An assurance-based model to holistically assess the information security posture

EXECUTIVE SUMMARY : Evaluating Information Security Posture within an organization is becoming a very complex task. Currently, the evaluation and assessment of Information Security are commonly performed using frameworks, methodologies and standards which often consider the various aspects of security independently. Unfortunately this is ineffective because it does not take into consideration the necessity of having a global and systemic multidimensional approach to Information Security evaluation. At the same time the overall security level is globally considered to be only as strong as its weakest link. This thesis proposes a model aiming to holistically assess all dimensions of security in order to minimize the likelihood that a given threat will exploit the weakest link. A formalized structure taking into account all security elements is presented; this is based on a methodological evaluation framework in which Information Security is evaluated from a global perspective. This dissertation is divided into three parts. Part One: Information Security Evaluation issues consists of four chapters. Chapter 1 is an introduction to the purpose of this research purpose and the Model that will be proposed. In this chapter we raise some questions with respect to "traditional evaluation methods" as well as identifying the principal elements to be addressed in this direction. Then we introduce the baseline attributes of our model and set out the expected result of evaluations according to our model. Chapter 2 is focused on the definition of Information Security to be used as a reference point for our evaluation model. The inherent concepts of the contents of a holistic and baseline Information Security Program are defined. Based on this, the most common roots-of-trust in Information Security are identified. Chapter 3 focuses on an analysis of the difference and the relationship between the concepts of Information Risk and Security Management. Comparing these two concepts allows us to identify the most relevant elements to be included within our evaluation model, while clearing situating these two notions within a defined framework is of the utmost importance for the results that will be obtained from the evaluation process. Chapter 4 sets out our evaluation model and the way it addresses issues relating to the evaluation of Information Security. Within this Chapter the underlying concepts of assurance and trust are discussed. Based on these two concepts, the structure of the model is developed in order to provide an assurance related platform as well as three evaluation attributes: "assurance structure", "quality issues", and "requirements achievement". Issues relating to each of these evaluation attributes are analysed with reference to sources such as methodologies, standards and published research papers. Then the operation of the model is discussed. Assurance levels, quality levels and maturity levels are defined in order to perform the evaluation according to the model. Part Two: Implementation of the Information Security Assurance Assessment Model (ISAAM) according to the Information Security Domains consists of four chapters. This is the section where our evaluation model is put into a welldefined context with respect to the four pre-defined Information Security dimensions: the Organizational dimension, Functional dimension, Human dimension, and Legal dimension. Each Information Security dimension is discussed in a separate chapter. For each dimension, the following two-phase evaluation path is followed. The first phase concerns the identification of the elements which will constitute the basis of the evaluation: ? Identification of the key elements within the dimension; ? Identification of the Focus Areas for each dimension, consisting of the security issues identified for each dimension; ? Identification of the Specific Factors for each dimension, consisting of the security measures or control addressing the security issues identified for each dimension. The second phase concerns the evaluation of each Information Security dimension by: ? The implementation of the evaluation model, based on the elements identified for each dimension within the first phase, by identifying the security tasks, processes, procedures, and actions that should have been performed by the organization to reach the desired level of protection; ? The maturity model for each dimension as a basis for reliance on security. For each dimension we propose a generic maturity model that could be used by every organization in order to define its own security requirements. Part three of this dissertation contains the Final Remarks, Supporting Resources and Annexes. With reference to the objectives of our thesis, the Final Remarks briefly analyse whether these objectives were achieved and suggest directions for future related research. Supporting resources comprise the bibliographic resources that were used to elaborate and justify our approach. Annexes include all the relevant topics identified within the literature to illustrate certain aspects of our approach. Our Information Security evaluation model is based on and integrates different Information Security best practices, standards, methodologies and research expertise which can be combined in order to define an reliable categorization of Information Security. After the definition of terms and requirements, an evaluation process should be performed in order to obtain evidence that the Information Security within the organization in question is adequately managed. We have specifically integrated into our model the most useful elements of these sources of information in order to provide a generic model able to be implemented in all kinds of organizations. The value added by our evaluation model is that it is easy to implement and operate and answers concrete needs in terms of reliance upon an efficient and dynamic evaluation tool through a coherent evaluation system. On that basis, our model could be implemented internally within organizations, allowing them to govern better their Information Security. RÉSUMÉ : Contexte général de la thèse L'évaluation de la sécurité en général, et plus particulièrement, celle de la sécurité de l'information, est devenue pour les organisations non seulement une mission cruciale à réaliser, mais aussi de plus en plus complexe. A l'heure actuelle, cette évaluation se base principalement sur des méthodologies, des bonnes pratiques, des normes ou des standards qui appréhendent séparément les différents aspects qui composent la sécurité de l'information. Nous pensons que cette manière d'évaluer la sécurité est inefficiente, car elle ne tient pas compte de l'interaction des différentes dimensions et composantes de la sécurité entre elles, bien qu'il soit admis depuis longtemps que le niveau de sécurité globale d'une organisation est toujours celui du maillon le plus faible de la chaîne sécuritaire. Nous avons identifié le besoin d'une approche globale, intégrée, systémique et multidimensionnelle de l'évaluation de la sécurité de l'information. En effet, et c'est le point de départ de notre thèse, nous démontrons que seule une prise en compte globale de la sécurité permettra de répondre aux exigences de sécurité optimale ainsi qu'aux besoins de protection spécifiques d'une organisation. Ainsi, notre thèse propose un nouveau paradigme d'évaluation de la sécurité afin de satisfaire aux besoins d'efficacité et d'efficience d'une organisation donnée. Nous proposons alors un modèle qui vise à évaluer d'une manière holistique toutes les dimensions de la sécurité, afin de minimiser la probabilité qu'une menace potentielle puisse exploiter des vulnérabilités et engendrer des dommages directs ou indirects. Ce modèle se base sur une structure formalisée qui prend en compte tous les éléments d'un système ou programme de sécurité. Ainsi, nous proposons un cadre méthodologique d'évaluation qui considère la sécurité de l'information à partir d'une perspective globale. Structure de la thèse et thèmes abordés Notre document est structuré en trois parties. La première intitulée : « La problématique de l'évaluation de la sécurité de l'information » est composée de quatre chapitres. Le chapitre 1 introduit l'objet de la recherche ainsi que les concepts de base du modèle d'évaluation proposé. La maniéré traditionnelle de l'évaluation de la sécurité fait l'objet d'une analyse critique pour identifier les éléments principaux et invariants à prendre en compte dans notre approche holistique. Les éléments de base de notre modèle d'évaluation ainsi que son fonctionnement attendu sont ensuite présentés pour pouvoir tracer les résultats attendus de ce modèle. Le chapitre 2 se focalise sur la définition de la notion de Sécurité de l'Information. Il ne s'agit pas d'une redéfinition de la notion de la sécurité, mais d'une mise en perspectives des dimensions, critères, indicateurs à utiliser comme base de référence, afin de déterminer l'objet de l'évaluation qui sera utilisé tout au long de notre travail. Les concepts inhérents de ce qui constitue le caractère holistique de la sécurité ainsi que les éléments constitutifs d'un niveau de référence de sécurité sont définis en conséquence. Ceci permet d'identifier ceux que nous avons dénommés « les racines de confiance ». Le chapitre 3 présente et analyse la différence et les relations qui existent entre les processus de la Gestion des Risques et de la Gestion de la Sécurité, afin d'identifier les éléments constitutifs du cadre de protection à inclure dans notre modèle d'évaluation. Le chapitre 4 est consacré à la présentation de notre modèle d'évaluation Information Security Assurance Assessment Model (ISAAM) et la manière dont il répond aux exigences de l'évaluation telle que nous les avons préalablement présentées. Dans ce chapitre les concepts sous-jacents relatifs aux notions d'assurance et de confiance sont analysés. En se basant sur ces deux concepts, la structure du modèle d'évaluation est développée pour obtenir une plateforme qui offre un certain niveau de garantie en s'appuyant sur trois attributs d'évaluation, à savoir : « la structure de confiance », « la qualité du processus », et « la réalisation des exigences et des objectifs ». Les problématiques liées à chacun de ces attributs d'évaluation sont analysées en se basant sur l'état de l'art de la recherche et de la littérature, sur les différentes méthodes existantes ainsi que sur les normes et les standards les plus courants dans le domaine de la sécurité. Sur cette base, trois différents niveaux d'évaluation sont construits, à savoir : le niveau d'assurance, le niveau de qualité et le niveau de maturité qui constituent la base de l'évaluation de l'état global de la sécurité d'une organisation. La deuxième partie: « L'application du Modèle d'évaluation de l'assurance de la sécurité de l'information par domaine de sécurité » est elle aussi composée de quatre chapitres. Le modèle d'évaluation déjà construit et analysé est, dans cette partie, mis dans un contexte spécifique selon les quatre dimensions prédéfinies de sécurité qui sont: la dimension Organisationnelle, la dimension Fonctionnelle, la dimension Humaine, et la dimension Légale. Chacune de ces dimensions et son évaluation spécifique fait l'objet d'un chapitre distinct. Pour chacune des dimensions, une évaluation en deux phases est construite comme suit. La première phase concerne l'identification des éléments qui constituent la base de l'évaluation: ? Identification des éléments clés de l'évaluation ; ? Identification des « Focus Area » pour chaque dimension qui représentent les problématiques se trouvant dans la dimension ; ? Identification des « Specific Factors » pour chaque Focus Area qui représentent les mesures de sécurité et de contrôle qui contribuent à résoudre ou à diminuer les impacts des risques. La deuxième phase concerne l'évaluation de chaque dimension précédemment présentées. Elle est constituée d'une part, de l'implémentation du modèle général d'évaluation à la dimension concernée en : ? Se basant sur les éléments spécifiés lors de la première phase ; ? Identifiant les taches sécuritaires spécifiques, les processus, les procédures qui auraient dû être effectués pour atteindre le niveau de protection souhaité. D'autre part, l'évaluation de chaque dimension est complétée par la proposition d'un modèle de maturité spécifique à chaque dimension, qui est à considérer comme une base de référence pour le niveau global de sécurité. Pour chaque dimension nous proposons un modèle de maturité générique qui peut être utilisé par chaque organisation, afin de spécifier ses propres exigences en matière de sécurité. Cela constitue une innovation dans le domaine de l'évaluation, que nous justifions pour chaque dimension et dont nous mettons systématiquement en avant la plus value apportée. La troisième partie de notre document est relative à la validation globale de notre proposition et contient en guise de conclusion, une mise en perspective critique de notre travail et des remarques finales. Cette dernière partie est complétée par une bibliographie et des annexes. Notre modèle d'évaluation de la sécurité intègre et se base sur de nombreuses sources d'expertise, telles que les bonnes pratiques, les normes, les standards, les méthodes et l'expertise de la recherche scientifique du domaine. Notre proposition constructive répond à un véritable problème non encore résolu, auquel doivent faire face toutes les organisations, indépendamment de la taille et du profil. Cela permettrait à ces dernières de spécifier leurs exigences particulières en matière du niveau de sécurité à satisfaire, d'instancier un processus d'évaluation spécifique à leurs besoins afin qu'elles puissent s'assurer que leur sécurité de l'information soit gérée d'une manière appropriée, offrant ainsi un certain niveau de confiance dans le degré de protection fourni. Nous avons intégré dans notre modèle le meilleur du savoir faire, de l'expérience et de l'expertise disponible actuellement au niveau international, dans le but de fournir un modèle d'évaluation simple, générique et applicable à un grand nombre d'organisations publiques ou privées. La valeur ajoutée de notre modèle d'évaluation réside précisément dans le fait qu'il est suffisamment générique et facile à implémenter tout en apportant des réponses sur les besoins concrets des organisations. Ainsi notre proposition constitue un outil d'évaluation fiable, efficient et dynamique découlant d'une approche d'évaluation cohérente. De ce fait, notre système d'évaluation peut être implémenté à l'interne par l'entreprise elle-même, sans recourir à des ressources supplémentaires et lui donne également ainsi la possibilité de mieux gouverner sa sécurité de l'information.

On site measurements of DC link electrolytic capacitor bank of frequency converter using constant DC magnetization of the motor

Preventive maintenance of frequency converters has been based on pre-planned replace-ment of wearing or ageing components. Exchange intervals follow component life-time expectations which are based on empirical knowledge or schedules defined by manufac-turer. However, the lifetime of a component can vary significantly, because drives are used in very different operating environments and applications. The main objective of the research was to provide information on methods, i.e. how in-verter's operating condition can be measured reliably under field conditions. At first, the research focused on critical components such as current transducers, IGBTs and DC link capacitor bank, because these aging have already been identified. Of these, the DC link capacitor measurement method was selected for closer examination. With this method, the total capacitance and its total series resistance can be measured. The suitability of the measuring procedure was estimated on the basis of practical measurements. The research was made by using so called triangulation method, including a literature review, simulations and practical measurements. Based on the results, the new measu-rement method seems suitable with some reservations to practical measurements. How-ever, the measuring method should be further developed in order to improve its reliability.

Matching Markets under (In)complete Information

We are the first to introduce incomplete information to centralized many-to-one matching markets such as those to entry-level labor markets or college admissions. This is important because in real life markets (i) any agent is uncertain about the other agents' true preferences and (ii) most entry-level matching is many-to-one (and not one-to-one). We show that for stable (matching) mechanisms there is a strong and surprising link between Nash equilibria under complete information and Bayesian Nash equilibria under incomplete information. That is,given a common belief, a strategy profile is a Bayesian Nash equilibrium under incomplete information in a stable mechanism if and only if, for any true profile in the support of the common belief, the submitted profile is a Nash equilibrium under complete information at the true profile in the direct preference revelation game induced by the stable mechanism. This result may help to explain the success of stable mechanisms in these markets.

Le journaliste dans le processus de recherche d'information sur le Web

Le présent mémoire cherche à comprendre et à cerner le lien entre la stratégie de recherche d’information par le journaliste sur le web et les exigences de sa profession. Il vise à appréhender les précautions que prend le journaliste lors de sa recherche d’information sur le web en rapport avec les contraintes que lui imposent les règles de sa profession pour assurer la qualité des sources d’informations qu’il exploite. Nous avons examiné cette problématique en choisissant comme cadre d’étude Radio-Canada où nous avons rencontré quelques journalistes. Ceux-ci ont été suivis en situation de recherche d’information puis questionnés sur leurs expériences de recherche. L’arrivée d’internet et la révolution technologique qui en a découlé ont profondément bouleversé les pratiques journalistiques. La recherche d’information représente ainsi une zone importante de cette mutation des pratiques. Cette transformation amène surtout à s’interroger sur la façon dont la nouvelle façon de rechercher les sources d’information influence le travail du journaliste, et surtout les balises que se donne celui-ci pour résister aux pièges découlant de sa nouvelle méthode de travail.

Uncover the Concealed Link: Gender & Ethnicity-Divided Local Knowledge on the Agro-Ecosystem of a Forest Margin

This research is a study about knowledge interface that aims to analyse knowledge discontinuities, the dynamic and emergent characters of struggles and interactions within gender system and ethnicity differences. The cacao boom phenomenon in Central Sulawesi is the main context for a changing of social relations of production, especially when the mode of production has shifted or is still underway from subsistence to petty commodity production. This agrarian change is not only about a change of relationship and practice, but, as my previous research has shown, also about the shift of knowledge domination, because knowledge construes social practice in a dialectical process. Agroecological knowledge is accumulated through interaction, practice and experience. At the same time the knowledge gained from new practices and experiences changes mode of interaction, so such processes provide the arena where an interface of knowledge is manifested. In the process of agro-ecological knowledge interface, gender and ethnic group interactions materialise in the decision-making of production and resource allocation at the household and community level. At this point, power/knowledge is interplayed to gain authority in decision-making. When authority dominates, power encounters resistance, whereas the dominant power and its resistance are aimed to ensure socio-economic security. Eventually, the process of struggle can be identified through the pattern of resource utilisation as a realisation of production decision-making. Such processes are varied from one community to another, and therefore, it shows uniqueness and commonalities, especially when it is placed in a context of shifting mode of production. The focus is placed on actors: men and women in their institutional and cultural setting, including the role of development agents. The inquiry is informed by 4 major questions: 1) How do women and men acquire, disseminate, and utilise their agro ecological knowledge, specifically in rice farming as a subsistence commodity, as well as in cacao farming as a petty commodity? How and why do such mechanisms construct different knowledge domains between two genders? How does the knowledge mechanism apply in different ethnics? What are the implications for gender and ethnicity based relation of production? ; 2) Using the concept of valued knowledge in a shifting mode of production context: is there any knowledge that dominates others? How does the process of domination occur and why? Is there any form of struggle, strategies, negotiation, and compromise over this domination? How do these processes take place at a household as well as community level? How does it relate to production decision-making? ; 3) Putting the previous questions in two communities with a different point of arrival on a path of agricultural commercialisation, how do the processes of struggle vary? What are the bases of the commonalities and peculiarities in both communities?; 4) How the decisions of production affect rice field - cacao plantation - forest utilisation in the two villages? How does that triangle of resource use reflect the constellation of local knowledge in those two communities? What is the implication of this knowledge constellation for the cacao-rice-forest agroecosystem in the forest margin area? Employing a qualitative approach as the main method of inquiry, indepth and dialogic interviews, participant observer role, and document review are used to gather information. A small survey and children’s writing competition are supplementary to this data collection method. The later two methods are aimed to give wider information on household decision making and perception toward the forest. It was found that local knowledge, particularly knowledge pertaining to rice-forest-cacao agroecology is divided according to gender and ethnicity. This constellation places a process of decision-making as ‘the arena of interface’ between feminine and masculine knowledge, as well as between dominant and less dominant ethnic groups. Transition from subsistence to a commercial mode of production is a context that frames a process where knowledge about cacao commodity is valued higher than rice. Market mechanism, as an external power, defines valued knowledge. Valued knowledge defines the dominant knowledge holder, and decision. Therefore, cacao cultivation becomes a dominant practice. Its existence sacrifices the presence of rice field and the forest. Knowledge about rice production and forest ecosystem exist, but is less valued. So it is unable to challenge the domination of cacao. Various forms of struggles - within gender an ethnicity context - to resist cacao domination are an expression of unequal knowledge possession. Knowledge inequality implies to unequal access to withdraw benefit from market valued crop. When unequal knowledge fails to construct a negotiated field or struggles fail to reveal ‘marginal’ decision, e.g. intensification instead of cacao expansion to the forest, interface only produces divergence. Gender and ethnicity divided knowledge is unabridged, since negotiation is unable to produce new knowledge that accommodates both interests. Rice is loaded by ecological interest to conserve the forest, while cacao is driven by economic interest to increase welfare status. The implication of this unmediated dominant knowledge of cacao production is the construction of access; access to the forest, mainly to withdraw its economic benefit by eliminating its ecological benefit. Then, access to cacao as the social relationship of production to acquire cacao knowledge; lastly, access to defend sustainable benefit from cacao by expansion. ‘Socio-economic Security’ is defined by Access. The convergence of rice and cacao knowledge, however, should be made possible across gender and ethnicity, not only for the sake of forest conservation as the insurance of ecological security, but also for community’s socio-economic security. The convergence might be found in a range of alternative ways to conduct cacao sustainable production, from agroforestry system to intensification.

INFO2009 Group23 CW2 Freedom of Information

the coursework2 for INFO2009 by group23. This resource contains a poster and a questionnaire(web page based).Please access following website for the questionnaire: http://users.ecs.soton.ac.uk/rrs4g10/info2009

Freedom Of Information Act

Link to various resources appropriate for revising the FOI

WAIS Seminar:Evaluating the Cognitive Side of Information Interaction

Abstract In this talk, I'll focus on the work we've been doing on evaluating the cognitive side of dealing with information resources and increasingly complex user interfaces. While we can build increasingly powerful user interfaces, they often come at the cost of simple design and ease of use. I'll describe two specific studies: 1) work on the ORCHID project focused on measuring mental workload during tasks using fNIRS (a blood-oxygen-based brain scanner), and 2) a evaluation metric for measuring how much people learn during tasks. Together these provide advances towards understanding the cognitive side of information interaction, in working towards building better tools for users.

Mendeley: background information

Quick overview of mendeley plus a video of a talk about the startup process from 2010. Interesting from a new business model perspective

The effects of information and communication technologies on the banking sector and the payments system

This dissertation studies the effects of Information and Communication Technologies (ICT) on the banking sector and the payments system. It provides insight into how technology-induced changes occur, by exploring both the nature and scope of main technology innovations and evidencing their economic implications for banks and payment systems. Some parts in the dissertation are descriptive. They summarise the main technological developments in the field of finance and link them to economic policies. These parts are complemented with sections of the study that focus on assessing the extent of technology application to banking and payment activities. Finally, it includes also some work which borrows from the economic literature on banking. The need for an interdisciplinary approach arises from the complexity of the topic and the rapid path of change to which it is subject. The first chapter provides an overview of the influence of developments in ICT on the evolution of financial services and international capital flows. We include main indicators and discuss innovation in the financial sector, exchange rates and international capital flows. The chapter concludes with impact analysis and policy options regarding the international financial architecture, some monetary policy issues and the role of international institutions. The second chapter is a technology assessment study that focuses on the relationship between technology and money. The application of technology to payments systems is transforming the way we use money and, in some instances, is blurring the definition of what constitutes money. This chapter surveys the developments in electronic forms of payment and their relationship to the banking system. It also analyses the challenges posed by electronic money for regulators and policy makers, and in particular the opportunities created by two simultaneous processes: the Economic and Monetary Union and the increasing use of electronic payment instruments. The third chapter deals with the implications of developments in ICT on relationship banking. The financial intermediation literature explains relationship banking as a type of financial intermediation characterised by proprietary information and multiple interactions with customers. This form of banking is important for the financing of small and medium-sized enterprises. We discuss the effects of ICT on the banking sector as a whole and then apply these developments to the case of relationship banking. The fourth chapter is an empirical study of the effects of technology on the banking business, using a sample of data from the Spanish banking industry. The design of the study is based on some of the events described in the previous chapters, and also draws from the economic literature on banking. The study shows that developments in information management have differential effects on wholesale and retail banking activities. Finally, the last chapter is a technology assessment study on electronic payments systems in Spain and the European Union. It contains an analysis of existing payment systems and ongoing or planned initiatives in Spain. It forms part of a broader project comprising a series of country-specific analyses covering ten European countries. The main issues raised across the countries serve as the starting point to discuss implications of the development of electronic money for regulation and policies, and in particular, for monetary-policy making.

Consumer welfare and the loss induced by withholding information: The case of BSE in Italy

The paper develops a measure of consumer welfare losses associated with withholding it formation about a possible link between BSE and vCJD. The Cost of Ignorance (COI) is measured by comparing the utility of the informed choice with the utility of the uninformed choice, under conditions of improved information. Unlike previous work that is largely based on a single equation demand model, the measure is obtained retrieving a cost,function from a dynamic Almost Ideal Demand System. The estimated perceived loss for Italian consumers due to delayed information ranges from 12 percent to 54 percent of total meat expenditure, depending on the month assumed to embody correct beliefs about the safety level of beef.

Parallel rule induction with information theoretic pre-pruning

In a world where data is captured on a large scale the major challenge for data mining algorithms is to be able to scale up to large datasets. There are two main approaches to inducing classification rules, one is the divide and conquer approach, also known as the top down induction of decision trees; the other approach is called the separate and conquer approach. A considerable amount of work has been done on scaling up the divide and conquer approach. However, very little work has been conducted on scaling up the separate and conquer approach.In this work we describe a parallel framework that allows the parallelisation of a certain family of separate and conquer algorithms, the Prism family. Parallelisation helps the Prism family of algorithms to harvest additional computer resources in a network of computers in order to make the induction of classification rules scale better on large datasets. Our framework also incorporates a pre-pruning facility for parallel Prism algorithms.

The link between temporal attention and emotion: a playground for psychology, neuroscience, and plausible artificial neural networks

In this paper, we will address the endeavors of three disciplines, Psychology, Neuroscience, and Artificial Neural Network (ANN) modeling, in explaining how the mind perceives and attends information. More precisely, we will shed some light on the efforts to understand the allocation of attentional resources to the processing of emotional stimuli. This review aims at informing the three disciplines about converging points of their research and to provide a starting point for discussion.