Information Security Management, Education and Privacy (eBook)
314 Seiten
Springer US (Verlag)
978-1-4020-8145-3 (ISBN)
The first workshop was organized by IFIP Working Group 11.1, which is itself dedicated to Information Security Management, i.e., not only to the practical implementation of new security technology issued from recent research and development, but also and mostly to the improvement of security practice in all organizations, from multinational corporations to small enterprises. Methods and techniques are developed to increase personal awareness and education in security, analyze and manage risks, identify security policies, evaluate and certify products, processes and systems.
The second workshop was organized by IFIP Working Group 11.8, dedicated to Information Security Education. This year, the workshop was aimed at developing a first draft of an international doctorate program allowing a specialization in IT Security. The draft is based upon selected papers from individuals or groups (from academic, military and government organizations), and discussions at the workshop. This draft will be further refined and eventually published as an IFIP Report. Finally, the last workshop was organized by IFIP Working Group 11.4 on Network Security. The purpose of the workshop was to bring together privacy and anonymity experts from around the world to discuss recent advances and new perspectives on these topics that are increasingly important aspects in electronic services, especially in advanced distributed applications, such as m-commerce, agent-based systems, P2P, etc. The carefully selected papers gathered in this volume show the richness of the information security domain, as well as the liveliness of the working groups cooperating in the IFIP Technical Committee 11 on Security and Protection in Information Processing Systems.
Information Security Management, Education and Privacy is essential reading for scholars, researchers, and practitioners interested in keeping pace with the ever-growing field of information security.
Written for:
Researchers and practitioners in security and privacy technology.
This volume gathers the papers presented at three workshops that are embedded in the IFIP/Sec Conference in 2004, to enlighten specific topics that are currently particularly active in Security. The first one is the 10th IFIP Annual Working Conference on Information Security Management. It is organized by the IFIP WG 11. 1, which is itself dedicated to Information Security Management, i. e. , not only to the practical implementation of new security technology issued from recent research and development, but also and mostly to the improvement of security practice in all organizations, from multinational corporations to small enterprises. Methods and techniques are developed to increase personal awareness and education in security, analyze and manage risks, identify security policies, evaluate and certify products, processes and systems. Matt Warren, from Deakin University, Australia, who is the current Chair of WG 11. 1, acted as the Program Chair. The second workshop is organized by the IFIP WG 11. 8, dedicated to Information Security Education. This workshop is a follow-up of three issues of the World Conference on Information Security Education (WISE) that were also organized by WG 11. 8. The first WISE was organized by Louise Yngstrom in 1999 in Stockholm, and the next one, WISE'4, will be held in Moscow, Russia, 18-20 May 2005. This year, the workshop is aimed at developing a first draft of an international doctorate program allowing a specialization in IT Security.
Contents 6
Preface 9
PART ONE 10TH IFIP WG 11.1 ANNUAL WORKING CONFERENCE ON INFORMATION SECURITY MANAGEMENT 14
CORPORATE INFORMATION SECURITY EDUCATION: 15
1. INTRODUCTION 15
2. THE HUMAN SIDE OF INFORMATION SECURITY 16
3. ELEMENTS OF INFORMATION SECURITY EDUCATION 18
3.1 Everyone should be able to “pass” the course. 19
3.2 Employees must know why information security is important and why a specific policy or control is in place. 19
3.3 Learning materials should be customized to the needs of individual learners. 20
3.4 Users should be responsible for their own learning. 20
3.5 Users should be held accountable for their studies. 21
4. OUTCOMES BASED EDUCATION 22
5. OUTCOMES BASED EDUCATION FOR INFORMATION SECURITY 23
6. CONCLUSION 27
TOWARDS CORPORATE INFORMATION SECURITY OBEDIENCE 31
1. INTRODUCTION 31
2. MANAGING AN ORGANISATION 32
3. CORPORATE CULTURE 33
3.1 The three levels of corporate culture 33
4. INFORMATION SECURITY AND CORPORATE GOVERNANCE 34
5. CORPORATE INFORMATION SECURITY POLICY 35
6. THE NEED TO CHANGE THE CORPORATE CULTURE 35
7. ORGANISATIONAL ENVIRONMENTS 36
8. IMPLEMENTING CORPORATE INFORMATION SECURITY OBEDIENCE 39
9. CONCLUSION 40
10. REFERENCES 40
CIIP-RAM - A SECURITY RISK ANALYSIS METHODOLOGY FOR CRITICAL INFORMATION INFRASTRUCTURE PROTECTION 44
1. INTRODUCTION 44
2. A NEW METHOD OF SECURITY RISK ANALYSIS AND INFORMATION INFRASTRUCTURE PROTECTION 45
3. CRITICAL INFORMATION INFRASTRUCTURE PROTECTION - RISK ANALYSIS METHODOLOGY 46
3.1 INTRODUCTION TO STAGE 1 OF CIIP-RAM 47
3.2 CIIP- RAM Stage 1 – Form system implementation participation group 47
3.3 INTRODUCTION TO STAGE 2 OF CIIP-RAM 49
3.4 CIIP- RAM Stage 2 – Define Critical Information Infrastructure 49
3.5 INTRODUCTION TO STAGE 3 OF CIIP-RAM 52
3.6 CIIP- RAM Stage 3 – Complete Vulnerability Assessment on Infrastructure Levels 52
3.7 INTRODUCTION TO STAGE 4 OF CIIP-RAM 57
3.8 CIIP-RAM Stage 4 – Derive‚ Apply and Analyse Countermeasures 57
4. FUTURE RESEARCH 58
5. CONCLUSIONS 58
6. REFERENCES 58
A FRAMEWORK FOR ROLE-BASED MONITORING OF INSIDER MISUSE 61
1. INTRODUCTION 61
2. INSIDER MISUSE AND DETECTION ISSUES 62
3. OPPORTUNITIES FOR APPLICATION-LEVEL MISUSE 64
4. A COMPARISON OF DETECTION STRATEGIES 67
5. KNOWLEDGE OF SEPARATION OF DUTIES 68
6. PROPOSING A FRAMEWORK FOR MISUSE MONITORING 70
6.1 Management Functions 70
6.2 Host 72
6.3 Client 73
7. DISCUSSION AND CONCLUSIONS 73
8. REFERENCES 74
UPDATE/PATCH MANAGEMENT SYSTEMS: 76
1. INTRODUCTION 76
2. CONTRIBUTION OF A TAXONOMY 78
3. SEARCH CRITERIA 79
4. TAXONOMY PHASES PRESENTED 80
5. SECURITY PROVISIONS 82
6. SUMMARY 86
INVESTIGATING A SMART TECHNOLOGY 90
INTRODUCTION 91
1. THEORETICAL FOUNDATION 91
1.1 Smart-cards 92
1.2 Disadvantages of Smart-card Technology 95
2. RESEARCH OBJECTIVE AND APPROACH 96
3. BACKGROUND TO THE CASE- WIT 97
3.1 The WITCard 98
3.2 Incentives for Use 98
3.3 Difficulties Encountered 99
4. DISCUSSION 103
5. CONCLUSION 104
REFERENCES 105
PART TWO IFIP TC11 WG 11.8 – INFORMATION SECURITY EDUCATION WORKSHOP 108
LABORATORY SUPPORT FOR INFORMATION SECURITY EDUCATION 109
1. INTRODUCTION 109
2. LABORATORY DESIGN 111
3. LABORATORY ACTIVITIES 116
4. ELECTRONIC TUTORIALS FOR INFORMATION SECURITY EDUCATION 120
5. CONCLUSION 122
AN HOLISTIC APPROACH TO AN INTERNATIONAL DOCTORAL PROGRAM 124
1. INTRODUCTION 124
2. DISCUSSING THE INTERNATIONAL DOCTORAL PROGRAM 125
2.1 The system of study 125
2.2 The environment 125
2.3 The system its inflow, through- flow and outflow
2.4 Structure the in-built control system to deal with inner and outer variety 127
3. WISES REVISITED 127
3.1 Pre-WISE work 128
3.2 WISE1 129
3.3 WISE2 130
3.4 WISE3 130
4. AN HOLISTIC APPROACH TO INFORMATION SECURITY AND INFORMATION ASSURANCE 131
4.1 The Systemic- Holistic Approach spelled out 134
4.2 Some critique of the SHA for researching IT security 137
A NEW PARADIGM FOR INFORMATION SECURITY EDUCATION AT DOCTORAL LEVEL 140
1. INTRODUCTION 141
2. EPISTEMOLOGICAL AND ONTOLOGICAL MODES OF THINKING AND SECURITY 144
3. CONCLUSION 146
4. REFERENCES 146
HIGHLY QUALIFIED INFORMATION SECURITY PERSONNEL TRAINING IN RUSSIA 148
1. THE SYSTEM OF HIGHLY QUALIFIED PERSONNEL TRAINING IN RUSSIA 148
2. THESIS REQUIREMENTS 149
3. HIGHLY QUALIFIED PERSONNEL TRAINING IN THE FIELD OF INFORMATION SECURITY 150
4. HIGHLY QUALIFIED PERSONNEL TRAINING EXPERIENCE IN MEPHI 152
DOCTOR OF PHILOSOPHY: IT SECURITY 154
1. RELATIONSHIP BETWEEN TITLE AND NATURE OF OUR DOCTORAL PROGRAMS 154
2. TYPES OF PROGRAM 154
3. OBJECTIVES OF THE PROGRAMS - COMPARISON 155
4. DURATION WHEN UNDERTAKEN AS A FULLTIME PROGRAM 155
5. ENTRANCE REQUIREMENTS 155
6. PROGRAM STRUCTURE 156
7. RECOGNITION OF PRIOR LEARNING 157
8. REQUIRED SIZE AND NATURE OF RESEARCH PROJECT 157
9. INTERNATIONAL STANDARDS TO BE CONSIDERED 157
10. POTENTIAL FUNDING SOURCES, INDUSTRY PARTNERS AND SCHOLARSHIPS FOR RESEARCH PROJECTS 157
11. POSSIBLE AREAS OF CURRICULUM SPECIALIZATION YOUR ORGANIZATION/INSTITUTION MAY BE ABLE TO PROVIDE AS A PARTICIPATING PARTNER 158
12. ANY OTHER INFORMATION RELEVANT TO THE PROGRAM 158
DOCTORAL PROGRAMME ON ICS SECURITY AT THE UNIVERSITY OF THE AEGEAN 160
1. INTRODUCTION 160
2. PROGRAMME AIMS AND OBJECTIVES 161
3. DURATION, ADMISSION AND DEGREE REQUIREMENTS 161
4. COURSES 162
5. THESIS 163
6. POTENTIAL FUNDING SOURCES 164
7. CONCLUSIONS 164
AN INTERNATIONAL SECURITY EDUCATION PERSPECTIVE 165
1. INTRODUCTION AND BACKGROUND 165
2. WHAT ARE THE NEEDS, WHERE ARE THE MODELS TO FOLLOW? 166
3. DEVELOPING A COMMON RESARCH AGENDA BACKED BY DOCTORAL LEVBEL EDUCATION 167
4. MOVING TOWARDS AN INERNATIOANL RESEARCH EDUCATION PROGRAM 167
5. WHAT CAN WE BUILD ON? 168
6. CONCLUSION 169
7. RECOMMENDED RESOURCES 169
DO MILITARY FORCES NEED PH.D.’S? 170
1. INTRODUCTION 170
2. EXISTING DEPARTMENT OF DEFENSE SUPPORTED PHD PROGRAMS 172
3. MILITARY NEEDS 173
3.1 Unique Need for Rapid Return to the Force 174
3.2 Skill Sets 174
3.3 Advantages To A Multi- University / Multinational Program 174
3.4 Disadvantages To A Multi- University / Multinational Program 175
4. CONCLUSION 175
A DOCTORAL PROGRAM WITH SPECIALIZATION IN INFORMATION SECURITY 177
1. INTRODUCTION 177
1.1 Computer Science Ph. D. Program Overview 178
1.2 Information Assurance and Security Specialization 179
2. UNIFYING HIGH ASSURANCE RESEARCH PROJECT 181
2.1 Motivation 181
2.2 Trusted Computing Exemplar Project 181
3. CONCLUSION 183
PART THREE I-NETSEC04 3RD WORKING CONFERENCE ON PRIVACY AND ANONYMITY IN NETWORKED AND DISTRIBUTED SYSTEMS 185
A SECURITY MODEL FOR ANONYMOUS CREDENTIAL SYSTEMS 186
1. INTRODUCTION 186
1.1 Background and motivation 186
1.2 Related work 187
1.3 What we don’t do 188
2. SECURITY OF PSEUDONYM SYSTEMS 188
2.1 The model 189
2.2 The games and soundness 190
2.3 Discussion 193
2.4 Unlinkability of pseudonyms 194
2.5 Discussion 196
2.6 Indistinguishability of pseudonyms 197
2.7 Anonymity of users 199
3. FUTURE WORK AND CONCLUDING REMARKS 199
PRIVATE INFORMATION STORAGE WITH LOGARITHMIC-SPACE SECURE HARDWARE 203
1. INTRODUCTION 203
1.1 Existing Prototype 204
1.2 Improvements to the Prototype 208
2. RELATED WORK 208
3. MEMORY USAGE 209
3.1 Permutation 209
3.2 Shuffling the Dataset 210
4. UPDATES 212
4.1 Integrity 213
4.2 Session Continuity 214
5. EXPERIMENTAL RESULTS 214
6. FUTURE WORK AND CONCLUSIONS 215
TAXONOMY OF MIXES AND DUMMY TRAFFIC 219
1. INTRODUCTION 219
2. WHAT IS A MIX? 220
2.1 Anonymity Metrics for a Mix 220
3. CONTINUOUS OR POOL MIXES? 221
4. CONTINUOUS MIXES 222
4.1 Reordering Technique 222
4.2 Anonymity 222
4.3 Strengths and Weaknesses of the Design 222
5. POOL MIXES 223
5.1 The Generalised Mix Model 224
5.2 Deterministic or Binomial? 225
5.3 Strengths and Weaknesses of the Design 226
6. MIX NETWORKS 227
6.1 Cascades, Free Route Networks and Restricted Route Networks 227
6.2 Inter- Mix detours 228
7. DUMMY TRAFFIC 228
7.1 Generation of Dummies 229
7.2 Route Length and Selection of Path 230
7.3 RGB Dummy Policies 231
8. SUMMARY 231
9. CONCLUSIONS AND OPEN PROBLEMS 231
IDENTITY MANAGEMENT FOR SELF -PORTRAYAL 235
1. INTRODUCTION 235
2. HISTORY AND STATE OF THE ART OF IDENTITY MANAGEMENT SYSTEMS 237
2.1 Commercial projects 237
2.2 Research projects 238
3. MOTIVATION FOR SELF- PORTRAYAL-ORIENTED IDENTITY MANAGEMENT 239
4. INTERNET USAGE AND SELF- PORTRAYAL SURVEY 241
5. PROJECT onefC: AN APPROACH TO AN IDENTITY- ENRICHED SESSION INFRASTRUCTURE 244
5.1 Representing Users Identities 244
5.2 Self- Portrayal- Oriented Identity Management 246
6. CONCLUSION 248
PRIVACY PRESERVING ONLINE REPUTATION SYSTEMS 250
1. INTRODUCTION 250
2. REPUTATION 251
2.1 Context and Interdomain Sharing 253
2.2 Privacy 254
3. CLASSIFICATION OF REPUTATION SYSTEMS 255
3.1 Centralized 257
3.2 Subjective 257
3.3 Distributed 258
3.4 Local Storage 258
3.5 Conclusion 260
4. REQUIREMENTS OF A PRIVACY PROTECTING REPUTATION SYSTEM 260
5. A COIN- BASED PRIVACY PROTECTING REPUTATION SYSTEM 261
5.1 Overview 261
5.2 Online Protocol 262
5.3 Building Blocks 262
5.4 Privacy Aspects 263
6. CONCLUSION AND FUTURE WORK 264
A RISK-DRIVEN APPROACH TO DESIGNING PRIVACY-ENHANCED SECURE APPLICATIONS 266
INTRODUCTION 266
1. AN ANONYMOUS CREDENTIAL SYSTEM WITH CONDITIONAL RE- IDENTIFICATION 268
2. THE AdsOL ADVERTISEMENT SERVICE 270
2.1 High- Level Description 270
2.2 AdsOL Design 271
2.3 Analysis 272
3. A RISK- DRIVEN DESIGN OF THE AdsOL SERVICE 273
3.1 Initial Risk Analysis for AdsOL 273
3.2 Design Options Analysis 275
3.3 Resulting Design 278
3.4 Generalization of the Risk- Driven Design Approach 279
4. CONCLUSIONS AND FUTURE WORK 280
PRIVACY-INVASIVE SOFTWARE IN FILESHARING TOOLS 282
1. INTRODUCTION 282
2. PRIVACY-INVASIVE PROGRAMS AND THEIR IMPLICATIONS 284
3. EXPERIMENT DESIGN 287
4. EXPERIMENT RESULTS AND ANALYSIS 290
5. DISCUSSION 293
6. CONCLUSIONS 295
INFUSING PRIVACY NORMS IN DRM 298
1. FRAMEWORK FOR THINKING ABOUT DRM 299
1.1 Basic DRM functionality 299
1.2 Factors motivating DRM 300
2. DRM IMPLICATES PRIVACY RIGHTS 301
3. CONSENT-BASED PRIVACY LAWS AND DRM 304
4. A ROLE FOR PRIVACY NORMS IN DRM 305
4.1 Infusing privacy norms in DRM 305
4.2 Incentives for infusing privacy norms in DRM 307
5. CONCLUSION 311
ACKNOWLEDGEMENTS 312
REFERENCES 312
More eBooks at www.ciando.com 0
| Erscheint lt. Verlag | 11.4.2006 |
|---|---|
| Sprache | englisch |
| Themenwelt | Informatik ► Netzwerke ► Sicherheit / Firewall |
| Informatik ► Software Entwicklung ► User Interfaces (HCI) | |
| Mathematik / Informatik ► Mathematik ► Finanz- / Wirtschaftsmathematik | |
| Naturwissenschaften | |
| Wirtschaft ► Betriebswirtschaft / Management ► Unternehmensführung / Management | |
| ISBN-10 | 1-4020-8145-6 / 1402081456 |
| ISBN-13 | 978-1-4020-8145-3 / 9781402081453 |
| Haben Sie eine Frage zum Produkt? |
PDF (Wasserzeichen)Größe: 8,7 MB
DRM: Digitales Wasserzeichen
Dieses eBook enthält ein digitales Wasserzeichen und ist damit für Sie personalisiert. Bei einer missbräuchlichen Weitergabe des eBooks an Dritte ist eine Rückverfolgung an die Quelle möglich.
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen dafür einen PDF-Viewer - z.B. den Adobe Reader oder Adobe Digital Editions.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen dafür einen PDF-Viewer - z.B. die kostenlose Adobe Digital Editions-App.
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
PDF (Adobe DRM)Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
