Information and Computer Security
  Hybrid journal (it can contain Open Access articles)
ISSN (Print) 0968-5227 - ISSN (Online) 2056-4961
This journal is no longer being updated because:
    RSS feed has been removed by the publisher
  • Security gaps assessment of smart grid based SCADA systems
    • Pages: 434 - 452
      Abstract: Information and Computer Security, Volume 27, Issue 3, Page 434-452, July 2019.
      Purpose Supervisory control and data acquisition (SCADA) systems security is of paramount importance, and there should be a holistic approach to it, as any gap in the security will lead to critical national-level disaster. The purpose of this paper is to present the case study of a security gaps assessment of the SCADA systems of an electricity utility company in the Sultanate of Oman against the regulatory standard and security baseline requirements published by the Authority for Electricity Regulation (AER), Government of the Sultanate of Oman. Design/methodology/approach The security gaps assessment presented in this paper is based on the security baseline requirements that include core areas, controls for each core area and requirements for each control. Findings The paper provides the security gaps assessment summary of the SCADA systems of an electricity utility company. Practical implications The summary of threats and vulnerabilities presented will help stakeholders to be proactive rather than reactive in the event of any attack. Originality/value This case study discusses the various security challenges in smart grid based SCADA systems and provides a summary of challenges and recommendations to overcome them.
      Citation: Information and Computer Security
      PubDate: 2019-06-17T01:22:47Z
      DOI: 10.1108/ICS-12-2018-0146
  • Response awareness and instructional self-efficacy: influences on intent
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose This paper aims to examine the influence of response awareness on behavioral intent, and introduces instructional self-efficacy, a construct rarely examined within the context of information security (ISec). Design/methodology/approach A Web-based survey was conducted and a total of 211 valid responses were analyzed. The relationships among response awareness, instructional self-efficacy and behavioral intent were examined through a three-phase structural equation modeling analysis. Findings The results indicate that even at low levels, response awareness has a strong influential effect on the behavioral intent to perform the secure response and on the self-efficacy to instruct others to perform the response. Instructional self-efficacy was also found to be a significant predictor of behavioral intent to perform the response. Finally, evidence was found indicating instructional self-efficacy fully mediates the response awareness to the behavioral intent relationship. Research limitations/implications Because of the characteristics of the population, the focus on a single ISec response and the dependent variable of behavioral intent rather than actual behavior, the generalizability of the findings is impacted. Practical implications The results contribute to practice by confirming the importance of response awareness and of instructional self-efficacy within an ISec context. Specific implications include the indication that informal communications about ISec issues among peers should be encouraged and that instructional self-efficacy should be targeted within ISec awareness training programs. Originality/value This paper’s parsimonious model defined response awareness as vicarious experience with a response and presented instructional self-efficacy, a construct novel to ISec studies that was found to be a significant influence within the relationship between response awareness and behavioral intent.
      Citation: Information and Computer Security
      PubDate: 2019-06-26T10:44:22Z
      DOI: 10.1108/ICS-05-2018-0061
  • An experimental evaluation of bow-tie analysis for security
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety. Design/methodology/approach This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling. Findings The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly to security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management. Originality/value Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.
      Citation: Information and Computer Security
      PubDate: 2019-06-20T12:40:38Z
      DOI: 10.1108/ICS-11-2018-0132
  • Refining the PoinTER “human firewall” pentesting framework
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose Penetration tests have become a valuable tool in the cyber security defence strategy in terms of detecting vulnerabilities. Although penetration testing has traditionally focussed on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyberattacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper, the authors reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. This paper aims to propose improvements to refine the framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny. Design/methodology/approach The authors conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet the requirements to have an ethical human pentesting framework, the authors compiled a list of ethical principles from the research literature which they used to filter out techniques deemed unethical. Findings Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, the authors propose the refined GDPR-compliant and privacy respecting PoinTER framework. The list of ethical principles, as suggested, could also inform ethical technical pentests. Originality/value Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.
      Citation: Information and Computer Security
      PubDate: 2019-06-20T12:38:58Z
      DOI: 10.1108/ICS-01-2019-0019
  • Keep on rating – on the systematic rating and comparison of authentication schemes
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose Six years ago, Bonneau et al. (2012) proposed a framework to compare authentication schemes to the ubiquitous text password. Even though their work did not reveal an alternative outperforming the text password on every criterion, the framework can support decision makers in finding suitable solutions for specific authentication contexts. The purpose of this paper is to extend and update the database, thereby discussing benefits, limitations and suggestions for continuing the development of the framework. Design/methodology/approach This paper revisits the rating process and describes the application of an extended version of the original framework to an additional 40 authentication schemes identified in a literature review. All schemes were rated in terms of 25 objective features assigned to the three main criteria: usability, deployability and security. Findings The rating process and results are presented along with a discussion of the benefits and pitfalls of the rating process. Research limitations/implications While the extended framework, in general, proves suitable for rating and comparing authentication schemes, ambiguities in the rating could be solved by providing clearer definitions and cut-off values. Further, the extension of the framework with subjective user perceptions that sometimes differ from objective ratings could be beneficial. Originality/value The results of the rating are made publicly available in an authentication choice support system named ACCESS to support decision makers and researchers and to foster the further extension of the knowledge base and future development of the extended rating framework.
      Citation: Information and Computer Security
      PubDate: 2019-06-20T12:37:58Z
      DOI: 10.1108/ICS-01-2019-0020
  • Identity deception detection: requirements and a model
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose This paper aims to describe requirements for a model that can assist in identity deception detection (IDD) on social media platforms (SMPs). The model that was discovered demonstrates the usefulness of the requirements. The aim of the model is to identify humans lying about their identity on SMPs. Design/methodology/approach The requirements of a model for IDD will be determined through a literature study combined with a study that identifies currently available identity related metadata on SMPs. This metadata refers to the attributes that describe a user account on an SMP. The aim is to restrict IDD to be based only on these types of attributes, as opposed to or combined with the contents of a single or multiple communications. Findings Data science experiments were conducted and in particular supervised machine learning models were discovered that indeed detect identity deception on SMPs with an area under the receiver operating characteristic curve (ROC-AUC) of 75.5 per cent. Originality/value SMPs allow any user to easily communicate with their friends or the general public at large. People can now be targeted at great scale, most often for malicious purposes. The reality is that many of these cyber-attacks involve some form of identity deception, where the attackers lie about who they are. Much focus to date has been on the identification of non-human deceptive accounts. This paper focuses on deceptive human accounts that target vulnerable individuals on SMPs.
      Citation: Information and Computer Security
      PubDate: 2019-06-17T02:05:52Z
      DOI: 10.1108/ICS-01-2019-0017
  • Collaborative security risk estimation in agile software development
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices. Design/methodology/approach Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews. Findings Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product. Research limitations/implications Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker. Originality/value The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.
      Citation: Information and Computer Security
      PubDate: 2019-06-17T01:35:29Z
      DOI: 10.1108/ICS-12-2018-0138
  • Sealed computation: a mechanism to support privacy-aware trustworthy cloud
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose The purpose of this study is to propose an approach to avoid having to trust a single entity in cloud-based applications. In cloud computing, data processing is delegated to a remote party for efficiency and flexibility reasons. A practical user requirement usually is data privacy; hence, the confidentiality and integrity of data processing needs to be protected. In the common scenarios of cloud computing today, this can only be achieved by assuming that the remote party does not in any form act maliciously. Design/methodology/approach An approach that avoids having to trust a single entity is proposed. This approach is based on two concepts: the technical abstraction of sealed computation, i.e. a technical mechanism to confine a privacy-aware processing of data within a tamper-proof hardware container, and the role of an auditing party that itself cannot add functionality to the system but is able to check whether the system (including the mechanism for sealed computation) works as expected. Findings Discussion and analysis of the abstract, technical and procedural requirements of these concepts and how they can be applied in practice are explained. Originality/value A preliminary version of this paper was published in the proceedings of the second International Workshop on SECurity and Privacy Requirements Engineering (SECPRE, 2018).
      Citation: Information and Computer Security
      PubDate: 2019-06-17T01:30:29Z
      DOI: 10.1108/ICS-11-2018-0133
  • A normative decision-making model for cyber security
    • Abstract: Information and Computer Security, Ahead of Print.
      Purpose The purpose of this paper is to investigate security decision-making during risk and uncertain conditions and to propose a normative model capable of tracing the decision rationale. Design/methodology/approach The proposed risk rationalisation model is grounded in literature and studies on security analysts’ activities. The model design was inspired by established awareness models including the situation awareness and observe–orient–decide–act (OODA). Model validation was conducted using cognitive walkthroughs with security analysts. Findings The results indicate that the model may adequately be used to elicit the rationale or provide traceability for security decision-making. The results also illustrate how the model may be applied to facilitate design for security decision makers. Research limitations/implications The proof of concept is based on a hypothetical risk scenario. Further studies could investigate the model’s application in actual scenarios. Originality/value The paper proposes a novel approach to tracing the rationale behind security decision-making during risk and uncertain conditions. The research also illustrates techniques for adapting decision-making models to inform system design.
      Citation: Information and Computer Security
      PubDate: 2019-06-17T01:24:07Z
      DOI: 10.1108/ICS-01-2019-0021
  • From theory to practice: guidelines for enhancing information security
    • First page: 326
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005. Design/methodology/approach Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices. Findings The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards. Practical implications This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance. Originality/value This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
      Citation: Information and Computer Security
      PubDate: 2019-06-03T10:16:56Z
      DOI: 10.1108/ICS-09-2018-0108
  • Published incidents and their proportions of human error
    • First page: 343
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error. Design/methodology/approach This paper analyses recent published incidents and breaches to establish the proportions of human error and where possible subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field. Findings This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field. Originality/value This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.
      Citation: Information and Computer Security
      PubDate: 2019-06-03T10:18:16Z
      DOI: 10.1108/ICS-12-2018-0147
  • Revisiting information security risk management challenges: a practice
    • First page: 358
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications The study is delimited in that it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.
      Citation: Information and Computer Security
      PubDate: 2019-06-03T10:19:36Z
      DOI: 10.1108/ICS-09-2018-0106
  • Contrasting cybersecurity implementation frameworks (CIF) from three
    • First page: 373
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose This paper aims to explore the evolution of a trend in which countries are developing or adopting cybersecurity implementation frameworks that are intended to be used nationally. This paper contrasts the cybersecurity frameworks that have been developed in three countries, namely, Australia, UK and USA. Design/methodology/approach The paper uses literature review and qualitative document analysis for the study. The paper developed and used an assessment matrix as its coding protocol. The contents of the three cybersecurity frameworks were then scored to capture the degree to which they covered the themes/items of the cybersecurity assessment matrix. Findings The analysis found that the three cybersecurity frameworks are oriented toward the risk management approach. However, the frameworks also had notable differences with regard to the security domains that they cover. For example, one of the frameworks did not offer guidelines with regard to what to do to respond to attacks or to plan for recovery. Originality/value The results of this study are beneficial to policymakers in the three countries targeted, as they are able to gain insights about how their cybersecurity frameworks compare to those of the other two countries. Such knowledge would be useful as decision-makers take steps to improve their existing frameworks. The results of this study are also beneficial to executives who have branches in all three countries. In such cases, security professionals could deploy the most comprehensive framework across all three countries and then extend the deployment in each location to meet country-specific requirements.
      Citation: Information and Computer Security
      PubDate: 2019-06-03T10:20:35Z
      DOI: 10.1108/ICS-10-2018-0122
  • Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs)
    • First page: 393
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose The purpose of this study is to focus on organisation’s cybersecurity strategy and propose a high-level programme for cybersecurity education and awareness to be used when targeting small- and medium-sized enterprises/businesses (SMEs/SMBs) at a city-level. An essential component of an organisation’s cybersecurity strategy is building awareness and education of online threats and how to protect corporate data and services. This programme is based on existing research and provides a unique insight into an ongoing city-based project with similar aims. Design/methodology/approach To structure this work, a scoping review was conducted of the literature in cybersecurity education and awareness, particularly for SMEs/SMBs. This theoretical analysis was complemented using a case study and reflecting on an ongoing, innovative programme that seeks to work with these businesses to significantly enhance their security posture. From these analyses, best practices and important lessons/recommendations to produce a high-level programme for cybersecurity education and awareness were recommended. Findings While the literature can be informative at guiding education and awareness programmes, it may not always reach real-world programmes. However, existing programmes, such as the one explored in this study, have great potential, but there can be room for improvement. Knowledge from each of these areas can, and should, be combined to the benefit of the academic and practitioner communities. Originality/value The study contributes to current research through the outline of a high-level programme for cybersecurity education and awareness targeting SMEs/SMBs. Through this research, literature in this space was examined and insights into the advances and challenges faced by an on-going programme were presented. These analyses allow us to craft a proposal for a core programme that can assist in improving the security education, awareness and training that targets SMEs/SMBs.
      Citation: Information and Computer Security
      PubDate: 2019-06-11T01:03:53Z
      DOI: 10.1108/ICS-07-2018-0080
  • A conceptual model and empirical assessment of HR security risk management
    • First page: 411
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose This study aims to develop a conceptual model and assess the extent to which pre-, during- and post-employment HR security controls are applied in organizations to manage information security risks. Design/methodology/approach The conceptual model is developed based on the agency theory and the review of theoretical, empirical and practitioner literature. Subsequently, empirical data are collected through a survey from 134 IT professionals, internal audit personnel and HR managers working within five major industry sectors in a developing country to test the organizational differences in pre-, during- and post-employment HR security measures. Findings Using analysis of variance, the findings reveal significant differences among the organizations. Financial institutions perform better in employee background checks, terms and conditions of employment, management responsibilities, security education, training and awareness and disciplinary process. Conversely, healthcare institutions outperform other organizations in post-employment security management. The government public institutions perform the worst among all the organizations. Originality/value An integration of a conceptual model with HR security controls is an area that is under-researched and under-reported in information security and human resource management literature. Accordingly, this research on HR security management contributes to reducing such a gap and adds to the existing HR security risk management literature. It, thereby, provides an opportunity for researchers to conduct comparative studies between developed and developing nations or to benchmark a specific organization’s HR security management.
      Citation: Information and Computer Security
      PubDate: 2019-06-11T01:07:13Z
      DOI: 10.1108/ICS-05-2018-0057
  • Understanding passwords – a taxonomy of password creation strategies
    • First page: 453
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords. Design/methodology/approach The study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet. Findings The result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model. Originality/value On an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks.
      Citation: Information and Computer Security
      PubDate: 2019-06-11T01:13:13Z
      DOI: 10.1108/ICS-06-2018-0077
  • Information protection behaviors: morality and organizational criticality
    • First page: 468
      Abstract: Information and Computer Security, Ahead of Print.
      Purpose Organizational insiders play a critical role in protecting sensitive information. Prior research finds that moral beliefs influence compliance decisions. Yet, it is less clear what factors influence moral beliefs and the conditions under which those factors have stronger/weaker effects. Using an ethical decision-making model and value congruence theory, this study aims to investigate how moral intensity and organizational criticality influence moral beliefs and intentions to perform information protection behaviors. Design/methodology/approach The hypotheses were tested using a scenario-based survey of 216 organizational insiders. Two of the scenarios depict low criticality information security protection behaviors and two depict high criticality behaviors. Findings A major finding is that users rely more on perceived social consensus and magnitude of consequences when organizational criticality is low and on temporal immediacy and proximity when criticality is high. In addition, the moral intensity dimensions explain more variance in moral beliefs when organizational criticality is low. Research limitations/implications The study is limited by its sample, which is organizational insiders at a mid-size university. It is also limited in that it only examined four of the six moral intensity dimensions. Practical implications The findings can guide management about which moral intensity dimensions are more important to focus on when remediating tone at the top and other leadership weaknesses relating to information security. Originality/value This study adds value by investigating the separate dimensions of moral intensity on information protection behaviors. It also is the first to examine moral intensity under conditions of low and high organizational criticality.
      Citation: Information and Computer Security
      PubDate: 2019-06-03T10:14:45Z
      DOI: 10.1108/ICS-07-2018-0092
School of Mathematical and Computer Sciences
Heriot-Watt University
Edinburgh, EH14 4AS, UK