SwePub
Result list for search ""information security" ;pers:(Yngström Louise)"

  • Results 1-10 of 33
1.
  • Björck, Fredrik, 1972- (author)
  • Discovering Information Security Management
  • 2005
  • Doctoral thesis (other academic/artistic). Abstract:
    • This thesis is concerned with issues relating to the management of information security in organisations, motivated by the need for cost-efficient information security. It is based on the assumption that: in order to achieve cost-efficient information security, the point of departure must be knowledge about the empirical reality in which the management of information security takes place. The data gathering instruments employed are questionnaires with open-ended questions and unstructured research interviews. The empirical material is analysed, and conclusions are drawn following the principles of Grounded Theory. Data sources are professionals in the area of information security management, including information security consultants (n=13), certification auditors (n=8), and information security managers (n=8). The main contributions are: an integrated model illustrating the experts’ perceptions concerning the objectives, actors, resources, threats, and countermeasures of information security management; a framework for the evaluation, formation, and implementation of information security management systems; a new approach for the evaluation of information security in organisations; a set of success factors concerning the formation of information security management systems; and a problem inventory concerning the value and assessment of information security education and training.
  •  
2.
  • Kowalski, Stewart, et al. (author)
  • Information Security Metrics: Research Directions
  • 2011
  • Conference paper (peer-reviewed). Abstract:
    • This paper is largely based on a state of the art report covering the information security (IS) metrics area produced as part of the Controlled Information Security (COINS) research project funded by the Swedish Civil Contingencies Agency (MSB) and the comprehensive literature review conducted while compiling the report. The report's findings are summarized and some of the key issues discovered in the course of the literature review are reflected upon. Additionally, the paper describes a conceptual systemic scheme/model for the research process, while explaining its relevance to the subject area, that may help with resolution of the outlined issues in future research in the area. The paper is written principally with a management/governance (rather than engineering) perspective in mind.
  •  
3.
  •  
4.
  •  
5.
  • Karokola, G., et al. (author)
  • Towards an information security maturity model for secure e-Government services : A stakeholders view
  • 2011
  • In: Proceedings of the 5th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2011. ; , pp. 58-73
  • Conference paper (peer-reviewed). Abstract:
    • The paper proposes a comprehensive information security maturity model (ISMM) that addresses both technical and socio/non-technical security aspects. The model is intended for securing e-government services (implementation and service delivery) in an emerging and increasing security risk environment. The paper utilizes extensive literature review and survey study approaches. A total of eight existing ISMMs were selected and critically analyzed. Models were then categorized into security awareness, evaluation and management orientations. Based on the model's strengths, three models were selected to undergo further analyses and then synthesized. Each of the three selected models was either from the security awareness, evaluation or management orientations category. To affirm the findings, a survey study was conducted into six government organizations located in Tanzania. The study was structured to a large extent by the security controls adopted from the Security By Consensus (SBC) model. Finally, an ISMM with five critical maturity levels was proposed. The maturity levels were: undefined, defined, managed, controlled and optimized. The paper's main contribution is the proposed model that addresses both technical and non-technical security services within the critical maturity levels. Additionally, the paper enhances awareness and understanding on the needs for security in e-government services to stakeholders.
  •  
6.
  • Abbas, Haider, et al. (author)
  • Architectural Description of an Automated System for Uncertainty Issues Management in Information Security
  • 2010
  • In: International Journal of Computer Science and Information Security. - USA. - 1947-5500. ; 8:3, pp. 59-67
  • Journal article (peer-reviewed). Abstract:
    • Information technology evolves at a faster pace giving organizations a limited scope to comprehend and effectively react to steady flux nature of its progress. Consequently the rapid technological progression raises various concerns for the IT system of an organization i.e. existing hardware/software obsoleteness, uncertain system behavior, interoperability of various components/method, sudden changes in IT security requirements and expiration of security evaluations. These issues are continuous and critical in their nature that create uncertainty in IT infrastructure and threaten the IT security measures of an organization. In this research, Options theory is devised to address uncertainty issues in IT security management and the concepts have been developed/validated through real cases on SHS (Spridnings-och-Hämtningssystem) and ESAM (E-society) systems. AUMSIS (Automated Uncertainty Management System in Information Security) is the ultimate objective of this research which provides an automated system for uncertainty management in information security. The paper presents the architectural description of AUMSIS, its various components, information flow, storage and information processing details using options valuation techniques. It also presents heterogeneous information retrieval problems and their solution. The architecture is validated with examples from SHS system.
  •  
7.
  • Karokola, Geoffrey Rwezaura, et al. (author)
  • Towards An Information Security Maturity Model for Secure e-Government Services: A Stakeholders View
  • 2011
  • In: Proceedings of the 5th International Symposium on Human Aspects of Information Security & Assurance. - : HAISA. - 9781841022840 ; , pp. 58-73
  • Conference paper (peer-reviewed). Abstract:
    • The paper proposes a comprehensive information security maturity model (ISMM) that addresses both technical and socio/non-technical security aspects. The model is intended for securing e-government services (implementation and service delivery) in an emerging and increasing security risk environment. The paper applied an inductive approach that utilizes extensive literature review and survey study approaches. A total of eight existing ISMMs were selected and critically analyzed. Models were then categorized into security awareness, evaluation and management orientations. Based on the model’s strengths – three models were selected to undergo further analyses and then they were synthesized. Each of the three selected models was either from the security awareness, evaluation or management orientations category. To affirm the findings – a survey study was conducted into six government organizations located in Tanzania. The study was structured to a large extent by the security controls adopted from the Security By Consensus (SBC) model. Finally, an ISMM with five critical maturity levels was proposed. The maturity levels were: undefined, defined, managed, controlled and optimized. The paper's main contribution is the proposed model that addresses both technical and non-technical security services within the critical maturity levels. Additionally, the paper enhances awareness and understanding on the need for security services to be an integral part of e-government services to stakeholders.
  •  
8.
  • Hallberg, Jonas, et al. (author)
  • Controlled Information Security: How to recognize and improve organizational information security status
  • 2010
  • Report (other academic/artistic). Abstract:
    • This report is a compilation of the first three main reports of the COINS project (Yngström et al., 2009a, Yngström et al., 2009b, Hallberg & Lundholm 2009). The COntrolled INformation Security (COINS) research project was established to address the needs of understanding, learning and eventually managing information security (IS) in organizations. It has proved to be difficult for organizations, including government agencies, to reach adequate information security levels, as illustrated by a report from the Swedish national audit office published in 2007 (RiR, Swedish National Audit Office 2007). Despite much research and work conducted within the area, auditing and assessments frequently find inadequacies in how practical IS is handled, and, as it seems, there are frequent discrepancies in how IS is perceived by humans and what degree of IS that is actually performed. The three first reports of COINS present in detail the design, modeling and test of six constructs – frameworks and models – for assessing IS. The different constructs compute and discuss the metrics provided in three different ways. This report targets mainly the participants at the agency at which the tests of IS metrics were conducted. The concept of an IS metric is interpreted widely following the definition from Hallberg et al. (2004): “A security metric contains three main parts: a magnitude, a scale and an interpretation. The security values of systems are measured according to a specified magnitude and related to a scale. The interpretation prescribes the meaning of obtained security values”, and aims at the formulation of viable IS metrics. Therefore this report is also an input to a validation test of the practical results obtained, while the theoretical validation rests with the reasoning presented in the two first reports.
The approach taken differs from the ordinary 27000-standard based analyses in that the idealized communication structure starts from demands of an information system in total, and views communication as equal to steering and control. Thereby, both the social and the technical layers in communication are included as are the strategic, tactic and operational decision levels and their equivalent life cycle stages. Metrics focusing the control system underline that complex information systems necessarily must handle existing variety including its IS. Some of the findings, which still have to be verified by the agency, are: 1. the relative focus for the agency’s documentation correlates rather well with the relative focus of the controls specified in appendix A of the standard ISO/IEC 27001, 2. the agency seems partly to fulfill the security policy, which it has defined itself, 3. the agency tends to focus on operative matters and on acting when something has happened, rather than emphasize planning and developing and carrying out proactive information security work. A general observation of all COINS’ constructs, on which metrics in the report are based, is that the standard may not explicitly identify senders respectively receivers of messages. This is illustrated by the metrics connected to ISO/IEC appendix A, which show that most of the controls listed (76%) do not have an entity assigned to them. Apart from COINS’ work with metrics being verified by the participating agency, future work involves developing a faster and eventually also recursive method for analyzing and extracting interesting data for metrics use, as well as providing more transparent views on the models. The research is planned to continue for one further year.
  •  
9.
  • Mwakalinga, Jeffy, 1962- (author)
  • A Framework for Adaptive Information Security Systems : A Holistic Investigation
  • 2011
  • Doctoral thesis (other academic/artistic). Abstract:
    • This research proposes a framework for adaptive information security systems that considers both the technical and social aspects of information systems security. Initial development of information systems security focused on computer technology and communication protocols. Researchers and designers did not consider culture, traditions, ethics, and other social issues of the people using the systems when designing and developing information security systems. They also seemed to ignore environments where these systems run and concentrated only on securing parts of the information systems. Furthermore, they did not pay adequate attention to the enemies of information systems and the need for adaption to a changing environment. The consequences of this lack of attention to a number of important factors have given us the information security systems that we have today, which appear to be systemically insecure. To approach this systemic insecurity problem the research was divided into mini studies that were based on the Systemic-Holistic paradigm, Immune System concepts, and Socio-Technical System theory. Applying the holistic research process the author started first by exploring adaptation systems. After exploring these systems, the focus of the research was to understand the systems and features required for making information security systems learn to adapt to the changing environments. Designing and testing the adaptive framework were the next steps. The acquired knowledge from this research was structured into domains in accordance to ontological principles and relationship between domains was studied. These domains were then integrated with the security value-based chain concept, which include deterrence, prevention, detection, response, and recovery functions to create a framework for adaptive information security systems.
The results of the mini studies were reported in a number of papers, which were published in proceedings of international conferences and a journal. For this work, 12 of the thesis papers are included. A framework for adaptive information security system was created. Trials to apply and validate the framework were performed using three methods. The first method was a panel validation, which showed that the framework could be used for providing adaptive security measures and structuring security work. The second method mapped the framework to the security standards, which showed that the framework was aligned with the major information systems security standards. The third and last validation method was to map the framework with reported ICT crimes cases. The results indicated that most crimes appear to occur because the security systems in place lacked deterrence security measures and had weak prevention, detection, and response security measures. The adaptive information security systems framework was also applied to a number of areas including a secure e-learning, social networks, and telemedicine systems. It is concluded in this thesis that this adaptive information security system framework can be applied to minimize a number of systemic insecurity problems and warrants more applied research and practical implementations.
  •  
10.
  • Abbas, Haider, et al. (author)
  • Addressing Dynamic Issues in Information Security Management
  • 2011
  • In: Information Management & Computer Security. - UK : Emerald Group Publishing Limited. - 0968-5227 .- 1758-5805. ; 19:1, pp. 5-24
  • Journal article (peer-reviewed). Abstract:
    • A framework for handling uncertainty within information security management systems is presented. The framework is based on theories from corporate finance. A case study shows how the framework can be applied.
  •  
Type of publication
conference paper (17)
doctoral thesis (6)
other publication (4)
journal article (4)
report (1)
book (1)
Type of content
peer-reviewed (19)
other academic/artistic (10)
popular science, debate, etc. (4)
Author/editor
Kowalski, Stewart (12)
Abbas, Haider (5)
Hemani, Ahmed (5)
Magnusson, Christer (4)
Hallberg, Jonas (4)
Monfelt, Yngve (4)
Pilemalm, Sofie (3)
Barabanov, Rostyslav (3)
Mwakalinga, G Jeffy (3)
Yngström, Louise, Pr ... (2)
Davidson, Alan (2)
Karokola, Geoffrey (2)
Karokola, Geoffrey R ... (2)
Abbas, Haider, 1979- (1)
Ahmed, Hemani, Profe ... (1)
T. Siponen, Mikko, P ... (1)
Lindskog, Stefan (1)
Kowalski, Stewart, P ... (1)
Yngström, Louise, Pr ... (1)
Fischer-Hübner, Simo ... (1)
Björck, Fredrik, 197 ... (1)
Baskerville, Richard (1)
Eriksson, Margaretha (1)
Rannenberg, Kai (1)
Caroline Kiondo, Car ... (1)
Casmir, Respickius, ... (1)
Virtanen, Teemupekka (1)
Eloff, Mariki, Profe ... (1)
Moradian, Esmiralda (1)
Söderström, Eva, Doc ... (1)
Futcher, L. (1)
Lundholm, Kristoffer (1)
Karokola, Geoffrey R ... (1)
Yngström Valdre, Lou ... (1)
Karokola, G. (1)
Mwakalinga, Jeffy, 1 ... (1)
Kowalski, Stewart, D ... (1)
Armstrong, Helena, A ... (1)
Armstrong, Helen (1)
Wahlgren, Gunnar, 19 ... (1)
Pileman, Sofie (1)
University
Stockholms universitet (21)
Kungliga Tekniska Högskolan (14)
Karlstads universitet (1)
Language
English (33)
Research subject (UKÄ/SCB)
Natural sciences (28)
Engineering and technology (2)
Social sciences (1)