Social and Human Elements of Information Security
Latest Publications

Total documents: 19 (five years: 0)
H-index: 3 (five years: 0)

Published by IGI Global
ISBN: 9781605660363, 9781605660370

Author(s):  
Corey Hirsch ◽  
Jean-Noel Ezingeard

Achieving alignment of risk perception, assessment, and tolerance among and between management teams within an organisation is an important foundation upon which an effective enterprise information security management strategy can be built. We argue the importance of such alignment based on information security and risk assessment literature. Too often lack of alignment dampens clean execution of strategy, eroding support during development and implementation of information security programs. We argue that alignment can be achieved by developing an understanding of enterprise risk management plans and actions, risk perceptions and risk culture. This is done by examining context, context and process. We illustrate this through the case of LeCroy Corp., illustrating how LeCroy managers perceive risk in practice, and how LeCroy fosters alignment in risk perception and execution of risk management strategy as part of an overall information security program. We show that in some circumstances diversity of risk tolerance profiles aids a management team’s function. In other circumstances, variances lead to dysfunction. We have uncovered and quantified nonlinearities and special cases in LeCroy executive management’s risk tolerance profiles.


Author(s):  
Deapesh Misra

The Internet has established firm, deep roots in our day-to-day life. It has brought many revolutionary changes in the way we do things. One important consequence has been the way it has replaced human-to-human contact. This has also presented us with a new issue, which is the requirement for differentiating between real humans and automated programs on the Internet. Such automated programs are usually written with a malicious intent. CAPTCHAs play an important role in solving this problem by presenting users with tests which only humans can solve. This chapter looks into the need, the history, and the different kinds of CAPTCHAs that researchers have come up with to deal with the security implications of automated bots pretending to be humans. Various schemes are compared and contrasted with each other, the impact of CAPTCHAs on Internet users is discussed, and to conclude, the various possible attacks are discussed. The author hopes that the chapter will not only introduce this interesting field to the reader in its entirety, but also stimulate thought on new schemes.


Author(s):  
Steven Furnell

This chapter highlights the need for security solutions to be usable by their target audience, and examines the problems that can be faced when attempting to understand and use security features in typical applications. Challenges may arise from system-initiated events, as well as in relation to security tasks that users wish to perform for themselves, and can occur for a variety of reasons. This is illustrated by examining problems that arise as a result of reliance upon technical terminology, unclear or confusing functionality, lack of visible status and informative feedback to users, forcing users to make uninformed decisions, and a lack of integration amongst the different elements of security software themselves. The discussion draws upon a number of practical examples from popular applications, as well as results from survey and user trial activities that were conducted in order to assess the potential problems at first hand. The findings are used as the basis for recommending a series of top-level guidelines that may be used to improve the situation, and these are used as the basis for assessing further examples of existing software to determine the degree of compliance.


Author(s):  
Rauno Kuusisto ◽  
Tuija Kuusisto

The purpose of this chapter is to increase understanding of the complex nature of information security culture in a networked working environment. The viewpoint is comprehensive information exchange in a social system. The aim of this chapter is to raise discussion about information security culture development challenges when acting in a multicultural environment. This chapter does not introduce a method to handle complex cultural situations, but gives some notes to help understand what might be behind this complexity. Understanding the nature of this complex cultural environment is essential to form evolving and proactive security practices. Direct answers to formulate practices are not offered in this chapter, but certain general phenomena of the activity of a social system are pointed out. This will help readers to apply these ideas to their own solutions.


Author(s):  
Manish Gupta

Information security is becoming increasingly important and more complex as organizations are increasingly adopting electronic channels for managing and conducting business. However, state-of-the-art systems design methods have ignored several aspects of security that arise from human involvement or due to human factors. The chapter aims to highlight issues arising from the coalescence of the fields of systems requirements elicitation, information security, and human factors. The objective of the chapter is to investigate and suggest an agenda for the state of human factors in information assurance requirements elicitation from the perspectives of both organizations and researchers. Much research has been done in the area of requirements elicitation, both systems and security, but, invariably, human factors have not been taken into account during information assurance requirements elicitation. The chapter aims to find clues and insights into the acquisition behavior of human factors in information assurance requirements elicitation, to illustrate the current state of affairs in information assurance and requirements elicitation, and to show why the inclusion of human factors is required.


Author(s):  
Cynthia Kuo ◽  
Adrian Perrig ◽  
Jesse Walker

End users often find that security configuration interfaces are difficult to use. In this chapter, we explore how application designers can improve the design and evaluation of security configuration interfaces. We use IEEE 802.11 network configuration as a case study. First, we design and implement a configuration interface that guides users through secure network configuration. The key insight is that users have a difficult time translating their security goals into specific feature configurations. Our interface automates the translation from users’ high-level goals to low-level feature configurations. Second, we develop and conduct a user study to compare our interface design with commercially available products. We adapt existing user research methods to sidestep common difficulties in evaluating security applications. Using our configuration interface, non-expert users are able to secure their networks as well as expert users. In general, our research addresses prevalent issues in the design and evaluation of consumer-configured security applications.


Author(s):  
E. Yu ◽  
L. Liu ◽  
J. Mylopoulos

As software becomes more and more entrenched in everyday life in today’s society, security looms large as an unsolved problem. Despite advances in security mechanisms and technologies, most software systems in the world remain precarious and vulnerable. There is now widespread recognition that security cannot be achieved by technology alone. All software systems are ultimately embedded in some human social environment. The effectiveness of the system depends very much on the forces in that environment. Yet there are few systematic techniques for treating the social context of security together with technical system design in an integral way. In this chapter, we argue that a social ontology at the core of a requirements engineering process can be the basis for integrating security into a requirements driven software engineering process. We describe the i* agent-oriented modelling framework and show how it can be used to model and reason about security concerns and responses. A smart card example is used to illustrate. Future directions for a social paradigm for security and software engineering are discussed.


Author(s):  
Neil F. Doherty

Information is a critical corporate asset that has become increasingly vulnerable to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritize the security of their computer systems in order to ensure that their information assets retain their accuracy, confidentiality, and availability. While the importance of the information security policy (InSPy) in ensuring the security of information is acknowledged widely, to date there has been little empirical analysis of its impact or effectiveness in this role. To help fill this gap, an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated, and then targeted at IT managers within large organizations in the UK. The findings presented in this chapter are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding and its implications for the practice of information security management.


Author(s):  
Paul Drake

This chapter looks at information security as a primarily technological domain, and asks what could be added to our understanding if both technology and human activity were seen to be of equal importance. The aim is, therefore, to ground the domain both theoretically and practically from a technological and social standpoint. The solution to this dilemma is seen to be located in social theory, various aspects of which deal with both human and technical issues, but do so from the perspective of those involved in the system of concern. The chapter concludes by offering a model for evaluating information security from a social theoretical perspective, and guidelines for implementing the findings.


Author(s):  
Lilian Mitrou

This chapter addresses the issue of electronic workplace monitoring and its implications for employees’ privacy. Organisations increasingly use a variety of electronic surveillance methods to mitigate threats to their information systems. Monitoring technology spans different aspects of organisational life, including communications, desktop and physical monitoring, collecting employees’ personal data, and locating employees through active badges. The application of these technologies raises privacy protection concerns. Throughout this chapter, we describe different approaches to privacy protection followed by different jurisdictions. We also highlight privacy issues with regard to new trends and practices, such as teleworking and the use of RFID technology for identifying the location of employees. Emphasis is also placed on the reorganisation of work facilitated by information technology, since the frontiers between the private and the public sphere are becoming blurred. The aim of this chapter is twofold: we discuss privacy concerns and the implications of implementing employee surveillance technologies, and we suggest a framework of fair practices which can be used for bridging the gap between the need to provide adequate protection for information systems and the need to preserve employees’ rights to privacy.
