Information Security Risk Research Articles

Industrial espionage from a human factor perspective

Industrial espionage is a significant threat in a fiercely competitive environment which increases the risk of information security and safety being compromised and leads to concerns about business ethics. The main aim of this paper is to examine industrial espionage from the perspective of the insider human factor, explore the motivations that may lead to industrial espionage, and identify ways of maintaining information security and safety to reduce insider threats. The research involved qualitative in-depth interviews among twenty-one stakeholders from seven European countries. The transcripts were analysed using grounded theory methodology. Results show that main factors that may lead to industrial espionage include intensifying market competition, financial compensation offered in exchange for information, decreasing loyalty among the younger generation, psychological issues of personal grievance and psychological disorders, and poorly developed information-security infrastructure. This study recommends that managers and policymakers plan and implement protection and prevention measures, undertake risk analyses to reduce the potential consequences of insider threats, and establish a critical business information tracking system. Further recommendations include maintaining an appropriate company culture, ensuring employee satisfaction, and fostering information safety education while creating adequate security infrastructure.

Enterprise information security risks: a systematic review of the literature

Currently, computer security or cybersecurity is a relevant aspect in the area of networks and communications of a company, therefore, it is important to know the risks and computer security policies that allow a unified management of cyber threats that only seek to affect the reputation or profit from the confidential information of organizations in the business sector. The objective of the research is to conduct a systematic review of the literature through articles published in databases such as Scopus and Dimension. Thus, in order to perform a complete documentary analysis, inclusion and exclusion criteria were applied to evaluate the quality of each article. Then, using a quantitative scale, articles were filtered according to author, period and country of publication, leaving a total of 86 articles from both databases. The methodology used was the one proposed by Kitchenham, and the conclusion reached was that the vast majority of companies do not make a major investment in the purchase of equipment and improvement of information technology (IT) infrastructure, exposing themselves to cyber-attacks that continue to grow every day. This research provides an opportunity for researchers, companies and entrepreneurs to consult so that they can protect their organization's most important assets.

Building an Electronic Medical Record System Exchanged in FHIR Format and Its Visual Presentation.

Currently, the Taiwan Electronic Medical Record Exchange Center uses the Clinical Document Architecture (CDA) framework, which is based on the international medical standard. The CDA R2 standard, defined in 2005, is used for cross-institution retrieval of electronic medical records (Ministry of Health and Welfare, Information Department, 2021). However, CDA R2 only supports the exchange of clinical documents and is limited to the XML format. Due to the lack of a standardized framework for medical data exchange in Taiwan, different standards and specifications result in different data interface methods between systems, requiring customization for each system by healthcare institutions or the government. The inconsistency in data formats requires healthcare institutions and the government to spend more time on data parsing and mapping, resulting in slow integration of medical data. In this study, we simulated healthcare institutions using Fast Healthcare Interoperability Resources (FHIR) for medical information exchange and utilized the exchanged medical information to create a dynamic dashboard to assist healthcare professionals in making medical decisions. To ensure information security, we employed Hyper Text Transfer Protocol Secure (HTTPS) for secure transmission, which encrypts the transmitted medical record data using the Transport Layer Security (TLS) protocol, preventing deliberate interception and tampering of medical record data between the two systems. Finally, to test the load and performance of static and dynamic resources and web applications, we conducted a system performance evaluation using Apache JMeter. The results of this study demonstrate that replacing the gateway of the Electronic Medical Record Exchange Center with an FHIR server effectively reduces the time and cost spent by developers on data format conversion while also mitigating the information security risks associated with the previous VPN solution. Additionally, by utilizing dynamic charts, healthcare professionals are assisted in making medical decisions.

Research on Robust Digital Watermarking Based on Reversible Information Hiding

The development of modern Internet communication technology and the popularization of multimedia technology have brought convenience to the sharing and storage of multimedia information such as images, videos, and audio. However, at the same time, it has brought about the problem of copyright theft of multimedia information, causing serious information security risks. Digital watermarking technology embeds copyright information in multimedia information in an invisible way, which can effectively realize copyright protection and traceability of infringement. Aiming at the problem that the existing learning model-based methods cannot fully extract and fuse the features of carrier images and watermark images, a robust digital watermarking method based on reversible information hiding is proposed. First, a watermark embedding model based on reversible information hiding is established, and the features of the download volume image and the watermark image in different dimensions are fully extracted and fused to generate a dense image with excellent visual quality. Then, a watermark extraction model based on reversible information hiding is established, and a noise layer is added between the embedding and the extraction model, and the attacked dense image is input to the watermark extraction model to extract the watermark. Under the constraint of the loss function, the network model learns to embed watermark information in the area that is more robust to the attack and is not easy to cause visual quality degradation, so as to optimize the comprehensive performance of the method. Experimental results show that the proposed method effectively improves the imperceptibility and robustness.

Institutional innovation essence and knowledge innovation goal of intellectual property law in the big data era

This work aims to expand the understanding on the nature of institutional innovation and the goal of knowledge innovation of intellectual property (IP) law in the era of big data (BD) and to avoid the risks of information security in the IP service system. On the basis of the era of BD, the nature of institutional innovation and the goal of knowledge innovation in IP law are systematically discussed. Combined with smart contract (SC) technology, an IP service system based on blockchain technology is designed to ensure the security of IP services. The SC is optimized from the perspective of concurrency, and the contract transactions (CTs) are clustered. Moreover, considering the execution time (ET) and available resources of CTs, a speculative concurrency control algorithm that can realize intelligent contract scheduling is proposed. On the basis of the ciphertext-policy attribute-based encryption (CP-ABE) algorithm, a policy-updatable attribute encryption algorithm is designed. The improved CP-ABE algorithm includes six steps: system initialization, attribute private key generation, encryption, decryption, ciphertext policy generation, and ciphertext policy update. The identity parameter of the traceability manager is introduced into the improved CP-ABE scheme, which significantly increases the amount of computation of bilinear mapping, thus resulting in the time cost of encryption and decryption being approximately 350 ms and 300 ms higher than that of the CP-ABE scheme. Using the technical mode of “blockchain + SC,” the design of the IP service system is realized, which has important reference value for the institutional innovation of IP law.

Design of network information visualization security cognition system based on QSOFM network and FR algorithm

ABSTRACT Network information is complex, there is no lack of hidden risks of information to the user caused by bad effects. But analyzing and evaluating them is complex and requires more diverse and powerful techniques. This research will combine Fruchterman-Reingold (FR) information visualization algorithm and information security risk assessment method based on Quantum self-organizing feature map (QSOFM) network to build information visualization security cognitive system. By introducing quantum neurons into self-organizing feature mapping network (SOFM), a network information security evaluation model is constructed. The system can evaluate the security level of network information and visualize the evaluation results. The experimental results show that the system has fast response speed and strong interactivity. The accuracy of QSOFM algorithm is 86%, 12% higher than the traditional algorithm, which can provide more powerful technical support for the visual security cognition of network information.

Assessment of information security risks of automated system using neuro-fuzzy logic

Objective. Automated systems are widely used in production, and an important criterion for their reliability is information security. The aim of the study is to provide a balance between possible losses as a result of the implementation of threats and the cost of protection tools that reduce risks using neuro-fuzzy logic.Method. The developed model is based on the use of fuzzy logic.Result. A model of integrated information security risk assessment has been obtained, which can be practically applied for a comprehensive analysis of the effectiveness of organizing a protection system for automated systems operating in various fields of activity. The risk indicators of information security of an automated system, described with the help of linguistic variables, are revealed. Based on these indicators, information security risk assessments were obtained from the state of: software; technical support; information support; organizational and methodological support; the level of training and motivation of employees. The fuzzy production rules of the model are formulated to determine the integrated assessment of the information security of an automated system, providing a full account of all factors that have a significant impact on the level of security of an automated system.Conclusions. A feature of the proposed approach is the formalization of the assessment process, reducing the level of subjectivity in the formation of risk assessments.

Problems of risk management in the field of information security

Objective. The purpose of the study is to collect publicly available information to identify the main problems that hinder the effective management of information security risks in the business sector.Method. The following research methods are used: systematization, description and analysis. The necessary data are formed on the basis of information obtained from the analysis of the regulatory framework and research in the field.Result. In this paper, the relevance of the issue under consideration was substantiated; the significant effectiveness of the risk-based approach in information security management was noted. The key stages of the information security risk management process were described. Next, the main problems of information security risk management for all stages of the holistic process are identified.Conclusion. The conducted research is of an overview nature. The materials presented in the paper can serve as a basis for further research on the topic, as well as for the formation of recommendations for resolving the identified problems.

Industrial Internet Intrusion Detection Based on Res-CNN-SRU

Nowadays, the industrial Internet is developing rapidly, but at the same time it faces serious information security risks. At present, industrial Internet data generally have the problems of complex attack sample types, large numbers, and high feature dimensions. When training a model, the complexity and quantity of attack samples will result in a long detection time for the intrusion detection algorithm, which will fall short of the system’s real-time performance. Due to the high feature dimension of the data, shallow feature extraction will be unable to extract the data’s more significant features, which will render the model’s overall detection capacity insufficient. Aiming at the above problems, an industrial Internet intrusion detection method based on Res-CNN-SRU is proposed. This method not only considers the temporality of network traffic data but can also effectively capture the local features in the data. The dataset used in the experiment is the gas pipeline industry dataset proposed by Mississippi State University in 2014. Experiments show that the algorithm can effectively improve the recognition rate of the system and reduce the false-alarm rate. At the same time, the training time required for this method is also greatly shortened, and it can perform efficient intrusion detection on the industrial Internet.

The Application of Big Data and Artificial Intelligence Technology in Enterprise Information Security Management and Risk Assessment

With the development of digitalization and Internet technology, enterprise information security is facing more and more challenges. Many enterprises have begun to adopt big data (BD) and artificial intelligence (AI) technology for risk assessment (RA) and prediction to effectively manage information security risks. This article discusses the application of BD and AI technology in enterprise information security management (ISM) and RA from two aspects. Firstly, the mobile payment signature scheme based on number theory research unit is used to improve the security of the mobile payment system. This scheme uses lattice algorithms to achieve fast key generation, signing, and verification and can resist traditional cryptographic attacks. Secondly, a set of enterprise ISM and RA system is established, including risk identification, RA, monitoring and early warning, emergency response, and other links. BD and AI technology is used to analyze internal and external data to provide accurate RA results to achieve automated RA.

Study On Risk Identification of Corporate Supply Chain Finance Based on ISM-MICMAC Model

It is crucial to accurately identify the main influencing factors of supply chain finance risk, analyze their mechanism of action and construct a system of influencing factors for risk management of supply chain finance. This paper examines the three parties involved in supply chain finance, including the financial institution, the core enterprise, and the SMEs, and screens out 21 major risk factors from them. This study calculates the adjacency matrix and accessibility matrix by using SPSSPRO, then constructs the interpretative structural modeling method (ISM) and the recursive structure diagram. Combining the Matrix-based Multiplication Applied to a Classification (MICMAC), this paper classifies the influencing factors into four categories: autonomous category, dependent category, linkages category, and independent category. The results show that: (1) the factors that constitute the deepest level of risk in supply chain finance are crediting false trade, non-standard bill of lading, data information security risk, imperfection of business process design, et cetera. (2) Among all factors, three factors are identified as the autonomous category, nine as the independent category, and nine as the dependent category with no linkages category.

Evaluation Of Information System Governance Capability Level Of Engineering Construction Services Firm Using Cobit Framework 5

Engineering Construction Services Firm Instrument Engineering is a company in engineering construction services. Not only construction services Engineering Construction Services Firm Instrument Engineering also has services in the field of non-construction such as operation and maintenance. There is no quality management standard in the company expected to increase productivity and superiority over competitors; the company needs a schedule to conduct periodic audits of information security management. It requires recommendations for improving the Information Security Management System), and the company hopes to make a standard document for data and information security risk governance aimed at supervision and review of the Information Security Management System. To make sure that SI operations within the Company have been carried out and objectives have been supported as effectively as possible, it is required to conduct an information system audit using the Control Objectives for Information and Related Technology (COBIT) framework based on the needs that have been described. The research on evaluating IT governance abilities using the COBIT 5 framework APO13 process ends at level 1 with a status of 82.12. EDM03 and APO12 processes terminate at level 2, with a Largely achieved status of 82.12 for EDM03 and 84.41 for APO12.

Risk Analysis of Information Security in Balikpapan International Airport Service Desk Plus (SDP) Using The Octave Allegro Method

Indonesia, as a developing country, is not exempt from the advancements in information and communication technology. However, these advancements in information and communication technology can bring negative impacts, such as an increasing threat of misuse. SDP (Service Desk Plus) is a system that serves as a management tool for IT services, facilitating employees from various departments in requesting services and reporting ICT (Information Communication Technology) incidents. SDP has faced challenges or obstacles that have hindered its optimal use, such as IT services experiencing downtime, inaccessible ICT services, and SDP users frequently sharing usernames and passwords. Based on these threats, it is necessary to conduct a further analysis of information security risks regarding the security of implementing SDP centrally using the OCTAVE Allegro method. OCTAVE Allegro is a framework that utilizes the OCTAVE approach with a primary focus on information assets, designed to provide faster results without requiring in-depth knowledge of risk assessment. The results of this research identified three risks that can be mitigated, namely user data password errors with a relative risk score of 27, internet downtime with a relative risk score of 31, and file intrusion with a relative risk score of 38, considering the likelihood of threats occurring. Additionally, there is one accepted risk, which is the input error of incident data, with a relative risk score of 19.

OVERCOMING THE BARRIERS TO THE DIGITAL TRANSFORMATION OF INDUSTRIAL ENTERPRISES THROUGH THE BUSINESS MODEL SELECTION MECHANISM

The article describes the main barriers to digital transformation faced by industrial enterprises in various industries, such as: lack of appropriate funding, information security risks, insufficient digital skills of employees, insufficient maturity of current processes, internal resistance to change, insufficient awareness of managers, lack of certainty over the future of digital standards. To analyse the barriers, the author used a three-step approach, including a literature review, a primary research with representatives of the companies, and a qualitative comparative analysis that are based on the Kruskal – Wallis test and used to identify differences between groups of enterprises. To overcome the barriers identified by the author it was offered to use a mechanism of a business model selection, which takes into account the assessment of obtained competitive advantages (improvement of operational, financial and technical efficiency), digital maturity (digital culture level, staff qualifications, the quality of business process organisation and access to digital infrastructure) and risks (non-receipt of expected income from business model implementation, information security, reputational and personnel). The novelty of the proposed business model selection mechanism for an industrial enterprise is to improve the classification and develop a multi-criteria mechanism for choosing a business model, which would be implemented using a knowledge-based system incorporating a fuzzy inference mechanism.

Evaluating Individual Involvement in Shaping Information Security Culture

In the increasingly advanced digital era, information security has become a crucial aspect for various organizations worldwide. In facing these challenges, organizations rely not only on sophisticated security technologies but also on active participation and involvement of individuals in shaping a strong information security culture. Information security culture encompasses the attitudes, values, and behaviors of individuals when it comes to addressing information security risks. This research aims to evaluate the individual involvement in shaping the information security culture within an organization. The study will involve measuring the level of individual awareness of information security, individual knowledge of information security, compliance with security policies and procedures, as well as individual behaviors in maintaining information security. Data collection will be done using a questionnaire that has been tested for validity and reliability. Awareness has an average total score of 13.20833333 and an average dimension score of 4.40277778. Meanwhile, knowledge has the same value as compliance and behavior, with an average total score of 13.27083333 and an average dimension score of 4.42361111. The results of this research reveal that the research subject has the lowest awareness value compared to other dimensions, while knowledge, compliance, and behavior have the same values. Overall, the research subject exhibits a relatively good information security culture, although it is not perfect.

Conducting Risk Analysis and Vulnerability Assessment in the Core Fund System Management at National Social Security Fund

The study sought to analyse security risks and assess security vulnerabilities in the NSSF Core Fund System. The study employed descriptive survey design while the study population was 314 staff working at head office of NSSF. In addition to that, purposive and sampling techniques were used to select 89 who were members of sample size. In addition to that questionnaire and interview were used to solicit data from the respondents while data were analysed using descriptive and content analysis. The study found that security risks and vulnerabilities associated with the core fund system included cyber-attacks, disclosure of sensitive data and hardware failure, others said viruses, internal security threats and internal accidental threats. In the similar case, some said system administration errors. The study also indicated that existence of information security risks had been in different period of time depending on the type of such information security risks. The study concluded that enhancing information security in the Core Fund System utilized by the National Social Security Fund (NSSF) is crucial for safeguarding the data of both the staff and customers. This can be achieved by regularly updating the records of customers and staff members to ensure their information remains reliable. The increasing reliance on computers, mobile devices, and digitalization of business operations necessitates a knowledgeable manager who understands the vulnerabilities and threats to data and information assets. Such a manager can then develop strategies to mitigate risks and protect the organization's data and assets. The study recommended that it is important for organizations to continue providing training to their staff regarding security policies and guidelines for information systems. This will help raise awareness about security risks and allow for the evaluation of vulnerabilities in the NSSF Core Fund System. As a result, it is necessary to establish standards and guidelines that promote the adoption of best practices in information security, ultimately achieving a satisfactory and sufficient level of security.

РАЗРАБОТКА ПРОГРАММЫ УПРАВЛЕНИЯ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТЬЮ В КОНФИГУРАЦИИ 1С: ПРЕДПРИЯТИЕ 8.3

An integrated approach to information security management is presented in the form of processes on the decomposition diagram of the IDEF0 model. The analysis of possible damage to information assets is recommended to be carried out according to two groups of criteria with the involvement of experts, based on qualitative scales. Expert analysis of information security threats and vulnerabilities through which they can be implemented is proposed to be carried out in conjunction with the use of qualitative scales, taking into account the presence of implemented control mechanisms in the organization. The results of the analysis are expressed in the form of the total level of the vulnerability group. A matrix for determining the magnitude of information security risk is constructed. The obtained qualitative estimates are compared with the quantitative indicator of the average annual damage and calibrated. As a marker of the effectiveness of protective mechanisms, it is proposed to choose the return on investment ratio. In order to increase the efficiency and convenience of conduct-ing an expert assessment of information security risks, automating the processing of the results ob-tained during the examination, as well as calculations on which the decision-maker can rely, a program was created in the configuration 1C: Enterprise 8.3

Assessment of Higher Education Information Security Risk Management Practices in Tanzania

This study assessed the information security risk management practices in in Tanzanian Higher Education Institutions (HEIs). It employed the sequential explanatory research design. Out of 51 HLIs in Tanzania, the study selected 10 HEIs from Dar es Salaam. The researchers computed the sample estimation through the Cochran’s formula for large population with a precision level of ±10 percentage and confidence level of 95%. The actual sample size was 96 ICT professionals in terms of ICT directors, network administrators, system administrators, ICT support staff and lecturers of ICT. The study used a closed-ended questionnaire, which had Yes/No questions and a structured interview, which collect qualitative data. Quantitative data analysis from the questionnaire was done through descriptive statistics using the SPSS whereas qualitative data from interviews was analyzed using the thematic analysis approach. The study uncovered a notable absence of risk management frameworks and inadequate integration of procedures within institutional strategies. While some HEIs demonstrated effective safeguarding of sensitive information, others required enhancements. The study recommend that HEIs should establish formal risk management frameworks and integrate them strategically into institutional plans. To bridge the implementation gap, HEIs should prioritize comprehensive training, require management support and tailor practices according to their specific contexts.

Audit Keamanan Sistem Informasi Manajemen Rumah Sakit Dengan Framework COBIT 2019 Pada RSUD Palembang BARI

This study examines the implementation of information system at RSUD Palembang BARI with the aim of enhancing information system security. In this context, a security audit is conducted using the COBIT 2019 framework. The COBIT 2019 domains and processes utilizing include EDM03, APO12, APO13, APO14, and DSS05. The research involves the identification and evaluation of information security risks, determination of necessary security controls, and ensuring compliance with the information security standards established by COBIT 2019. The findings indicate that the level of information system security at RSUD Palembang BARI is at level 3 (Defined), with a gap analysis difference of 1 level below the expected target. Based on the above results, efforts to improve and enhance the information system security at RSUD Palembang BARI are still needed. The use of information system security techniques such as vulnerability scanning, penetration testing, WAF, IDS and IPS, and data encryption, as well as improving security in terms of server physical aspects such as installing CCTV and restricting user access with access cards or fingerprints, can be implemented to ensure compliance with relevant information security standards. Consideration for obtaining security certifications, like ISO 27001, should also be taken. Additionally, the quality of human resources in terms of policy-making and the ability of employees to address threats and attacks on information system security should be improved through training and strengthening coordination among employees.

INFORMATION SECURITY RISK MANAGEMENT DESIGN OF SUPERVISION MANAGEMENT INFORMATION SYSTEM AT XYZ MINISTRY USING NIST SP 800-30

SIMWAS is an information system at the XYZ Ministry that is used to manage supervisory activities and follow up on supervisory results. SIMWAS is an important asset that contains all internal control business processes, but in practice, SIMWAS information security risks have not been managed properly. To overcome these problems, information security risk management is needed at SIMWAS. This study aims to design and analyze SIMWAS information security risk management using the NIST SP 800-30 framework. NIST SP 800-30 focuses on a particular infrastructure and its boundaries. Since the purpose is to perform a technical risk analysis of the core IT infrastructure, it is highly prescriptive. It has nine primary steps to conduct risk assessment. The NIST SP 800-30 framework is used to design and analyze SIMWAS information security risks by identifying threats, vulnerabilities, impacts, likelihoods, and recommendations for controls. SIMWAS information security risk assessment is carried out by analyzing data obtained from the results of interviews, observations, and document reviews. The results of this study show that SIMWAS information security has four low-level risks, eight moderate-level risks, and five high-level risks. Very low and low risk levels are acceptable according to the risk appetite of the business owner, but moderate, high, and very high-risk levels require risk avoidance, risk transfer and risk reduction. The XYZ Ministry need to carry out residual risk analysis and cost-benefit analysis from implementing controls in each risk scenarios.