Information Security Framework Research Articles

The establishment of collaboration in managing information security through multisourcing

PurposeAs information security requirements evolve due to ever-changing business and regulatory requirements, and threat landscape, organisations have turned to multisourcing as a method of delivering information security services. This development has created opportunities for service providers which specialise in information security service provision to collaborate and deliver security services through multisourcing contracts. Therefore the research develops a collaboration framework for managing information security through multisourcing. MethodologyThis paper explores collaboration in multisourcing information security contracts through a qualitative case study that investigated the phenomenon from the views and experiences of a client organisation and its six service providers. FindingsThe research found that multisourcing contracts can effectively manage information security services through collaborative efforts from multiple service providers and technology vendors. Practical implicationsTheoretical insights into the use of collaboration and partnerships in the multisourcing of information security are non-existent. Therefore, the research contributes to practice by introducing a tripartite collaboration framework for multisourcing information security. This tripartite collaboration consists of client, service provider and technology vendors. Originality valueThe research demonstrates through the perspective of client organisation and service providers that collaboration in multisourcing information security contracts goes beyond the client and its service providers to include even technology vendors.

Legal and regulatory framework of Information security of automated process control systems

Nowadays protection of automated process control systems in the Russian Federation is one of the most important problems in the field of information security. Number of cyberthreats is increasing dramatically that has critical value for an ecological, social and macroeconomic component of the state.

Mapping the coverage of security controls in cyber insurance proposal forms

Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process would require an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper, we examine 24 proposal forms, offered by insurers based in the UK and the US, to determine which security controls are present in the forms. Our aim is to establish whether the collection of security controls mentioned in the analysed forms corresponds to the controls defined in ISO/IEC 27002 and the CIS Critical Security Controls; these two control sets are generally held to be best practice. This work contains a novel research direction as we are the first to systematically analyse cyber insurance proposal forms. Our contributions include evidence regarding the assumption that the insurance industry will promote security best practice. To address the problem of adverse selection, we suggest the number of controls that proposal forms should include to be in alignment with the two information security frameworks. Finally, we discuss the incentives that could lead to this disparity between insurance practice and information security best practice, emphasising the importance of information security economics in studying cyber insurance.

Information security risks management framework – A step towards mitigating security risks in university network

Information is one of the most prominent assets for Universities and must be protected from security breach. This paper analyzed the security threats specifically evolve in University's network, and with consideration of these issues, proposed information security framework for University network environment. The proposed framework reduces the risk of security breach by supporting three phase activities; the first phase assesses the threats and vulnerabilities in order to identify the weak point in educational environment, the second phase focuses on the highest risk and create actionable remediation plan, the third phase of risk assessment model recognizes the vulnerability management compliance requirement in order to improve University's security position. The proposed framework is applied on Vikram University Ujjain India's, computing environment and the evaluation result showed the proposed framework enhances the security level of University campus network. This model can be used by risk analyst and security manager of University to perform reliable and repeatable risk analysis in realistic and affordable manner.

Developing a comprehensive information security framework for mHealth: a detailed analysis

It has been clearly shown that mHealth solutions, which is the use of mobile devices and other wireless technology to provide healthcare services, deliver more patient-focused healthcare, and improve the overall efficiency of healthcare systems. In addition, these solutions can potentially reduce the cost of providing healthcare in the context of the increasing demands of the aging populations in advanced economies. These solutions can also play an important part in intelligent environments, facilitating real-time data collection and input to enable various functionalities. However, there are several challenges regarding the development of mHealth solutions: the most important of these being privacy and data security. Furthermore, the use of cloud computing is becoming an option for the healthcare sector to store healthcare data; but storing data in the cloud raises serious concerns. This paper investigates how data are managed both on mHealth devices as well as in the cloud. Firstly, a detailed analysis of the entire mHealth domain is undertaken to determine domain-specific features and a taxonomy for mHealth, from which a set of security requirements are identified in order to develop a new information security framework. It then examines individual information security frameworks for mHealth devices and the cloud, noting similarities and differences. Furthermore, key mechanisms to implement the new framework are discussed and the new framework is then presented. Finally, the paper presents how the new framework could be implemented in order to develop an Advanced Digital Medical Platform.

The effectiveness of COBIT 5 Information Security Framework for reducing Cyber Attacks on Supply Chain Management System

Cyber espionage and malware attacks pose a great danger to many organisations, particularly those that embrace the use of modern technology to enhance efficiency. Although new off-the-shelf applications for enterprise resources planning (ERP) and management provide higher availability and better service, they are often customised, that can leave some scope for security gaps. While organisations have put in place tight security measures, malicious end users use security loopholes found in various systems to commit common cybercrimes such as denial of services, web hacking and defacement, malware, spam and phishing. The Supply Chain Management System (SCMS) is no stranger to such cybercrimes and certainly requires an Information Systems (IS) Security Framework in fighting off malware attacks. This paper investigates the effectiveness of the implementation of the COBIT 5 Information Security Framework in the reduction of risk of Cyber Attacks on SCMS. In this effort, qualitative data was gathered for a comprehensive security questionnaire targeted to IS administrators and managers responsible for Supply Chain organizations that use COBIT 5 framework for security. The results indicated that COBIT 5 added a new dimension for IS security governance via strict policies and rule set that further strengthened enterprise applications security. Overall, we found that organization benefited from implementing the COBIT 5 framework security measures in SCMS and ERP systems.

A new feature selection model based on ID3 and bees algorithm for intrusion detection system

Intrusion detection systems (IDSs) have become a necessary component of computers and information security framework. IDSs commonly deal with a large amount of data traffic and these data may contain redundant and unimportant features. Choosing the best quality of features that represent all of the data and exclude the redundant features is a crucial topic in IDSs. In this paper, a new combination approach based on the ID3 algorithm and the bees algorithm (BA) is proposed to select the optimal subset of features for an IDS. The BA is used to generate a subset of features, and the ID3 algorithm is used as a classifier. The proposed model is applied on KDD Cup 99 dataset. The obtained results show that the feature subset generated by the proposed ID3-BA gives a higher accuracy and detection rate with a lower false alarm rate when compared to the results obtained by using all features.

Information Security Evolution, Impact and Design Factors

Securing the business critical information is the major concern that an organization is facing with the enormous growth in the internet. This paper explores the evolution of information security and the need for protecting the information from unauthorised access. This paper also explains how the information security problem increases with the development in the technology. The technological solutions for the security problem were also discussed with their current issues. This paper also suggests the design factors to be considered when developing an information security framework and presents the key issues that the researchers can focus on in this field.

Design and Application of the Information Security Framework for Electric System Lifecycle

With the further promotion of electric enterprise information construction, industrialization and informationization have been deeply integrated. Power system safety and stability is highly dependent upon electric information system. However, as the electric business higher integrated, data more interactive, and structures more complex, electric information system would face serious security risks. Any simple system may become the "short board" of enterprise information security protection architecture, and any vulnerability may bring serious consequences. In this paper, we propose an information security framework for electric system lifecycle based on typical information security model. As the framework widely applied, the overall safety capacity of electric enterprise has increased substantially.

A Design of Information Security Curriculum Based on Social Networks and Edutainment

According to the existing training framework of Information Security, Jianqiao Colledge conducted a needs analysis and instructional design of information security. In addition, it offers the realization of the vulnerability network and independent learning strategies based on the idea of edutainment.

A Conceptual Model to Understand Information Security Culture

The purpose of the paper is to examine the conceptualization of information security culture in order to develop an information security culture measurement model. In order to do so, a comprehensive literature analysis of current information security culture models and frameworks were examined. The outcome of the comprehensive review is a top constructs candidate that conceptualizes security culture. The current paper found no mutual agreement on what factors conceptualize a security culture. Our contribution is being able to identify a clear gap on the existing literature of a lack of clear conceptualization and distinction between factors that constitute information security culture and factors that influence information security culture. The distinction clearly has not been made by academic literature on the information security culture. The current study assists academic researchers to identify research gaps in the information security culture field, including identifying further empirical research needed in this area.

Toward an Effective Information Security Risk Management of Universities’ Information Systems Using Multi Agent Systems, Itil, Iso 27002,Iso 27005

Universities in the public and private sectors depend on information technology and information systems to successfully carry out their missions and business functions. Information systems are subject to serious threats that can have adverse effects on organizational operations and assets, and individuals by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processes, stored or transmitted by those systems. Threats to information systems can include purposeful attacks, environmental disruptions, and human/machine errors, and can result in harm to the integrity of data. Therefore, it is imperative that all the actors at all levels in a university information system understand their responsibilities and are held accountable for managing information security risk-that is the risk associated with the operation and use of information systems that support the missions and business functions of their university. The purpose of this paper is to propose an information security toolkit namely URMIS (University Risk Management Information System) based on multi agent systems and integrating with existing information security frameworks and standards, to enhance the security of universities information systems.

Evaluating and enriching information and communication technologies compliance frameworks with regard to privacy

PurposeThe aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.Design/methodology/approachThe paper draws conceptually upon an existing security standard's framework and omissions in information privacy compliance frameworks are recognized. As a result, an extended framework of information security and privacy standards is developed. Moreover, taking into account the different attributes and focus of information privacy as compared to information security, the elicitation of usability criteria for web applications and interfaces that will assist users to protect their privacy, is being proposed.FindingsWithin ICT standards numerous information security standards exist, which enable a common understanding of security requirements and promote global rules and practices for security mechanisms. Through their usage, designed information systems ultimately reach a commonly accepted security level and interoperate with other systems in an efficient and secure way. Nevertheless, a similar compliance environment is missing with regard to information privacy. Often security controls are seen as the solution to privacy protection and security compliance frameworks are regarded as guidance to information privacy as well. This is clearly the wrong approach since the main security and privacy attributes are different; information security refers to information stored, processed and transmitted for completing the information system's functions and purpose, while information privacy is the protection of the information's subject identity.Research limitations/implicationsThe identified gaps in compliance environments are based on extensive literature review, while the proposed enhancements for the information privacy standards are, at this stage, an opinion‐based piece of work.Originality/valueCurrently, information privacy is treated mostly as a legal compliance requirement and thus is not adequately handled by security standards. The paper provides recommendations and further guidance in managerial, procedural and technical level for handling information privacy.

Perceived information security of internal users in Indian IT services industry

Information security governance dominates the senior management's agenda in overall organizational informance technology (IT) governance. The globalization trends encompassing all businesses, and risks of information leakage forces organizations to institute mechanisms to protect it. In order to achieve adequate level of protection, organizations implement information security management systems (ISMS). The effectiveness of ISMS depends on the implementation strength of security controls. Several studies have detailed out the qualitative nature of information security measurements and quantitative studies have always remained a challenge. This empirical study focuses on the information security perceptions of internal users of the organization on the security controls, customer influence and the support provided by the top management. The perception of internal users referred as perceived information security is measured based on the degree of confidence expressed by the internal users towards the security objectives namely, confidentiality, integrity, availability, accountability and reliability. In an attempt to align the interest of researchers and practitioners, the study surveys major developments in the field of ISMS and proposes a construct for a holistic comprehension of `Perceived Information Security'. The survey based research methodology focuses on the perceptions of the internal users such as Security program Implementers, Business Users and Senior Management. The findings of the study in the context of Indian IT services industry have been presented. The contributions of the research paper include providing insights into perceived information security of internal users of the organization, an empirical approach for studying perceived information security and a holistic framework for information security in Indian IT organizations.

SAFETY OF INFORMATION AND COMMUNICATION SYSTEMS. QUESTIONS OF TERMINOLOGY AND BASIC DEFINITIONS

The article analyzes the regulatory provision and describes the basic questions of terminology' and definitions of information security. Studied history and legal steps to create a regulatory framework of information technology and security.

Design E-SCM Information Security Framework

Electronic Business (e-Business) is revolutionizing the way of communication between Internal and external stakeholders in an organization. E-business can lead to competitive advantage and at the same time, increase profitability. There are several factors resulting on the success of e-business. One of the most important factors is Security. It is thus clear that information technology (IT) and the emerging e-business application and related to security are gaining a pivotal role in managing supply chain. This paper examines the impact of E-business on supply chain on information security aspect among other types of supply chains. The current paper reviews security and supply chain literatures and then investigates framework of information technology in supply chain management. Areas of supply chain which need security attention are then proposed in e-supply chain information security framework and this will be considered as a guideline for managers to find out if their e-supply chain network is secure enough. Through the paper, one realizes that Information Security in every information based-system will be vital.

A SUSTAINABLE INFORMATION SECURITY FRAMEWORK FOR E-GOVERNMENT – CASE OF TANZANIA

The government of Tanzania adopted an e-Government strategy in 2009 that is aimed at improving efficiency in government and providing better services to citizens. Information security is identified as one of the requirements for the successful e-Government implementation although the government has not adopted any standards or issued guidelines to government agencies with regards to information security. Comprehensive addressing of information security can be an expensive undertaking and without guidelines information security implementations may be more prone to failure. In a resource poor country such as Tanzania, there is a need for a cost effective and sustainable means of addressing information security in e-Government implementations. In this paper the authors present a case study of an e-Government interaction between a ministry and a government agency and the information security challenges identified in the implementation. In order to address these challenges an information security framework is conceptualized using action research. The framework is applied in the case study to address the identified challenges and the means to address future challenges in a sustainable manner is identified. Finally, the proposed framework is evaluated against Tanzanian and international metrics.

Research of Information Security Framework in Ubiquitous Environment

Ubiquitous Computing has been viewed as the promising computing mode and noticed universally. The security problem gets more important. This article first gives the features of the ubiquitous environment and then analyzes the information security requirements in ubiquitous environment and finally designs the security framework for ubiquitous environment.

A Development of Comprehensive Framework for Continuous Information Security

The growth in computer use has ushered increased concerns of information security throughout the world. Historically, researchers interested in the security of information systems have long investigated extensively themselves with building technological countermeasures in order to prevent several information security problems. However, due to infusion of more procedures and logical or physical devices within the information environment, no system can be completely secure. Therefore, keeping IT environment safe demands a more comprehensive understanding of the phenomenon, which requires broadening information security far beyond the technical aspects. This study is aimed at proposing a information security framework from holistic view.

Security, privacy and ethics in electronic records management in the South African public sector

Computers have become such valuable tools for conducting businessthat today people would have difficulty imagining work without them.One great advantage of the computers is the ease with which a largequantity of data can be analysed, manipulated and shared amongpeople. However, there are a number of compelling security, privacyand ethical dilemmas raised by computer systems. For example, themonitoring of employee e-mails by employers to prevent them fromwasting organisation’s resources on non-business activities. Thisarticle seeks to investigate security, privacy and ethical dilemmas inthe electronic records management environment in the South Africanpublic sector. In order to draw inferences and recommendations, asurvey was conducted on existing national government departmentsin South Africa. Firstly, findings of the literature review (contentanalysis) are discussed. Secondly, the results from the survey areanalysed and interpreted. The article concludes by arguing that withouta proper information security framework and professional code ofethics that embrace electronic records management, governmentdepartments could expose themselves to unnecessary financiallosses due to litigations resulting from invasion of privacy and unethical behaviour, and urges government departments in South Africa to implement Electronic Document and Records Management Systems that are able to capture records in read-only format and generate a non-editable audit trail of all actions to address security dilemmas of electronic records.