137 results for Coefficient of Information Security

in Deakin Research Online - Australia


Relevance:

100.00% 100.00%

Publisher:

Abstract:

Important eCommerce requirements are a robust and secure technical infrastructure, and the ability to ensure the security of information and to satisfy certain related legal requirements. In this paper, based on a literature review, we present a high-level conceptual model of information security in eCommerce, consisting of three strategic dimensions: protecting organizations' information, satisfying certain legal requirements, and enabling trusted and secure electronic transactions. Our conceptual model can be used by eCommerce managers as a tool in the strategic planning and management process, to better understand and communicate the inter-dependencies between business and legal requirements. The model can also be used for devising the goals and objectives relevant to their specific organization, for designing the policies that are needed, and deciding how technology will be managed and what training is required.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The effective management of information and its associated infrastructure is critical in electronic business. Failure to exercise due diligence in information assurance and security may lead to lost revenue or business opportunities, brand and reputation erosion, adverse media publicity, scrutiny from consumer advocates and even lawsuits. Traditionally, information security was approached in terms of goals. Yet, the goals-oriented approach may be a flawed one. In this paper, we adopt a conceptual analytical approach and propose a tri-dimensional understanding of information security in electronic business. Our approach can help managers better understand and communicate information security’s role in e-business and the inter-dependencies between business and legal requirements, for devising the goals, objectives and policies relevant to their organization.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In recent years, we have witnessed many information security developmental trends. As a consequence, the dimensions of information security - once a single disciplinary area - have become multifaceted and convoluted. This paper aims to (1) recapitulate these key developments; (2) argue that the emergence of many complex information security dimensions is the result of 'constant change agents' (CCAs); (3) discuss the implications on Australia's society, i.e. government, companies and individuals; and (4) propose key consideration areas and possible solutions thereof. We hope that the discussion presented here will position Australia to make better aligned information security and strategic plans, such as choosing appropriate investments and adopting effective solutions to strengthen and secure Australia's national information security posture.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Dramatic changes in the information security risk landscape over several decades have not yet been matched by similar changes in organizational information security, which is still mainly based on a mindset that security is achieved through extensive preventive controls. As a result, maintenance cost of information security is increasing rapidly, but this increased expenditure has not really made an attack more difficult. The opposite seems to be true: information security attacks have become easier to perpetrate and appear more like information warfare tactics. At the same time, the damage caused by a successful attack has increased significantly and may sometimes become critical to an organization. In this paper we evaluate one particular extremely asymmetric risk where a strongly motivated attacker unleashes a prolonged attack on an organization with the aim to do maximum damage, and suggest that the probability of such an attack is increasing. We discuss how preventive controls are unlikely to ever be effective against such an attack and propose more advanced strategies that aim to limit the damage when such an attack occurs. One crucial lesson to be learned for those organizations that are dependent on their information security, such as critical infrastructure organizations, is the need to deny motivated attackers access to any information about the success of their attack. Successful deception in this area is likely to significantly reduce any potential escalation of the incident.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Information security is now recognised as a critical factor within the healthcare industry. With the gradual move from paper-based to electronic information there is an even greater need for protection. However, financial and operational constraints often exist which influence the practicality of developing a secure system. A new baseline security standard, the Health Information Security Management Implementation Guide, has been drafted which applies specifically to the unique information security requirements of the healthcare industry. The aim of this paper is to look at the effectiveness of the health information security standard and the development of information security within the Australian healthcare industry.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The development of Information Security as a discipline has only occurred in recent years. Currently Information Security topics are widely taught at tertiary institutions but these topics are taught from a technical perspective and in other cases from a business perspective.

This paper discusses the development of a new security curriculum within Australia and how Australian tertiary institutions responded to that curriculum; the paper also puts forward a framework that assists in curriculum development.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information for a given organisation. We argue that the traditional orientation of these methodologies, towards the identification and assessment of technical information assets, obscures key risks associated with the cultivation and deployment of organisational knowledge. Our argument is developed through an illustrative case study in which a well-documented methodology is applied to a complex data back-up process. This process is seen to depend, in subtle and often informal ways, on knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, we suggest a new approach might draw on more detailed accounts of individual knowledge, collective knowledge, and their relationship to organisational processes. Drawing on the knowledge management literature, we suggest mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in the information security chain, information security awareness with an objective to reduce information security risks that occur due to human related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users’ information security awareness and behaviour. There is a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that combined delivery methods are better than an individual security awareness delivery method.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

The reduction of size of ensemble classifiers is important for various security applications. The majority of known pruning algorithms belong to the following three categories: ranking based, clustering based, and optimization based methods. The present paper introduces and investigates a new pruning technique. It is called a Three-Level Pruning Technique, TLPT, because it simultaneously combines all three approaches in three levels of the process. This paper investigates the TLPT method combining the state-of-the-art ranking of the Ensemble Pruning via Individual Contribution ordering, EPIC, the clustering of the K-Means Pruning, KMP, and the optimisation method of Directed Hill Climbing Ensemble Pruning, DHCEP, for a phishing dataset. Our new experiments presented in this paper show that the TLPT is competitive in comparison to EPIC, KMP and DHCEP, and can achieve better outcomes. These experimental results demonstrate the effectiveness of the TLPT technique in this example of information security application.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

This article is devoted to experimental investigation of a novel application of a clustering technique introduced by the authors recently in order to use robust and stable consensus functions in information security, where it is often necessary to process large data sets and monitor outcomes in real time, as it is required, for example, for intrusion detection. Here we concentrate on a particular case of application to profiling of phishing websites. First, we apply several independent clustering algorithms to a randomized sample of data to obtain independent initial clusterings. Silhouette index is used to determine the number of clusters. Second, rank correlation is used to select a subset of features for dimensionality reduction. We investigate the effectiveness of the Pearson Linear Correlation Coefficient, the Spearman Rank Correlation Coefficient and the Goodman–Kruskal Correlation Coefficient in this application. Third, we use a consensus function to combine independent initial clusterings into one consensus clustering. Fourth, we train fast supervised classification algorithms on the resulting consensus clustering in order to enable them to process the whole large data set as well as new data. The precision and recall of classifiers at the final stage of this scheme are critical for the effectiveness of the whole procedure. We investigated various combinations of several correlation coefficients, consensus functions, and a variety of supervised classification algorithms.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

With the conversion of paper health records to electronic health records, the health care sector is increasingly relying on technology to maintain the integrity of and update patients’ data. This reliance on technology requires an acute level of protection from technological disasters and/or threats of human error or sabotage. Research has shown there are inadequacies in the installation and use of security controls for health information records and that current methods of security analysis lack the techniques to analyse the technical and social aspects of security. This paper reports on progress towards development of a health information security evaluation methodology based on Unified Modelling Language techniques, and discusses an imminent case study that will be used for validation of the methodology.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

With the convergence of paper to electronic, the health industry is relying more on technology to maintain and update the well-being of patients. This reliance on technology requires an acute level of protection from unwanted technological disasters and/or human threats. Research shows insufficiencies with the implementation and use of security controls; as well as current analysis methods lacking the techniques to analyse technical and social aspects of security. The aim of this paper is to introduce an information security evaluation methodology for health information systems based on UML.

Relevance:

100.00% 100.00%

Publisher:

Abstract:

In settings such as electronic markets where trading partners have conflicting interests and a desire to cooperate, mobile agent mediated negotiation has become very popular. However, agent-based negotiation in electronic commerce involves the exchange of critical and sensitive data that must be highly safeguarded. Therefore, in order to give benefits of quick and safe trading to the trading partners, an approach that secures the information exchanged between the mobile agents during e-Commerce negotiations is needed. To this end, we discuss an approach that we refer to as Multi-Agent Security NEgotiation Protocol (MASNEP). To show that the MASNEP protocol is free of attacks and thus the information exchanged throughout electronic negotiation is truly secured, we provide a formal proof on the correctness of the MASNEP.