Vulnerability Disclosure: The Strange Case of Bret McDanel
Edward H. Freeman
Pub Date: 2007-01-01. DOI: 10.1080/10658980601144915
Responsible developers work hard to produce secure, reliable, and efficient software packages. No company wants its integrity compromised by hackers, employees, or legitimate users. Negative publicity damages a firm's reputation. Legal proceedings can cost an organization millions and destroy any chance of long-term success. Realistically, few products are released without security flaws. Programmers and system designers strive to find security bugs during the development cycle or, at worst, during beta testing, when bugs can be fixed easily. Careful testing allows internal programmers to debug the software without publicity or industry notice. The outcome may differ if outsiders discover a security breach. Malicious hackers may exploit the breach to obtain classified information, to destroy the integrity of the information, or simply for the challenge. Even self-described "ethical hackers" may share this information with no discretion. Given the speed of the Internet, security breaches can be transmitted worldwide in hours. This article deals with vulnerability disclosure, where the details of a security breach are freely available. It also deals with the bizarre case of Bret McDanel, a young computer expert who spent 16 months in federal prison after he exposed a security breach in his former employer's software package.
Implicit Trust Can Lead to Data Loss
S. Fleming
Pub Date: 2007-01-01. DOI: 10.1080/10658980701260520
Effective Change Management: Ensuring Alignment of IT and Business Functions
W. Yarberry
Pub Date: 2007-01-01. DOI: 10.1080/10658980601144899
This article was originally published as "Change Management" in EDPACS, 2005, 33(4):12–24.
Do Information Security Professionals and Business Managers View Information Security Issues Differently?
R. Rainer, T. Marshall, Kenneth J. Knapp, Gina H. Montgomery
Pub Date: 2007-01-01. DOI: 10.1080/10658980701260579
Organizations today know that information technology is essential not only for daily operations but also for gaining strategic advantage in the marketplace. The importance of information technology means that information security has also become important. Breaches in information security can result in litigation, financial losses, damage to brands, loss of customer confidence, loss of business partner confidence, and can even cause the organization to go out of business. A recent study (Knapp, Marshall, Rainer, & Morrow 2006) surveyed 874 Certified Information Systems Security Professionals (CISSPs) to determine and rank the top 25 information security issues. Of the 18 highest-ranked issues, 10 were more managerial than technical in nature. Table 1 shows these ten issues with their ranks in parentheses. Considering these ten issues as a whole, we see how critically important it is for information security professionals to have strong business, management, and organizational skills. Looking at each issue individually, we see a list of specific areas in which information security professionals should be competent in order to operate effectively in an organizational context. The list of issues in Table 1 represents the issues that information security professionals often have the most difficulty addressing. For example, three of these issues emphasize the need for excellent communication between information security professionals and business managers. The issues of "top management support," "low funding and inadequate budgets," and "justifying security expenditures" are closely related. The support of organizational executives is clearly needed to obtain the necessary funding for the information security function. To obtain this funding, information security professionals must present a coherent business case for information security needs. Information security professionals must also communicate with the entire user community to raise their awareness of information security issues through training and education, thereby promoting an organizational culture attuned to information security. Information security professionals must also work with business managers and the user community during the risk
Address correspondence to R. Kelly Rainer, Jr., Ph.D., George Phillips Privett Professor of Management Information Systems at Auburn University, Auburn, Alabama. E-mail: rainerk@auburn.edu
Service of Process by Email
Edward H. Freeman
Pub Date: 2006-12-01. DOI: 10.1080/10658980601051979
Abstract The Internet is firmly established as a primary method of communications. Documents and information can be sent online in a matter of seconds, reliably and confidentially. Email addresses have joined telephone numbers and street addresses as acceptable methods of identification and communications. Organizations and individuals throughout the world negotiate contracts, make major purchases and transact business without any exchange of papers.
Honeynet Learning: Discovering Information Security
M. Talabis
Pub Date: 2006-12-01. DOI: 10.1080/10658980601052019
Abstract We believe information security learning is an area that would benefit greatly from the integration of the honeynet.
Year of the Rootkit
Ken Dunham
Pub Date: 2006-12-01. DOI: 10.1080/10658980601051797
Abstract In December 2005, I predicted that 2006 would be the "Year of the Rootkit." Recent statistics and major attacks have proven this to be the case. Rootkits are more prevalent than ever, especially on the Windows platform. This report provides an introduction to Windows rootkits, recent trends, how they function, and how you can detect and remove rootkits.
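The detection technique most relevant to the rootkits this report covers is the cross-view diff: a rootkit that hooks an enumeration API, or unlinks its objects from kernel lists, hides from one path to the data but rarely from all of them, so the same inventory taken through two independent paths disagrees exactly on what was hidden. The following is an added example written for this page, not code from the report or from any rootkit-detection tool. The two snapshots are constructed; the source names, process names and driver paths in them are illustrative assumptions, not real indicators.

```python
"""Cross-view rootkit detection over two constructed host snapshots.

The 'API view' is what a hooked, high-level enumeration reports (the list a
user sees in Task Manager or Explorer). The 'raw view' is the same inventory
taken by a path the rootkit did not hook: an OpenProcess sweep over every
PID, or a raw read of the directory from disk. Objects in the raw view that
the API view omits are the rootkit's footprint.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class View:
    """One inventory of the host, tagged with the path that produced it."""
    source: str
    processes: frozenset   # of (pid, image_name) tuples
    files: frozenset       # of absolute paths


def cross_view_diff(api_view: View, raw_view: View) -> dict:
    """Diff the two views in both directions.

    'hidden': in the raw view, missing from the API view -> rootkit signal.
    'stale' : in the API view, missing from the raw view -> usually a process
              that exited, or a file deleted, between the two captures; it is
              reported so the analyst re-snapshots instead of trusting noise.
    """
    return {
        "hidden": {
            "processes": sorted(raw_view.processes - api_view.processes),
            "files": sorted(raw_view.files - api_view.files),
        },
        "stale": {
            "processes": sorted(api_view.processes - raw_view.processes),
            "files": sorted(api_view.files - raw_view.files),
        },
    }


def findings(api_view: View, raw_view: View) -> list:
    """One human-readable indicator per hidden object."""
    diff = cross_view_diff(api_view, raw_view)
    out = []
    for pid, image in diff["hidden"]["processes"]:
        out.append(f"hidden process pid={pid} image={image}: "
                   f"missing from {api_view.source}, present in {raw_view.source}")
    for path in diff["hidden"]["files"]:
        out.append(f"hidden file {path}: "
                   f"missing from {api_view.source}, present in {raw_view.source}")
    return out


# Constructed snapshots (assumed names; not real indicators of compromise).
# notepad.exe exited between the captures, so it shows up as 'stale', not hidden.
API_VIEW = View(
    source="Process32Next/FindFirstFile",
    processes=frozenset({(4, "System"), (512, "svchost.exe"),
                         (1204, "explorer.exe"), (1337, "notepad.exe")}),
    files=frozenset({r"C:\Windows\System32\drivers\ntfs.sys",
                     r"C:\Windows\System32\kernel32.dll"}),
)
RAW_VIEW = View(
    source="OpenProcess PID sweep / raw NTFS read",
    processes=frozenset({(4, "System"), (512, "svchost.exe"),
                         (1204, "explorer.exe"), (2108, "_rk_svc.exe")}),
    files=frozenset({r"C:\Windows\System32\drivers\ntfs.sys",
                     r"C:\Windows\System32\kernel32.dll",
                     r"C:\Windows\System32\drivers\_rk_hook.sys"}),
)

if __name__ == "__main__":
    for line in findings(API_VIEW, RAW_VIEW):
        print(line)
    print("stale (re-snapshot before trusting):",
          cross_view_diff(API_VIEW, RAW_VIEW)["stale"])
```

Two caveats a practitioner should keep in mind. A kernel-mode rootkit that hooks both enumeration paths, or sits below the OS entirely, produces no delta, so the strongest "raw" view is one taken out of band, from a disk image acquired after booting clean media. That out-of-band view is also where removal belongs: deleting a hidden driver from inside the compromised OS relies on the very APIs the rootkit controls.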
Maximizing the Return on Investment on Information Security Programs: Program Governance and Metrics
Cezar Drugescu, Rafael Etges
Pub Date: 2006-12-01. DOI: 10.1080/10658980601051482
Abstract This article provides a discussion of the way organizations currently seek to effectively evaluate their existing information security initiatives and to build realistic business cases to increase executive awareness of risk and regulatory compliance, and, therefore, to secure budgets for new expenditures on internal controls.
Risk Conductors
T. Macaulay
Pub Date: 2006-12-01. DOI: 10.1080/10658980601051409
Abstract Akin to sound resonating through a piano wire, impacts from both physical (flood, vandalism/sabotage, explosions, pandemics, etc.) and logical (network/software/data) incidents resonate between and through enterprises and business hierarchies via "risk conductors." There are two orders of risk conductor: Critical Infrastructure (CI) as the industrial risk conductors, and intra-organizational operational risk conductors in the form of Human Factors (HF) and Information and Communication Technology (ICT). Risk conductors, either industrial or operational, are the dispersal agents of geographically centered, physical, or logical impacts. Critical infrastructures may transmit an impact from one enterprise to another throughout an economy. Operational risk conductors, HF and ICT, transmit horizontally within an enterprise from one business unit to another, potentially amplifying internal incidents from manageable to crisis/disaster proportions. Operational risk conductors may also transmit vertically, away from the enterprise up to the client base and downwards into the supply chain, transmitting impacts to both customers and partners/suppliers. Operational risk conductors are not necessarily a new phenomenon, but they have taken on considerably greater significance under the rapid convergence of information and communication assets to Internet Protocol (IP), which has catalyzed a feedback loop between HF and ICT. As an incident typically has both HF and ICT impacts, HF and ICT in turn impact each other, multiplying the scope and scale of the impact. In addition to presenting a framework for understanding and managing operational risks and resiliency, this paper proposes a cause-and-effect relationship between IP convergence and the materialization of operational risk conductors.
Seven Highly Successful Habits of Enterprise Email Managers: Ensuring that your employees' email usage is not putting your company at risk
J. Vandermeer
Pub Date: 2006-12-01. DOI: 10.1080/10658980601051359
Abstract The rise of regulatory oversight and privacy concerns, the exponential growth in the amount of email, the lack of email discipline by employees, and the ubiquity of email as a primary communications mechanism have created new risks for companies and businesses of every size. It is not only the disgruntled worker you should be worried about; it is likely your star performers who are unknowingly placing your company at risk while just trying to do their jobs. They are emailing data to their personal accounts and/or to customers or partners, all in the clear and often without anyone knowing until it is too late to stop the security or ethical breach.
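The risk the abstract describes, well-meaning staff mailing company data to personal accounts or to outside parties over unencrypted hops, is one that an outbound-gateway log review catches reliably, and catching it is the first of the habits any email manager needs. The following is an added example written for this page, not code from the article or from any mail product. The log line format, the corporate domain, the list of consumer webmail domains and the log entries themselves are all constructed for the example; a real gateway (Postfix, Exchange message tracking) logs the same fields under different names.

```python
"""Review outbound mail for data leaving the company in the clear.

Scores each outbound message on the risks named in the abstract: mail to a
consumer webmail account, an employee forwarding to themselves, delivery
without transport encryption, and a business document sent to an outside
party. Internal mail is left alone; the point is what crosses the boundary.
"""
import re
from collections import Counter

CORP_DOMAIN = "example.com"                                   # assumption: our own domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com",  # assumption: consumer webmail
                    "aol.com"}
DOCUMENT_SUFFIXES = (".xlsx", ".csv", ".docx", ".pdf", ".zip")

# Constructed gateway log: one outbound message per line (format assumed).
LOG = """\
2006-11-14T09:02:11Z from=j.doe@example.com to=buyer@supplier.example attach=Q3_forecast.xlsx tls=yes
2006-11-14T09:05:40Z from=j.doe@example.com to=jdoe.home@gmail.com attach=customer_list.csv tls=no
2006-11-14T09:07:02Z from=a.smith@example.com to=it-help@example.com attach= tls=yes
2006-11-14T09:09:15Z from=k.lee@example.com to=k.lee@hotmail.com attach= tls=no
2006-11-14T09:12:30Z from=k.lee@example.com to=team@example.com attach=minutes.docx tls=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attach=(?P<attach>\S*) tls=(?P<tls>yes|no)$"
)


def parse(log: str) -> list:
    """Parse the log into dicts; malformed lines are skipped, never guessed at."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def _local_key(addr: str) -> str:
    """Normalise a local part so 'j.doe' and 'jdoe' compare equal."""
    return addr.split("@", 1)[0].lower().replace(".", "").replace("_", "")


def reasons(rec: dict) -> list:
    """Risk reasons for one message; an empty list means nothing to flag."""
    rcpt_domain = rec["rcpt"].rsplit("@", 1)[-1].lower()
    if rcpt_domain == CORP_DOMAIN:
        return []                                  # internal mail: out of scope here
    out = []
    if rcpt_domain in PERSONAL_DOMAINS:
        out.append("personal-webmail")
    if _local_key(rec["rcpt"]) == _local_key(rec["sender"]):
        out.append("self-forward")                 # employee mailing data to themselves
    if rec["tls"] == "no":
        out.append("cleartext")                    # no transport encryption on the hop
    if rec["attach"].lower().endswith(DOCUMENT_SUFFIXES):
        out.append("document-attachment")          # business document leaving the company
    return out


def scan(log: str) -> list:
    """Flagged messages as (timestamp, sender, recipient, reasons)."""
    return [(r["ts"], r["sender"], r["rcpt"], reasons(r))
            for r in parse(log) if reasons(r)]


def senders_by_flags(log: str) -> Counter:
    """Flagged messages per sender: the 'star performer' view the abstract warns about."""
    return Counter(sender for _, sender, _, _ in scan(log))


if __name__ == "__main__":
    for ts, sender, rcpt, why in scan(LOG):
        print(ts, sender, "->", rcpt, ",".join(why))
    print(senders_by_flags(LOG).most_common())
```

Note what `tls` does and does not tell you: it records whether the gateway's hop to the next server was encrypted, not whether the data was protected once it landed in a personal mailbox. A document forwarded to a webmail account over TLS is still company data outside company control, which is why the recipient checks carry more weight than the cleartext check, and why the per-sender tally is the number to put in front of the line manager.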