Managed Security Services Research Articles

Information security outsourcing strategies in the supply chain considering security externality

Information assets that complement each other capture the information security characteristics of supply chain firms. Supply chain firms usually outsource security services to Managed Security Service Providers (MSSPs) to protect their information. Considering the security externality and information leakage risk in security outsourcing, this article investigates four security management scenarios faced by two supply chain firms. We try to answer whether both firms should outsource security to the same or different MSSPs. We find that no matter under which scenario, as the complementation degree increases, both firms and MSSPs decrease the security quality, and MSSPs offer a contract with lower compensation. We show that information leakage risk and security externality have different effects on the MSSP’s optimal strategy selections. Besides, the MSSP tends to serve both firms when the security externality is positive but prefers serving only one firm when the security externality is negative. Moreover, we find that the strategy that one firm outsources to an MSSP and its partner manages it in-house can be the optimal selection for the social planner but not the MSSP’s optimal strategy. We also extend the model and find that the results are robust to the situations of uncertain loss and asymmetric loss.

The Role of Civilian Cybersecurity Companies in Military Cyber Operations

Abstract The Russia-Ukraine war has clearly shown that critical infrastructures are prime targets for cyber operations in addition to the physical domain. In practice, in many cases, these critical infrastructures are protected by civilian cybersecurity companies in the context of a managed security service, so their defense operations must necessarily be coordinated with military defense activities. This includes among others the sharing of information classified under different classification systems (national, EU, NATO) between different actors in national cyber defense, the inclusion of appropriate civilian experts in the armed forces, and the usage of cutting-edge cybersecurity technologies (e.g. AI-enabled solutions) that are first introduced for civilian use, with military organizations only having access to them later or possibly not encountering them at all due to procurement difficulties. The main goal of this paper is to introduce the existing opportunities and obstacles to civilians’ involvement in military cyber operations in the areas of legislation, technology, and human resources from the European perspective. Moreover, the paper deals with the actual questions of cybersecurity intelligence sharing between civilian and military entities and the European Union’s actions in order to improve the overall cybersecurity posture of the region.

Analisis Kinerja Tata Kelola Teknologi Informasi pada Bank Menggunakan Framework Cobit 2019

Jambi Province Regional Development Bank or Bank Jambi is a bank in Indonesia. This bank was founded on February 12 1959 and is domiciled in Jambi City. Jambi Regional Development Bank is one of the banks that faces competition from other banks. It expects the council to use the greatest capacity accessible, to win over the opposition. One of the assistance techniques to change the implementation of data innovation that takes advantage of business goals is data innovation administration. The acceptance of innovation administration using the COBIT 2019 structure will have a huge effect in supporting the goals of the organization on the grounds that legitimate data innovation administration can help the organization in competing with different opponents. Different improvements have occurred during the modern time frame like now and have fundamentally affected various parts of society, including the business and production areas of online stores. Taking advantage of this, processes that have been recognized as significant processes, such as APO08 (Managed Relationship), APO12 (Managed Risk), APO13 (Managed Security), DSS04 (Managed Continuity), and DSS05 (Managed Security Services), must be continues to be focused on achieving the significant standards that have been set. By focusing on this cycle and continuously assessing and improving, companies can achieve better goals in using data innovation offices for corporate achievements.

Information Technology Governance Using the COBIT 2019 Framework at PT. Pelindo TPK Bitung

The governance of information technology (IT) is crucial for companies in managing their IT assets. This research investigates the implementation of COBIT 2019 at PT. Pelindo TPK Bitung, a logistics and storage company, aiming to enhance its Information Technology (IT) governance. Facing challenges in IT management, the company adopted COBIT 2019 to improve operational efficiency, reduce security risks, and ensure regulatory compliance. The study employs a structured approach, utilizing the COBIT 2019 Design Toolkit, and includes a literature review, interviews, and systematic evaluations of PT. Pelindo TPK Bitung's IT governance. Findings from the first interview highlight the company's focus on growth, innovation, and strategic IT roles, alongside challenges in integrating IT and operations. The prioritized governance objective, DSS05 - Managed Security Services, achieves a capability level 3, indicating substantial success, though gaps in security aspects necessitate prompt policy reviews. In conclusion, PT. Pelindo TPK Bitung's COBIT 2019 implementation has achieved significant success, reaching a capability level 3, with suggestions provided for sustaining and enhancing security management. This research contributes insights into COBIT 2019 implementation, offering a comprehensive understanding of its impact on IT governance in a specific organizational context

Managing partial outsourcing on information security in the presence of security externality

To efficiently manage information security, firms typically outsource the security of partial business (core and non-core) to a managed security service provider (MSSP). Four options can be adopted for a firm on security strategy, that is, all business is managed in-house (IN Strategy), all business is outsourced to the MSSP (OA Strategy), the core business is outsourced and non-core is managed in-house (OC Strategy), and the core is managed in-house and non-core is outsourced (ONC Strategy). We consider the impact of security externality on the firm’s partial outsourcing strategies and find that if the firm wants a higher security quality of the core business, it is better to manage the core business by itself under an environment where the security externality is negative and the security loss ratio between core and non-core business is low. In addition. The security externality has different effects on both parties’ security decisions under the OC and ONC strategies. Moreover, we show the firm will adopt the partial outsourcing strategy only under a very high security externality when the security loss ratio is high, and the OC strategy is always the worst strategy when the MSSP’s cost coefficient is low. Finally, we extend the main model to an asymmetric case to make our model more general.

A framework for cyber-risk insurance against ransomware: A mixed-method approach

Hackers follow a standard cyber kill chain process and install ransomware payloads using phishing emails on firms belonging to critical industry, resulting in huge losses in revenue, reputation, and customer churn. This study uses a mixed-method explanatory approach to mitigate ransomware attacks. We present the quantitative Ransomware Risk Management Model (R2M2) based on protection motivation theory (PMT). The Ransomware Risk Assessment module based on the threat appraisal component of PMT and the National Institute of Standards and Technology (NIST) guidelines can help the chief information security officer (CISO) to assess the risk using predictive analytics techniques. The Ransomware Risk Quantification module uses collective risk modeling to compute the severity of a ransomware attack on an organization. The Ransomware Risk Mitigation module helps the CISO to minimize the probability and impact of a ransomware attack on their organization by (i) investing in perimeter security technologies and training to ensure prepare, deter, detect, restrain, recover, and review mitigation strategies, (ii) adopting the National Institue of Standards and Technology (NIST) Cybersecurity Framework to ensure business resilience, and (iii) mitigating the residual risk by investing in cyber-risk insurance. We validated the proposed method using a qualitative study by interviewing participants form firms affected by ransomware, managed security service providers, security consultants, and cyber-risk insurers.

Penggunaan COBIT 2019 GMO dalam Menyusun Pengelolaan Layanan TI Prioritas pada Transformasi Digital BankCo

The rapid advancement of digital technology causes fierce competition from digital-born companies to the incumbent ones, so they need to accelerate their digital transformation (DT). Prior research has found the influence of IT governance (ITG) mechanisms on organizational performance. (OP), mediated by DT. However, there is a need to identify the prioritized IT services management initiatives to support their DT. This case study is performed in BankCo using Design Science Research (DSR) and the latest ISACA’s framework of COBIT 2019 Governance & Management Objectives (GMO). The solution and implementation roadmap results are analyzed and designed based on interviews data and documents triangulation. There are three important initiatives BankCo namely DSS05 Managed Security Service, BAI06 Managed IT Changes, and BAI04 Managed Availability and Capacity. The estimated solution implementation increased BankCo’s maturity to 3.XY. This research contributes to the knowledge base regarding IT service management prioritization and provides practical implications for BankCo to enhance their DT, and the banking industry in general.

Measurement of IT Security Governance Capabilities Using COBIT 2019 at Indonesian Business Sector

IT governance implementation in companies has occurred in the enterprise sector up to the BUMN scale. As stated in the Regulation of the Minister of Foreign Affairs Number 2 of 2013, Article 2(1) binds the business world. In the corporate sector, there are IT security issues. The measurement process uses the COBIT 2019 framework. The measurements taken will provide an analysis of the capacity level and gaps. Data was collected using quantitative (questionnaire) and qualitative (documentary studies and interviews) methods. The three relevant subdomains to measure are APO12 – Risk Management, APO13 – Managed Security, and DSS05 – Managed Security Services. The results of the capacity measurement show that the APO12 subdomain is at level 2, APO13 is at level 2, and DSS05 is stopped at level 2. These results indicate that there is a gap in the DSS05 subdomain. The results obtained show recommendations for improvement and level increase, especially in the DSS05 subdomain. The enterprise sector needs improvements in endpoint security policies, access policies, and event logs in IT incidents.

AGILE IT SERVICE MANAGEMENT DESIGN OF FINTECHCO DIGITALIZATION BASED ON COBIT 2019 DEVOPS FOCUS AREA

The Indonesian Financial Technology (Fintech) industry plays a pivotal role in driving digital technology advancements and propelling the nation's growth. The rapid development of Fintech presents a unique challenge for established financial companies, necessitating effective government regulation through a Sandbox approach. FintechCo, operating under the watchful eye of State-Owned Enterprises and the Financial Service Authority, must strike a delicate balance between their agile services and security risks. Hence, FintechCo necessitates an examination of optimal agile services through the utilization of five stages derived from the Design Science Research approach. This need arises to adhere to the Good Corporate Governance standards established by State-Owned Enterprises (SOE) and the Financial Services Authority (FSA). The cutting-edge COBIT 2019 DevOps Focus Area framework is employed for analysis. The research identifies three highest priority Governance and Management Objectives (GMOs): Managed Security Services (DSS05), Managed Problem (DSS03), and Managed Solution Identification and Build (BAI03). These GMOs are thoroughly evaluated, and comprehensive recommendations are provided based on their seven key components. There is an estimated 17% increase in the average capability score, from 2.82 to 3.30, across all three GMOs. The contribution of this study is twofold: to serve as a valuable knowledge resource for agile IT services in digitalization within organizations and to offer practical implications for FintechCo to enhance their digitalization. Furthermore, this research sets a precedent for the Fintech industry, signifying a benchmark for excellence and innovation.

COBIT 2019 INFORMATION SECURITY FOCUS AREA IMPLEMENTATION FOR REINSURCO DIGITAL TRANSFORMATION

As information technology (IT) advancement evolves in Indonesia's insurance sector, organizations like ReinsurCo must accelerate their digital transformation (DT) to remain competitively viable. Although DT paves the way for new business models and operational improvements, the implementation often fails due to poor IT governance. Under the supervision of the State-Owned Enterprises Agency (SOE) and the Financial Services Authority (FSA), ReinsurCo must comply with regulations stating that SOEs must independently assess IT maturity to ensure information security. This research utilizes the five stages of Design Science Research (DSR): problem explication, requirement specification, design and development, demonstration, and evaluation. Data was collected through semi-structured interviews and both internal and external document triangulation. The data were then analyzed using the COBIT 2019 Information Security framework, implementing design factors prioritizing information technology governance and management (ITGM) objectives: APO13 Managed Security, DSS05 Managed Security Services, and BAI06 Managed IT Changes. Further analysis and identification were conducted to discover gaps against the seven component capabilities. These identified gaps were mapped into people, process, and technology aspects, which led to the creation of essential improvement recommendations. These recommendations were compiled into an implementation roadmap that can serve as a priority guide for ReinsurCo. This research is expected to provide a knowledge base for prioritizing information security management in supporting DT by implementing the COBIT 2019 Information Security framework. In a practical context, it aids ReinsurCo in controlling its strategic plans to face information security challenges. Furthermore, this study also offers extensive benefits to the insurance industry.

Assessment of vice-chancellors’ role performance in management of students’ welfare services in universities of North-East Zone, Nigeria

This study was designed to assess the Vice-Chancellors’ Role Performance in Management of Students’ Welfare Services in Universities in North-East Zone, Nigeria. The study was conducted with two objectives which were to assess: The Vice-Chancellor’s role performance in management of students’ hostel accommodation services, the Vice-Chancellors’ role performance in management of security services in Universities in North-East Zone, Nigeria. `A descriptive survey research design was employed for the study. The population of the study comprises of all the fifteen Universities in North-East Geopolitical Zone of Nigeria. A multistage sampling technique was used for the study. Firstly, a purposeful sampling technique was used in the selected 6 universities out of the fifteen university for the study, similarly, a total of 75 staff were selected purposively both students’ affairs division and management staff, in the same vein, a total of 300 students comprises of hostel representatives and class representatives were selected which give a total of 420 respondents respectively. A structured questionnaire titled: ‘Opinion of Staff and Students’ in Management of Hostel Accommodation and Security Services ‘Questionnaire’ (SSMHASSQ). Questionnaire was developed by the researcher and validated by three experts in the Department of Educational Foundations and Curriculum Ahmadu Bello University, Zaria. The reliability coefficient of the validated instrument used for data collection for the study was 0.76 through Cronbach Alpha statistics. Mean and standard deviation were the statistical instrument used for answering the reach questions; while Analysis of Variance (ANOVA) was used test the hypotheses at .05 level of significance. The findings of the study revealed that Vice-Chancellor ensured that students’ hostel accommodation had facilities such as toilets and toiletries, bed space, good light facilities, Solar power systems are installed in the hostel premises for security, security personnel were stationed in the strategic areas to protect students and staff from the current trend of kidnapping, theft in the universities in the North-East zone, Nigeria. It was therefore concluded that the Vice-Chancellor paid little attention to students ' welfare services in universities in the Nort-East. Adequate hostel accommodation should be provided for the students in the universities in the North-east, more sanitary facilities should be provided to students’ hostel to improve their well-being; In terms of security issues, the Vice-Chancellors should ensure that the security unit is provided with security van well equipped with communication gadgets. Also, Vice-Chancellors should ensure that security personnel are trained to handle campus security threat in the universities in the North-East zone of Nigeria.

Information security outsourcing in a resource-sharing environment: The impacts of attack modes

Information security outsourcing has become an emerging trend in the operations of information security, but the relation between information assets of firms and attack modes of hackers have failed to be considered. Through building a game-theoretic model, this article analyzes security outsourcing of two firms who share their information resource with each other and are confronted with opportunistic attacks and targeted attacks. We find that in the case of security decisions in-house, the firms may obtain a lower expected cost and the hacker may derive a lower expected benefit under targeted attacks than under opportunistic attacks, even though targeted attacks are widely deemed to be more harmful to the firms. When outsourcing security operations to a MSSP (Managed Security Service Provider), we reveal that under targeted attacks the MSSP can reap a higher expected benefit and the hacker can still derive a lower expected benefit. Finally, we examine the effects of key security elements and find some interesting results. In particular, the MSSP may or may not benefit from the degree of resource sharing, and the hacker may suffer from its learning ability.

Cryptography based on algebraic perpendicularities

Cryptography, the mathematics of protecting secret or sensitive information, is a continuously evolving area of interest. A concrete example of this is the fact that worldwide spending on information security and risk management technology and services has been estimated to reach over $150 billion in 2021. Modern cryptography is actually not a single separate domain of mathematics but an advanced encryption scheme can be based on applications of results in number theory, such as the Euler–Fermat Theorem, or involve the discrete logarithm problem using either a primitive root of a large prime or an element of an elliptic curve over a prime field. In the background, probability theory, statistics, studies on computational models and finite geometries, etc. play a major role. Recent research has considered even DNA-based molecular cryptography systems.

Intruder Detection in VANET Data Streams Using Federated Learning for Smart City Environments

Vehicular networks improve quality of life, security, and safety, making them crucial to smart city development. With the rapid advancement of intelligent vehicles, the confidentiality and security concerns surrounding vehicular ad hoc networks (VANETs) have garnered considerable attention. VANETs are intrinsically more vulnerable to attacks than wired networks due to high mobility, common network medium, and lack of centrally managed security services. Intrusion detection (ID) servers are the first protection layer against cyberattacks in this digital age. The most frequently used mechanism in a VANET is intrusion detection systems (IDSs), which rely on vehicle collaboration to identify attackers. Regrettably, existing cooperative IDSs get corrupted and cause the IDSs to operate abnormally. This article presents an approach to intrusion detection based on the distributed federated learning (FL) of heterogeneous neural networks for smart cities. It saves time and resources by using the most efficient intruder detection approach. First, vehicles use a federated learning technique to develop local, deep learning-based IDS classifiers for VANET data streams. They then share their locally learned classifiers upon request, significantly reducing communication overhead with neighboring vehicles. Then, an ensemble of federated heterogeneous neural networks is constructed for each vehicle, including locally and remotely trained classifiers. Finally, the global ensemble model is again shared with local devices for their updating. The effectiveness of the suggested method for intrusion detection in VANETs is evaluated using performance indicators such as attack detection rates, classification accuracy, precision, recall, and F1 scores over a ToN-IoT data stream. The ID model shows 0.994 training and 0.981 testing accuracy.

Information Technology Governance Analysis Using The COBIT 2019 Framework at XYZ Institution

Information technology governance has become an essential part of most companies. The use of information technology is not only limited to companies but also educational institutions. Information technology capabilities must keep pace with the times to help achieve process efficiency. Return on investment in information technology is an important consideration, so an assessment of information technology governance needs to be carried out. This study aims to determine how well information technology at the XYZ institution supports companies in doing their business. The COBIT 2019 framework is used in this research to achieve good information technology governance by showing how information technology can be aligned with the business. The study results show that the BAI03 Managed Solutions Identification and Build, BAI07 Managed IT Changes Acceptance and Transitioning, BAI10 Managed Configuration, DSS01 Managed Operations, and DSS05 Managed Security Services processes were found to be priority processes for XYZ institution. Using the COBIT 2019 design factor toolkit, the DSS01 process has a target capability level of 4, while the BAI03, BAI07, BAI10, and DSS05 processes have a target capability level of 3. Each priority process was found to have a capability level of level 1, resulting in a gap in the capability level between the current capability levels and the target capability level. The BAI10 process has the lowest capability level among the five priority processes with a partially rating of 20%.

An efficient blockchain‐based privacy‐preserving scheme with attribute and homomorphic encryption

As a distributed ledger technology, blockchain has excellent openness and transparency, which can provide data security management services for distributed intelligent systems and establish effective security guarantee mechanisms. However, precisely due to the open nature of blockchain, malicious users can trace the real transaction transfer path with high probability and even obtain the real identity of users by collecting transaction information on the blockchain and performing data analysis. Besides, existing intelligent systems lack effective encryption or desensitization measures, and attackers are able to access data in intelligent systems through identity forgery and other means, posing a huge potential risk to user privacy. To alleviate the above security issues, this paper proposes an efficient blockchain-based privacy-preserving scheme with attribute and homomorphic encryption, which can not only achieve user-level fine-grained secure access control but also supports the transmission and verification of blockchain data in the form of ciphertext. The access control method based on attribute-based encryption and the data transmission method based on homomorphic encryption are proposed, and the blockchain-based access whitelist mechanism is designed to reduce the resource loss due to repeated authentication. Simulation calculations and blockchain performance experiments show that this scheme can develop flexible access policies according to the attributes of users, has good performance in computational efficiency, and the blockchain performance test results are stable with errors in milliseconds for all operations. It has certain application potential in the field of distributed intelligent systems and blockchain.

Information Security Decisions with Consideration of Hacker Intrusion Propagation

The spread of network attacks is extremely harmful, which poses a great threat to the assets and reputation of firms. Therefore, making a scientific information security strategy is an important task for the continued and stable development of the firms. This paper develops the SIR model of hacker intrusion propagation and then analyzes the evolution trend of hacker intrusion propagation and the conditions of strategy transfer. The research shows that when immune failure and strategy transfer are not considered, the threshold of hacker intrusion propagation is negatively correlated with the probability of invasion, whereas it is positively correlated with the probability of defense success and the externality during outsourcing. In the case of immune failure, there will always be infected firms in the network, where the threshold of hacker intrusion propagation is affected by the proportion of the infected state and the probability of immune failure. When immune failure and strategy transfer occur simultaneously if the externality is positive and high, information security outsourcing can improve firms’ security benefits; if the externality is negative, the firms should stop cooperating with the managed security service provider (MSSP).

PriSIEM: Enabling privacy-preserving Managed Security Services

Security monitoring is invariably enabled by Security Information and Event Management (SIEM) technology. A major problem with SIEM is that in house deployment and operation are costly in terms of purchase, human resources, and IT infrastructure. Managed Security Services (MSS) offerings can provide high quality security monitoring solutions at a fraction of the cost. However, outsourcing security monitoring might entail data confidentiality and integrity risks and current MSS solutions are unable to meet the stringent privacy requirements posed by a wide range of applications. We present PriSIEM, an efficient distributed computing model which enables privacy-preserving MSS, by leveraging two of the most promising techniques for confidential computing, namely hardware-assisted Trusted Execution (TE) and Homomorphic Encryption (HE). TE is used to create a shielded computing environment in the provider’s domain, which can be trusted by the data owner. In this trusted environment, potentially sensitive data is encrypted using HE, before it is moved and processed in the rest of the provider’s domain (i.e. externally to the TE environment), which cannot be trusted by the data owner. An experimental campaign has been conducted on a proof-of-concept implementation to validate the effectiveness of the hardening mechanisms and to evaluate the performance of the PriSIEM distributed environment.

An economic analysis of information security outsourcing with competitive firms

Nowadays, firms may outsource information security operation to a managed security service provider (MSSP). Constructing a game‐theoretic model, this paper examines the strategic interaction between a MSSP and a strategic hacker in the presence of two competitive firms. We find that the MSSP's equilibrium benefit increases with the firms' loss due to user inconvenience and competition intensity when they remain high. It shows that technology similarity may benefit or harm the MSSP, dependent on its investment efficiency. Interestingly, we reveal that the hacker's benefit first decreases and then increases with technology similarity when its learning ability remains moderate.

Contracting managed security service: Double moral hazard and risk interdependency

• Propose a relational contract to ease double moral hazard in security outsourcing. • The contract can eliminate double moral hazard with a large discount factor. • Interdependency risk can strengthen the effect of the proposed contract. • Relevance to real world is improved by setting a threshold for verifiable part. The problem of double moral hazard seriously affects the efficiency of information security outsourcing. The interdependency risk of information security between managed security service providers (MSSPs) and client firms further complicates the double moral hazard problem. In the loss-based contract, both positive and negative risk interdependencies make outsourcing more inefficient in most instances. To solve the problem, a relational contract is proposed. We find that this relational contract leads to a greater social welfare with increase of discount factor, and the double moral hazard problem can be solved within the range that the discount factor is high. Furthermore, both positive and negative risk interdependencies can help relational contract to eliminate double moral hazard within a larger discount range. Finally, as some MSSPs’ efforts are considered to be verifiable, we find that by specifying thresholds in a relational contract, the benefits of an MSSP’s default can be limited, thereby ensuring that the relational contract achieves social optimal outcomes in more general cases.