight protocols, which do not provide adequate security. Even in the absence of constraints, designing a foolproof set of protocols and codes is almost impossible. This leaves the door open to the worms that take advantage of the vulnerabilities to propagate via exploiting the multi-hop message exchange mechanism. This issue has drawn the attention of security researchers recently. In this paper, we investigate the propagation pattern of information in wireless sensor networks based on an extended theory of epidemiology. We develop a geographical susceptible-infective model for this purpose and analytically derive the dynamics of information propagation. Compared with the previous models, ours is more realistic and is distinguished by two key factors that had been neglected before: 1) the proposed model does not purely rely on epidemic theory but rather binds it with geometrical and spatial constraints of real-world sensor networks and 2) it extends to also model the spread dynamics of conflicting information (e.g., a worm and its patch). We do extensive simulations to show the accuracy of our model and compare it with the previous ones. The findings show the common intuition that the infection source is the best location to start patching from, which is not necessarily right. We show that this depends on many factors, including the time it takes for the patch to be developed, worm/patch characteristics as well as the shape of the network.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Organizations apply information security risk assessment (ISRA) methodologies to systematically and comprehensively identify information assets and related security risks. We review the ISRA literature and identify three key deficiencies in current methodologies that stem from their traditional accountancy-based perspective and a limited view of organizational "assets". In response, we propose a novel rich description method (RDM) that adopts a less formal and more holistic view of information and knowledge assets that exist in modern work environments. We report on an in-depth case study to explore the potential for improved asset identification enabled by the RDM compared to traditional ISRAs. The comparison shows how the RDM addresses the three key deficiencies of current ISRAs by providing: 1) a finer level of granularity for identifying assets, 2) a broader coverage of assets that reflects the informal aspects of business practices, and 3) the identification of critical knowledge assets.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Information literacy has become an important skill for undergraduate students due to societal changes that have seen information become a valuable commodity, the need for graduates to become lifelong learners, and the recognition that information literacy is an underpinning generic skill for effective learning in higher education. This paper describes a sequence of activities and technologies designed to help students learn and practice information literacy skills. These activities have been purposefully designed and integrated into a first-year engineering and technology study unit as a core syllabus element. A formal evaluation of aspects of these activities was planned and undertaken in semester one 2003.