SwePub
Search the SwePub database

Results list for the search ""information security" ;pers:(Holm Hannes)"

  • Results 1-8 of 8
1.
  • Rocha Flores, Waldo, et al. (author)
  • Assessing Future Value of Investments in Security-Related IT Governance Control Objectives: Surveying IT Professionals
  • 2011
  • In: Electronic Journal of Information Systems Evaluation. 1566-6379; 14:2, pp. 216-227
  • Conference paper (peer-reviewed), abstract:
    • Optimizing investments in IT governance towards a better information security is an understudied topic in the academic literature. Further, collecting empirical evidence by surveying IT professionals on their relative opinion in this matter has not yet been explored to its full potential. This paper has tried to somewhat overcome this gap by surveying IT professionals on the expected future value from investments in security-related IT governance control objectives. The paper has further investigated if there are any control objectives that provide more value than others and are therefore more beneficial to invest in. The Net Present Value (NPV) technique has been used to assess the IT professional’s relative opinion on the generated future value of investments in 19 control objectives. The empirical data was collected through a survey distributed to professionals from the IT security, governance and/or assurance domain and analyzed using standard statistical tools. The results indicate that the vast majority of investments in control objectives is expected to yield a positive NPV, and are beneficial to an organization. This result implies that investments in control objectives are expected to generate future value for a firm, which is an important finding since many of the benefits from an investment are indirectly related and may occur well into the future. The paper moreover contributes in strengthening the link between IT governance and information security.
2.
  • Holm, Hannes, et al. (author)
  • A quantitative evaluation of vulnerability scanning
  • 2011
  • In: Information Management & Computer Security. Emerald Group Publishing Limited. 0968-5227, 1758-5805; 19:4, pp. 231-247
  • Journal article (peer-reviewed), abstract:
    • Purpose – The purpose of this paper is to evaluate if automated vulnerability scanning accurately identifies vulnerabilities in computer networks and if this accuracy is contingent on the platforms used. Design/methodology/approach – Both qualitative comparisons of functionality and quantitative comparisons of false positives and false negatives are made for seven different scanners. The quantitative assessment includes data from both authenticated and unauthenticated scans. Experiments were conducted on a computer network of 28 hosts with various operating systems, services and vulnerabilities. This network was set up by a team of security researchers and professionals. Findings – The data collected in this study show that authenticated vulnerability scanning is usable. However, automated scanning is not able to accurately identify all vulnerabilities present in computer networks. Also, scans of hosts running Windows are more accurate than scans of hosts running Linux. Research limitations/implications – This paper focuses on the direct output of automated scans with respect to the vulnerabilities they identify. Areas such as how to interpret the results assessed by each scanner (e.g. regarding remediation guidelines) or aggregating information about individual vulnerabilities into risk measures are out of scope. Practical implications – This paper describes how well automated vulnerability scanners perform when it comes to identifying security issues in a network. The findings suggest that a vulnerability scanner is a usable tool to have in your security toolbox given that user credentials are available for the hosts in your network. Manual effort is however needed to complement automated scanning in order to get satisfactory accuracy regarding network security problems. Originality/value – Previous studies have focused on the qualitative aspects of vulnerability assessment. This study presents a quantitative evaluation of seven of the most popular vulnerability scanners available on the market.
3.
  • Rocha Flores, Waldo, et al. (author)
  • Investigating personal determinants of phishing and the effect of national culture
  • 2015
  • In: Information Management & Computer Security. Emerald Group Publishing Limited. 0968-5227, 1758-5805; 23:2
  • Journal article (peer-reviewed), abstract:
    • Purpose – The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate if national culture moderates the strength of these correlations. Design/methodology/approach – To measure potential determinants, a survey was distributed to 2099 employees of nine organizations in Sweden, USA, and India. Then, we conducted unannounced phishing exercises in which a phishing attack targeted the same sample. Findings – Intention to resist social engineering, general information security awareness, formal IS training, and computer experience were identified to have a positive significant correlation to phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees’ observed phishing behavior differs between Swedish, US and Indian employees in six out of fifteen cases. Research limitations/implications – The identified determinants all had, even though not a strong, a significant positive correlation. This suggests that more work needs to be done in order to more fully understand determinants of phishing. The study assumes that culture effects apply to all individuals in a nation. However, differences based on culture might exist based on firm characteristics within a country. The Swedish sample is dominating, while only 40 responses from Indian employees were collected. This unequal size of samples suggests that conclusions based on the results from the cultural analysis should be drawn cautiously. A natural continuation of our research is therefore to further explore the generalizability of our findings by collecting data from other nations with similar cultures as Sweden, USA and India. Originality/value – Using direct observations of employees’ security behaviors has rarely been done in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both of these issues.
4.
  • Rocha Flores, Waldo, et al. (author)
  • An empirical investigation of the effect of target-related information in phishing attacks
  • 2014
  • In: IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations EDOCW 2014: 1-2 September 2014 Ulm, Germany. IEEE Computer Society. 9781479954704, 9781479954674; pp. 357-363
  • Conference paper (peer-reviewed), abstract:
    • Analyzing the role of target-related information in a security attack is an understudied topic in the behavioral information security research field. This paper presents an empirical investigation of the effect of adding information about the target in phishing attacks. Data was collected by conducting two phishing experiments using a sample of 158 employees at five Swedish organizations. The first experiment included a traditional mass-email attack with no target-related information, and the second experiment was a targeted phishing attack in which we included specific information related to the targeted employees' organization. The results showed that the number of organizational employees falling victim to phishing significantly increased when target-related information was added in the attack. During the first experiment 5.1 % clicked on the malicious link compared to 27.2 % of the second phishing attack, and 8.9 % of those executed the binary compared to 3.2 % of the traditional phishing attack. Adding target-related information is an effective way for attackers to significantly increase the effectiveness of their phishing attacks. This is the first study that has shown this significant effect using organizational employees as a sample. The implications of the results are further discussed.
5.
  • Rocha Flores, Waldo, et al. (author)
  • Using Phishing Experiments and Scenario-based Surveys to Understand Security Behaviours in Practice
  • 2013
  • In: Proceedings of the European Information Security Multi-Conference. 9781841023458; pp. 79-90
  • Conference paper (peer-reviewed), abstract:
    • Threats from social engineering can cause organisations severe damage if they are not considered and managed. In order to understand how to manage those threats, it is important to examine reasons why organisational employees fall victim to social engineering. In this paper, the objective is to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator. In order to attain this objective, we collect data through a scenario-based survey and conduct phishing experiments in three organisations. The results from the experiment reveal that the degree of target information in an attack increases the likelihood that an organisational employee falls victim to an actual attack. Further, an individual’s trust and risk behaviour significantly affects the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) have a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the performance in the scenario-based survey and experiment was found. We argue that the result does not imply that one or the other method should be ruled out as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. Discussions of the findings, implications and recommendations for future research are further provided.
6.
  • Sommestad, Teodor, et al. (author)
  • Security mistakes in information system deployment projects
  • 2011
  • In: Information Management & Computer Security. Emerald Group Publishing Limited. 0968-5227, 1758-5805; 19:2, pp. 80-94
  • Journal article (peer-reviewed), abstract:
    • Purpose – This paper aims to assess the influence of a set of human and organizational factors in information system deployments on the probability that a number of security-related mistakes are in the deployment. Design/methodology/approach – A Bayesian network (BN) is created and analyzed over the relationship between mistakes and causes. The BN is created by eliciting qualitative and quantitative data from experts of industrial control system deployments in the critical infrastructure domain. Findings – The data collected in this study show that domain experts have a shared perception of how strong the influence of human and organizational factors is. According to domain experts, this influence is strong. This study also finds that security flaws are common in industrial control systems operating critical infrastructure. Research limitations/implications – The model presented in this study is created with the help of a number of domain experts. While they agree on qualitative structure and quantitative parameters, future work should assure that their opinion is generally accurate. Practical implications – The influence of a set of important variables related to organizational/human aspects on information security flaws is presented. Social implications – The context of this study is deployments of systems that operate nations' critical infrastructure. The findings suggest that initiatives to secure such infrastructures should not be purely technical. Originality/value – Previous studies have focused on either the causes of security flaws or the actual flaws that can exist in installed information systems. However, little research has been spent on the relationship between them. The model presented in this paper quantifies such relationships.
7.
  • Rocha Flores, Waldo, et al. (author)
  • Using phishing experiments and scenario-based surveys to understand security behaviours in practice
  • 2014
  • In: Information Management & Computer Security. 0968-5227, 1758-5805; 22:4, pp. 393-406
  • Journal article (peer-reviewed), abstract:
    • Purpose – The purpose of the study was threefold: to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator; to investigate if adding information about the victim to an attack increases the probability of the attack being successful; and, finally, to investigate if there is a correlation between self-reported and observed behaviour. Design/methodology/approach – Factors for investigation were identified based on a review of existing literature. Data were collected through a scenario-based survey, phishing experiments, journals and follow-up interviews in three organisations. Findings – The results from the experiment revealed that the degree of target information in an attack increased the likelihood that an organisational employee falls victim to an actual attack. Further, an individual's trust and risk behaviour significantly affected the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men) had a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the results from the scenario-based survey and the experiments was found. Research limitations/implications – One limitation is that the scenario-based survey may have been interpreted differently by the participants. Another is that controlling how the participants reacted when receiving the phishing mail, and what actually triggered each and every participant to click on the attached link, was not possible. Data were however collected to capture these aspects during and after the experiments. In conclusion, the results do not imply that one or the other method should be ruled out, as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. Originality/value – Two different methods to collect data to understand security behaviours have rarely been used in previous research. Studies that add target information to understand if such information could increase the probability of attack success are sparse. This paper includes both approaches.
8.
  • Holm, Hannes (author)
  • A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures
  • 2014
  • Doctoral thesis (other academic/artistic), abstract:
    • Information Technology (IT) is a cornerstone of our modern society and essential for governments' management of public services, economic growth and national security. Consequently, it is of importance that IT systems are kept in a dependable and secure state. Unfortunately, as modern IT systems typically are composed of numerous interconnected components, including personnel and processes that use or support it (often referred to as an enterprise architecture), this is not a simple endeavor. To make matters worse, there are malicious actors who seek to exploit vulnerabilities in the enterprise architecture to conduct unauthorized activity within it. Various models have been proposed by academia and industry to identify and mitigate vulnerabilities in enterprise architectures; however, so far none has provided a sufficiently comprehensive scope. The contribution of this thesis is a modeling framework and calculation engine that can be used as support by enterprise decision makers in regard to cyber security matters, e.g., chief information security officers. In summary, the contribution can be used to model and analyze the vulnerability of enterprise architectures, and provide mitigation suggestions based on the resulting estimates. The contribution has been tested in real-world cases and has been validated on both a component level and system level; the results of these studies show that it is adequate in terms of supporting enterprise decision making. This thesis is a composite thesis of eight papers. Paper 1 describes a method and dataset that can be used to validate the contribution described in this thesis and models similar to it. Paper 2 presents which statistical distributions are the best fit for modeling the time required to compromise computer systems. Paper 3 describes estimates on the effort required to discover novel web application vulnerabilities. Paper 4 describes estimates on the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required by an attacker to obtain critical vulnerabilities and exploits for compiled software. Paper 6 presents the effectiveness of seven commonly used automated network vulnerability scanners. Paper 7 describes the ability of the signature-based intrusion detection system Snort at detecting attacks that are more novel, or older than its rule set. Finally, paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; this tool is founded upon the results presented in papers 1-7.