Catálogo de publicaciones - libros

This paper puts forward the view that an individual’s perception of the risks associated with information systems determines the likelihood and extent to which she or he will engage in risk taking behaviour when using a computer. It is suggested that this behavior can be manipulated by ‘framing’ a communication concerning information system risk in a particular manner. In order to achieve major effectiveness in getting an information security message across to a computer user, this paper discusses and demonstrates how his or her individual cognitive style should be considered when framing the risk message. It then follows that if the risk taking bchaviour of computer users becomes less risky due to an increase in the level of perceived risk, then the level of information security increases.

Risk analysis is used during the planning of information security to identify security requirements, and is also often used to determine the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its focus on technology is at the detriment of considering people and processes as significant sources of security risk. Second, an analysis driven by technical assets can be overly time-consuming and costly. Third, the traditional risk analysis method employs calculations based largely on guesswork to estimate probability and financial loss of a security breach. Finally, an IT-centric approach to security risk analysis does not involve business users to the extent necessary to identify a comprehensive set of risks, or to promote security-awareness throughout an organization. This paper proposes an alternative, holistic method to conducting risk analysis. A holistic risk analysis, as defined in this paper, is one that attempts to identify a comprehensive set of risks by focusing equally on technology, information, people, and processes. The method is driven by critical business processes, which provides focus and relevance to the analysis. Key aspects of the method include a business-driven analysis, user participation in the analysis, architecture and data flow diagrams as a means to identify relevant IT assets, risk scenarios to capture procedural and security details, and qualitative estimation. The mixture of people and tools involved in the analysis is expected to result in a more comprehensive set of identified risks and a significant increase in security awareness throughout the organization.

This paper demonstrates that information security is more than a technical issue, through the development of an information security responsibility framework that shows consideration for strategic and legal issues as well. It is important that information security be viewed as both a governance challenge and a management responsibility. In order to achieve this this paper addresses information security governance and the board’s participation in directing and controlling security efforts. Furthermore information security management is addressed in order to demonstrate how information security should be implemented. Once a comprehensive picture of the information security function has been established, the roles of various individuals in terms of information security are discussed and mapped out in the responsibility framework in order to demonstrate the true scope of an organizations information security function.

Information is a fundamental asset of any organization and needs protection. Consequently, Information Security Governance has emerged as a new discipline, requiring the attention of Boards of Directors and Executive Management for effective information security. This paper investigates the literature on Corporate Governance, IT Governance and Information Security Governance to identify the components towards a definition of Information Security Governance. The paper concludes by defining Information Security Governance and discussing the definition, identifying and addressing all important issues that need to be taken into account to properly govern information security in an organization.

This paper intends to stimulate discussion, research and new points-of-action for IS/IT security management from the background of corporate governance, contemporary debates of how to express observable consequences of IT and IT security, and of didactic issues. It is concluded that empirical research within IT security management is rare as compared to theoretical approaches but needed in order to have IS/IT security management on par with general management.

In order to better understand the information security performance in products, processes, technical systems or organizations as a whole, and to plan, control, and improve it, security engineers, system developers and business managers must be able to get early feedback information from the achieved security situation. Systematic security metrics provides the means for managing security-related measurements comprehensively. We reflect on the use of information security metrics by presenting the results of an interview study carried out in Finnish industrial companies and State institutions. Furthermore, we discuss the application of security measurements from the business process and technical points of view. The role of technical security metrics is analyzed using mobile ad hoc networks as a case example.

Performing a Risk Analysis has long been considered necessary security practice for organisations, however surveys indicate that Small and Medium Enterprises do not tend to undertake one. Some of the main reasons behind this have been found to be the lack of funds, expertise and awareness within such organisations, this paper describes a methodology that aims to assess these issues and be appropriate for the needs of this SMEs by utilising a protection profiles and threat trees approach to perform the assessment instead of lengthy questionnaires and incorporating other elements such as financial considerations and creation of a security policy.

The paper deals with the modelling of the Information Security Management System (ISMS). The ISMS, based on the PDCA (Plan-Do-Check-Act) model, was defined in the BS7799-2:2002 standard. The general model of the ISMS was presented. The paper focuses on the Plan stage elaboration only, basing on the previously identified ISMS business environment. The UML approach allows to achieve more consistent and efficient implementations of the ISMS, supported by the computer tools. The paper shows the possibility of the UML use in the information security domain.

Traditional database integrity control is focused on handling integrity constraint violations caused by failures and operator mistakes. However, as there are more and more malicious attacks on database systems, the traditional integrity control concept becomes too to handle data integrity degradation caused by malicious attacks. In this talk, we present a framework of attack-aware database integrity control, where the concept of is investigated, a set of new integrity control problems are identified and the corresponding solutions are explored.

Personal mobile devices, as mobile phones, smartphones, and communicators can be easily lost or stolen. Due to the functional abilities of these devices, their use by an unintended person may result in a severe security incident concerning private or corporate data and services. Organizations develop their security policy and mobilize preventive techniques against unauthorized use. Current solutions, however, are still breakable and there still exists strong need for means to detect user substitution when it happens. A crucial issue in designing such means is to define what measures to monitor.

In this paper, an attempt is made to identify suitable characteristics and measures for mobile-user substitution detection. Our approach is based on the idea that aspects of user behavior and environment reflect user’s personality in a recognizable way. The paper provides a tentative list of individual behavioral and environmental aspects, along with characteristics and measures to represent them.