Social and Human Elements of Information Security: Emerging Trends and Countermeasures

Book Description

Social and Human Elements of Information Security: Emerging Trends and Countermeasures provides high-quality research into the social and human aspects of information security. A comprehensive source of the latest findings in the field, this book brings together the most recent work from researchers in the field of information security.

Table of Contents

  1. Copyright
  2. List of Reviewers
  3. Foreword
  4. Preface
    1. BEYOND TECHNOLOGY AND POLICY, TOWARDS COMPREHENSIVE INFORMATION SECURITY
    2. ORGANIZATION OF THE BOOK
    3. OVERVIEW OF CHAPTERS IN THE BOOK
  5. REFERENCES
  6. I. Human and Psychological Aspects
    1. I. Human and Social Aspects of Password Authentication
      1. ABSTRACT
      2. INTRODUCTION
        1. Password Authentication Background
        2. Information Security Background
      3. HUMAN AND SOCIAL ASPECTS IN PASSWORD AUTHENTICATION
        1. Security Techniques
        2. Human Error in Information Security
        3. Human Memory Limitations
        4. Password Authentication in Practice
      4. TRENDS IN PASSWORD AUTHENTICATION
        1. Emerging and Future Trends in Password Authentication
      5. FUTURE PASSWORD AUTHENTICATION RESEARCH
      6. CONCLUSION
    2. REFERENCES
    3. II. Why Humans are the Weakest Link
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
      4. HUMANS AND DECEPTION
      5. THE BASICS OF INFLUENCE
        1. Authority
        2. Scarcity
        3. Liking and Similarity
        4. Reciprocation
        5. Commitment and Consistency
        6. Social Proof
        7. Other weaknesses
      6. HOW TO ACT WHEN INFLUENCING OTHERS: A PRACTICAL EXAMPLE
        1. How the Attacker Can Be Persuasive
        2. Defending Against Deception
      7. FUTURE TRENDS
      8. CONCLUSION
    4. REFERENCES
    5. III. Impact of the Human Element on Information Security
      1. ABSTRACT
      2. KNOWLEDGE & INFORMATION SECURITY
        1. The Human Element: The Reason and Catalyst
        2. The Human Factor in Information Security
      3. CASE STUDY ONE
      4. CASE STUDY TWO
        1. The "Reality" and "Feeling" of Security
        2. Security Tradeoffs: Influenced by the Feeling of Security
        3. The Conscious Competence Model
        4. Reducing Risk of "Security Tradeoffs" using the "Conscious Competence" Model as a Guideline
        5. Current Approaches and Their Effectiveness
        6. Security Policies
        7. Information Security Competence
        8. Strategies for Increasing Information Security Competence
          1. Step 1: Set Goals
          2. Step 2: Increase Security Perception by Conveying Concepts
          3. Step 3: Increase Security Acceptance
          4. Step 4: Applying Security Skills
          5. Step 5: Linking Security with the Organization's Goals
          6. Step 6: Continuous Measurement
        9. Discussion
      5. CONCLUSION
    6. REFERENCES
    7. IV. The Weakest Link: A Psychological Perspective on Why Users Make Poor Security Decisions
      1. ABSTRACT
      2. INTRODUCTION
          1. True Story:
      3. SYSTEM MODEL APPROACH TO UNDERSTANDING SECURITY INTERACTIONS
      4. PHISHING FOR RECRUITS: WEST POINT MILITARY ACADEMY E-MAIL STUDIES
        1. User Factors
          1. Satisficing and Problem Solving
          2. Representativeness as a Decision Making Heuristic
          3. Feedback and Learning from Security-Related Decisions
        2. Technology Factors
          1. Credibility
          2. Personal Relevance
          3. Environmental Factors
          4. Time Pressure
          5. Evaluating Potential Solutions
          6. Inattention Blindness
      5. CURIOSITY KILLED THE NETWORK: DELIVERING MALWARE THROUGH STORAGE DEVICES
        1. User Factors
          1. Users do not Think They are at Risk
          2. Safety is an Abstract Concept
          3. Technology Factors
          4. Environmental Factors
          5. Diffusion of Responsibility
          6. Evaluating Potential Solutions
          7. Systems Approach to Training
      6. COMMUNICATION OF SECURITY RISK
        1. User Factors
          1. Base Rate and Response Bias
        2. Technology Factors
        3. Environmental Factors
          1. Evaluating Potential Solutions
      7. DISASTERS WAITING TO HAPPEN
        1. Oops, Lost the Hard Drive
          1. True story:
          2. Can I have your Social Security Number Please?
        2. Evaluating Potential Solutions
      8. CONCLUSION
    8. REFERENCES
    9. V. Trusting Computers Through Trusting Humans: Software Verification in a Safety-Critical Information Society
      1. ABSTRACT
      2. INTRODUCTION
      3. THE SOCIAL NATURE OF MATHEMATICAL PROOF
      4. COMPUTER SYSTEM VERIFICATION: TRUST AND THE SOCIAL
      5. COMPUTER-MEDIATED TRUST
      6. BUILDING TRUST INTO A COMPUTER SYSTEM
      7. SOFTWARE QUALITY ASSURANCE AND MILITARY STANDARDS FOR SOFTWARE
      8. CASE STUDY CONTEXT
        1. Research Methodology
        2. Analysis of Case Study Findings
      9. CONCLUSION: TRUSTING COMPUTERS
    10. REFERENCES
  7. II. Social and Cultural Aspects
    1. VI. Information Security Culture as a Social System: Some Notes of Information Availability and Sharing
      1. ABSTRACT
      2. INTRODUCTION
      3. INFORMATION SECURITY CULTURE
      4. DYNAMIC ORGANISATION MODEL
      5. MODELING THE INFORMATION SHARING OF AN ORGANIZATION
      6. INFORMATION AVAILABILITY REQUIREMENTS AND SHARING PRINCIPLES IN PRACTICE
      7. CONCLUDING REMARKS
    2. REFERENCES
    3. VII. Social Aspects of Information Security: An International Perspective
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND TO INFORMATION SECURITY
        1. From a Technological to a Human-Centred Perspective
      4. ISSUES AND PROBLEMS
        1. Towards a Determination of the Success of Current Practice
        2. Information Assurance: A Survey
      5. SOLUTIONS AND RECOMMENDATIONS
        1. Towards an Improved Information Security Practice
        2. An Evaluative Model for Information Security
          1. How the Model Works
          2. Case Analysis of the Evaluative Model
      6. THE FUTURE: IMPLEMENTING INFORMATION SECURITY BASED ON SOCIAL CONSIDERATIONS
      7. CONCLUSION
    4. REFERENCES
      1. ENDNOTE
    5. VIII. Social and Human Elements of Information Security: A Case Study
      1. ABSTRACT
      2. INTRODUCTION
      3. PHILOSOPHY OF SECURITY
      4. HUMAN FACTORS: A BEHAVIORAL MODEL
      5. SOCIAL FACTORS (SYSTEMS AND ECOSYSTEMS)
        1. Cognitive Science and Security
      6. THE CASE STUDY: FINANCIAL INCLUSION USING INFORMATION TECHNOLOGY
        1. Business Requirements for the Financial Inclusion Initiative
        2. Technical Implementation Issues (Problems and Solutions)
        3. The Smart Card
        4. Issues in Storing Value in the Smart Card
        5. Issues in Customer Authentication using Biometric Identification
        6. The Terminal
        7. EMV Standards for Smart Card: Terminal Communication
        8. Terminal: Host Communication
      7. HUMAN AND SOCIAL FACTORS IN INFORMATION SECURITY
        1. The Insider
        2. The Outsider
        3. The Other Customer
        4. The Other Banking Correspondent
      8. CONCLUSION
    6. REFERENCES
    7. IX. Effects of Digital Convergence on Social Engineering Attack Channels
      1. ABSTRACT
      2. INTRODUCTION
      3. SOCIAL ENGINEERING
      4. SOCIAL ENGINEERING ON CONVERGED NETWORKS
        1. Social Engineering Attacks Involving Physical Presence
        2. Social Engineering via Email, News, and Instant Messenger
        3. Phishing
        4. Social Engineering Using Removable Media
        5. Social Engineering via Telephone and Voice Over IP Networks
      5. SOLUTIONS AND COUNTERMEASURES TO SOCIAL ENGINEERING ATTACKS
        1. Anti-Phishing Techniques
        2. Voice Analytics
        3. Blacklisting
        4. Penetration Testing
        5. Data Filtering
        6. Reverse Social Engineering
        7. User Education
      6. CONCLUSION
    8. REFERENCES
    9. X. A Social Ontology for Integrating Security and Software Engineering
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
      4. APPROACH
      5. BASIC CONCEPTS OF THE i* STRATEGIC MODELLING FRAMEWORK
        1. Actor
        2. Intentional Elements: Goal, Softgoal, Task, Resource and Belief
        3. Strategic Dependency Model
        4. Intentional Links
        5. Strategic Rationale Model
        6. Agents, Roles, and Positions
      6. DOMAIN REQUIREMENTS ANALYSIS WITH i*
        1. Actor Identification
        2. Goal/Task Identification
        3. Strategic Dependency Identification
      7. SECURITY REQUIREMENTS ANALYSIS WITH i*
        1. Attacker Analysis
        2. Dependency Vulnerability Analysis
        3. Countermeasure Analysis
        4. Qualitative Goal-Reasoning Mechanism
        5. Trust Analysis Based on System Configuration
          1. Digital Stored Value Card System
      8. RELATED WORK
        1. Security Models
        2. Security Management Frameworks
        3. Software Systems Design Frameworks
        4. Agent-Oriented Requirements Engineering
          1. Misuse/Abuse Cases
      9. CONCLUSION
      10. ACKNOWLEDGMENT
    10. REFERENCES
  8. III. Usability Issues
    1. XI. Security Configuration for Non-Experts: A Case Study in Wireless Network Configuration
      1. ABSTRACT
      2. INTRODUCTION
        1. Outline
      3. BACKGROUND
      4. PROBLEM DEFINITION
        1. Existing Configuration Interfaces
        2. Issues Addressed
        3. Leveling the Playing Field: Making Security more Accessible to End Users
        4. Maintaining Flexibility for Application Designers and Vendors
      5. DESIGN PRINCIPLES
      6. DESIGN AND IMPLEMENTATION
      7. EVALUATION
        1. Target Population
        2. Tasks Tested
        3. Evaluation Method
      8. EXPERIMENTAL RESULTS
        1. Understanding of Wireless Technology
        2. Configuration Interface Design
      9. DISCUSSION AND FUTURE TRENDS
      10. CONCLUSION
      11. ACKNOWLEDGMENT
    2. REFERENCES
      1. ENDNOTE
    3. XII. Security Usability Challenges for End-Users
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
        1. Usability Problems in Practice
          1. End-User Survey
          2. End-User Trials
        2. Reliance upon Technical Terminology
        3. Unclear and Confusing Functionality
        4. Lack of Visible Status and Informative Feedback
        5. Forcing Uninformed Decisions
        6. Addressing the Problems
      4. CONCLUSION
    4. REFERENCES
    5. XIII. CAPTCHAs: Differentiating between Human and Bots
      1. ABSTRACT
      2. INTRODUCTION
        1. Necessity
        2. History
        3. Turing Tests
      3. CAPTCHA DEFINITION
        1. Existing Definitions
        2. Revised Definition
        3. CAPTCHA Names
        4. Reverse Turing Tests
      4. EXISTING CAPTCHA SCHEMES
        1. Published Schemes
          1. Character Based CAPTCHA Schemes
          2. Georgia Tech's Contributions
          3. Pessimal Print
          4. Baffle Text
          5. Scatter Type
          6. Microsoft CAPTCHAs
          7. Image Based CAPTCHA Schemes
          8. ARTiFACIAL
        2. Image Recognition CAPTCHA
        3. The Identity Anomalies CAPTCHA
      5. IMAGINATION CAPTCHA
        1. Animation Based CAPTCHA
          1. Audio Based CAPTCHA Schemes
          2. Sounds CAPTCHA
        2. Miscellaneous CAPTCHA Schemes
          1. Collaborative CAPTCHAs
          2. Other Ideas
        3. Unpublished Schemes
        4. Our New CAPTCHA Schemes
          1. The Problem with Existing Schemes
          2. Face Recognition CAPTCHA
        5. Test Generation Scheme
          1. Image Databases
          2. Image Processing Tools
          3. Using Human Faces in Image Recognition: Scheme One
          4. Recognizing Human Faces: Scheme Two
          5. Methodology
          6. Extension
          7. Improvements
          8. Analysis and Conclusions
          9. Simple Games CAPTCHA
          10. Online Games and Bots
        6. Analysis
          1. Real World Existence
          2. Usability
      6. COMPARISON AND ANALYSIS OF CAPTCHA SCHEMES
        1. CAPTCHAs in the Real World
        2. Acceptance of CAPTCHAs by the Users
        3. Abuse of CAPTCHAs—Spam
        4. Online Games and Bots
        5. Problems with CAPTCHAs
      7. ATTACKING CAPTCHAS
        1. Technical AI Attacks
        2. Relay Attacks
          1. Online Relay Attacks
          2. Off-Line Relay Attacks
      8. SUMMARY AND CONCLUSION
    6. REFERENCES
    7. XIV. Privacy Concerns when Modeling Users in Collaborative Filtering Recommender Systems
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
        1. Statements
        2. Definition of Privacy
        3. Related Work in Collaborative Filtering
      4. GENERIC PRIVACY ENHANCING PROCESS
        1. User Modeling Process
        2. Generic Solution To Guarantee Privacy
        3. Examples Of Applications With Different Architectures
          1. Client/Server Architecture
        4. Grid Computing
      5. FUTURE TRENDS
      6. CONCLUSION
    8. REFERENCES
      1. ENDNOTES
  9. IV. Organizational Aspects
    1. XV. An Adaptive Threat-Vulnerability Model and the Economics of Protection
      1. ABSTRACT
      2. INTRODUCTION
        1. Some Definitions
      3. BACKGROUND
      4. BROADENING THE SECURITY CONCEPT
        1. Wrapped Exploits and Open Responses
        2. The Dynamics of Threats and Vulnerabilities
        3. The Changing Threat Environment
        4. The Changing Vulnerability Environment
      5. THREATS AND VULNERABILITIES IN THE HUMAN CONTEXT
        1. The Technical Viewpoint
        2. The Interaction of Metrics and Behavior
        3. The Human Component
          1. Cost-Benefit Aspects
          2. Costs of Threats
          3. Benefits of Threats
        4. Comparisons of Technical and Human/Social Threats
          1. Costs of Exploits
          2. Benefits of Exploits
        5. Comparisons of Technical and Human/Social Exploits
          1. Costs of Vulnerabilities
          2. Benefits of Vulnerabilities
        6. Comparisons of Technical and Human/Social Vulnerabilities
          1. Costs of Defense Measures
          2. Benefits of Defense Measures
          3. Costs of Incidents
          4. Benefits of Incidents
        7. Comparisons of Technical and Human/Social Incidents
          1. Costs of Recovery and Restoration
          2. Benefits of Recovery and Restoration
        8. Comparisons of Technical and Human/Social Recovery and Restoration
      6. FUTURE WORK ON SUCCESSIVE ITERATIONS
        1. Future Trends
      7. SUMMARY AND CONCLUSION
    2. REFERENCES
      1. ENDNOTES
    3. XVI. Bridging the Gap between Employee Surveillance and Privacy Protection
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
        1. Why Do Companies Conduct Surveillance?
          1. Productivity, Cost Control, and Allocation
          2. Security
          3. Protection of Own or Third Persons' Interests
      4. WORKPLACE SURVEILLANCE: TOOLS AND TECHNIQUES
        1. Current Use of Monitoring Technologies
        2. Discussion
      5. PRIVACY IMPLICATIONS OF WORKPLACE SURVEILLANCE TECHNOLOGIES
        1. A Changing Work Environment
        2. Employees' Privacy
        3. Implications of Video Surveillance and Location Monitoring Techniques
      6. RELEVANT REGULATORY FRAMEWORK
        1. Privacy in Private Contexts and Relationships
        2. The U.S. Doctrine of "Reasonable Expectation of Privacy"
        3. The European Approach to Privacy Rights in the Workplace
        4. Privacy and Data Protection Principles
      7. FAIR PRACTICES
      8. CONCLUSION AND OPEN ISSUES
    4. REFERENCES
    5. XVII. Aligning IT Teams' Risk Management to Business Requirements
      1. ABSTRACT
      2. INTRODUCTION
      3. BACKGROUND
      4. RISK MANAGEMENT AND ALIGNMENT
        1. Alignment
        2. The First Link between Strategic Processes and Social Processes: Risk Perceptions
        3. The Second Link between Strategic Processes and Social Processes: Risk Culture
        4. A Methodology to Understand Risk Culture and Alignment
          1. Three Dimensions
        5. An Example
          1. Company Background
          2. Context
          3. Influence of Context of Perceptions of Risk (and Risk Tolerance)
          4. Influence of Context on Risk Culture
          5. Content of the Risk Management Framework
          6. Influence of Risk Perceptions on the Risk Management Framework
          7. Formal Alignment Process
          8. Managing the Inter-Dependence between Risk Perceptions and ERM Alignment
          9. Managing the Influence of Culture on Alignment
          10. 'Unusual Events Offer Chance to Validate Process'
      5. CONCLUSION
      6. NOTE
    6. REFERENCES
    7. XVIII. Security Requirements Elicitation: An Agenda for Acquisition of Human Factors
      1. ABSTRACT
      2. INTRODUCTION
      3. SYSTEMS AND SECURITY REQUIREMENTS ELICITATION: HUMAN FACTORS
      4. BACKGROUND AND DISCUSSIONS
      5. CONCLUSION AND FUTURE DIRECTIONS
    8. REFERENCES
    9. XIX. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis
      1. ABSTRACT
      2. INTRODUCTION
      3. LITERATURE REVIEW AND CONCEPTUAL FRAMEWORK
        1. The Role of the Information Security Policy
        2. Threats to the Security of Information Assets
        3. Conceptual Framework and Research Hypotheses
      4. RESEARCH DESIGN
        1. Questionnaire Development Validation and Targeting
        2. Best Practice in Information Security Policy Adoption
        3. Sample Characteristics and Response Bias
      5. RESEARCH FINDINGS
        1. The Impact of the Adoption of an InSPy on Security Breaches
        2. The Impact of the Age of the InSPy on Security Breaches
        3. Impact of InSPy Update Frequency on Security
        4. The Impact of the Scope of an InSPy on Security Breaches
        5. The Impact of The Adoption of Best Practice on Security Breaches
      6. DISCUSSION
      7. CONCLUDING REMARKS
      8. ACKNOWLEDGMENT
    10. REFERENCES
  10. Compilation of References
  11. About the Contributors