Showing papers in "International Journal of Information Security and Privacy in 2009"
TL;DR: An experiment is described designed to determine the efficacy of adding privacy statements, formal declarations of privacy and security policy, to e-commerce web sites in an attempt to reduce privacy concerns by increasing consumer trust in the firm and reducing the perceived risk associated with e- commerce transactions.
Abstract: Companies today collect, store and process enormous amounts of information in order to identify, gain, and maintain customers. Electronic commerce and advances in database and communication technology allow business to collect and analyze more personal information with greater ease and efficiency than ever before. This has resulted in increased privacy concerns and a lack of trust among consumers. These concerns have prompted the FCC to call for the use of Fair Information Practices in electronic commerce. Many firms have added privacy statements, formal declarations of privacy and security policy, to their e-commerce web sites in an attempt to reduce privacy concerns by increasing consumer trust in the firm and reducing the perceived risk associated with e-commerce transactions. This article describes an experiment designed to determine the efficacy of that strategy.
32 citations
TL;DR: There is a significant relationship between ease of use of passwords, intention to use them securely and the secure usage of passwords and the results lend themselves to assisting in policy design and better understanding user behavior.
Abstract: The security of computer systems that store our data is a major issue facing the world. This research project investigated the roles of ease of use, facilitating conditions, intention to use passwords securely, experience and age on usage of passwords, using a model based on the Unified Theory of Acceptance and Use of technology. Data was collected via an online survey of computer users, and analyzed using PLS. The results show there is a significant relationship between ease of use of passwords, intention to use them securely and the secure usage of passwords. Despite expectations, facilitating conditions only had a weak impact on intention to use passwords securely and did not influence actual secure usage. Computing experience was found to have an effect on intention to use passwords securely, but age did not. The results of this research lend themselves to assisting in policy design and better understanding user behavior.
21 citations
TL;DR: It is exposed that when employing a user-chosen password to generate cryptographic keys which themselves are larger than the digest size of the underlying hash function, a part of the resulting key is produced deterministically and this may lead to an exploitable weakness.
Abstract: We expose a potential vulnerability in the common use of password-based cryptography. When employing a user-chosen password to generate cryptographic keys which themselves are larger than the digest size of the underlying hash function, a part of the resulting key is produced deterministically and this, in turn, may lead to an exploitable weakness.
17 citations
TL;DR: What security elements are embedded in Web-based information security policy statements and what security-related keywords appear more frequently are determined to propose a density measure (the extent to which each policy uses security keywords) as an indicator of policy strength.
Abstract: Effective information security extends beyond using software controls that are so prominently discussed in the popular and academic literature. There must also be management influence and control. The best way to control information security is through formal policy and measuring the effectiveness of existing policies. The purpose of this research is to determine 1) what security elements are embedded in Web-based information security policy statements and 2) what security-related keywords appear more frequently. The authors use these findings to propose a density measure (the extent to which each policy uses security keywords) as an indicator of policy strength. For these purposes, they examine the security component of privacy policies of Fortune 100 Web sites. The density measure may serve as a benchmark that can be used as a basis for comparison across companies and the development of industry norms.
15 citations
TL;DR: A large-scale empirical study of the role of legal enforcement in standardizing privacy protection on the Internet finds that legal frameworks have had little success in creating standard practices for privacy-sensitive actions.
Abstract: Numerous countries around the world have enacted privacy-protection legislation, in an effort to protect their citizens and instill confidence in the valuable business-to-consumer E-commerce industry. These laws will be most effective if and when they establish a standard of practice that consumers can use as a guideline for the future behavior of e-commerce vendors. However, while privacy-protection laws share many similarities, the enforcement mechanisms supporting them vary hugely. Furthermore, it is unclear which (if any) of these mechanisms are effective in promoting a standard of practice that fits with the social norms of those countries. We present a large-scale empirical study of the role of legal enforcement in standardizing privacy protection on the Internet. Our study is based on an automated analysis of documents posted on the 100,000 most popular websites (as ranked by Alexa.com). We find that legal frameworks have had little success in creating standard practices for privacy-sensitive actions.
15 citations
TL;DR: It is suggested that IT security threats and risks in the financial sector compare reasonably well across socio-economic contexts, as a consequence, managers of GFSI may avail themselves of this information as they develop and propose measures for managing security concerns in their industry.
Abstract: Practitioners in Global Financial Services Institutions (GFSI) know that they must concern themselves with protecting customer data and thwart emerging threats in their industry. The objective of this study is to provide a level of understanding and insight not apparent in a recent survey that investigated Information Technology (IT) security concerns across GFSI. This research builds on that prior effort and aims to investigate whether socio-economic factors differentiate IT security concerns across GFSI. It has been suggested that security concerns vary by socioeconomic contexts. The authors analysis of Deloitte Touche Tohmatsu (DTT) data showed that perceptions of IT security issues across surveyed GFSI varied on a few security concerns, but remained unchanged on a majority of issues when grouped according to selected socio-economic measures. This finding permitted us to suggest that IT security threats and risks in the financial sector compare reasonably well across socio-economic contexts. As a consequence, managers of GFSI may avail themselves of this information as they develop and propose measures (and counter-measures) for managing security concerns in their industry. Further, the attention of managers is alerted to areas where differences were noticed.
13 citations
TL;DR: This paper summarizes, discusses, and evaluates recent symmetric key based results reported in literature on sensor network security protocols such as for key establishment, random key pre-distribution, data confidentiality, data integrity, and broadcast authentication as well as expose limitations and issues related to those solutions for WSNs.
Abstract: It is challenging to secure a wireless sensor network (WSN) because its inexpensive, tiny sensor nodes do not have the necessary processing capability, memory capacity, and battery life to take advantage of the existing security solutions for traditional networks. Existing security solutions for wireless sensor networks are mostly based on symmetric key cryptography with the assumption that sensor nodes are embedded with secret, temporary startup keys before deployment thus avoiding any use of computationally demanding public key algorithms altogether. However, symmetric key cryptography alone cannot satisfactorily provide all security needs for wireless sensor networks. It is still problematic to replenish an operational wireless sensor network with new sensor nodes securely. Current research on public key cryptography for WSNs shows some promising results, particularly in the use of elliptic curve cryptography and identity based encryption for WSNs. Although security is essential for WSNs, it can complicate some crucial operations of a WSN like data aggregation or in-network data processing that can be affected by a particular security protocol. Accordingly, in this paper, we summarize, discuss, and evaluate recent symmetric key based results reported in literature on sensor network security protocols such as for key establishment, random key pre-distribution, data confidentiality, data integrity, and broadcast authentication as well as expose limitations and issues related to those solutions for WSNs. We also present significant advancement in public key cryptography for WSNs with promising results from elliptic curve cryptography and identity based encryption as well as their limitations for WSNs.
13 citations
TL;DR: The aim of this paper is to help e-firm designers provide a non-predictable presentation layer against CI attacks, and presents an automata SOA based security model against competitive intelligence attacks in e-commerce.
Abstract: This article presents an automata SOA based security model against competitive intelligence attacks in e-commerce. It focuses on how to prevent conceptual interception of an e-firm business model from CI agent attackers. Since competitive intelligence web environment is a new important approach for all e-commerce based firms, they try to come in new marketplaces and need to find a good customer-base in contest with other existing competitors. Many of the newest methods for CI attacks in web position are based on software agent facilities. Many researchers are currently working on how to facilitate CI creation in this environment. The aim of this paper is to help e-firm designers provide a non-predictable presentation layer against CI attacks.
12 citations
TL;DR: A joint cryptograph-steganography methodology, which combines both encryption and information hiding techniques to ensure patient information security and privacy in medical images, is presented.
Abstract: Information security and privacy have traditionally been ensured with data encryption techniques. Generic data encryption standards, such as DES, RSA, AES, are not very efficient in the encryption of multimedia contents due to the large volume. In order to address this issue, different image/video encryption methodologies have been developed. These methodologies encrypt only the key parameters of image/video data instead of encrypting it as a bitstream. Joint compression-encryption is a very promising direction for image/video encryption. Nowadays, researchers start to utilize information hiding techniques to enhance the security level of data encryption methodologies. Information hiding conceals not only the content of the secret message, but also its very existence. In terms of the amount of data to be embedded, information hiding methodologies can be classified into low bitrate and high bitrate algorithms. In terms of the domain for embedding, they can be classified into spatial domain and transform domain algorithms. Different categories of information hiding methodologies, as well as data embedding and watermarking strategies for digital video contents, will be reviewed. A joint cryptograph-steganography methodology, which combines both encryption and information hiding techniques to ensure patient information security and privacy in medical images, is also presented.
11 citations
TL;DR: This work introduces three models to measure information security compliance, the cardinality model, the second’s model, which is based on vector space, and the last model which isbased on the priority principle, based on a new theory to understand information security.
Abstract: This work introduces three models to measure information security compliance. These are the cardinality model, the second’s model, which is based on vector space, and the last model is based on the priority principle. Each of these models will be presented with definitions, basic operations, and examples. All three models are based on a new theory to understand information security called the Information Security Sets Theory (ISST). The ISST is based on four basic sets: external sets, local strategy sets, local standard sets, and local implementation sets. It should be noted that two sets are used to create local standard sets—local expansion and local creation. The major differences between the Zermelo Fraenkel set theory and the ISST are the elimination of using empty element and empty set. This assumption is based on “there is not empty security†measure and the is substituted to be and is defined as “minimum security (or system default security)†. The main objective of this article is to achieve new modeling system for information security compliance. The compliance measurement is defined in the first model as the cardinality between local strategy sets and the actual local implementation. The second model is looking at the security compliance as the angle between two sets, local implementation and local standard. The third model is based on the priority philosophy for local security standard.
11 citations
TL;DR: A model for hot topic discovery is proposed that would pick out hot topics by automatically detecting, clustering and weighting topics on the websites within a time period and a topic index approach is introduced in following the growth of topics, which is useful to analyze and forecast the development of topics on web.
Abstract: As a major medium for information transmission, Internet plays an important role in diffusing and spreading news on web. Some governments attach great importance and pay lot of effort trying to detect, track the development of events and forecast emergency on internet. On the basis of the researches in the field of topic detection and tracking, we proposed a model for hot topic discovery that would pick out hot topics by automatically detecting, clustering and weighting topics on the websites within a time period. We also introduced a topic index approach in following the growth of topics, which is useful to analyze and forecast the development of topics on web.
TL;DR: A method based on discrete wavelet transform (DWT) to protect input data privacy while preserving data mining patterns for association rules and a comparison with an existing kd-tree based transform shows that the DWT-based method fares better in terms of efficiency, preserving patterns, and privacy.
Abstract: Association rule mining is an important data mining method that has been studied extensively by the academic community and has been applied in practice. In the context of association rule mining, the state-of-the-art in privacy preserving data mining provides solutions for categorical and Boolean association rules but not for quantitative association rules. This article fills this gap by describing a method based on discrete wavelet transform (DWT) to protect input data privacy while preserving data mining patterns for association rules. A comparison with an existing kd-tree based transform shows that the DWT-based method fares better in terms of efficiency, preserving patterns, and privacy.
TL;DR: In this case study, an e-mail bounce back system that was developed by a major e-commerce company is described in order to understand whether its e-mails based marketing was successful in delivering the intended message to its customers.
Abstract: Every email that originates from outside of an organization must go through a series of firewalls and gateways before reaching the intended recipient inside the organization. During this journey, each email may get scanned for possible viruses or other malicious programming codes. In some cases, the e-mail may also receive a score based on the possibility of spam content. On any stage of this processing email can be quarantined, or moved to a spam folder for the future possible analysis or simply deleted. Understandably, such complex structure helps secure the company’s internal infrastructure, however, e-mails have become an important tool in marketing for many e-commerce organizations and if marketing e-mails do not get to their intended receiver, the sending company will be disadvantaged. Therefore, from the point of view of the sender of an e-mail, it is important to understand the faith of the e-mail that was sent and whether it was received as intended. In this case study, we describe an e-mail bounce back system that was developed by a major e-commerce company in order to understand whether its e-mail based marketing was successful in delivering the intended message to its customers. In addition to the describing the development of the system, security and privacy issues are also discussed.
TL;DR: This research presents support for the existence of legal, illegal, and legally grey area extra-organizational parties and the need for more complete comprehension of personal information privacy in business-to-consumer research.
Abstract: Considerable research shows that personal information privacy has eroded over the last 30 years. Prior research, however, takes a consumer-centric view of personal information privacy, a view that leads to the conclusion that the individual is responsible for his/her own information. This research presents a comprehensive personal information privacy model of extra-organizational data sharing and use that incorporates how data are actually passed and leaked to organizations of which the consumer has no knowledge and no control. This research presents support for the existence of legal, illegal, and legally grey area extra-organizational parties and the need for more complete comprehension of personal information privacy in business-to-consumer research. In addition, the research identifies the magnitude of privacy violations in spite of legal and self-protection policies. The model can serve as a guide for privacy research and for social discussion and legislation to manage and regulate use of data once collected.
TL;DR: A number of cryptographic ciphers, trust and certificate systems, and key management systems and infrastructures widely used in secure e-mail standards and services are reviewed.
Abstract: Secure e-mail standards, such as Pretty Good Privacy (PGP) and Secure / Multipurpose Internet Mail Extension (S/MIME), apply cryptographic algorithms to provide secure and private e-mail services over the public Internet. In this article, we first review a number of cryptographic ciphers, trust and certificate systems, and key management systems and infrastructures widely used in secure e-mail standards and services. We then focus on the discussion of several essential security and privacy issues, such as cryptographic cipher selection and operation sequences, in both PGP and S/MIME. This work tries to provide readers a comprehensive impression of the security and privacy provided in the current secure e-mail services.
TL;DR: Various forms of man in the middle (MITM) attacks, including ARP spoofing, fake SSL certificates, and bypassing SSL are explored, and rootkits and botnets, two key pieces of crimeware, are introduced and analyzed.
Abstract: One of the most devastating forms of attack on a computer is when the victim doesn’t even know an attack occurred. After some background material, various forms of man in the middle (MITM) attacks, including ARP spoofing, fake SSL certificates, and bypassing SSL are explored. Next, rootkits and botnets, two key pieces of crimeware, are introduced and analyzed. Finally, general strategies to protect against such attacks are suggested.
TL;DR: This proposed protocol improves upon Bao’s protocol by addressing the weakness that leads to a replay attack and provides fair contract signing along with properties like user authentication achieved through the use of a fingerprint based authentication system and features like confidentiality, data-integrity and non-repudiation through implementation of hybrid cryptography and digital signatures algorithms based on Elliptic Curve Cryptography.
Abstract: Fair exchange between two parties can be defined as an instance of exchange such that either both parties obtain what they expected or neither one does. Protocols that facilitate such transactions are known as “fair exchange protocols†. We analyze one such protocol by Micali that demonstrates fair contract signing, where two parties exchange their commitments over an already negotiated contract. In this journal we show that Micali’s protocol is not completely fair and demonstrate the possibilities for one party cheating by obtaining the other party’s commitment and not offer theirs. A revised version of this protocol by Bao provides superior fairness by handling the above mentioned weakness but fails to handle the possibility of a replay attack. Our proposed protocol improves upon Bao’s protocol by addressing the weakness that leads to a replay attack. We also demonstrate a software implementation of our system which provides fair contract signing along with properties like user authentication achieved through the use of a fingerprint based authentication system and features like confidentiality, data-integrity and non-repudiation through implementation of hybrid cryptography and digital signatures algorithms based on Elliptic Curve Cryptography.
TL;DR: This case study examines a project partnership between an information-technology consultant who specializes in small business and a diminutive medical practice that sought support with compliance issues surrounding a research study it was conducting.
Abstract: Compliance with regulatory guidelines and mandates surrounding information security and the protection of privacy has been under close scrutiny for some time throughout the world. Smaller organizations have remained “out of the spotlight†and generally do not hire staff with the expertise to fully address issues of compliance. This case study examines a project partnership between an information-technology (IT) consultant who specializes in small business and a diminutive medical practice that sought support with compliance issues surrounding a research study it was conducting. Other small medical practices were contributing to the research; consequently, information sharing while concurrently adhering to the regulations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was a significant aspect of the project. It was also critical that numerous other security and privacy legislative requirements were met. The issue of data security is often neglected in IT instruction. This case study provides a foundation for examining aspects of information security from the perspective of the small-business IT consultant.
TL;DR: This case is appropriate for use in courses covering information systems security, accounting information systems, or IT audit, and can be used in conjunction with coverage of risk assessment concepts in the context of the availability component of systems reliability and trust of services management.
Abstract: Based on an actual company, this case focuses on Business Continuity Planning issues for a small but growing software company, Municipal Software Solutions, Inc. (MSS). The firm experienced a catastrophic fire which completely eliminated all aspects of the information systems infrastructure, including the software product code repository, the client access infrastructure, the hardware operations center, and the software design facility. Fortunately, no one was harmed, and the firm survived despite the fact that it did not have a formal disaster recovery plan in place. MSS was very lucky. The case can be used in conjunction with coverage of risk assessment concepts in the context of the availability component of systems reliability and trust of services management. Accordingly, it is appropriate for use in courses covering information systems security, accounting information systems, or IT audit.
[...]
TL;DR: The architecture to integrate existing PAKE protocols to the web supports centralized log-ins for web applications from different web sites, making it appropriate for digital identity management and significantly mitigate the risk of phishing attacks.
Abstract: Unlike existing password authentication mechanisms on the web that use passwords for client-side authentication only, password-authenticated key exchange (PAKE) protocols provide mutual authentication. In this article, we present an architecture to integrate existing PAKE protocols to the web. Our integration design consists of the client-side part and the server-side part. First, we implement the PAKE client-side functionality with a web browser plug-in, which provides a secure implementation base. The plug-in has a log-in window that can be customized by a user when the plug-in is installed. By checking the user-specific information in a log-in window, an ordinary user can easily detect a fake log-in window created by mobile code. The server-side integration comprises a web interface and a PAKE server. After a successful PAKE mutual authentication, the PAKE plug-in receives a one-time ticket and passes it to the web browser. The web browser authenticates itself by presenting this ticket over HTTPS to the web server. The plug-in then fades away and subsequent web browsing remains the same as usual, requiring no extra user education. Our integration design supports centralized log-ins for web applications from different web sites, making it appropriate for digital identity management. A prototype is developed to validate our design. Since PAKE protocols use passwords for mutual authentication, we believe that the deployment of this design will significantly mitigate the risk of phishing attacks.
TL;DR: A research model composed of five dimensions and their relations in order to study hacker’s social organization in the whole socio-technical context is proposed and applied to disclose the structure and patterns of a significant and complex hacker group, Shadow crew.
Abstract: Financial fraud and identity theft conducted by criminal hackers have become the top source of the greatest financial losses for organizations. Even though Hacker groups are complex socio-technical systems, much extant research on hackers is conducted at the individual level of analysis. This research proposes a research model composed of five dimensions and their relations in order to study hacker’s social organization in the whole socio-technical context. Based on this model, the researcher applies network analysis methods to disclose the structure and patterns of a significant and complex hacker group, Shadow crew. Network analysis tools, such as Automap and ORA, are applied for data processing and data analysis. Three network measures: degree centrality, cognitive demand, and eigenvector centrality, are utilized to determine the critical leaders. Out-degree centrality is employed to analyze the relations among the five dimensions in the research model.
TL;DR: This study reviews the progress made by the introduction of the Payment Card Industry compliance rules in the USA, finding that compliance has grown but several issues remain unresolved and suggests the way forward.
Abstract: This study reviews the progress made by the introduction of the Payment Card Industry (PCI) compliance rules in the USA. Available data indicate that compliance has grown but several issues remain unresolved. These are identified within, along with an analysis of the feasibility of several solutions to the challenges that have hampered compliance with the Payment Card Industry rules. These solutions are evaluated by the extent to which they can help the merchants meet their business objectives while still safeguarding the credit card data. The first solution involves upgrading the current PCI standards as suggested by the PCI council. The second solution would require moving the burden of credit card information storage to the credit card companies and member banks, as suggested by the National Retail Federation. A third option reflects a socially responsible approach that protects the interests of all stakeholders. The study concludes by suggesting the way forward.
TL;DR: This work introduces a user-centric service discovery model, called PrudentExposure, which automates authentication processes, and encodes hundreds of authentication messages in a novel code word form.
Abstract: In pervasive computing environments, service discovery is an essential step for computing devices to properly discover, configure, and communicate with each other We introduce a user-centric service discovery model, called PrudentExposure, which automates authentication processes Traditional authentication approaches requires much users’ involvement PrudentExposure encodes hundreds of authentication messages in a novel code word form Moreover, we discuss how a progressive and probabilistic model can protect both users’ and service providers’ privacy Perhaps the most serious challenge for pervasive service discovery is the integration of computing devices with people In a challenging case, both users and service providers want the other parties to expose sensitive information first Our model protects both users and service providers