Password Security: An Empirical Study Zviran, Moshe; Haga, William J.
Journal of Management Information Systems, 04/1999, Volume 15, Issue 4
Journal Article
Peer reviewed
Organizations are more dependent than ever on the reliable operation of their information systems, which have become a key to their success and effectiveness. While the growing dependence on information systems creates an urgent need to collect information and make it accessible, the proliferation of computer technology has also spawned opportunities for ill-intentioned individuals to violate the information systems' integrity and validity.
One of the most common control mechanisms for authenticating users of computerized information systems is the use of passwords. However, despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage. It investigates the core characteristics of user-generated passwords and associations among those characteristics.
Research on information system security (ISS) usually conceives of security models on the basis of positive, strategic benefits, such as planning or developing a security baseline. However, ISS works only when it enables an organization to protect against attacks, so managers seldom adopt new security measures on a positive basis. By theorising ISS as a technology cluster that consists of distinguishable but interrelated countermeasures, this study analyses managers' security concerns on the basis of two forces, technology-push (TP) and need-pull (NP), traditionally applied to technology diffusion. Both TP forces, which entail managers' perceived security threats, and NP forces, the requirements associated with the industry, organisational readiness, and security incidents, may prompt organisational ISS diffusion. The empirical findings suggest this conceptualisation effectively explains organisational ISS diffusion, though NP forces appear dominant. In general, organisations are less likely to adopt new security measures unless compelled to do so by industry or security gaps, or unless they are large enough and technically prepared for security innovations. Therefore, organisations should adjust their security plans to align with the threats facing their industries.
A Research Agenda for Security Engineering Rich Goyette; Yan Robichaud; François Marinier
Technology innovation management review,
08/2013
August 2013: Cybersecurity
Journal Article
Peer reviewed
Open access
Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyberadversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of our digital security, upon which society is increasingly dependent, appears in the news almost daily. In this article, we outline a research agenda designed to begin addressing this deficit and to move information system security engineering toward a mature engineering discipline. Our experience suggests that there are two key areas in which this movement should begin. First, a threat model that is actionable from the perspectives of risk management and security engineering should be developed. Second, a practical and relevant security-measurement framework should be developed to adequately inform security-engineering and risk-management processes. Advances in these areas will particularly benefit business/government risk assessors as well as security engineers performing security design work, leading to more accurate, meaningful, and quantitative risk analyses and more consistent and coherent security design decisions. Threat modelling and security measurement are challenging activities to get right, especially when they need to be applied in a general context. However, these are decisive starting points because they constitute the foundation of a scientific security-engineering practice. Addressing these challenges will require stronger and more coherent integration between the sub-disciplines of risk assessment and security engineering, including new tools to facilitate that integration. More generally, changes will be required in the way security engineering is both taught and practiced to take into account the holistic approach necessary for a mature, scientific discipline.
It is now increasingly difficult to manage the enormous quantities of data generated in the context of systems security. Visualisation tools are one avenue for meeting this challenge. They represent large quantities of data and security events in a synthetic and often aesthetic way, to make them easier to understand and manipulate. In this document, we first present a classification of security visualisation tools according to their respective objectives. These can be of three kinds: monitoring (that is, real-time tracking of events to identify attacks as early as possible while they are unfolding), exploration (browsing and manipulating a large quantity of data a posteriori to discover the important events) or reporting (a posteriori representation of already-known information in a clear and synthetic way to ease its communication and transmission). We then present ELVis, a tool capable of coherently representing security events from varied sources. ELVis automatically proposes appropriate representations according to the type of the data (time, IP address, port, data volume, etc.). Moreover, ELVis can be extended to accept new data sources. Finally, we present CORGI, an extension of ELVis that makes it possible to manipulate several data sources simultaneously in order to correlate them. With CORGI, it is possible to filter the security events coming from one data source according to criteria resulting from the analysis of the security events of another data source, thus facilitating the tracking of events on the information system under analysis.
Managing the vast quantities of data generated in the context of information system security becomes more difficult every day. Visualisation tools are a solution to help face this challenge. They represent large quantities of data in a synthetic and often aesthetic way to help understand and manipulate them. In this document, we first present a classification of security visualisation tools according to each of their objectives. These can be one of three: monitoring (following events in real time to identify attacks as early as possible), analysis (the exploration and manipulation a posteriori of an important quantity of data to discover important events) or reporting (representation a posteriori of known information in a clear and synthetic fashion to help communication and transmission). We then present ELVis, a tool capable of representing security events from various sources coherently. ELVis automatically proposes appropriate representations according to the type of information (time, IP address, port, data volume, etc.). In addition, ELVis can be extended to accept new sources of data. Lastly, we present CORGI, a successor to ELVis which allows the simultaneous manipulation of multiple sources of data to correlate them. With the help of CORGI, it is possible to filter security events from a data source by multiple criteria, which facilitates following events on the currently analysed information systems.
Deep neural networks for image classification have been widely used to enhance user experience, but adversarial attacks continue to pose a threat to the security of systems built on deep neural networks. To advance the development of more robust and secure models, research in this field is important. Laser attacks have overcome some issues of previous attacks. To enhance the laser-based attack strategy, we propose a novel physical adversarial attack method that optimizes cross-laser parameters using a Bayesian Optimization algorithm improved by contour detection technology. Our method solves the problems of traditional laser-based methods, including positioning, insufficient perturbation intensity, low optimization efficiency, lack of multi-angle robustness, and optical path continuity issues. Digital and physical experiments were implemented, and our method achieved an attack success rate of up to 86.24%. Our adversarial attacks pose new challenges and requirements for artificial intelligence security.
Data recovery is a significant problem that presents a real challenge to forensics investigators today. File carvers have traditionally helped mitigate these difficulties. However, two issues still present significant challenges: 1) prior knowledge of file types is required for building file carvers, and 2) fragmentation prevents file carvers from successful recovery. In previous research, we proposed a framework for recovering deleted files without prior knowledge of file types and in the presence of fragmentation. In this paper, we introduce the design and a functioning implementation of our system by modifying an exFat filesystem running on top of FUSE. Evaluation of the overhead of our filesystem shows only a 5% decrease in performance in write operations when compared to an unmodified exFat filesystem, and almost identical read measurements. Our system also shows significantly better recovery rates in the presence of fragmentation when compared to two selected file carvers.
Over the past decade, information system security issues have been treated mainly from a technology perspective. That model of information security management was reactive, mainly technologically driven and rarely aligned to business needs. This paper goes a step further and considers it from the governance view, mainly aligning it with the risk management activities and stressing the necessity for a holistic approach in which the executive management should be involved. The main objective of the paper is to stress the importance of implementing an information system security governance model as a proactive and holistic approach which aligns security mechanisms, procedures and metrics with governance principles, business drivers and enterprise strategic objectives. An information system security governance model is constructed, explained and discussed. Approaches for information system security assurance are analysed, and the phases and processes of its regular reviews (audits) are explained in further detail. The standards and legislation activities that help in that sense are evaluated. The holistic model of governing information system security risks as business risks is explained and discussed.
This study investigated how external influences motivate senior management to commit to information system security (ISS) by examining the mediating role of senior management between external influences and organizational change. Neo-institutional theory was used to examine normative, mimetic, and coercive mechanisms that affect ISS assimilation in organizations. Findings show that senior management beliefs about ISS and participation in ISS mediate the effects of external influences on ISS assimilation. The findings from this pilot study give merit to a more comprehensive study, and provide a better understanding of how to motivate senior management to lead ISS in their organizations.
An Integrated Formal Description Method for Network Attacks Yang, Hanlin; Chen, Tianyu; Zhang, Hang ...
2022 International Conference on Computing, Communication, Perception and Quantum Technology (CCPQT),
2022-Aug.
Conference Proceeding
As the complexity and concealment of network attacks increase day by day, construction of a comprehensive and effective defense system calls for modeling and formal description of the scenes, techniques and processes of network attacks. Integrating MITRE ATT&CK and MAL (Meta Attack Language) can be a good orientation for current research on network attack description methods. This paper proposes a formal description method for network attacks, in which the assets in an information system and the attackers' techniques summarized in the ATT&CK Matrix serve as the vocabulary and an extended MAL serves as the syntax. First, this method differentiates various instances of the same asset category and includes a formal description of the attack scene, including the hosts, the network environment and their configurations. Second, this method uses a more reasonable classification system for the assets of an information system and a more simplified set of MAL symbols. As verified by our experiment, this method can generate a comprehensive and clear formal description of the attack scene, attack techniques and attack process of a network attack on a real-world information system, which brings the description level of this kind of integrated method from attacker strategies down to network nodes, and can be a guide to defense construction for a real-world information system.
Nowadays, information system security (ISS) has become the main lever of the world economy; it is the keystone for the creation of value, and its unavailability has an undeniable technical, human and financial impact. Mastering this discipline comes down to three pillars: (1) controlling the risks to which it is exposed (Risk Management of the ISS, ISSRM), (2) defining the stakeholders that contribute to its management and its governance (Governance of the ISS, ISSG) and (3) complying with the regulations in force, law, standards and contractual obligations (Compliance Management of ISS, ISSCM). Satisfying this structure means developing a holistic approach to ISS governance (ISSG) across the entire target organization. The ISSG that has emerged lately in the world of business and information technology remains a difficult subject to demystify. To develop this approach it is essential to handle the three disciplines each as a separate entity, which will constitute the main building blocks of a new ISSG concept, and then to explore the synergies of their cohabitation in a transverse way, in order to guarantee the business profits. This article focuses on the first brick of our ISSG Framework, which is the ISSRM, by proposing a new process model called 4D-ISS. This model breaks down into four phases named respectively Define, Direct, Deploy and Decide. This work also proposes the conceptualization of its deployment using the Business Process Modeling Notation (BPMN), defining the requirements for its implementation, and giving future actions to explore.