Organizations increasingly rely on information in electronic form to conduct business. While the shift from a paper-based to an electronic society has benefited enterprises and individuals alike, the amount of personal information held in electronic form has also grown exponentially. With rapid growth in the number of information systems and related processes, managing an information security program while effectively managing risk has never been so critical. A recent survey of 600 IT and security executives (Baker, Waterman, & Ivanov, 2010) finds a widespread lack of confidence in their organizations’ ability to defend against a cyberattack. “About 40% of those surveyed expected a major incident -- an attack resulting in major consequences -- within a year, and 80% said they expected a major incident within 5 years” (p. 13). On average, respondents estimated that 24 hours of downtime from a major attack would cost their own organization U.S. $6.3 million, and more than 60% said that the frequency and intensity of cyberattacks had increased in the past year. Given the growth in threats and in the technologies used to launch and conceal attacks, the situation is clearly getting worse for organizations. Effective information security management and governance is the most important step organizations can take to thwart and manage these risks.
In today’s rapidly changing environment, IT and security executives must make difficult calculations and decisions about security with limited information. Their decisions need to rest on an analysis of opportunities, risks and security. In such an environment, information security management and governance are at the forefront of any discussion about securing an organization’s information assets, including the management of risk, data and cost. Organizations worldwide have adopted practical, applied approaches to mitigating risk and managing their information security programs. This book contains 24 chapters on the most relevant and important issues and advances in applied information security management. The chapters are authored by leading researchers and practitioners in the field of information security from across the globe, and cover emerging threats and the countermeasures needed for effective management of information security in organizations.
With the increasing sophistication of technology, the speed of propagation and the relative ease of launching and coordinating a cyber-attack, an effective preventive and detective response should include automated and distributed mechanisms. A variety of tools are available to attackers for changing an attack’s pattern and signature, which makes defending against them all the more challenging. To keep pace with the evolution of attack types, detection methods must be kept constantly up to date. In chapter 1, titled “A Pragmatic Approach to Intrusion Response Metrics,” Chris Strasburg of The Ames Laboratory, US Department of Energy, USA and Johnny S. Wong of the Department of Computer Science, Iowa State University, USA analyze present-day automated intrusion response metrics and how they can be used from a more practical standpoint. The authors review existing intrusion detection approaches and the practical challenges organizations face in implementing them and making the best use of them. They present practical solutions and recommendations for implementing intrusion response metrics, and identify research areas that need more attention if automated, practical and effective response systems are to be developed.
Intrusion Detection Systems (IDSs) are a critical part of any effective information security architecture and program, and have evolved significantly over the last decade to keep pace with fast-evolving threats and risks. At a basic level, an IDS acts as a pattern recognition system: patterns of attacks and malicious code are used to detect threats. One of the most important steps in that pattern recognition process, and one that plays a critical role in the overall effectiveness of intrusion detection, is feature extraction. Domain knowledge is used pervasively in both manual and automatic feature extraction. In Chapter 2 (“Feature Extraction Methods for Intrusion Detection Systems”), Hai Thanh Nguyen, Katrin Franke, and Slobodan Petrovic of Gjøvik University College, Gjøvik, Norway provide an overview of existing feature construction and feature selection methods for intrusion detection systems. Using experiments on public benchmark data sets, the chapter also compares different feature selection methods and demonstrates practical applications of feature extraction.
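To make the idea of feature selection for an IDS concrete, the following added example (written for this preface, not code from Chapter 2 or its authors) ranks connection-record features by their mutual information with the attack label, a filter-style selection method, and then checks how well a simple lookup classifier does with only the top-ranked feature. The records, feature names and labels are constructed for illustration and are not drawn from the public benchmark data sets the chapter uses.

```python
import math
from collections import Counter

# Constructed connection records (illustrative only, not benchmark data).
# failed_logins is built to separate the classes perfectly, dst_port only
# partially, and protocol not at all, so the ranking has a known answer.
RECORDS = [
    {"protocol": "tcp", "dst_port": 443, "failed_logins": 0, "label": "normal"},
    {"protocol": "tcp", "dst_port": 80,  "failed_logins": 0, "label": "normal"},
    {"protocol": "udp", "dst_port": 53,  "failed_logins": 0, "label": "normal"},
    {"protocol": "tcp", "dst_port": 22,  "failed_logins": 0, "label": "normal"},
    {"protocol": "tcp", "dst_port": 22,  "failed_logins": 9, "label": "attack"},
    {"protocol": "tcp", "dst_port": 22,  "failed_logins": 7, "label": "attack"},
    {"protocol": "udp", "dst_port": 53,  "failed_logins": 5, "label": "attack"},
    {"protocol": "tcp", "dst_port": 22,  "failed_logins": 6, "label": "attack"},
]

FEATURES = ["protocol", "dst_port", "failed_logins"]


def mutual_information(records, feature, label="label"):
    """I(feature; label) in bits, estimated from the empirical joint distribution."""
    n = len(records)
    joint = Counter((r[feature], r[label]) for r in records)
    fx = Counter(r[feature] for r in records)
    fy = Counter(r[label] for r in records)
    return sum(
        (c / n) * math.log2((c / n) / ((fx[x] / n) * (fy[y] / n)))
        for (x, y), c in joint.items()
    )


def rank_features(records, features):
    """Filter-style selection: score each feature independently, highest first."""
    scores = [(f, mutual_information(records, f)) for f in features]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def lookup_classifier(records, features, label="label"):
    """Majority-vote table keyed on the values of the selected features."""
    votes = {}
    for r in records:
        key = tuple(r[f] for f in features)
        votes.setdefault(key, Counter())[r[label]] += 1
    return {key: c.most_common(1)[0][0] for key, c in votes.items()}


def accuracy(records, features, label="label"):
    """Fraction of records the lookup classifier labels correctly (training data)."""
    model = lookup_classifier(records, features, label)
    hits = sum(model.get(tuple(r[f] for f in features)) == r[label] for r in records)
    return hits / len(records)


if __name__ == "__main__":
    for name, score in rank_features(RECORDS, FEATURES):
        print(f"{name:14s} MI = {score:.3f} bits")
    print("accuracy, top feature only:", accuracy(RECORDS, ["failed_logins"]))
    print("accuracy, all features:    ", accuracy(RECORDS, FEATURES))
```

The point of the comparison is that a feature with zero mutual information (here, protocol) contributes nothing to detection and can be dropped, while a single well-chosen feature can match the detection rate of the full set; on real traffic the scores would of course be estimated on a held-out set, not on the training records as done here for brevity.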
With increasing approval and regulation of digital signatures across the globe, digital signatures are seen as a faster and more convenient way of legally signing and ratifying documents. With traditional paper-based signatures, the authority to sign documents on someone’s behalf can be delegated. With the rise in the use of digital signatures, architectures and methods have been proposed that allow similar delegation, so that others can legally and securely sign digital documents. In Chapter 3 (“A Distributed and Secure Architecture for Signature and Decryption Delegation Through Remote Smart Cards”), Giuseppe Cattaneo, Pompeo Faruolo, and Ivan Visconti of Dipartimento di Informatica – Università di Salerno, Italy identify several shortcomings of these proposed methods from a practical implementation and adoption standpoint. Highlighting these shortcomings and stressing the advantages of delegation through smart cards, they put forth the notion of a “Proxy Smart Card System,” a distributed system that allows a smart card owner to delegate part of its computations to remote users. The authors then formalize the security and functional requirements of a proxy smart card system, identifying the involved parties, the adversary model and the usability properties. The chapter also demonstrates a practical implementation of such a smart card based proxy system that meets all the functional requirements for secure delegation while outperforming existing proposals.
The growing dominance of e-commerce channels in delivering products and services cannot be overemphasized, and with such adoption rates the challenge of securing these channels has never been more critical. In chapter 4, titled “Information security management: Awareness of threats in E-Commerce,” Mohammad Mahfuzur Rahman of the Applied Research Centre for Business and Information Technology (ARCBIT), London, UK and Karim Mohammed Rezaul of Glyndwr University, Wrexham, UK identify and investigate information security problems in the e-commerce sector within the purview of extant theories of information security.
Information security standards and frameworks are increasingly adopted by companies of all sizes and forms. However, a deployment scheme should be implemented within the context of organizational specifics to ensure smoother adoption and effective enforcement. In chapter 5 (“Analyzing Information Security Goals”), Ella Kolkowska, Karin Hedström and Fredrik Karlsson of the Swedish Business School at Örebro University, Sweden analyse the information security goals found in hospital settings and demonstrate that the CIA triad fails to cover organisation-specific information security goals there. The authors present goal maps, which they used in their study to analyse empirical data, as a useful tool for analysing and communicating information security goals in an organisation.
Authentication is one of the most basic and most important security processes for protecting information from unauthorized use. With recent innovation in both software and hardware, several alternatives to simple text-based passwords have been proposed and shown to offer higher security and usability. One such concept is graphical passwords. In chapter 6 (“Graphical Passwords”), Luigi Catuogno of Università degli Studi di Salerno, Italy and Clemente Galdi of Università degli Studi di Napoli “Federico II,” Italy provide an overview of this state-of-the-art concept for stronger authentication, with motivation and corroboration from the extant literature.
Many of the vulnerabilities and threats in IT artifacts arise from misconfigured software. Evaluating and testing the security strength of a specific configuration is one of the most crucial proactive countermeasures for ensuring the security of any software system. In chapter 7 (“Assessing the Security of Software Configurations”), Afonso Araújo Neto and Marco Vieira of the University of Coimbra, Portugal present a methodology for devising security appraisals, derived from the available security knowledge about specific domains. The authors demonstrate their methodology by designing two security appraisals for transactional systems, and apply both appraisals in real scenarios.
Privacy issues in an organizational setting have quickly emerged as one of the most challenging aspects of an enterprise information security program. Recent government mandates, in the form of regulations, have further burdened companies with finding effective ways to comply without compromising security and convenience. In chapter 8, “A Decision Support System for Privacy Compliance,” Siani Pearson and Tomas Sander of the Cloud and Security Research Lab, HP Labs, USA present a privacy risk assessment and compliance tool, called HP Privacy Advisor (HP PA), which they are developing and deploying in a large, global company. The authors introduce the concept of accountable privacy management in an organization running many parallel projects, and propose a compliance tool that also manages enterprise security, privacy, risk and trust-related aspects.
Information sharing and collaboration play a significant role in the success of business processes and operations in an organizational environment. Businesses increasingly leverage cross-departmental and cross-functional teams for efficient delivery of products and services. At the same time, securing the information that is shared and worked on collectively has become equally critical. Data segregation and secure information splitting have been used in organizations to share confidential data. Chapter 9 (“Information Security Management Based on Linguistic Sharing Techniques”) by Marek R. Ogiela and Urszula Ogiela of AGH University of Science and Technology, Kraków, Poland presents models for multi-level information splitting and information management that use a linguistic approach and formal grammars. The authors argue that the proposed techniques and methods introduce major enhancements over traditional algorithms.
SQL injection attacks are one of the most common ways in which confidential data is stolen by attackers. It is also one of the oldest techniques for extracting information from databases while bypassing access and privilege controls. Stronger input validation and detection techniques have traditionally been used to thwart SQL injection attacks. In Chapter 10, “SQL Injection Attacks Countermeasures,” Kasra Amirtahmasebi, Seyed Reza Jalalinia, and Saghar Khadem of Chalmers University of Technology, Sweden present seven of the stronger countermeasures, which together cover a wide range of SQL injection attacks.
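The following added example (written for this preface; it is not code from Chapter 10 and does not claim to show the seven countermeasures the chapter presents) places a login query built by string concatenation beside its parameterized form and an allow-list input check, and runs two classic injection payloads against both. The users table, credentials and payloads are constructed for illustration; it uses Python’s standard sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed in-memory database with sample credentials (illustrative only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: attacker input is spliced into SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the values separate from the statement,
    so a quote or comment marker in the input is data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Allow-list validation as defence in depth; it does not replace parameterization.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


def validate_username(username):
    return 1 <= len(username) <= 32 and all(ch in ALLOWED for ch in username)


def demo():
    """Run both payloads through both query styles and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into an always-true test
    comment = "alice'--"        # closes the literal and comments out the password check
    return {
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_parameterized": login_parameterized(conn, tautology, tautology),
        "comment_vulnerable": login_vulnerable(conn, comment, "wrong"),
        "comment_parameterized": login_parameterized(conn, comment, "wrong"),
        "tautology_passes_validation": validate_username(tautology),
        "comment_passes_validation": validate_username(comment),
        "legitimate_login": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

Against the concatenated query the tautology payload returns every user and the comment payload logs in as alice without a password; the parameterized query returns nothing for either, and the allow-list rejects both before they reach the database. Parameterization is the primary control because it removes the injection point; validation narrows the attack surface and catches malformed input early.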
Each day, people’s lives become more dependent on embedded systems and on digital information technology embedded in their environment. Embedded applications can be managed remotely over public networks such as the Internet. Web Services have been used extensively in traditional software systems for a wide variety of purposes, including application integration, remote assistance and collaboration. Similar applications of web services for embedded systems have not yet emerged. In Chapter 11 (“Security and Authentication Issues of an Embedded System Designed and Implemented for Interactive Internet Users”), Siddhartha Baruah, Anjana Kakoty Mahanta and Kanak Ch Sarma of Gauhati University, India demonstrate the feasibility of using Web Services to integrate embedded applications running on heterogeneous architectures. The authors present a model that shows how web services can be used to monitor and control humidity and temperature over the Internet through an interactive computer front end.
P2P networks are fast emerging as a dependable form of communication and as a way of providing a large array of services, for both personal and commercial applications. The decentralization, autonomy and dynamicity of P2P networks pose several unique security challenges, which can hamper the adoption and development of such networks. In chapter 12, titled “Distributed Key Management Scheme Based on CL-PKC in P2P Networks,” Zhongwen Li, Zhibin Xu, and Chen Liang of Xiamen University, Xiamen, Fujian, China propose a certificateless key distribution scheme with multiple trusted centers that fits the characteristics of P2P networks, and analyze its security.
Securing software and application development and deployment is one of the most common challenges facing companies. Several approaches exist for evaluating security at different stages of the software development life cycle, including fuzz testing, penetration testing and code walkthroughs. One relatively new inspection method, known as Security Goal Indicator Trees, is gaining relevance and importance. In chapter 14 (“Creating and Applying Security Goal Indicator Trees in an Industrial Environment”), Alessandra Bagnato and Fabio Raiteri of the Txt e-solutions Corporate Research Division, Italy, and Christian Jung and Frank Elberzhager of the ISQ Fraunhofer Institute for Experimental Software Engineering, Germany, focus on applying Security Goal Indicator Trees to eliminate existing shortcomings. The chapter describes the modeling of such security goal based trees as part of requirements engineering, using a dedicated tool: a plug-in called GOAT.
Due to their relative convenience and cost savings, applications such as Skype and other mobile applications have seen tremendous growth in adoption in recent years. This has also brought new security challenges for Peer-to-Peer SIP based communication systems, the underlying technology for applications such as Skype. The decentralized nature of P2P makes security management and enforcement rather difficult. In chapter 15 (“Security Enhancement of Peer-to-Peer Session Initiation”), Xianghan Zheng of Fuzhou University, P.R. China and Vladimir A. Oleshchuk of the University of Agder, Norway investigate P2PSIP security issues and propose two enhancements: central-based security and distributed trust security. They discuss the advantages and disadvantages of each approach, and propose a combination of the two in search of better and more optimized protection.
In Chapter 16 (“Towards a Framework for Collaborative Enterprise Security”), Janardan Misra, an independent researcher, presents a principled approach to one of the many little-studied human and social aspects of enterprise security management. The chapter presents a formal framework for devising policies that enable collaborative monitoring of policy violations without requiring the company’s employees and stakeholders to take on additional roles for security policy monitoring and enforcement. The framework draws on 1) the organic unity of biological systems under attack and 2) socio-psychological studies on security and human motivation. Building on basic concepts from game theory, socio-psychology and probabilistic model checking, the chapter proposes a reward-punishment based reinforcement model of collaborative security that enables collaborative monitoring of policy violations by extrinsically inducing a positive network effect in the system, so that monitoring of security violations becomes user centric.
In Chapter 17 (“Privacy-Aware Organisation-Based Access Control Model (PrivOrBAC)”), Nabil Ajam, Nora Cuppens-Boulahia and Fréderic Cuppens of Institut Télécom, Télécom Bretagne, France identify the relevant privacy requirements that should be integrated into existing security policy models, such as RBAC models. The chapter proposes the Privacy-aware Organisation role Based Access Control (PrivOrBAC) model to identify and incorporate new access constraints and parameters, namely the privacy contexts, which implement the concepts of consent and notification.
In chapter 18, titled “Can Formal Methods Really Help: Analyzing the Security of Electronic Voting Systems?,” Komminist Weldemariam and Adolfo Villafiorita of Fondazione Bruno Kessler, Trento, Italy discuss the effective use of formal methods in the e-voting systems development process. The chapter also provides an overview of current trends in the use of formal techniques in the development of e-voting systems. Drawing on their experience, the authors formally specify the behavior of a currently deployed e-voting system and verify it against a subset of critical security properties that the system should meet. Using attacks that have been shown to compromise the system, the chapter then extends the original specification and derives an extended model.
CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are computer-generated challenge-response tests employed on websites to differentiate human users from bot programs that engage in spamming and other fraudulent activities. CAPTCHAs rely on visual representation and have been effective against several well-known attacks such as spam and denial of service. With the advent and advancement of sophisticated programs for breaking CAPTCHAs, it has become imperative to continuously evolve CAPTCHA schemes in order to keep networks and websites free of congestion and spam bots. In light of these developments, in chapter 19 (“Countering Spam Robots: Scrambled CAPTCHA and Hindi CAPTCHA”), Aditya Raj, Tushar Pahwa, and Ashish Jain of Netaji Subhas Institute of Technology, New Delhi, India introduce the concept of Scrambled CAPTCHA, which combines OCR-based and picture CAPTCHAs and exploits an inherent characteristic of human vision and perception. They present the unique security properties of their concept and its implications. The chapter also introduces Hindi CAPTCHA, based on the Hindi language (Devanagari script).
The use of embedded systems has increased exponentially in recent years. They are used extensively in everything from common consumer electronics to industrial applications, including transportation and aircraft. Such embedded systems are controlled and monitored from remote locations, over the Internet, using web services. While this brings great benefits, it has also given rise to new security concerns. Trailokya Oraon of Jorhat Engineering College, Assam, India, in chapter 20, titled “Security Risk of Embedded Systems in a Greenhouse Environment,” discusses the security issues of web-enabled embedded systems used in a greenhouse environment. The discussion not only helps the reader understand the security issues of an embedded system but also provides insights into securing systems deployed in such environments. The chapter identifies the security shortcomings of the system, proposes solutions to overcome them, and demonstrates that security policies should be designed and enforced at each stage of the development cycle.
The importance of security in a wireless sensor network (WSN) cannot be overemphasized. Security threats in such networks are heightened by the dynamic and highly distributed nature of the underlying infrastructure. In chapter 21, “Security in Wireless Sensor Networks with Mobile Codes,” Frantisek Zboril Jr., Jan Horacek, Martin Drahansky, and Petr Hanacek of Brno University of Technology, Brno, Czech Republic introduce the design of WSNs, from both the hardware and the software perspective, to identify the components and services that can be targeted. The chapter presents the main security challenges in such systems, along with security mechanisms and possible countermeasures.
Companies use a wide variety of technologies to protect their infrastructure, including networks, servers and software systems. These include firewalls, intrusion detection systems, anti-virus, data leak prevention and content encryption, among others. Managing the security of these disparate systems globally, even though they work towards the same objective of comprehensive security, is challenging. To address this common challenge, in Chapter 22, titled “Grid of Security: A Decentralized Enforcement of the Network Security,” Olivier Flauzac, Florent Nolot, Cyril Rabat, and Luiz-Angelo Steffenel of the University of Reims Champagne-Ardenne, France present a new approach to deploying a distributed security solution in which communication between devices is controlled collaboratively. In this approach, called the grid of security, each security component runs under its own security rules, which can be shared and improved through exchanges with other devices. Compliance with security policies, together with exchange and communication among devices, makes the complete system more trustworthy.
Malware comes in many shapes and forms, and has been shown to compromise the security of software systems from personal computers to utility grids. To design and develop countermeasures for a piece of malware, we first need to analyze it. Malware analysis is a challenging multi-step process that provides insight into the malware’s structure and functionality and facilitates the development of an antidote. In chapter 23 (“Effective Malware Analysis Using Stealth Breakpoints”), Dr. Amit Vasudevan of CyLab, Carnegie Mellon University, USA describes a novel breakpoint technique, called stealth breakpoints, for efficient malware analysis; it provides an unlimited number of breakpoints that are robust against detection and countering mechanisms.
In chapter 24, titled “Dynamic Cyber Security Economic Model: Incorporating Value Functions for All Involved Parties,” Dr. C. Warren Axelrod of Delta Risk LLC, USA asserts that, to develop a comprehensive economic model of information security, it is important to understand and factor in the motivations and reactions of all parties involved, such as criminals, victims, defenders, product and service providers, lawmakers and law enforcement. The chapter provides initial formulations of such dynamic economic models for information security and offers insights into how the model might be applied to assess the impact of different control mechanisms. Using dynamic “personal utility functions,” the chapter suggests factors that affect the various parties and examines how those factors shape their responses to economic impacts.
The book hosts high-quality research papers and practice articles on management and governance issues in the field of information security. The chapters provide insights into practical and applied solutions, frameworks, technologies and practices concerning both the technological and the organizational factors of an organization. Managers are often overwhelmed with solutions and technologies for information security, and squander considerable resources trying to understand what would work for them and what would not. The book presents information security management solutions under research or in deployment, in chapters from leading researchers and practitioners in the field. It fills a gap in the existing literature on the latest advances in practice and research in information security management and governance by providing one comprehensive source of the latest trends, issues and research in the field. The chapters are authored by researchers and professionals from more than 10 countries, which lends a global outlook and approach to the covered topics. The book addresses both the theoretical (research) aspects of information security management, by presenting solutions and issues in the area, and the real-world implications and implementations (practice) of that research. By keeping the chapters focused on practices and solutions that are practical and implementable, it adds substantial value to the extant literature while helping organizations around the world understand and effectively improve their overall information security posture. To the editors’ knowledge, which collectively represents more than 60 years of practical and academic experience in information security and related fields, no existing book covers this area in this way, which motivated the submission of this book for publication.
The editors would like to note that although the book includes some industry case studies to demonstrate the applicability and process of applied information security practices, it does not focus entirely on case studies; thematically, it is not a case study book.