20 results for security assessment

in Deakin Research Online - Australia


Relevance:

80.00%

Publisher:

Abstract:

The current information security standards still advocate the use of risk assessment in the prioritisation of security investments. However, prior research on the use of risk assessment methodologies in organisational security has shown that the use of the traditional monolithic risk assessment process described in the current risk management standard is simply not practical at the organisational level. This paper first examines the problems in performing a systematic risk assessment and then discusses the limitations of a traditional risk assessment. To address these limitations, this paper proposes splitting up the current monolithic risk assessment process. The result is an information security assessment framework that puts greater emphasis on situational awareness and allows for better decision making on the prioritization of security investments.

Relevance:

60.00%

Publisher:

Abstract:

This paper draws together previous security assessment research and builds upon the current systems modelling research investigation into the application of potential modelling styles that can be applied to model critical infrastructure systems, networks, their inter-relationships and functionality. The emphasis here is to develop appropriate benchmarks as a means of assessment to determine the appropriateness of various systems modelling styles and techniques and their suitability for modelling critical infrastructure systems. The benchmarks are applicable on a number of differing levels to determine the ‘best fit’ for modelling critical infrastructure systems, to aid in identifying potential system or inter-network vulnerabilities.

Relevance:

40.00%

Publisher:

Abstract:

Ease of Internet accessibility has offered business the opportunity to incorporate this electronic infrastructure technology into establishing electronic-based supply chains. With the improved efficiency that this brings to the management and functionality of the supply chain, there are also security considerations that should be taken into account for protecting the integrity of the electronic supply chain, not only within each business node, but also across the entire supply chain. Such security vulnerabilities can be negated with the implementation of security measures and policies, however these need to be consistent throughout the supply chain and regularly assessed against security benchmarks in order to ensure they meet adequate security standards.

Relevance:

40.00%

Publisher:

Abstract:

The prominence of global warming as an environmental issue has illustrated the close relationship between natural resources, ecosystems and global security. Whilst environmental decision making often uses techniques such as economic valuation and risk management, the security component is often not considered, at least not from a security analyst’s perspective. Yet environmental security considerations can be global, regional and/or national in impact. Environmental change and policy can affect human health and well being as well as initiating conflict; it can affect the existence of life itself. These aspects are firmly in the domain of the security discipline although the protection of the global ecosystem has not traditionally been considered by those who create security policy. The idea of environmental/ecological security ranges from the eco-centric approach which examines the impact of human activities that impact on the security of the natural systems to the more traditional anthropocentric perspectives that look at varied issues such as conflict caused by natural resource competition and environmental degradation, and the greening of military operations. This paper will assert that the inclusion of the security factor in policy creation and environmental assessments is essential to give richer solutions to these complex socio-economic and ecological situations. Systems theory over the last few decades has emphasised the inclusion of as many perspectives on messy problems as possible to provide truly systemic outcomes. It is posited that the addition of such concepts as threat analyses will produce more effective and sustainable outcomes.

Relevance:

40.00%

Publisher:

Abstract:

There are two fundamental challenges in effectively performing security risk assessment in today's IT projects. The first is the project manager's need to know what IT security risks face the project before the project begins. At this stage IT security staff are unable to answer this question without first knowing the system requirements for the project which are yet to be defined. Second, organisations that deal with a large project throughput each year find the current IT security risk assessment process to be tedious and expensive, especially when the same process has to be repeated for each individual project. This also makes it difficult for an organisation to prioritise which projects require more investment in IT security in order to fit within budget constraints. This paper presents a conceptual model that is based on an agile approach to alleviate these challenges. We do this by first analysing two online database resources of vulnerabilities by comparing them to each other, and then compare them to the agile criteria of the conceptual model which we define. The conceptual model is then presented and an example is given of how it can be applied to an actual project. We then briefly discuss what further work needs to be done to implement the conceptual model and validate it against an existing IT project.

Relevance:

40.00%

Publisher:

Abstract:

Organizations apply information security risk assessment (ISRA) methodologies to systematically and comprehensively identify information assets and related security risks. We review the ISRA literature and identify three key deficiencies in current methodologies that stem from their traditional accountancy-based perspective and a limited view of organizational "assets". In response, we propose a novel rich description method (RDM) that adopts a less formal and more holistic view of information and knowledge assets that exist in modern work environments. We report on an in-depth case study to explore the potential for improved asset identification enabled by the RDM compared to traditional ISRAs. The comparison shows how the RDM addresses the three key deficiencies of current ISRAs by providing: 1) a finer level of granularity for identifying assets, 2) a broader coverage of assets that reflects the informal aspects of business practices, and 3) the identification of critical knowledge assets.

Relevance:

30.00%

Publisher:

Abstract:

This article reports the establishment of a pilot ‘virtual clinic’ in a rural region of Victoria, Australia. Using low-cost videophones that work across ordinary phone lines, together with off-the-shelf (mostly automatic) clinical tools, local volunteers have been trained to mediate a virtual consultation between simulated patients and local GPs. This system has the potential to save long trips into town by such patients since the traditional ‘home visit’ is not feasible, as well as to provide regular home monitoring for those with chronic conditions. This in turn should impact favourably on ambulance deployment, sometimes enabling patients to avoid going to hospital or allowing them to come home sooner than otherwise would be the case, and generally to offer a sense of medical security to those living in isolated regions.

Relevance:

30.00%

Publisher:

Abstract:

With advances in computer-based technologies and the emergence of e-learning, there are unprecedented opportunities to reconsider assessment of learning (and, axiomatically, of teaching) and how this can be undertaken. One approach is adaptive assessment. Although it has existed in the tertiary environment since the time of the oral examination, advanced technologies allow much fuller exploitation of the possibilities inherent in a dynamic system of testing that responds to the user. Having described the characteristics of adaptive assessment, this paper considers how it can achieve significant pedagogical aims within the sector. The paper differentiates between adaptive assessment to assist learning and adaptive assessment to assess achievement. How adaptive assessment can be put in place and salient issues, such as security and system integrity, when such assessment is used for credit, are then discussed. The paper concludes that the capability exists but it has yet to be exploited within higher education as a viable approach to assessment and as a contributor to quality learning.

Relevance:

30.00%

Publisher:

Abstract:

Supply chains are increasingly relying on information and communications technologies and in particular electronic commerce to facilitate transactions between supply chain partners. The adoption of these enabling technologies brings several enhancements to the conduct of business including gains in efficiency. However there are also drawbacks inherent in these technologies that include threats that are imposed on businesses that use them. This paper presents a study on retail supply chains and the risks and vulnerabilities that cooperating supply chain partners are exposed to when adopting these technologies. In particular, the paper discusses the various threats and vulnerabilities of retail supply and presents a conceptual model of such risks.

Relevance:

30.00%

Publisher:

Abstract:

Small and Medium sized Enterprises (SMEs) play an important role within the Australian economy. There is a strong business case for Australian SMEs to be involved in e-business, which has been realised as the use of the Internet for performing business activities continues to increase. The evidence available indicates the uptake and advancement of performing e-business activities shall be dependent on the ability of Australian SMEs to secure their e-business systems. This paper presents the results of a case study, which applied a previously developed methodology to a small SME e-business system. The purpose was to validate the ability of the Australian Small to Medium Enterprise E-business Security Methodology (ASME-EBSM) to provide an effective security management strategy for Australian SMEs. The outcome demonstrated that this approach was both feasible and realistic for providing recommendations to secure the e-business activities performed and to protect the small SME e-business system.

Relevance:

30.00%

Publisher:

Abstract:

Summary: "In the wake of the September 11 and subsequent terrorist attacks, the academic and media commentaries on Islam the religion and Islam the basis for political ideology have received an unprecedented high level of exposure and attention. The acts of political violence by extremist groups and the omnipresent war on terror have added fresh uncertainties to an already complex global order. Just as terrorism and counter-terrorism are locked in a mutually re-enforcing symbiosis, the sense of insecurity felt by Muslims and non-Muslims alike is mutually dependent and has the potential to escalate. This general assessment holds true for Muslims living in the Muslim world and beyond. The pervasive sense of being under attack physically and culturally by the United States and its allies has contributed to a growing unease among Muslims and re-enforced deep-seated mistrust of the ʻWestʼ. Public articulation of such misgivings has in turn, lent credence to Western observers who posit an inherent antipathy between the West and the Muslim world. The subsequent policies that have emerged in this context of fear and mutual distrust have contributed to the vicious cycle of insecurity. The present volume is anchored in the current debates on the uneasy and potentially mutually destructive relationship between the Muslim world and certain West countries. It brings together leading international scholars in this interdisciplinary field to deal with such inter-related questions as the nature of Islamism, the impact of the ʻwar on terrorʼ on the spread of militancy, the growing sense of being under siege by Muslim Diasporas and the many unintended ramifications of a security-minded world order. This volume deliberately focuses on these issues both at a broad theoretical level but more importantly in the form of a number of prominent case studies including Indonesia, Algeria and Turkey."--Publisher description.

Relevance:

30.00%

Publisher:

Abstract:

Young children spend a significant portion of their lives at primary school. This research traces the development of school facilities in Victoria and examines the performance of six primary schools from the users' perspective. Performance assessments were carried out using participatory evaluation methods that included Touring Interviews with small groups of students aged from six to twelve years. The study found that participatory evaluation methods with both student and staff users generate significant information to improve school facilities. User comments were analysed with respect to 14 aspects of building quality and serviceability including character, thermal environment, privacy and flexibility. The study concludes that school buildings do not meet a number of key user requirements. Children expressed dissatisfaction with furniture and equipment in their classrooms and the playground, and to a lesser extent with student toilets, security of their school bags and personal privacy. Staff were dissatisfied with the provision of withdrawal areas and specialist spaces. Department of School Education facilities guidelines do not address the concerns of school users or meet user needs.

Relevance:

30.00%

Publisher:

Abstract:

The records of 392 men hospitalized in a maximum security forensic psychiatric hospital were reviewed. Demographic information was collected as well as data from the men's performance on the Psychopathy Checklist-Revised (PCL-R) and Minnesota Multiphasic Personality Inventory-2 (MMPI-2). Prevalence rates for malingering were low across the sample. However, results of chi-square analysis revealed that those who scored high on the PCL-R received a diagnosis of malingering significantly more frequently than those who scored low on the PCL-R. Clinical applications and theoretical implications of the results are discussed.

Relevance:

30.00%

Publisher:

Abstract:

Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information for a given organisation. We argue that the traditional orientation of these methodologies, towards the identification and assessment of technical information assets, obscures key risks associated with the cultivation and deployment of organisational knowledge. Our argument is developed through an illustrative case study in which a well-documented methodology is applied to a complex data back-up process. This process is seen to depend, in subtle and often informal ways, on knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, we suggest a new approach might draw on more detailed accounts of individual knowledge, collective knowledge, and their relationship to organisational processes. Drawing on the knowledge management literature, we suggest mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies.

Relevance:

30.00%

Publisher:

Abstract:

Purpose – Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach – The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation’s security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.

Findings – It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.

Originality/value – Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.