TL;DR: In this article, the authors proposed a secure content distribution method for a configurable general-purpose electronic commercial transaction/distribution control system, which includes a process for encapsulating digital information in one or more digital containers, a process for encrypting at least a portion of the digital information, a protocol for associating at least partially secure control information for managing interactions with the encrypted digital information and/or digital container, and a process for delivering one or more digital containers to a digital information user.
Abstract: PROBLEM TO BE SOLVED: To solve the problem that an electronic content information provider cannot provide a commercially secure and effective method within a configurable general-purpose electronic commercial transaction/distribution control system. SOLUTION: In this system, which has at least one protected processing environment for safely controlling at least a portion of the decoding of digital information, a secure content distribution method comprises a process for encapsulating digital information in one or more digital containers; a process for encrypting at least a portion of the digital information; a process for associating at least partially secure control information for managing interactions with the encrypted digital information and/or digital container; a process for delivering one or more digital containers to a digital information user; and a process for using a protected processing environment to safely control at least a portion of the decoding of the digital information. COPYRIGHT: (C) 2006, JPO&NCIPI
TL;DR: The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and light is shed on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Abstract: Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital.
This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP.
Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
TL;DR: Investigation of the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats suggests that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users.
Abstract: Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories.
Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.
TL;DR: This study proposes a training program based on two theories, the universal constructive instructional theory and the elaboration likelihood model, and validates the training program for IS security policy compliance training through an action research project.
Abstract: Employee noncompliance with information systems security policies is a key concern for organizations. If users do not comply with IS security policies, security solutions lose their efficacy. Of the different IS security policy compliance approaches, training is the most commonly suggested in the literature. Yet, few of the existing studies about training to promote IS policy compliance utilize theory to explain what learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. Moreover, the intervention suggests that information security training should utilize contents and methods that activate and motivate the learners to systematic cognitive processing of information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.
TL;DR: The paper treats cyber security issues, and it highlights access points in a substation, and information security domain modeling is treated.
Abstract: The introduction of “smart grid” solutions imposes that cyber security and power system communication systems must be dealt with extensively. These parts together are essential for proper electricity transmission, where the information infrastructure is critical. The development of communication capabilities, moving power control systems from “islands of automation” to totally integrated computer environments, has opened up new possibilities and vulnerabilities. Since several power control systems have been procured with “openness” requirements, cyber security threats become evident. For refurbishment of a SCADA/EMS system, a separation of the operational and administrative computer systems must be obtained. The paper treats cyber security issues, and it highlights access points in a substation. Also, information security domain modeling is treated. Cyber security issues are important for “smart grid” solutions. Broadband communications open up for smart meters, and the increasing use of wind power requires a “smart grid system”.
TL;DR: A framework to cultivate an information security culture within an organisation and to illustrate how to use it is proposed and an empirical study is performed to aid in validating the proposed Information Security Culture Framework.
TL;DR: Examination of user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures.
Abstract: This paper examines user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level. First, eleven informants across five organizations were interviewed to gain an understanding of the types of activities and security controls in which users participated as part of Sarbanes-Oxley compliance, along with associated outcomes. A research model was developed based on the findings of the qualitative study and extant user participation theories in the systems development literature. Analysis of the data collected in a questionnaire survey of 228 members of ISACA, a professional association specialized in information technology governance, audit, and security, supported the research model. The findings of the two studies converged and indicated that user participation contributed to improved security control performance through greater awareness, greater alignment between IS security risk management and the business environment, and improved control development. While the IS security literature often portrays users as the weak link in security, the current study suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures. User participation is also a means to engage users in protecting sensitive information in their business processes.
TL;DR: This paper proposes a security system for VANETs to achieve privacy desired by vehicles and traceability required by law enforcement authorities, in addition to satisfying fundamental security requirements including authentication, nonrepudiation, message integrity, and confidentiality.
Abstract: Vehicular ad hoc networks (VANETs) can offer various services and benefits to users and thus deserve deployment effort. Attacking and misusing such a network could cause destructive consequences. It is therefore necessary to integrate security requirements into the design of VANETs and defend VANET systems against misbehavior, in order to ensure correct and smooth operation of the network. In this paper, we propose a security system for VANETs to achieve privacy desired by vehicles and traceability required by law enforcement authorities, in addition to satisfying fundamental security requirements including authentication, nonrepudiation, message integrity, and confidentiality. Moreover, we propose a privacy-preserving defense technique for network authorities to handle misbehavior in VANET access, considering the challenge that privacy provides an avenue for misbehavior. The proposed system employs an identity-based cryptosystem where certificates are not needed for authentication. We show the fulfillment and feasibility of our system with respect to the security goals and efficiency.
TL;DR: The topics in this volume are highly relevant to the real world practice of information security, which should make this book a valuable resource for working IT professionals for many years to come.
Abstract: The Handbook of Information and Communication Security covers some of the latest advances in fundamentals, cryptography, intrusion detection, access control, networking (including extensive sections on optics and wireless systems), software, forensics, and legal issues. The editors' intention, with respect to the presentation and sequencing of the chapters, was to create a reasonably natural flow between the various sub-topics. This handbook will be useful to researchers and graduate students in academia, as well as being an invaluable resource for university instructors who are searching for new material to cover in their security courses. In addition, the topics in this volume are highly relevant to the real world practice of information security, which should make this book a valuable resource for working IT professionals. This handbook will be a valuable resource for a diverse audience for many years to come.
TL;DR: The presented model incorporates the concept of elasticity from the economic sciences in order to show how various variables in an information security culture influence each other, and is intended to facilitate conceptual thinking and argumentation about information security culture.
TL;DR: The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.
Abstract: Providing security in a distributed system requires more than user authentication with passwords or digital certificates and confidentiality in data transmission. The Grid and Cloud Computing Intrusion Detection System integrates knowledge and behavior analysis to detect intrusions.
TL;DR: The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense and quite possibly this relationship results from not applying rewards for security compliance.
Abstract: Information security was the main topic in this paper. An investigation of compliance with information security policies was discussed. The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense; quite possibly this relationship results from not applying rewards for security compliance. The author also mentions that, based on the survey conducted, careless employee behavior places an organization's assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures.
TL;DR: It is demonstrated that local employee participation, collective reflection and group processes produce changes in short-term information security awareness and behaviour.
TL;DR: Strong evidence is provided that voluntarily disclosing items concerning information security is associated positively with the market value of a firm, based on the use of a market-value relevance model, as well as a bid-ask spread analysis.
Abstract: Information security is a fundamental concern for corporations operating in today's digital economy. The number of firms disclosing items concerning their information security on reports filed with the U.S. Securities and Exchange Commission (SEC) has increased in recent years. A question then arises as to whether or not there is value to the voluntary disclosures concerning information security. Thus, the primary objective of this paper is to assess empirically the market value of voluntary disclosures of items pertaining to information security. Based on a sample of 1,641 disclosing and 19,266 non-disclosing firm-years in a cross-sectional pooled model, our primary findings provide strong evidence that voluntarily disclosing items concerning information security is associated positively with the market value of a firm. These findings are based on the use of a market-value relevance model, as well as a bid-ask spread analysis. The study's findings are robust to alternative statistical analyses. The findings also provide support for the signaling argument, which states that managers disclose information in a manner consistent with increased firm value. Finally, the study findings provide some insight into the strategic choice that firms make regarding voluntary disclosures about information security.
TL;DR: This paper proposes an authenticated key transfer protocol based on a secret sharing scheme, such that the KGC can broadcast group key information to all group members at once and only authorized group members can recover the group key, while unauthorized users cannot.
Abstract: Key transfer protocols rely on a mutually trusted key generation center (KGC) to select session keys and transport them secretly to all communication entities. Most often, the KGC encrypts session keys under another secret key shared with each entity during registration. In this paper, we propose an authenticated key transfer protocol based on a secret sharing scheme, such that the KGC can broadcast group key information to all group members at once and only authorized group members can recover the group key, while unauthorized users cannot. The confidentiality of this transformation is information theoretically secure. We also provide authentication for transporting this group key. Goals and security threats of our proposed group key transfer protocol will be analyzed in detail.
TL;DR: The problem of protecting information and data flows has existed from the very first day of information exchange, and the widespread use of wired and wireless communication networks, internet, web applications and computing has increased the gravity of the problem.
Abstract: Purpose – The problem of protecting information and data flows has existed from the very first day of information exchange. Various approaches have been devised to protect and transfer such information securely. However, as technology and communications advance and information management systems become more and more powerful and distributed, the problem has taken on new and more complex dimensions and has become a major challenge. The widespread use of wired and wireless communication networks, internet, web applications and computing has increased the gravity of the problem. Organizations are totally dependent on reliable, secure and fault‐tolerant systems, communications, applications and information bases. Unfortunately, serious security and privacy breaches still occur every day, creating an absolute necessity to provide secure and safe information security systems through the use of firewalls, intrusion detection and prevention systems (ID/PSs), encryption, authentication and other hardware and softw...
TL;DR: This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
Abstract: This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
TL;DR: A novel, interdisciplinary insider threat prediction model is presented, which combines approaches, techniques, and tools from computer science and psychology, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.
Abstract: Information systems face several security threats, some of which originate from insiders. This paper presents a novel, interdisciplinary insider threat prediction model. It combines approaches, techniques, and tools from computer science and psychology. It utilizes real-time monitoring, capturing the user's technological trait in an information system and analyzing it for misbehavior. In parallel, the model uses data from psychometric tests, so as to assess for each user the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The model combines the above-mentioned information, categorizes users, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.
TL;DR: Electronic devices have pervaded everyday life to a previously unseen extent, and will likely continue to do so in the future, but their ubiquity also makes them a potential target for adversaries and brings about privacy and information security issues.
Abstract: Electronic devices have pervaded our everyday life to a previously unseen extent, and will likely continue to do so in the future. But their ubiquity also makes them a potential target for adversaries and brings about privacy and information security issues.
TL;DR: Snoogle is presented, a search engine for a wireless network of objects that uses information retrieval techniques to index information and process user queries, and Bloom filters to reduce communication overhead.
Abstract: Embedding small devices into everyday objects like toasters and coffee mugs creates a wireless network of objects. These embedded devices can contain a description of the underlying objects, or other user defined information. In this paper, we present Snoogle, a search engine for such a network. A user can query Snoogle to find a particular mobile object, or a list of objects that fit the description. Snoogle uses information retrieval techniques to index information and process user queries, and Bloom filters to reduce communication overhead. Security and privacy protections are also engineered into Snoogle to protect sensitive information. We have implemented a prototype of Snoogle using off-the-shelf sensor motes, and conducted extensive experiments to evaluate the system performance.
TL;DR: An alternative approach to the development of security policies is proposed to encourage ethical decision making based on consequential ethics, which will have positive effects on the usability and suitability of the acceptable use policy to the organisation.
TL;DR: The aim of this paper is to propose a modified high-capacity image steganography technique that depends on wavelet transform with acceptable levels of imperceptibility and distortion in the cover image and a high level of overall security.
Abstract: Steganography is the art and science of concealing information in unremarkable cover media so as not to arouse an eavesdropper's suspicion. It is an application within the information security field. Being classified under information security, steganography is characterized by having a set of measures that rely on strengths, and countermeasures (attacks) that are driven by weaknesses and vulnerabilities. Today, computer and network technologies provide easy-to-use communication channels for steganography. The aim of this paper is to propose a modified high-capacity image steganography technique that depends on wavelet transform with acceptable levels of imperceptibility and distortion in the cover image and a high level of overall security.
TL;DR: Experimental results on four biometric datasets show that carrying out the authentication in the encrypted domain does not affect the accuracy, while the encryption key acts as an additional layer of security.
Abstract: Concerns on widespread use of biometric authentication systems are primarily centered around template security, revocability, and privacy. The use of cryptographic primitives to bolster the authentication process can alleviate some of these concerns as shown by biometric cryptosystems. In this paper, we propose a provably secure and blind biometric authentication protocol, which addresses the concerns of user's privacy, template protection, and trust issues. The protocol is blind in the sense that it reveals only the identity, and no additional information about the user or the biometric to the authenticating server or vice-versa. As the protocol is based on asymmetric encryption of the biometric data, it captures the advantages of biometric authentication as well as the security of public key cryptography. The authentication protocol can run over public networks and provide nonrepudiable identity verification. The encryption also provides template protection, the ability to revoke enrolled templates, and alleviates the concerns on privacy in widespread use of biometrics. The proposed approach makes no restrictive assumptions on the biometric data and is hence applicable to multiple biometrics. Such a protocol has significant advantages over existing biometric cryptosystems, which use a biometric to secure a secret key, which in turn is used for authentication. We analyze the security of the protocol under various attack scenarios. Experimental results on four biometric datasets (face, iris, hand geometry, and fingerprint) show that carrying out the authentication in the encrypted domain does not affect the accuracy, while the encryption key acts as an additional layer of security.
TL;DR: A set of threats and potential attacks in their routing protocols are identified and a set of recommendations and countermeasures are provided to help Industry protect its infrastructures.
Abstract: Nowadays, critical control systems are a fundamental component contributing to the overall performance of critical infrastructures in our society, most of which belong to the industrial sector. These complex systems include in their design different types of information and communication technology systems, such as wireless (mesh) sensor networks, to carry out control processes in real time. This fact has meant that several communication standards, such as Zigbee PRO, WirelessHART, and ISA100.11a, have been specified to ensure coexistence, reliability, and security in their communications. The main purpose of this paper has been to review these three standards and analyze their security. We have identified a set of threats and potential attacks in their routing protocols, and we consequently provide recommendations and countermeasures to help Industry protect its infrastructures.
TL;DR: This article investigates why security measurement is difficult and what strategies might help address the needs.
Abstract: For many years, we've been trying to measure "security" so that we can increase accountability, demonstrate compliance, and determine whether and by how much our investments in products and processes are making our systems more secure. This article investigates why security measurement is difficult and what strategies might help address our needs.
TL;DR: An opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that, whilst deployed in the organization, will develop an all-round individual security culture for users independent of the environment within which they are operating.
Abstract: As technology such as the Internet, computers and mobile devices becomes ubiquitous throughout society, the need to ensure our information remains secure is imperative. Unfortunately, it has long been understood that good security cannot be achieved through technical means alone, and a solid understanding of the issues and how to protect yourself is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations, with a few national programs focused upon home users. Given that people's use of technology is primarily focused upon those two areas, the workplace and home, this paper seeks to understand the knowledge and practice relationship between these environments. Through the survey that was developed, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. It was also found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that the knowledge and practice obtained at the workplace were transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and towards awareness raising strategies that, whilst deployed in the organization, will develop an all-round individual security culture for users independent of the environment within which they are operating.
TL;DR: Major effects were found in people's perception of information security related to computer experience and types of loss in the study of people's perceptions of different threats to information security.
Abstract: The objective of this study was to investigate people's perception of information security and to unveil the factors that influence people's perception of different threats to information security. In the survey study, 602 respondents were asked to evaluate one of 21 common threats to information security with regard to its rank related to each of the 20 threat-related features. An exploratory factor analysis was then conducted, and a six-factor structure was derived, which includes factors of Knowledge, Impact, Severity, Controllability, Possibility and Awareness. Using this factor structure, the characteristics of the five most dangerous threats (hackers, worms, viruses, Trojan horses and backdoor programs) and the five least dangerous threats (spam, piratical software, operation accidents, users' online behaviour being recorded and deviation in quality of service) were discussed and compared. The relationships between the factors and the perceived overall danger of threats were found and then tested by multiple regression analyses. Significant effects were also found in people's perception of information security related to computer experience and types of loss.
TL;DR: The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial and can assist management to plan and evaluate interventions and to facilitate best practice in information security.
Abstract: Purpose – The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program. Design/methodology/approach – A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents’ behavior. Two different class groups of students at a university were used as a sample. Findings – The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed. Originality/value – The paper introduces a new approach to evaluate people’s information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.