security assurance
Recently Published Documents


TOTAL DOCUMENTS: 297 (FIVE YEARS 81)

H-INDEX: 11 (FIVE YEARS 3)

2022 ◽  
pp. 1047-1077
Author(s):  
Eugene Brezhniev ◽  
Oleg Ivanchenko

The smart grid (SG) is a movement to bring the electrical power grid up to date so it can meet current and future requirements to fit customer needs. Disturbances in SG operation can originate from natural disasters, failures, human factors, terrorism, and so on. Outages and faults will cause serious problems and failures in the interconnected power systems, propagating into critical infrastructures such as nuclear industries, telecommunication systems, etc. Nuclear power plants (NPP) are an intrinsic part of the future smart grid. Therefore, it is of high priority to consider SG safety, mutual influence between NPP and SG, forecast possible accidents and failures of this interaction, and consider the strategies to avoid them.


2022 ◽  
pp. 929-946
Author(s):  
Kalle Rindell ◽  
Sami Hyrynsalmi ◽  
Ville Leppänen

Agile software development was introduced in the beginning of the 2000s to increase the visibility and efficiency of software projects. Since then it has become an industry standard. However, fitting sequential security engineering development models into iterative and incremental development practices in agile methods has caused difficulties in defining, implementing, and verifying the security properties of software. In addition, agile methods have also been criticized for decreased quality of documentation, resulting in decreased security assurance necessary for regulative purposes and security measurement. As a consequence, lack of security assurance can complicate security incident management, thus increasing the software's potential lifetime cost. This chapter clarifies the requirements for software security assurance by using an evaluation framework to analyze the compatibility of established agile security development methods: XP, Scrum, and Kanban. The results show that the agile methods are not inherently incompatible with security engineering requirements.


2021 ◽  
Vol 63 ◽  
pp. 103018
Author(s):  
Carlos Javier Hernández-Castro ◽  
David F. Barrero ◽  
María D. R-Moreno

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Huizhong Li ◽  
Guang Yang ◽  
Jingdian Ming ◽  
Yongbin Zhou ◽  
Chengbin Jin

Abstract: Side-channel resistance is nowadays widely accepted as a crucial factor in deciding the security assurance level of cryptographic implementations. In most cases, non-linear components (e.g. S-Boxes) of cryptographic algorithms will be chosen as primary targets of side-channel attacks (SCAs). In order to measure side-channel resistance of S-Boxes, three theoretical metrics have been proposed: reVisited transparency order (VTO), confusion coefficients variance (CCV), and minimum confusion coefficient (MCC). However, the practical effectiveness of these metrics remains unclear. Taking the 4-bit and 8-bit S-Boxes used in NIST Lightweight Cryptography candidates as concrete examples, this paper presents a comprehensive study of the applicability of these metrics. First of all, we empirically investigate the relations among three metrics for targeted S-boxes, and find that CCV is almost linearly correlated with VTO, while MCC is inconsistent with the other two. Furthermore, in order to verify which metric is more effective in which scenarios, we perform simulated and practical experiments on nine 4-bit S-Boxes under the non-profiled attacks and profiled attacks, respectively. The experiments show that for quantifying side-channel resistance of S-Boxes under non-profiled attacks, VTO and CCV are more reliable while MCC fails. We also obtain an interesting observation that none of these three metrics is suitable for measuring the resistance of S-Boxes against profiled SCAs. Finally, we try to verify whether these metrics can be applied to compare the resistance of S-Boxes with different sizes. Unfortunately, all of them are invalid in this scenario.


2021 ◽  
Author(s):  
Sholom Cohen ◽  
John J. Hudak ◽  
John McGregor

2021 ◽  
Author(s):  
Salman Ahmed ◽  
Long Cheng ◽  
Hans Liljestrand ◽  
N. Asokan ◽  
Danfeng Daphne Yao

2021 ◽  
Vol 13 (18) ◽  
pp. 10301
Author(s):  
Li Cong ◽  
Qiqi Wang ◽  
Geoffrey Wall ◽  
Yijing Su

Prior to the global pandemic, wildlife tourism was increasing rapidly globally but was in the early stages of development in China, where it faces great challenges and opportunities. Women comprise a substantial proportion of the market but their decision-making behavior and their perceptions of risk in wildlife tourism have not yet been explored. This paper explores relationships between risk perception and decision-making in tourism. A survey of female tourists was undertaken at non-captive and semi-captive wildlife sites in western China, as well as through internet website posting, resulting in 415 completed questionnaires. Quantitative methods were used to examine four sequential stages of decision-making in wildlife tourism: destination selection, trip itinerary, travel mode and security assurance, and entertainment consumption. Three dimensions of risk perception in wildlife tourism were identified: physical safety, personal comfort, and quality of experience. Decision-making behavior and risk perceptions are related. Perceived risks greatly impact tourists’ travel mode and security assurance decisions. The higher the perceived risk, the greater the likelihood of female tourists participating in decisions on destination selection, travel methods and other entertainment activities undertaken on their wildlife tourism trips. Concerns regarding personal comfort positively influence destination selection, the trip itinerary, and recreation and consumption decisions. Assurance of acquiring a quality experience influences entertainment consumption decisions. The study contributes to the understanding of risk, decision-making behavior and gender research, and confirms the practical importance of safety considerations at wildlife destinations.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hamid Reza Nikkhah ◽  
Rajiv Sabherwal

Purpose: In this research, the authors focus on mobile cloud computing (MCC) collaboration apps that are multiplatform and send the users’ data to the cloud. Despite their benefits, MCC collaboration apps raise privacy concerns, as the users’ information is sent to the cloud where users lack direct control. This study aims to investigate why users disclose information to MCC apps despite privacy concerns and examine the effect of security and assurance mechanisms (i.e. privacy policies and ISO/IEC 27018 certification) on users’ perceptions and information disclosure. Based on three surveys conducted in 2016 (n = 515), 2017 (n = 505) and 2018 (n = 543), this study finds mixed results regarding the relationships among security, assurance mechanisms, utilitarian benefits and information disclosure.

Design/methodology/approach: This study conducted three scenario-based surveys in the USA in 2016 (n = 515), 2017 (n = 505) and 2018 (n = 543).

Findings: This study finds mixed results of relationships among security, assurance mechanisms, utilitarian benefit and information disclosure.

Originality/value: With the proliferation of MCC apps, the investigation of how users make privacy decisions to disclose personal information to these apps is sparse. This study, for the first time, investigates whether the signals of assurance mechanisms decrease users’ privacy concerns. This study also examines the interplay between security and privacy within information disclosure behavior. Finally, this study was conducted in 3 years to enhance the generalizability and robustness of findings.


Electronics ◽  
2021 ◽  
Vol 10 (15) ◽  
pp. 1849
Author(s):  
Gaurav Sharma ◽  
Stilianos Vidalis ◽  
Catherine Menon ◽  
Niharika Anand ◽  
Somesh Kumar

Threat assessment is the continuous process of monitoring the threats identified in the network of the real-time informational environment of an organisation and the business of the companies. The sagacity and security assurance for the system of an organisation and company’s business seem to need that information security exercise to unambiguously and effectively handle the threat agent’s attacks. How is this unambiguous and effective way in the present-day state of information security practice working? Given the prevalence of threats in the modern information environment, it is essential to guarantee the security of national information infrastructure. However, the existing models and methodology are not addressing the attributes of threats like motivation, opportunity, and capability (C, M, O), and the critical threat intelligence (CTI) feed to the threat agents during the penetration process is ineffective, due to which security assurance arises for an organisation and the business of companies. This paper proposes a semi-automatic information security model, which can deal with situational awareness data, strategies prevailing information security activities, and protocols monitoring specific types of the network next to the real-time information environment. This paper analyses and implements the threat assessment of network traffic in one particular real-time informational environment. To achieve this, we determined various unique attributes of threat agents from the Packet Capture Application Programming Interface (PCAP files/DataStream) collected from the network between the years 2012 and 2019. We used hypothetical and real-world examples of a threat agent to evaluate the three different factors of threat agents, i.e., Motivation, Opportunity, and Capability (M, O, C). Based on this, we also designed and determined the threat profiles, critical threat intelligence (CTI), and complexity of threat agents that are not addressed or covered in the existing threat agent taxonomies models and methodologies.


Author(s):  
Chia-Ming Sun ◽  
Yen-Yao Wang ◽  
Chen-Bin Yang

This paper explores whether IT and audit professionals have different perceptions of the substantive and symbolic perspectives of information security assurance and the role of security configuration management (SCM) using a mixture of qualitative and quantitative approaches. Importance performance analysis (IPA) is utilized to identify differences in perceived importance and perceived controllability from both substantive and symbolic perspectives between these two professional groups. Our results suggest that SCM plays a vital role in maintaining consistency between the IT and audit professionals by enhancing their confidence in controlling and managing information security control sets. IPA also helps determine an information security program's strengths and weaknesses and supports remedial strategic actions more efficiently. Implications for both research and practice are discussed.

