Security and Privacy Assurance in Advancing Technologies
Latest Publications


Total documents: 23 (five years: 0)

H-index: 1 (five years: 0)

Published By IGI Global

9781609602000, 9781609602024

Author(s): Princely Ifinedo

This study investigates the relationships between the contextual factor of national culture and information security concerns in the global financial services industry (GFSI). Essentially, this study attempts to expand the breadth of information provided in the recent 2009 Deloitte Touche Tohmatsu (DTT) survey, which reported such issues in the financial services industry. The inference from the 2009 DTT survey was that information security concerns across GFSI are being informed solely by industry-related standards or imperatives. As such, perceptions and attitudes towards such issues were thought to remain unchanged in differing contexts. Results from this study’s analysis showed that the perceptions of information security concerns in GFSI compared reasonably well, but also varied by some national cultural attributes to debunk such a claim. Corporate managers in the industry may benefit from this research’s findings as they formulate country-wide information security policies and strategies. As well, insights from this current effort indicate that it would be erroneous for practitioners to accept that entities in the financial services hold exactly the same view on information security issues in their industry. Future research avenues are discussed.


Author(s): Virginia Franke Kleist, Bonnie Morris, James W. Denton

Based on an actual company, this case focuses on Business Continuity Planning issues for a small but growing software company, Municipal Software Solutions, Inc. (MSS). The firm experienced a catastrophic fire which completely eliminated all aspects of the information systems infrastructure, including the software product code repository, the client access infrastructure, the hardware operations center, and the software design facility. Fortunately, no one was harmed, and the firm survived despite the fact that it did not have a formal disaster recovery plan in place. MSS was very lucky. The case can be used in conjunction with coverage of risk assessment concepts in the context of the availability component of systems reliability and trust of services management. Accordingly, it is appropriate for use in courses covering information systems security, accounting information systems, or IT audit.


Author(s): Lee Novakovic, Tanya McGill, Michael Dixon

The security of computer systems that store our data is a major issue facing the world. This research project investigated the roles of ease of use, facilitating conditions, intention to use passwords securely, experience and age on usage of passwords, using a model based on the Unified Theory of Acceptance and Use of Technology. Data was collected via an online survey of computer users, and analyzed using PLS. The results show there is a significant relationship between ease of use of passwords, intention to use them securely and the secure usage of passwords. Despite expectations, facilitating conditions only had a weak impact on intention to use passwords securely and did not influence actual secure usage. Computing experience was found to have an effect on intention to use passwords securely, but age did not. The results of this research lend themselves to assisting in policy design and better understanding user behavior.


Author(s): Madhu V. Ahluwalia, Aryya Gangopadhyay, Zhiyuan Chen

Association rule mining is an important data mining method that has been studied extensively by the academic community and has been applied in practice. In the context of association rule mining, the state-of-the-art in privacy preserving data mining provides solutions for categorical and Boolean association rules but not for quantitative association rules. This article fills this gap by describing a method based on discrete wavelet transform (DWT) to protect input data privacy while preserving data mining patterns for association rules. A comparison with an existing kd-tree based transform shows that the DWT-based method fares better in terms of efficiency, preserving patterns, and privacy.


Author(s): Ramakrishna Thurimella, William Mitchell

One of the most devastating forms of attack on a computer is when the victim doesn’t even know an attack occurred. After some background material, various forms of man-in-the-middle (MITM) attacks, including ARP spoofing, fake SSL certificates, and bypassing SSL, are explored. Next, rootkits and botnets, two key pieces of crimeware, are introduced and analyzed. Finally, general strategies to protect against such attacks are suggested.


Author(s): Ming Yang, Monica Trifas, Guillermo Francia, Lei Chen, Yongliang Hu

Information security has traditionally been ensured with data encryption techniques. Different generic data encryption standards, such as DES, RSA, and AES, have been developed. These encryption standards provide a high level of security to the encrypted data. However, they are not very efficient in the encryption of multimedia contents due to the large volume of digital image/video data. In order to address this issue, different image/video encryption methodologies have been developed. These methodologies encrypt only the key parameters of image/video data instead of encrypting it as a bitstream. Joint compression-encryption is a very promising direction for image/video encryption. Nowadays, researchers have started to utilize information hiding techniques to enhance the security level of data encryption methodologies. Information hiding conceals not only the content of the secret message, but also its very existence. In terms of the amount of data to be embedded, information hiding methodologies can be classified into low bitrate and high bitrate algorithms. In terms of the domain for embedding, they can be classified into spatial domain and transform domain algorithms. In this chapter, the authors have reviewed various data encryption standards, image/video encryption algorithms, and joint compression-encryption methodologies. Besides, the authors have also presented different categories of information hiding methodologies as well as data embedding strategies for digital image/video contents.


Author(s): Lei Chen, Wen-Chen Hu, Ming Yang, Lei Zhang

Secure e-mail standards, such as Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME), apply cryptographic algorithms to provide secure and private e-mail services over the public Internet. In this article, we first review a number of cryptographic ciphers, trust and certificate systems, and key management systems and infrastructures widely used in secure e-mail standards and services. We then focus on the discussion of several essential security and privacy issues, such as cryptographic cipher selection and operation sequences, in both PGP and S/MIME. This work tries to provide readers with a comprehensive impression of the security and privacy provided in the current secure e-mail services.


Author(s): Kirk P. Arnett, Gary F. Templeton, David A. Vance

Effective information security extends beyond using software controls that are so prominently discussed in the popular and academic literature. There must also be management influence and control. The best way to control information security is through formal policy and measuring the effectiveness of existing policies. The purpose of this research is to determine 1) what security elements are embedded in Web-based information security policy statements and 2) what security-related keywords appear more frequently. The authors use these findings to propose a density measure (the extent to which each policy uses security keywords) as an indicator of policy strength. For these purposes, they examine the security component of privacy policies of Fortune 100 Web sites. The density measure may serve as a benchmark that can be used as a basis for comparison across companies and the development of industry norms.


Author(s): Ian Reay, Patricia Beatty, Scott Dick, James Miller

Numerous countries around the world have enacted privacy-protection legislation, in an effort to protect their citizens and instill confidence in the valuable business-to-consumer E-commerce industry. These laws will be most effective if and when they establish a standard of practice that consumers can use as a guideline for the future behavior of e-commerce vendors. However, while privacy-protection laws share many similarities, the enforcement mechanisms supporting them vary hugely. Furthermore, it is unclear which (if any) of these mechanisms are effective in promoting a standard of practice that fits with the social norms of those countries. We present a large-scale empirical study of the role of legal enforcement in standardizing privacy protection on the Internet. Our study is based on an automated analysis of documents posted on the 100,000 most popular websites (as ranked by Alexa.com). We find that legal frameworks have had little success in creating standard practices for privacy-sensitive actions.


Author(s): Xunhua Wang, Hua Lin

Unlike existing password authentication mechanisms on the web that use passwords for client-side authentication only, password-authenticated key exchange (PAKE) protocols provide mutual authentication. In this article, we present an architecture to integrate existing PAKE protocols into the web. Our integration design consists of the client-side part and the server-side part. First, we implement the PAKE client-side functionality with a web browser plug-in, which provides a secure implementation base. The plug-in has a log-in window that can be customized by a user when the plug-in is installed. By checking the user-specific information in a log-in window, an ordinary user can easily detect a fake log-in window created by mobile code. The server-side integration comprises a web interface and a PAKE server. After a successful PAKE mutual authentication, the PAKE plug-in receives a one-time ticket and passes it to the web browser. The web browser authenticates itself by presenting this ticket over HTTPS to the web server. The plug-in then fades away and subsequent web browsing remains the same as usual, requiring no extra user education. Our integration design supports centralized log-ins for web applications from different web sites, making it appropriate for digital identity management. A prototype is developed to validate our design. Since PAKE protocols use passwords for mutual authentication, we believe that the deployment of this design will significantly mitigate the risk of phishing attacks.

