Assessing the impact of refactoring on security-critical object-oriented designs

Refactoring focuses on improving the reusability, maintainability and performance of programs. However, the impact of refactoring on the security of a given program has received little attention. In this work, we focus on the design of object-oriented applications and use metrics to assess the impact of a number of standard refactoring rules on their security by evaluating the metrics before and after refactoring. This assessment tells us which refactoring steps can increase the security level of a given program from the point of view of potential information flow, allowing application designers to improve their system’s security at an early stage.

How HCI design influences web security decisions

Even though security protocols are designed to make computer communication secure, it is widely known that there is potential for security breakdowns at the human machine interface. This paper reports on a diary study conducted in order to investigate what people identify as security decisions that they make while using the web. The study aimed to uncover how security is perceived in the individual's context of use. From this data, themes were drawn, with a focus on addressing security goals such as confidentiality and authentication. This study is the first study investigating users' web usage focusing on their self-documented perceptions of security and the security choices they made in their own environment.

Developing a knowledge-based urban development analysis framework : the case of multimedia super corridor, Malaysia

Purpose: In the global knowledge economy, investment in knowledge-intensive industries and information and communication technology (ICT) infrastructures are seen as significant factors in improving the overall socio-economic fabric of cities. Consequently knowledge-based urban development (KBUD) has become a new paradigm in urban planning and development, for increasing the welfare and competitiveness of cities and regions. The paper discusses the critical connections between KBUD strategies and knowledge-intensive industries and ICT infrastructures. In particular, it investigates the application of the knowledge-based urban development concept by discussing one of South East Asia’s large scale manifestations of KBUD; Malaysia’s Multimedia Super Corridor. ----- ----- Design/methodology/approach: The paper provides a review of the KBUD concept and develops a knowledge-based urban development assessment framework to provide a clearer understanding of development and evolution of KBUD manifestations. Subsequently the paper investigates the implementation of the KBUD concept within the Malaysian context, and particularly the Multimedia Super Corridor (MSC). ----- ----- Originality/value: The paper, with its KBUD assessment framework, scrutinises Malaysia’s experince; providing an overview of the MSC project and discussion of the case findings. The development and evolution of the MSC is viewed with regard to KBUD policy implementation, infrastructural implications, and the agencies involved in the development and management of the MSC. ----- ----- Practical implications: The emergence of the knowledge economy, together with the issues of globalisation and rapid urbanisation, have created an urgent need for urban planners to explore new ways of strategising planning and development that encompasses the needs and requirements of the knowledge economy and society. In light of the literature and MSC case findings, the paper provides generic recommendations, on the orchestration of knowledge-based urban development, for other cities and regions seeking to transform to the knowledge economy.

Enhancing security and continuity management at international airports

Operators of busy contemporary airports have to balance tensions between the timely flow of passengers, flight operations, the conduct of commercial business activities and the effective application of security processes. In addition to specific onsite issues airport operators liaise with a range of organisations which set and enforce aviation-related policies and regulations as well as border security agencies responsible for customs, quarantine and immigration, in addition to first response security services. The challenging demands of coordinating and planning in such complex socio-technical contexts place considerable pressure on airport management to facilitate coordination of what are often conflicting goals and expectations among groups that have standing in respect to safe and secure air travel. What are, as yet, significantly unexplored issues in large airports are options for the optimal coordination of efforts from the range of public and private sector participants active in airport security and crisis management. A further aspect of this issue is how airport management systems operate when there is a transition from business-as-usual into an emergency/crisis situation and then, on recovery, back to ‘normal’ functioning. Business Continuity Planning (BCP), incorporating sub-plans for emergency response, continuation of output and recovery of degraded operating capacity, would fit such a context. The implementation of BCP practices in such a significant high security setting offers considerable potential benefit yet entails considerable challenges. This paper presents early results of a 4 year nationally funded industry-based research project examining the merger of Business Continuity Planning and Transport Security Planning as a means of generating capability for improved security and reliability and, ultimately, enhanced resilience in major airports. The project is part of a larger research program on the Design of Secure Airports that includes most of the gazetted ‘first response’ international airports in Australia, key Aviation industry groups and all aviation-related border and security regulators as collaborative partners. The paper examines a number of initial themes in the research, including: ? Approaches to integrating Business Continuity & Aviation Security Planning within airport operations; ? Assessment of gaps in management protocols and operational capacities for identifying and responding to crises within and across critical aviation infrastructure; ? Identification of convergent and divergent approaches to crisis management used across Austral-Asia and their alignment to planned and possible infrastructure evolution.

Review of Apple iPad news applications : new media service

The launch of the Apple iPad on January 2010 has seen considerable interest from the newspaper and publishing industry in developing content and business models for the tablet PC device that can address the limits of both the print and online news and information media products. It is early days in the iPad’s evolution, and we wait to see what competitor devices will emerge in the near future. It is apparent, however, that it has become a significant “niche” product, with considerable potential for mass market expansion over the next few years, possibly at the expense of netbook sales. The scope for the iPad and tablet PCs to become a “fourth screen” for users, alongside the TV, PC and mobile phone, is in early stages of evolution. The study used five criteria to assess iPad apps: • Content: timeliness; archive; personalisation; content depth; advertisements; the use of multimedia; and the extent to which the content was in sync with the provider brand. • Useability: degree of static content; ability to control multimedia; file size; page clutter; resolution; signposts; and customisation. • Interactivity: hyperlinks; ability to contribute content or provide feedback to news items; depth of multimedia; search function; ability to use plug-ins and linking; ability to highlight, rate and/or save items; functions that may facilitate a community of users. • Transactions capabilities: ecommerce functionality; purchase and download process; user privacy and transaction security. • Openness: degree of linking to outside sources; reader contribution processes; anonymity measures; and application code ownership.

A hierarchical security assessment model for object-oriented programs

We present a hierarchical model for assessing an object-oriented program's security. Security is quantified using structural properties of the program code to identify the ways in which `classified' data values may be transferred between objects. The model begins with a set of low-level security metrics based on traditional design characteristics of object-oriented classes, such as data encapsulation, cohesion and coupling. These metrics are then used to characterise higher-level properties concerning the overall readability and writability of classified data throughout the program. In turn, these metrics are then mapped to well-known security design principles such as `assigning the least privilege' and `reducing the size of the attack surface'. Finally, the entire program's security is summarised as a single security index value. These metrics allow different versions of the same program, or different programs intended to perform the same task, to be compared for their relative security at a number of different abstraction levels. The model is validated via an experiment involving five open source Java programs, using a static analysis tool we have developed to automatically extract the security metrics from compiled Java bytecode.

Information security management : a case study of an information security culture

This thesis argues that in order to establish a sound information security culture it is necessary to look at organisation's information security systems in a socio- technical context. The motivation for this research stems from the continuing concern of ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and non- technical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals' behaviour and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabia context. The theoretical foundation for the study is based on organisational and national culture theories. A conceptual framework for this study was constructed based on Peterson and Smith's (1997) model of national culture. This framework guides the study of national, organisational and technological values and their relationships to the development of information security culture. Further, the study seeks to better understand how these values might affect the development and deployment of an organisation's information security culture. Drawing on evidence from three exploratory case studies, an emergent conceptual framework was developed from the traditional human behaviour and the social environment perspectives used in social work, This framework contributes to in- formation security management by identifying behaviours related to four modes of information security practice. These modes provide a sound basis that can be used to evaluate individual organisational members' behaviour and the adequacy of ex- isting security measures. The results confirm the plausibility of the four modes of practice. Furthermore, a final framework was developed by integrating the four modes framework into the research framework. The outcomes of the three case stud- ies demonstrate that some of the national, organisational and technological values have clear impacts on the development and deployment of organisations' informa- tion security culture. This research, by providing an understanding the in uence of national, organi- sational and technological values on individuals' information security behaviour, contributes to building a theory of information security culture development within an organisational context. The research reports on the development of an inte- grated information security culture model that highlights recommendations for developing an information security culture. The research framework, introduced by this research, is put forward as a robust starting point for further related work in this area.

Knowledge-based urban development of multimedia super corridor, Malaysia : an overview

In recent years, with the impact of the global knowledge economy, a more comprehensive urban development approach, so called 'knowledge-based urban development', has gained significant popularity. This paper discusses the critical connections among knowledge-based urban development strategies, knowledge-intensive industries and information and communication technology infrastructures. In particular, the research focuses on investigating the application of the knowledge-based urban development concept by discussing one of the South East Asia's large scale knowledge-based urban development manifestations of Malaysia's Multimedia Super Corridor. The paper scrutinises Malaysia's experience in the development and evolution of the Multimedia Super Corridor from the angle of knowledge-based urban development policy implementation, infrastructural implications, and actors involved in its development and management. This paper provides a number of lessons learned from the Multimedia Super Corridor on the orchestration of knowledge-based development that is a necessity for cities seeking successful knowledge city and knowledge economy transformations.

Security analysis and enhancement of one-way hash based low-cost authentication protocol (OHLCAP)

Choi et al. recently proposed an efficient RFID authentication protocol for a ubiquitous computing environment, OHLCAP(One-Way Hash based Low-Cost Authentication Protocol). However, this paper reveals that the protocol has several security weaknesses : 1) traceability based on the leakage of counter information, 2) vulnerability to an impersonation attack by maliciously updating a random number, and 3) traceability based on a physically-attacked tag. Finally, a security enhanced group-based authentication protocol is presented.

Teaching new dogs old tricks. How the move to 24/7 interactive, integrated multimedia, multi-platform news and feature delivery is not really changing the skills employers demand of graduates

The journalism revolution is upon us. In a world where we are constantly being told that everyone can be a publisher and challenges are emerging from bloggers, Twitterers and podcasters, journalism educators are inevitably reassessing what skills we now need to teach to keep our graduates ahead of the game. QUT this year tackled that question head-on as a curriculum review and program restructure resulted in a greater emphasis on online journalism. The author spent a week in the online newsrooms of each of two of the major players – ABC online news and thecouriermail.com to watch, listen and interview some of the key players. This, in addition to interviews with industry leaders from Fairfax and news.com, lead to the conclusion that while there are some new skills involved in new media much of what the industry is demanding is in fact good old fashioned journalism. Themes of good spelling, grammar, accuracy and writing skills and a nose for news recurred when industry players were asked what it was that they would like to see in new graduates. While speed was cited as one of the big attributes needed in online journalism, the conclusion of many of the players was that the skills of a good down-table sub or a journalist working for wire service were not unlike those most used in online newsrooms.

A learning-based approach to reactive security

Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender’s strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker’s incentives and knowledge.