Editor: Kenneth Knapp, USAF Academy, USA
Foreword by Merrill Warkentin, Mississippi State University, USA
------- ------- -------
SECTION I: RISK & THREAT ASSESSMENT
Chapter I. Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Jaziar Radianti, University of Agder, Norway
Jose. J. Gonzalez, University of Agder and Gjøvik University College, Norway
This paper discusses the possible growth of black markets (BMs) for software vulnerabilities and factors affecting their spread. The authors conduct a disguised observation of online BM trading sites to identify causal models of the ongoing viability of BMs. Results are expressed as a system dynamic model and suggest that without interventions, the number and size of BMs is likely to increase. A simulation scenario with a policy to halt BM operations results in temporary decrease of the market. Combining the policy with efforts to build distrust among BM participants may cause them to leave the forum and inhibit the imitation process to establish similar forums.
Chapter II. An Attack Graph Based Approach for Threat Identification of an Enterprise Network
Somak Bhattacharya, Indian Institute of Technology, India
Samresh Malhotra, Indian Institute of Technology, India
S. K. Ghosh, Indian Institute of Technology, India
As networks continue to grow in size and complexity, automatic assessment of the security vulnerability becomes increasingly important. The typical means by which an attacker breaks into a network is through a series of exploits, where each exploit in the series satisfies the pre-condition for subsequent exploits and makes a causal relationship among them. Such a series of exploits constitutes an attack path where the set of all possible attack paths form an attack graph. Attack graphs reveal the threat by enumerating all possible sequences of exploits that can compromise a given critical resource. The contribution of this chapter is to identify the most probable attack path based on the attack surface measures of the individual hosts for a given network and subsequently to identify the minimum securing options. As a whole, the chapter deals with the identification of probable attack path and risk mitigation that can significantly help improve the overall security of an enterprise network.
Chapter III. Insider Threat Prevention, Detection and Mitigation
Robert F. Mills, Air Force Institute of Technology, USA
Gilbert L. Peterson, Air Force Institute of Technology, USA
Michael R. Grimaila, Air Force Institute of Technology, USA
This chapter introduces the insider threat and discusses methods for preventing, detecting, and responding to the threat. Trusted insiders present one of the most significant risks to an organization. They possess elevated privileges when compared to external users, have knowledge about technical and non-technical control measures, and potentially can bypass security measures designed to prevent, detect, or react to unauthorized access. The authors define the insider threat and summarize various case studies of insider attacks in order to highlight the severity of the problem. Best practices for preventing, detecting, and mitigating insider attacks are provided.
Chapter IV. An Autocorrelation Methodology for the Assessment of Security Assurance
Richard T. Gordon, Bridging The Gap, Inc., USA
Allison S. Gehrke, University of Colorado, Denver, USA
This chapter describes a methodology for assessing security infrastructure effectiveness utilizing formal mathematical models. The goal of this methodology is to determine the relatedness of effects on security operations from independent security events and from security event categories, identify opportunities for increased efficiency in the security infrastructure yielding time savings in the security operations and identify combinations of security events which compromise the security infrastructure. The authors focus on evaluating and describing a novel security assurance measure that governments and corporations can use to evaluate the strength and readiness of their security infrastructure.
Chapter V. Security Implications for Management from the Onset of Information Terrorism
Ken Webb, Perth, Australia
In this chapter, the author presents the results of a qualitative study and argues that a heightened risk for management has emerged from a new security environment that is increasingly spawning asymmetric forms of Information Warfare. This chapter defines for readers what the threat of Information Terrorism is and the new security environment that it has created. Security implications for management have subsequently evolved, as managers are now required to think about the philosophical considerations emerging from this increasing threat.
SECTION II: ORGANIZATIONAL AND HUMAN SECURITY
Chapter VI. The Adoption of Information Security Management Standards: A Literature Review
Yves Barlette, GSCM-Montpellier Business School, France
Vladislav V. Fomin, Vytautas Magnus University, Lithuania and Rotterdam School of Management, The Netherlands
This chapter discusses major information security management standards, particularly the ISO/IEC 27001 and 27002 standards. A literature review was conducted in order to understand the reasons for the low level of adoption of information security standards by companies, and to identify the drivers and the success factors in implementation of these standards. Based on the findings of the literature review, the authors provide recommendations on how to successfully implement and stimulate diffusion of information security standards.
Chapter VII. Data Smog, Techno Creep and the Hobbling of the Cognitive Dimension
Peter R. Marksteiner, U. S. Air Force, USA
The overabundance of information, relentless stream of interruptions, and potent distractive quality of the Internet can draw knowledge workers away from productive cognitive engagement. Information overload is an increasingly familiar phenomenon, but evolving United States military doctrine provides a new analytical approach and a unifying taxonomy organizational leaders and academicians may find useful. Using military doctrine and thinking to underscore the potential seriousness of this evolving threat should inspire organizational leaders to recognize the criticality of its impact and motivate them to help clear the data smog, reduce information overload, and communicate for effect.
Chapter VIII. Balancing the Public Policy Drivers in the Tension between Privacy and Security
John W. Bagby, The Pennsylvania State University, USA
The public expects that technologies used in electronic commerce and government will enhance security while preserving privacy. This chapter posits that personally identifiable information is a form of property that flows along an “information supply chain” from collection, through archival and analysis and ultimately to its use in decision-making. The conceptual framework for balancing privacy and security developed here provides a foundation to develop and implement public policies that safeguard individual rights, the economy, critical infrastructures and national security. The illusive resolution of the practical antithesis between privacy and security is explored by developing some tradeoff relationships using exemplars from various fields that identify this quandary while recognizing how privacy and security sometimes harmonize.
Chapter IX. Human Factors in Security: The Role of Information Security Professionals within Organizations
Indira R. Guzman, TUI University, USA
Kathryn Stam, SUNY Institute of Technology, USA
Shaveta Hans, TUI University, USA
Carole Angolano, TUI University, USA
This chapter contributes to a better understanding of role conflict, skill expectations, and the value of information technology (IT) security professionals in organizations. Previous literature has focused primarily on the role of information professionals in general but has not evaluated the specific role expectations and skills required by IT security professionals in today’s organizations. The authors take into consideration the internal and external factors that affect the security infrastructure of an organization and therefore influence the role expectations and skills required by those who are in charge of security. The authors describe the factors discussed in the literature and support them with quotes gathered from interviews conducted with information security professionals in small organizations in central New York. They present a set of common themes that expand the understanding of this role and provide practical recommendations that would facilitate the management of these professionals within organizations.
Chapter X. Diagnosing Misfits, Inducing Requirements, and Delineating Transformations within Computer Network Operations Organizations
LTJG Nikolaos Bekatoros, US Naval Postgraduate School, USA
Major Jack L. Koons III, US Naval Postgraduate School, USA
Dr. Mark E. Nissen, US Naval Postgraduate School, USA
In this chapter, the authors use Contingency Theory research to inform leaders and policy makers regarding how to bring their Computer Networked Operations (CNO) organizations and approaches into better fit, and hence to improve performance. The authors identify a candidate set of organizational structures that offer potential to fit the U. S. Department of Defense better as it strives, and struggles, to address the technological advances and risks associated with CNO. Using the Organization Consultant expert system to model and diagnose key problems, the authors propose a superior organizational structure for CNO that can also be applied to organizations in the international environment. Results elucidate important insights into CNO organization and management, suitable for immediate policy and operational implementation, and expand the growing empirical basis to guide continued research
Chapter XI. An Approach to Managing Identity Fraud
Rodger Jamieson, The University of New South Wales, Australia
Stephen Smith, The University of New South Wales, Australia
Greg Stephens, The University of New South Wales, Australia
Donald Winchester, The University of New South Wales, Australia
This chapter outlines components of a strategy for government and a conceptual identity fraud management framework for organizations. Identity crime, related cybercrimes and information systems security breaches are insidious motivators for governments and organizations to protect and secure their systems, databases and other assets against intrusion and loss. Model components used to develop the identity fraud framework were selected from the cost of identity fraud, identity risk management, identity fraud profiling, and fraud risk management literature.
SECTION III: EMERGENCY RESPONSE PLANNING
Estimated Publication Date: Spring 2009
Editor: Kenneth J. Knapp, USAF Academy, USA
Foreword by Merrill Warkentin, Mississippi State University, USA
Table of Contents
Section I: Risk & Threat Assessment
Chapter I. Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Chapter II. An Attack Graph Based Approach for Threat Identification of an Enterprise Network
Chapter III. Insider Threat Prevention, Detection and Mitigation
Chapter IV. An Autocorrelation Methodology for the Assessment of Security Assurance
Chapter V. Security Implications for Management from the Onset of Information Terrorism
Section II: Organizational and Human Security
Chapter VI. The Adoption of Information Security Management Standards: A Literature Review
Chapter VII. Data Smog, Techno Creep and the Hobbling of the Cognitive Dimension
Chapter VIII. Balancing the Public Policy Drivers in the Tension between Privacy and Security
Chapter IX. Human Factors in Security: The Role of Information Security Professionals within Organizations
Chapter X. Diagnosing Misfits, Inducing Requirements, and Delineating Transformations within Computer Network Operations Organizations
Chapter XII. A Repeatable Collaboration Process for Incident Response Planning
Chapter XIII. Pandemic Influenza, Worker Absenteeism and Impacts on Critical Infrastructures: Freight Transportation as an Illustration
Chapter XIV. Information Sharing: A Study of Information Attributes and their Relative Significance During Catastrophic Events
Chapter XVI. Server Hardening Model Development: A Methodology-Based Approach to Increased System Security
Chapter XVII. Trusted Computing: Evolution and Direction
