SwePub

Result list for search "WFRF:(Yngström Louise)"


  • Results 1-50 of 95
1.
  • Abbas, Haider, et al. (author)
  • A Structured Approach for Internalizing Externalities Caused by IT Security Mechanisms
  • 2010
  • In: IEEE ETCS 2010. - Wuhan, China. ; , pp. 149-153
  • Conference paper (peer-reviewed). Abstract:
    • Organizations relying on Information Technology for their business processes have to employ various Security Mechanisms (Authentication, Authorization, Hashing, Encryption etc) to achieve their organizational security objectives of data confidentiality, integrity and availability. These security mechanisms, apart from their intended role of increased security level for this organization, may also affect other systems outside the organization in a positive or negative manner, called externalities. Externalities emerge in several ways i.e. direct cost, direct benefit, indirect cost and indirect benefit. Organizations barely consider positive externalities although they can be beneficial and the negative externalities that could create vulnerabilities are simply ignored. In this paper, we will present an infrastructure to streamline information security externalities that appear dynamically for an organization
2.
  • Abbas, Haider, et al. (author)
  • Adaptability Infrastructure for Bridging IT Security Evaluation and Options Theory
  • 2009
  • In: ACM-IEEE SIN 2009 International Conference on Security of Information and Networks. - North Cyprus : ACM Press. - 9781605584126
  • Conference paper (peer-reviewed). Abstract:
    • The constantly rising threats in IT infrastructure raise many concerns for an organization, altering security requirements according to dynamically changing environment, need of midcourse decision management and deliberate evaluation of security measures are most striking. Common Criteria for IT security evaluation has long been considered to be victimized by uncertain IT infrastructure and considered resource hungry, complex and time consuming process. Considering this aspect we have continued our research quest for analyzing the opportunities to empower IT security evaluation process using Real Options thinking. The focus of our research is not only the applicability of real options analysis in IT security evaluation but also observing its implications in various domains including IT security investments and risk management. We find it motivating and worth doing to use an established method from corporate finance i.e. real options and utilize its rule of thumb technique as a road map to counter uncertainty issues for evaluation of IT products. We believe employing options theory in security evaluation will provide the intended benefits. i.e. i) manage dynamically changing security requirements ii) accelerating evaluation process iii) midcourse decision management. Having all the capabilities of effective uncertainty management, options theory follows work procedures based on mathematical calculations quite different from information security work processes. In this paper, we will address the diversities between the work processes of security evaluation and real options analysis. We present an adaptability infrastructure to bridge the gap and make them coherent with each other. This liaison will transform real options concepts into a compatible mode that provides grounds to target IT security evaluation and common criteria issues. We will address ESAM system as an example for illustrations and applicability of the concepts.
4.
  • Abbas, Haider, et al. (author)
  • Addressing Dynamic Issues in Information Security Management
  • 2011
  • In: Information Management & Computer Security. - UK : Emerald Group Publishing Limited. - 0968-5227 .- 1758-5805. ; 19:1, pp. 5-24
  • Journal article (peer-reviewed). Abstract:
    • A framework for handling uncertainty in information security management systems is presented. The framework is based on theories from corporate finance. A case study shows how the framework can be applied.
6.
  • Abbas, Haider, et al. (author)
  • Architectural Description of an Automated System for Uncertainty Issues Management in Information Security
  • 2010
  • In: International Journal of Computer Science and Information Security. - USA. - 1947-5500. ; 8:3, pp. 59-67
  • Journal article (peer-reviewed). Abstract:
    • Information technology evolves at a faster pace giving organizations a limited scope to comprehend and effectively react to steady flux nature of its progress. Consequently the rapid technological progression raises various concerns for the IT system of an organization i.e. existing hardware/software obsoleteness, uncertain system behavior, interoperability of various components/method, sudden changes in IT security requirements and expiration of security evaluations. These issues are continuous and critical in their nature that create uncertainty in IT infrastructure and threaten the IT security measures of an organization. In this research, Options theory is devised to address uncertainty issues in IT security management and the concepts have been developed/validated through real cases on SHS (Spridnings-och-Hämtningssystem) and ESAM (E-society) systems. AUMSIS (Automated Uncertainty Management System in Information Security) is the ultimate objective of this research which provides an automated system for uncertainty management in information security. The paper presents the architectural description of AUMSIS, its various components, information flow, storage and information processing details using options valuation techniques. It also presents heterogeneous information retrieval problems and their solution. The architecture is validated with examples from SHS system
9.
  • Abbas, Haider, et al. (author)
  • Option Based Evaluation: Security Evaluation of IT Products Based on Options Theory
  • 2009
  • In: IEEE ECBS-EERC 2009. - New York : IEEE. - 9781424446773 ; , pp. 134-141
  • Conference paper (peer-reviewed). Abstract:
    • Reliability of IT systems and infrastructure is a critical need for organizations to trust their business processes. This makes security evaluation of IT systems a prime concern for these organizations. Common Criteria is an elaborate, globally accepted security evaluation process that fulfills this need. However CC rigidly follows the initial specification and security threats and takes too long to evaluate and as such is also very expensive. Rapid development in technology and with it the new security threats further aggravates the long evaluation time problem of CC to the extent that by the time a CC evaluation is done, it may no longer be valid because new security threats have emerged that have not been factored in. To address these problems, we propose a novel Option Based Evaluation methodology for security of IT systems that can also be considered as an enhancement to the CC process. The objective is to address uncertainty issues in IT environment and speed up the slow CC based evaluation processes. OBE will follow incremental evaluation model and address the following main concerns based on options theory i.e. i) managing dynamic security requirement with mid-course decision management ii) devising evaluation as an improvement process iii) reducing cost and time for evaluation of an IT product.
10.
  • Abbas, Haider, 1979- (author)
  • Options-Based Security-Oriented Framework for Addressing Uncertainty Issues in IT Security
  • 2010
  • Doctoral thesis (other academic/artistic). Abstract:
    • Continuous development and innovation in Information Technology introduces novel configuration methods, software development tools and hardware components. This steady state of flux is very desirable as it improves productivity and the overall quality of life in societies. However, the same phenomenon also gives rise to unseen threats, vulnerabilities and security concerns that are becoming more critical with the passage of time. As an implication, technological progress strongly impacts organizations’ existing information security methods, policies and techniques, making obsolete existing security measures and mandating reevaluation, which results in an uncertain IT infrastructure. In order to address these critical concerns, an options-based reasoning borrowed from corporate finance is proposed and adapted for evaluation of security architecture and decision-making to handle them at organizational level. Options theory has provided significant guidance for uncertainty management in several domains, such as Oil & Gas, government R&D and IT security investment projects. We have applied options valuation technique in a different context to formalize optimal solutions in uncertain situations for three specific and identified uncertainty issues in IT security. In the research process, we formulated an adaptation model for expressing options theory in terms useful for IT security which provided knowledge to formulate and propose a framework for addressing uncertainty issues in information security. To validate the efficacy of this proposed framework, we have applied this approach to the SHS (Spridnings- och Hämtningssystem) and ESAM (E-Society) systems used in Sweden.
As an ultimate objective of this research, we intend to develop a solution that is amenable to automation for the three main problem areas caused by technological uncertainty in information security: i) dynamically changing security requirements, ii) externalities caused by a security system, iii) obsoleteness of evaluation. The framework is general and capable of dealing with other uncertainty management issues and their solutions, but in this work we primarily deal with the three aforementioned uncertainty problems. The thesis presents an in-depth background and analysis study for a proposed options-based security-oriented framework with case studies for SHS and ESAM systems. It has also been assured that the framework formulation follows the guidelines from industry best practices criteria/metrics. We have also proposed how the whole process can be automated as the next step in development.
12.
  • Abbas, Haider, et al. (author)
  • Security Evaluation of IT Products : Bridging the Gap between Common Criteria (CC) and Real Option Thinking
  • 2008
  • In: WCECS 2008. - 9789889867102 ; , pp. 530-533
  • Conference paper (peer-reviewed). Abstract:
    • Information security has long been considered as a key concern for organizations benefiting from the electronic era. Rapid technological developments have been observed in the last decade which has given rise to novel security threats, making IT an uncertain infrastructure. For this reason, the business organizations have an acute need to evaluate the security aspects of their IT infrastructure. For many years, CC (Common Criteria) has been widely used and accepted for evaluating the security of IT products. It does not impose predefined security rules that a product should exhibit but a language for security evaluation. CC has certain advantages over ITSEC, CTCPEC and TCSEC due to its ability to address all the three dimensions: a) it provides opportunity for users to specify their security requirements, b) an implementation guide for the developers and c) provides comprehensive criteria to evaluate the security requirements. Among the few notable shortcomings of CC is the amount of resources and a lot of time consumption. Another drawback of CC is that the security requirements in this uncertain IT environment must be defined before the project starts. ROA is a well known modern methodology used to make investment decisions for the projects under uncertainty. It is based on options theory that provides not only strategic flexibility but also helps to consider hidden options during uncertainty. ROA comes in two flavors: first for the financial option pricing and second for the more uncertain real world problems where the end results are not deterministic. Information security is one of the core areas under consideration where researchers are employing ROA to take security investment decisions. In this paper, we give a brief introduction of ROA and its use in various domains.
We will evaluate the use of Real options based methods to enhance the Common Criteria evaluation methodology to manage the dynamic security requirement specification and reducing required time and resources. We will analyze the possibilities to overcome CC limitations from the perspective of the end user, developer and evaluator. We believe that with the ROA enhanced capabilities will potentially be able to stop and possibly reverse this trend and strengthen the CC usage with a more effective and responsive evaluation methodology.
14.
  • Al Sabbagh, Bilal, 1978- (author)
  • Cybersecurity Incident Response : A Socio-Technical Approach
  • 2019
  • Doctoral thesis (other academic/artistic). Abstract:
    • This thesis examines the cybersecurity incident response problem using a socio-technical approach. The motivation of this work is the need to bridge the knowledge and practise gap that exists because of the increasing complexity of cybersecurity threats and our limited capability of applying cybersecurity controls necessary to adequately respond to these threats. Throughout this thesis, knowledge from Systems Theory, Soft Systems Methodology and Socio-Technical Systems is applied to examine and document the socio-technical properties of cybersecurity incident response process. The holistic modelling of cybersecurity incident response process developed concepts and methods tested to improve the socio-technical security controls and minimise the existing gap in security controls. The scientific enquiry of this thesis is based on pragmatism as the underpinning research philosophy. The thesis uses a design science research approach and embeds multiple research methods to develop five artefacts (concept, model, method, framework and instantiation) outlined in nine peer-reviewed publications. The instantiated artefact embraces the knowledge developed during this research to provide a prototype for a socio-technical security information and event management system (ST-SIEM) integrated with an open source SIEM tool. The artefact relevance was validated through a panel of cybersecurity experts using a Delphi method. The Delphi method indicated the artefact can improve the efficacy of handling cybersecurity incidents.
15.
  • Bakari, Jabiri Kuwe, 1970- (author)
  • A Holistic Approach for Managing ICT Security in Non-Commercial Organisations : A Case Study in a Developing Country
  • 2007
  • Doctoral thesis (other academic/artistic). Abstract:
    • The research reported here is about improvement of the ICT security management process in non-commercial organisations in order to reduce possible financial damage, taking into consideration the realities found in developing countries. The research took place in a developing country—Tanzania, where five organisations were involved. The study is organised into seven papers covering: the state of ICT security management in the organisations; prerequisites when utilising the existing ICT security management approaches in attaining a solution for managing ICT security in the organisations; issues and challenges of managing ICT security; important aspects to be taken into consideration in order to successfully manage ICT security; and how the management of ICT security in non-commercial organisations could be improved. Among others, the research was motivated by the observed need for bridging the perception gap between the management and technicians when dealing with the ICT security problem, and consequently extending to a common understanding by the staff in the various departments and specialities within and between the departments. The thesis contributes to increased empirical knowledge on the importance of the holistic ICT security management process. Particularly, our main contribution is the proposed holistic approach for managing ICT security in non-commercial organisations, organised in the form of guidelines with two main phases: the initialisation phase which involved the introduction of the ICT security management process in the organisation; and the internalised and continuous phase.
17.
  • Bakari, Jabiri Kuwe, et al. (author)
  • State of ICT security management in the institutions of higher learning in developing countries : Tanzania case study
  • 2005
  • In: 5th IEEE International Conference on Advanced Learning Technologies, Proceedings. - 0769523382 ; , pp. 1007-1011
  • Conference paper (peer-reviewed). Abstract:
    • Information and Communication Technology (ICT) is of strategic importance and essential functional requirements for many institutions of higher learning. In the developing world, ICT is achieving a breakthrough in management and teaching of online learning, which helps to cater for the increased student population. However the security of the information being processed, stored and exchanged is a growing concern to the management as the dependence on ICT for most of the institutions' core services functions is increasing. This paper discusses the current state of ICT security management practices in three institutions of higher learning in Tanzania. The discussion includes the problems and consequences of ICT risks.
18.
  • Bakari, Jabiri Kuwe, et al. (author)
  • The mitigation of ICT risks using EMITL tool : An empirical study
  • 2005
  • In: Security Management, Integrity, and Internal Control in Information Systems. - 9780387298269 - 9780387311678 ; , pp. 157-173
  • Conference paper (peer-reviewed). Abstract:
    • As the dependence on ICT in running organisations' core services is increasing, so is the exposure to the associated risks due to ICT use. In order to meet organisational objectives in ICT dependent organisations, risks due to ICT insecurity need to be addressed effectively and adequately. To achieve this, organisations must have effective means for the management of ICT risks. This involves assessment of the actual exposure to ICT risks relevant to their environment and implementation of relevant countermeasures based on the assessment results. On the contrary, in most organisations, ICT security (or ICT risk management) is perceived by the top management as a technical problem. As a result, measures for ICT risk mitigation that are ultimately put in place in such organisations tend to be inadequate. Furthermore, the traditional way of managing risks by transferring them to the insurance companies is not yet working, as it is difficult to estimate the financial consequences due to ICT-related risks. There is, therefore, a need to have methods or ways which can assist in interpreting ICT risks into a financial context (senior management language) thereby creating a common understanding of ICT risks among technical people and the management within ICT-dependent organisations. With a common understanding, it would be possible to realise a coordinated approach towards ICT risk mitigation. This paper is an attempt to investigate whether ICT risk mitigation can be enhanced using a customised software tool. A software tool for converting financial terminologies (financial risk exposure) to corresponding ICT security terminologies (countermeasures) is presented. The Estimated Maximum Information Technology Loss (EMitL) tool is investigated for its suitability as an operational tool for the above-mentioned purpose. 
EMitL is a tool utilised in a framework (Business Requirements on Information Technology Security BRITS) to bridge the understanding gap between senior management and the technical personnel (when it comes to ICT risk management). This work is based on an empirical study which involved interviews and observations conducted in five non-commercial organisations in Tanzania. The study was designed to establish the state of ICT security management practice in the studied organisations. The results of the study are being used here to investigate the applicability of the EMitL tool to address the observed state. The results from this study show that it is possible to customise EMitL into a usefully operational tool for interpreting risk exposure due to ICT into corresponding countermeasures. These results underline the need to further improve EMitL for wider use.
20.
  • Björck, Fredrik, 1972- (author)
  • Discovering Information Security Management
  • 2005
  • Doctoral thesis (other academic/artistic). Abstract:
    • This thesis is concerned with issues relating to the management of information security in organisations, motivated by the need for cost-efficient information security. It is based on the assumption that: in order to achieve cost-efficient information security, the point of departure must be knowledge about the empirical reality in which the management of information security takes place. The data gathering instruments employed are questionnaires with open-ended questions and unstructured research interviews. The empirical material is analysed, and conclusions are drawn following the principles of Grounded Theory. Data sources are professionals in the area of information security management, including information security consultants (n=13), certification auditors (n=8), and information security managers (n=8). The main contributions are: an integrated model illustrating the experts’ perceptions concerning the objectives, actors, resources, threats, and countermeasures of information security management; a framework for the evaluation, formation, and implementation of information security management systems; a new approach for the evaluation of information security in organisations; a set of success factors concerning the formation of information security management systems; and a problem inventory concerning the value and assessment of information security education and training.
21.
  • Caroline Kiondo, Caroline, et al. (author)
  • Exploring Security Risks in Virtual Economies
  • 2011
  • In: First International Conference on Social Eco-Informatics.
  • Conference paper (peer-reviewed). Abstract:
    • A most recent phenomenon within new socio-eco-systems is the so-called Virtual Economies. This paper presents an exploratory study of information security risks that are inherent with the Virtual Economies. A Dynamic Network Analysis Tools (DNAT) was used to perform a risk analysis in the Second Life virtual world. The analysis indicates that the currency and user account are the most important assets. User accounts provide access to virtual trading and are critical to the flow of currency within the virtual economy. The removal of both of these from the system will affect the dynamics of the system and defeat the whole purpose of the system. The analysis further identified selling and creation of virtual goods to be important tasks in order to maintain a successful Virtual Economy. If a threat occurs that manipulates the creation of virtual goods then it would affect the trading of virtual goods between the users of the system hence affecting the economy. It is important that users who invest in such an economy to be aware of possible risks associated with this. As the field expands and more internet communities adopt this business model all parties involved need to think of strategies to protect assets that exist within this type of environment.
22.
  • Casmir, Respickius, 1969- (author)
  • A Dynamic and Adaptive Information Security Awareness (DAISA) Approach
  • 2005
  • Doctoral thesis (other academic/artistic). Abstract:
    • Information systems fail not only because of problems with technology used and technical incompetence of professionals administering them but also because of lack of security awareness to the end users. In addition, various research results have revealed that security and reliability of IS/IT systems is a function of technology, processes and people. This research has focused on the latter aiming at developing an integrated information security education, training and awareness learning continuum. Particularly, the research has focused on developing countries where a little has been done to address information security learning continuum. The research has been done in two cyclic phases in which cycle one has chiefly addressed security education and training aspects whereas cycle two has mainly focused on security awareness aspects. Based on empirical analysis of security practices in organisations; the thesis proposes a Dynamic and Adaptive Information Security Awareness (DAISA) approach. Founded on six interdependent pillars, the approach delineates high level guidelines for establishing and maintaining information security awareness programs at workplaces.
23.
  • Chaula, Job Asheri, 1968- (author)
  • A Socio-technical Analysis of Information Systems Security Assurance : A Case Study for Effective Assurance
  • 2006
  • Doctoral thesis (other academic/artistic). Abstract:
    • This thesis examines the concepts of Information System (IS) security assurance using a socio-technical framework. IS security assurance deals with the problem of estimating how well a particular security system will function efficiently and effectively in a specific operational environment. In such environments, the IS interact with other systems such as ethical, legal, operational and administrative. Security failure in any of these systems may result in security failure of the whole system. In this thesis a socio-technical framework is used to examine culture, usability problems, security internal controls, security requirements and re-use of security requirements of TANESCO information systems. TANESCO is the energy utility company in Tanzania where the case study was conducted. Results show that culture affects the way people approach IS security. Also results show that the socio-technical framework is effective in modeling systems security and its environment. The re-use of security requirements is also shown to significantly minimise the time taken when developing and improving security requirements for an IS. The overall purpose of this thesis has been to develop a framework for information systems security assurance. The resulting framework of thinking brings together numerous assurance concepts into a coherent explanation that should be useful for any organisation or evaluators seeking to understand the underlying principles of systems security assurance. It contains organisational, cultural, and technical issues that should be looked at when considering and applying systems security assurance methods and techniques.
24.
  • Ciobanu Morogan, Matei, 1973- (author)
  • Security system for ad-hoc wireless networks based on generic secure objects
  • 2005
  • Doctoral thesis (other academic/artistic). Abstract:
    • As computing devices and wireless connectivity become ubiquitous, new usage scenarios emerge, where wireless communication links between mobile devices are established in an ad-hoc manner. The resulting wireless ad-hoc networks differ from classical computer networks in a number of ways, lack of permanent access to the global network and heterogeneous structure being some of them. Therefore, security services and mechanisms that have been designed for classical computer networks are not always the optimal solution in an ad-hoc network environment. The research is focused on analyzing how standard security services that are available in classical networks can be provided in an ad-hoc wireless network environment. The goal is to design a security system optimized for operation in ad-hoc wireless networks that provides the same security services – authentication, access control, data confidentiality and integrity, non-repudiation – currently available in classic wired networks. The first part of the thesis is the design and implementation of a security platform based on generic secure objects. The flexible and modular nature of this platform makes it suitable for deployment on devices that form ad-hoc networks – ranging from Java-enabled phones to PDAs and laptops. We then investigate the problems that appear when implementing in ad-hoc networks some of the security technologies that are standard building blocks of secure systems in classical computer networks. Two such technologies have been found to present problems, namely the areas of certification and access control. In a series of articles, we have described the problems that appear and devised solutions to them by designing protocols, techniques and extensions to standards that are optimized for usage in the ad-hoc network environment. 
These techniques, together with the functionality provided by the underlying security platform, are used to implement all standard security services – confidentiality, authentication, access control, non repudiation and integrity, allowing to integrate ad-hoc networks into the existing security infrastructure.
25.
  • Davidson, Alan, et al. (author)
  • A Swedish IT forensics course – expert opinions
  • 2009
  • In: International Journal of Electronic Security and Digital Forensics. - 1751-911X .- 1751-9128. ; 2:3, pp. 322-333
  • Journal article (peer-reviewed). Abstract:
    • There is mounting pressure for institutes of higher education to fill society's need for qualified IT forensics practitioners. Despite that pressure, it is not clear how that need should be filled, for whom, and by whom. There are many published texts available on which one might base a course, though they are primarily written for English speaking countries. Given the differences in legal practices in different countries, and forensics' dependency on legal procedures, it is not clear how applicable such texts are to Swedish education in the subject. This paper summarises some of the ongoing work at the Department of Computer and Systems Sciences at Stockholm University where we seek to define what the primary elements of a Swedish IT forensics education should be. Interviews conducted with specialists in IT law and IT forensics indicate that there are discrepancies between how representatives from on the one hand the public legal system and on the other private enterprise view the need and the subject matter.
26.
  • Dayarathna, Rasika, et al. (author)
  • Attitudes toward Privacy amongst Young International Academics
  • 2006
  • In: Innovations for a Knowledge Economy. - 9558974048 ; , pp. 66-72
  • Conference paper (peer-reviewed). Abstract:
    • Article 17 and 25 of the EU Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, state that the nature of the data should be taken into account in determining the appropriate level of security for processing and transferring personal data. Except Article 8, which mentions special category of personal data called sensitive data, the directive is silent on the nature of the data. The main objective of this study was to identify the relationship between the level of protection required for the personal data and the nature of the data. Another aspect of this study was to identify under what circumstances individuals were willing to compromise their information privacy. A survey was conducted among young academics in the field of information and communication technology. The participants demanded a higher level of protection for their bank account details, credit and debit card transaction details, income tax details, medical reports on serious illnesses, credit report details and general medical reports. On the other hand, age, both academic and professional qualifications, marital status, hobbies and occupations were considered as low privacy concerned items. Other interesting finding was that the participants prefer to compromise their privacy for public safety and health care rather than compromise their privacy for national security. A large number of participants were not willing to compromise their privacy for research activities. More than one third of the participants were willing to pay for privacy enhancing technologies while one third of the participants were willing to compromise their privacy for short term financial benefits. Even though article 8 of the EU Directive 95/46/EC imposes strict rules for processing sensitive data, the participants did not demand much protection for such data. 
This study shows the importance of introducing sector specific guidelines for personal data protection. It also highlights the demand for more user friendly privacy enhancing technologies and more privacy awareness among the future driving forces of the Information Technology.
  •  
27.
  • Dayarathna, Rasika, 1974- (author)
  • Discovering Constructs and Dimensions for Information Privacy Metrics
  • 2013
  • Doctoral thesis (other academic/artistic). Abstract:
    • Privacy is a fundamental human right. During the last decades, in the information age, information privacy has become one of the most essential aspects of privacy. Information privacy is concerned with protecting personal information pertaining to individuals. Organizations, which frequently process the personal information, and individuals, who are the subjects of the information, have different needs, rights and obligations. Organizations need to utilize personal information as a basis to develop tailored services and products to their customers in order to gain advantage over their competitors. Individuals need assurance from the organizations that their personal information is not changed, disclosed, deleted or misused in any other way. Without this guarantee from the organizations, individuals will be more unwilling to share their personal information. Information privacy metrics is a set of parameters used for the quantitative assessment and benchmark of an organization’s measures to protect personal information. These metrics can be used by organizations to demonstrate, and by individuals to evaluate, the type and level of protection given to personal information. Currently, there are no systematically developed, established or widely used information privacy metrics. Hence, the purpose of this study is to establish a solid foundation for building information privacy metrics by discovering some of the most critical constructs and dimensions of these metrics. The research was conducted within the general research strategy of design science and by applying research methods such as data collection and analysis informed by grounded theory as well as surveys using interviews and questionnaires in Sweden and in Sri Lanka. The result is a conceptual model for information privacy metrics including its basic foundation; the constructs and dimensions of the metrics. 
  •  
28.
  • Erixon, Cecilia (author)
  • Information System Providers and Business Relationships : A Study on the Impact of Connections
  • 2012
  • Doctoral thesis (other academic/artistic). Abstract:
    • Information systems are integrated in the daily business of companies, to support the exchanges with its counterparts. To manage these information systems, companies often turn to third parties: information system providers (IS-providers). IS-providers have competences that the companies become dependent on and they are therefore important for maintaining the company’s business performance. The companies develop dependencies on their information systems and thereby also on their IS-providers. This thesis studies the connection between a company’s relationships with IS-providers and its other business relationships. A single case study of how a focal company’s IS-providers impact the company’s customer relationships is conducted. The applied analytical framework combines an information system’s perspective and a business relationship perspective. The analytical level is guided by the concept of connection, which has its origin in the business relationship perspective. The information system’s perspective illustrates the characteristics of the information systems that the IS-providers manage. The business relationship perspective studies each business relationship as unique, originating in different exchanges and behaviour. The single case study involves five customer relationships and four IS-provider relationships, creating twenty within-cases. The results show that IS-providers impact differently on the business relationships of companies. The impact on companies is contingent on the information exchanges with the IS-providers, which integrate the information systems in their customer business relationships. The impact is explained by the strength of the connection and the degree of continuity of the connection. The strength of the connection depends on how the information system is used and which of the IS-providers are connected. The impact from one IS-provider can be described as a homogenous impact on all the connected business relationships. 
However, different IS-providers have different types of impacts, meaning that when a company has several IS-providers, the impact is heterogeneous. The study shows that the impact is most commonly positive. The thesis is of interest for researchers who wish to understand the interconnectedness between business relationships, and of value for business professionals, who wish to increase their understanding of the complex situation of using IS-providers for management of their information systems and the impact they have on their other business relationships.
  •  
29.
  • Fischer Hübner, Simone, et al. (authors)
  • Security and Privacy in Dynamic Environments : Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006)
  • 2006
  • Book (peer-reviewed). Abstract:
    • This book contains the Proceedings of the 21st IFIP TC-11 International Information Security Conference (IFIP/SEC 2006) on Security and Privacy in Dynamic Environments held in May 22-24, 2006 in Karlstad, Sweden. The first IFIP/SEC conference was arranged in May 1983 in Stockholm, Sweden, one year before TC-11 was founded, with the active participation of the Swedish IT Security Community. The IFIP/SEC conferences have since then become the flagship events of TC-11. We are very pleased that we succeeded with our bid to after 23 years hold the IFIP/SEC conference again in Sweden. The IT environment now includes novel, dynamic approaches such as mobility, wearability, ubiquity, ad hoc use, mind/body orientation, and business/market orientation. This modern environment challenges the whole information security research community to focus on interdisciplinary and holistic approaches whilst retaining the benefit of previous research efforts. Papers offering research contributions focusing on dynamic environments in addition to other aspects of computer security and privacy were solicited for submission to IFIP/SEC 2006. We received 141 submissions which were all reviewed by at least three members of the international program committee. At a one-day program committee meeting, the submitted papers were discussed, and 35 papers were selected for presentation at the conference, which means an acceptance rate of 24.8%. A special emphasis of IFIP/SEC 2006 is on Privacy and Privacy Enhancing Technologies, which is addressed by 9 of the 35 accepted papers. 
Further topics addressed include security in mobile and ad hoc networks, access control for dynamic environments, new forms of attacks, security awareness, intrusion detection and network forensics. These Proceedings also include the papers of the following two workshops that are associated with SEC 2006: the workshop on Security Culture organized by IFIP Working Group 11.1/11.8 as well as the I-NetSec06 workshop on Privacy and Anonymity Issues in Networked and Distributed Systems organized by IFIP Working Group 11.4. Both workshops were organized autonomously by the respective IFIP Working Groups. They had their own call for papers, program committees, and selection processes with acceptance rates of papers similar to the one of the main IFIP/SEC 2006 conference. IFIP/SEC 2006 is organized in cooperation with Karlstad University, SIG Security, and Dataföreningen i Sverige. We would like to thank Microsoft AB, Karlstads kommun, SAAB AB, and TietoEnator, who are sponsoring IFIP/SEC 2006. Furthermore, we gratefully thank all authors, members of the program committees, and additional reviewers for their contributions to the scientific quality of this conference and the two workshops. Last but not least, we owe thanks to the organizing committee, and especially to its chair Dr. Albin Zuccato, for all the efforts and dedication in preparing this conference.
  •  
30.
  • Futcher, L., et al. (authors)
  • A review of IFIP TC 11 WG 11.8 publications through the ages
  • 2013
  • In: IFIP Advances in Information and Communication Technology. - Berlin, Heidelberg : Springer Berlin Heidelberg. - 9783642393761 ; pp. 113-122
  • Conference paper (peer-reviewed). Abstract:
    • IFIP WG 11.8 established a series of conferences in 1999 entitled World Information Security Education (WISE). These conferences have been held every second year since then, with the eighth one being held in 2013. Not surprisingly, there have been numerous high quality papers presented and published in the WISE conference proceedings over the years. However, many of these publications are not easily accessible and are therefore not being readily cited. One of the reasons for the inaccessibility of these papers is that they have not been made widely available through either print or a well-known repository on the Web. Furthermore, a need exists to reflect on what has been done in the past in order to realize the future of these conferences and related events. In order to begin the process of addressing this need, this paper presents a review of the IFIP WG 11.8 publications through the ages. It also reflects briefly on the problems relating to the inaccessibility of these publications, the decline in paper submissions and the lack of citations.
  •  
31.
  • Hallberg, Jonas, et al. (authors)
  • Controlled Information Security: How to recognize and improve organizational information security status
  • 2010
  • Report (other academic/artistic). Abstract:
    • This report is a compilation of the first three main reports of the COINS project (Yngström et al., 2009a, Yngström et al., 2009b, Hallberg & Lundholm 2009). The COntrolled INformation Security (COINS) research project was established to address the needs of understanding, learning and eventually managing information security (IS) in organizations. It has proved to be difficult for organizations, including government agencies, to reach adequate information security levels, as illustrated by a report from the Swedish national audit office published in 2007 (RiR, Swedish National Audit Office 2007). Despite much research and work conducted within the area, auditing and assessments frequently find inadequacies in how practical IS is handled, and, as it seems, there are frequent discrepancies in how IS is perceived by humans and what degree of IS that is actually performed. The three first reports of COINS present in detail the design, modeling and test of six constructs – frameworks and models – for assessing IS. The different constructs compute and discuss the metrics provided in three different ways. This report targets mainly the participants at the agency at which the tests of IS metrics were conducted. The concept of an IS metric is interpreted widely following the definition from Hallberg et al. (2004): “A security metric contains three main parts: a magnitude, a scale and an interpretation. The security values of systems are measured according to a specified magnitude and related to a scale. The interpretation prescribes the meaning of obtained security values”, and aims at the formulation of viable IS metrics. Therefore this report is also an input to a validation test of the practical results obtained, while the theoretical validation rests with the reasoning presented in the two first reports. 
The approach taken differs from the ordinary 27000-standard based analyses in that the idealized communication structure starts from demands of an information system in total, and views communication as equal to steering and control. Thereby, both the social and the technical layers in communication are included as are the strategic, tactic and operational decision levels and their equivalent life cycle stages. Metrics focusing the control system underline that complex information systems necessarily must handle existing variety including its IS. Some of the findings, which still have to be verified by the agency, are: 1. the relative focus for the agency’s documentation correlates rather well with the relative focus of the controls specified in appendix A of the standard ISO/IEC 27001, 2. the agency seems partly to fulfill the security policy, which it has defined itself, 3. the agency tends to focus on operative matters and on acting when something has happened, rather than emphasize planning and developing and carrying out proactive information security work. A general observation of all COINS’ constructs, on which metrics in the report are based, is that the standard may not explicitly identify senders respectively receivers of messages. This is illustrated by the metrics connected to ISO/IEC appendix A, which show that most of the controls listed (76%) do not have an entity assigned to it. Apart from COINS’ work with metrics being verified by the participating agency, future work involves developing a faster and eventually also recursive method for analyzing and extracting interesting data for metrics use, as well as providing more transparent views on the models. The research is planned to continue for one further year.
  •  
32.
  • Juell-Skielse, Gustaf, 1964- (author)
  • ERP adoption in small and medium sized enterprises
  • 2006
  • Licentiate thesis (other academic/artistic). Abstract:
    • Enterprise resource planning (ERP) is established among a majority of small and medium sized companies in Kista Science City and seems to have a positive effect on organizational effectiveness. Kista Science City is Sweden’s largest corporate centre, with more companies and employees in a limited area than anywhere else in Europe. This study looks at the level of adoption of ERP functions, perceived organizational effectiveness and critical success factors. The most common use of ERP is for financial control and reporting, followed by order entry and purchasing. A significant relationship between the level of adoption and organizational effectiveness was found. Although Enterprise Resource Planning has become an established phenomenon the investments in ERP software are far from fully utilized. Most companies have started to use ERP to integrate functional areas but few companies have moved to extended ERP (ERPII). The adoption of functionality for customer relationship management seems to have started, but the use of e-commerce, business intelligence and supply chain management is very low. Different reasons for the low level of adoption are discussed and it is suggested that the interrelationship between SMEs and ERP-consultants be investigated further. ERP-consultants are important change agents and knowledge transfers for ERP and one way to interpret the data is that ERP-consultants are caught in a negative spiral where they focus on installations and technical maintenance of core ERP, which prevents them from developing new, extended ERP competence. An analysis of critical success factors showed that although technical competence was important socially oriented factors such as project teamwork and composition as well as communication had a greater effect on organizational effectiveness. Surprisingly enough, project management did not have any effect on organizational effectiveness. Common implementation methods for ERP focus on project management. 
It is suggested to further analyse if these methods could be improved by an increased adaptability to differences in company settings and requirements as well as through a better use of critical success factors. Organizational effectiveness can be measured in many ways and it was found that the success factors varied in terms of how they correlated with different measures. In the next step, the doctoral thesis, it is suggested that a prototype environment is developed to stimulate an increased use of extended ERP among small and medium sized companies. Several actors, such as SMEs, consultants, vendors and students would be involved. The prototype environment could facilitate enhancements of implementation methods and reduction of implementation costs through the development of reusable objects such as add-on solutions, process maps and system configurations. It could also help small and medium sized companies to investigate the business benefits of ERP by increasing involvement and familiarity while at the same time decrease costs and risks.
  •  
33.
  • Karokola, Geoffrey, et al. (authors)
  • Evaluating A Framework for Securing e-Government Services – A Case of Tanzania
  • 2013
  • In: Hawaii International Conference on System Sciences. - : IEEE Computer Society. - 9781467359337 ; pp. 1792-1801
  • Conference paper (peer-reviewed). Abstract:
    • The current and emerging security threats pose a variety of security risks to e-government services. The Tanzanian national e-government strategy recognizes the importance and use of e-government maturity models (eGMMs) as a tool for guiding and benchmarking e-government implementation and service delivery. However, the models lack security services (technical and non-technical) in their maturity stages – leading to misalignment of strategic objectives between e-government services and security services. To bridge the existing security services gap in eGMMs – a framework for securing e-government services which integrates IT security services into maturity stages of eGMMs was proposed. The goal of this paper is to present an outline of the evaluation results for the proposed framework, in the context of a developing world environment. In the process, seven evaluation criteria were developed; thereafter, a case study was conducted into six government organizations located in Tanzania. The overall results show that the framework was accepted in the studied environment. The framework usefulness was perceived highest at 95%; the framework dynamics & flexibility was perceived lowest at 76%.
  •  
34.
  • Karokola, Geoffrey Rwezaura, 1970- (author)
  • A Framework for Securing e-Government Services : The Case of Tanzania
  • 2012
  • Doctoral thesis (other academic/artistic). Abstract:
    • e-Government services are becoming one of the most important and efficient means by which governments (G) interact with businesses (B) and citizens (C). This has brought not only tremendous opportunities but also serious security challenges. Critical information assets are exposed to current and emerging security risks and threats. In the course of this study, it was learnt that e-government services are heavily guided and benchmarked by e-Government maturity models (eGMMs). However, the models lack built-in security services, technical as well as non-technical; leading to lack of strategic objectives alignment between e-government services and security services. Information security has an important role in mitigating security risks and threats posed to e-government services. Security improves quality of the services offered. In light of the above, the goal of this research work is to propose a framework that would facilitate government organisations to effectively offer appropriate secure e-government services. To achieve this goal, an empirical investigation was conducted in Tanzania involving six government organizations. The investigations were inter-foiled by a sequence of structural compositions resulting in a proposition of a framework for securing e-government services which integrates IT security services into eGMMs. The research work was mainly guided by a design science research approach complemented in parts by systemic-holistic and socio-technical approaches. The thesis contributes to the empirical and theoretical body of knowledge within the computer and systems sciences on securing e-government structures. It encompasses a new approach to secure e-government services incorporating security services into eGMMs. 
Also, it enhances the awareness, need and importance of security services to be an integral part of eGMMs to different groups such as researched organizations, academia, practitioners, policy and decision makers, stakeholders, and the community.
  •  
37.
  • Karokola, Geoffrey Rwezaura, et al. (authors)
  • Lessons learnt in the process of computerization, automation and management of ICT security in the developing world: a case study of the University of Dar-es-Salaam
  • 2008
  • In: ISSA. - South Africa : ISSA. - 9781868546930
  • Conference paper (peer-reviewed). Abstract:
    • This paper intends to discuss and sift out current and important challenges in Information and Communication Technology (ICT) security for developing countries in the Sub-Saharan Africa where Tanzania will be taken as a case study. As a background we analyze lessons learnt in the processes of computerization, automation and the management of ICT security at the University of Dar es Salaam (UDSM) since it is one of the first higher learning institutions in Tanzania. The backbone of UDSM currently connects more than three thousand workstations and twenty five heavy duty servers that are centrally managed and which support different institutional core services. In the evolution process of computerization and automation of Information and Communication Technology (ICT) at the UDSM that started way back in the early 1990’s ICT security was of no priority. While in the western world computerization and automation processes have gradually been incorporating security into ICT infrastructures, developing countries have not experienced a similar evolution – neither in technical nor in practical circumstances. In practice, developing countries need to conform to international developments within ICT security at the same time as they are trying to conform to their own environments and also learn about the totally new situation created. Simultaneously there are also local and specific restrictions – well known by the developing countries - but usually not experienced by the developed world.
  •  
40.
  • Karokola, Geoffrey Rwezaura, et al. (authors)
  • Towards An Information Security Maturity Model for Secure e-Government Services: A Stakeholders View
  • 2011
  • In: Proceedings of the 5th International Symposium on Human Aspects of Information Security & Assurance. - : HAISA. - 9781841022840 ; pp. 58-73
  • Conference paper (peer-reviewed). Abstract:
    • The paper proposes a comprehensive information security maturity model (ISMM) that addresses both technical and socio/non-technical security aspects. The model is intended for securing e-government services (implementation and service delivery) in an emerging and increasing security risk environment. The paper applied an inductive approach that utilizes extensive literature review and survey study approaches. A total of eight existing ISMMs were selected and critically analyzed. Models were then categorized into security awareness, evaluation and management orientations. Based on the model’s strengths – three models were selected to undergo further analyses and then they were synthesized. Each of the three selected models was either from the security awareness, evaluation or management orientations category. To affirm the findings – a survey study was conducted into six government organizations located in Tanzania. The study was structured to a large extent by the security controls adopted from the Security By Consensus (SBC) model. Finally, an ISMM with five critical maturity levels was proposed. The maturity levels were: undefined, defined, managed, controlled and optimized. The paper's main contribution is the proposed model that addresses both technical and non-technical security services within the critical maturity levels. Additionally, the paper enhances awareness and understanding on the needs for security services to be an integral part of e-government services to stakeholders.
  •  
41.
  • Karokola, Geoffrey, et al. (authors)
  • Secure e-government services : Towards a framework for integrating IT security services into e-government maturity models
  • 2011
  • In: 2011 Information Security for South Africa - Proceedings of the ISSA 2011 Conference. - : IEEE/HAISA2011. - 9781457714832
  • Conference paper (peer-reviewed). Abstract:
    • e-Government maturity models (eGMMs) lack security services (technical and socio/non-technical) in its critical maturity stages. The paper proposes a comprehensive framework for integrating IT security services into eGMM critical stages. The proposed framework is a result of integrating information security maturity model (ISMM) critical levels into e-government maturity model (eGMM) critical stages. The research utilizes Soft Systems Methodology (SSM) of scientific inquiry adopted from Checkland and Scholes. The paper contributes to the theoretical and empirical knowledge in the following ways: firstly, it introduces a new approach that shows how governments can progressively secure their e-government services; secondly, it outlines the security requirements (technical and non-technical) for critical maturity stages of eGMM; and thirdly, it enhances awareness and understanding to the governments and stakeholders such as practitioners, experts and citizens on the importance of security requirements being clearly defined within eGMM critical stages.
  •  
42.
  • Karokola, Geoffrey, et al. (authors)
  • Secure e-government services : A comparative analysis of e-government maturity models for the developing regions - The need for security services
  • 2012
  • In: International Journal of Electronic Government Research. - : IGI Global. - 1548-3886 .- 1548-3894. ; 8:1, pp. 1-25
  • Journal article (peer-reviewed). Abstract:
    • E-Government offers many benefits to government agencies, citizens and the business community. However, e-Government services are prone to current and emerging security challenges posing potential threats to critical information assets. Securing it appears to be a major challenge facing governments globally. Based on the international security standards - the paper thoroughly investigates and analyzes eleven e-government maturity models (eGMMs) for security services. Further, it attempts to establish a common frame of reference for eGMM critical stages. The study utilizes the Soft Systems Methodology (SSM) of scientific inquiry/ learning cycle adopted from Checkland and Scholes. The findings show that security services (technical and non-technical) are lacking in eGMMs - implying that eGMMs were designed to measure more quantity of offered e-government services than the quality of security services. Therefore, as a step towards achieving secure e-government services the paper proposes a common frame of reference for eGMM with five critical stages. These stages will later be extended to include the required security services.
  •  
43.
  • Karokola, Geoffrey, et al. (authors)
  • State of e-Government Development in the Developing World : Case of Tanzania - Security vie
  • 2009
  • In: PROCEEDINGS OF 5TH INTERNATIONAL CONFERENCE ON E-GOVERNMENT. - NR READING : ACADEMIC CONFERENCES LTD. - 9781906638504 ; pp. 92-100
  • Conference paper (peer-reviewed). Abstract:
    • Given the fact that more governments are heavily investing in implementing and use of e-government applications - the major concern has always been on how to ensure secure prevention, detection and recovery of critical information being stored, processed, and transmitted between domains (government, business, and citizens). Traditionally, interactions between government, business communities and citizens require a physical visit to the government offices - hence little threats to paper based information assets; while with the advent of e-government application - it is possible to virtually locate the service closer to citizens - hence create needs for security. As part of an ongoing research on e-government security maturing for developing world - the current state of e-government development along with specific security issues and challenges is presented; where Tanzania is taken as a case study. The study involved six institutions located in the area, namely: President's Office, Public Service Management (PO-PSM) - responsible for administration of Tanzanian public sector; Prime Minister's Office, Regional Administration and Local Government (PMO-RALG) - responsible for instilling good governance to all level of local governments; Ministry of Lands, Housing and Human Settlements Development (MLHHSD) - responsible for land management; and Ministry of Finance and Economic Affairs (MoFEA) - responsible for managing the overall revenue, expenditure and financing of the Government. Others are Tanzania Revenue Authority (TRA) - agency responsible for government revenue collection; and the Tanzania Ports Authority (TPA) - responsible for all ports and cargo management. In the process, we used Systemic-Holistic-Approach (SHA) to explicitly investigate, evaluate, and analyze the specific security (technical and non-technical) related issues and challenges. 
The findings were: the level of security awareness among IT and non-IT staff; level of e-government application protection; and level of Security technical threats and nontechnical threats - 63%, 30%, 54%, 45%, 55%; 65%, 20%, 51%, 50%, 60%; and 60%, 23%, 53%, 48%, 54%; for PO-PSM; PMO-RALG; and MLHHSD respectively. Similarly the findings for MoFEA; TRA; and TPA were - 67%, 33%, 55%, 58%, 60%; 73%, 40%, 74%, 68%, 76%; and 70%, 20%, 70%, 65%, 73% respectively. Also the findings show that to enhance security for e-government application - e-government development models need to have built in stage-wise security layers. Therefore, as most of developing countries are at their infant stages of e-government development - developers of e-government maturity models should explicitly consider integrating security as part of the model's critical requirements at all stages. This will not only ensure security for e-government critical information but also strengthen the level of trust between government and citizen.
  •  
44.
  • Karokola, G., et al. (authors)
  • Towards an information security maturity model for secure e-Government services : A stakeholders view
  • 2011
  • In: Proceedings of the 5th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2011. ; pp. 58-73
  • Conference paper (peer-reviewed). Abstract:
    • The paper proposes a comprehensive information security maturity model (ISMM) that addresses both technical and socio/non-technical security aspects. The model is intended for securing e-government services (implementation and service delivery) in an emerging and increasing security risk environment. The paper utilizes extensive literature review and survey study approaches. A total of eight existing ISMMs were selected and critically analyzed. Models were then categorized into security awareness, evaluation and management orientations. Based on the model's strengths - three models were selected to undergo further analyses and then synthesized. Each of the three selected models was either from the security awareness, evaluation or management orientations category. To affirm the findings - a survey study was conducted into six government organizations located in Tanzania. The study was structured to a large extent by the security controls adopted from the Security By Consensus (SBC) model. Finally, an ISMM with five critical maturity levels was proposed. The maturity levels were: undefined, defined, managed, controlled and optimized. The paper's main contribution is the proposed model that addresses both technical and non-technical security services within the critical maturity levels. Additionally, the paper enhances awareness and understanding on the needs for security in e-government services to stakeholders.
  •  
45.
  • Kowalski, Stewart, et al. (author)
  • Information Security Metrics: Research Directions
  • 2011
  • Conference paper (peer-reviewed), abstract:
    • This paper is largely based on a state of the art report covering the information security (IS) metrics area produced as part of the Controlled Information Security (COINS) research project funded by the Swedish Civil Contingencies Agency (MSB) and the comprehensive literature review conducted while compiling the report. The report's findings are summarized and some of the key issues discovered in the course of the literature review are reflected upon. Additionally, the paper describes a conceptual systemic scheme/model for the research process, while explaining its relevance to the subject area, that may help with resolution of the outlined issues in future research in the area. The paper is written principally with a management/governance (rather than engineering) perspective in mind
  •  
46.
  •  
47.
  • Lönn, Carl-Mikael, 1980- (author)
  • An m-Government Solution for Complaint and Problem Management : Designing a Solution for Government 2.0
  • 2014
  • Licentiate thesis (other academic/artistic), abstract:
    • In recent years emphasis has been placed on opening up governments and empowering and engaging citizens in governmental activities: this view of e-government is referred to as government 2.0. Government 2.0 focuses on governments becoming more transparent, accessible, and responsive, and on governments promoting increased collaboration and participation. There is also an increasing demand from citizens to interact and gain access to government services through mobile devices. Adopting mobile and wireless technology within the public sector is referred to as mobile government (m-government) and this new phenomenon is expected to become an important part of the development of e-government. By combining government 2.0 and m-government, The Organisation for Economic Co-operation and Development (OECD) and the research community envisages benefits and calls for action within this field. This research answers this call, and addresses the research problem of how to design an m-government solution for complaint and problem management that enables government 2.0. Challenges that inhibit Swedish municipalities from adopting and utilizing such a solution are also identified in this research. Citizens in Sweden can submit complaints and problems concerning a community, such as broken streetlights, to municipalities. By enabling complaints and problems to be reported through mobile devices it facilitates reporting at the point and time of discovery of the issue. Complaint and problem reporting is therefore a suitable m-government service. The m-government solution for complaint and problem management was designed and evaluated within a research project. This compilation thesis builds on and communicates research performed within the research project. By following a design science research methodology, the complaint and problem management solution is designed and evaluated. The solution (Munizapp) comprises a mobile application (app) and an integration platform (ePlatform).
The app is the front-end that enables citizens to report complaints and problems to municipalities. The ePlatform facilitates seamless two-way communication between the app and back-end case management system in municipalities. A theoretical evaluation shows that the solution has functionalities that enable all aspects of government 2.0. Additional evaluations indicate evidence of citizens finding the solution valuable and easy to use. There is willingness among municipalities to adopt and utilize the designed m-government solution, but there are challenges that inhibit them from realizing the full potential of the solution. The challenges identified in this research are described and related to business process management and to government 2.0. Future research should investigate how to overcome these challenges.
  •  
48.
  •  
49.
  • Magnusson, Christer, et al. (author)
  • Method for insuring IT risks
  • 2004
  • Conference paper (peer-reviewed), abstract:
    • This paper explains in detail the method behind the insurance database Estimated Maximum information technology Loss (EMitL). The database has been a crucial tool to make it possible to insure IT perils. It helps to insure IT-perils financially in the same professional way as consequences of traditional perils like fire, flood, and robbery are insured, and thereby secures shareholders' investments. EMitL estimates the security awareness in an existing IT-platform. Based on that information, existing security measures can be "priced" as they may reduce the estimated maximum loss figures - and thereby the costs for the insurance. In addition, a more cost-effective decision can be made on additional security measures. Furthermore, the costs for the loss exposure inherent in a business service/product can be estimated in a better way, and thereby be incorporated in the product's price. The IT insurances are based on the traditional industries' classes: Liability, Loss of Property, and Business Interruption. The insurance class Liability is divided into insurance policies for: Business Interruption, Fraud and Embezzlement, Robbery and Theft, Defamation, Infringement of Privacy, and Infringement of code, trademark etc. The insurance policies in the class Loss of Property are: Fraud and Embezzlement, and Robbery and Theft. The database EMitL layers insurance covers, which is a common method in the insurance industry. This means that the insurance policies are layered according to the amount of financial cover they provide. The insurance levels relate and are converted to security levels. These levels are built on the IT security properties Integrity, Availability and Confidentiality, and are utilized differently, depending on the insurance level and the type of insurance policy. The properties and the levels constitute the base of the Security Policies produced by EMitL; they are used for the estimation of security awareness and as terms of insurance.
  •  
50.
  • Monfelt, Yngve, et al. (author)
  • The 14 layered framework for including social and organisational aspects in security management
  • 2010
  • In: Proceedings of the South African Information Security Multi-Conference, SAISMC 2010, pp. 90-99. - Center for Security, Communications & Network Research, University of Plymouth. - 9781841022567
  • Conference paper (other academic/artistic), abstract:
    • The ultimate aim of the COINS - COntrolled INformation Security – project is to investigate, assess, and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within the organizations, specifically underlining that communication is control in a cybernetic sense. The project is carried out in a number of steps embracing to design modelling techniques and metrics for information security issues in organizations (1), collect data from Swedish governmental agencies (2), use the modelling techniques to model communication of information security in organizations from different perspectives (3), to apply metrics on the data in order to assess information security levels in the agencies (4), identify gaps (5) and needs for improvement (6). The 14 layered framework, which is based on well established knowledge within information security: frameworks, models, standards, and terminology is presented. The scientific base is cybernetics, including variety engineering and recursion to provide adaptation and learning. The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT-security and information security work are weak, which prohibits the organization from learning and adapting in its security work. This is a report on research in progress.
  •  