International Conferences: SIGMIS – Computers and People Research 2015 Newport Beach, CA
The ACM SIGMIS Computers and People Research 2015 conference met at Newport Beach, California on June 4-6, 2015. This year’s conference theme was the Cyber Security Workforce in the Global Context. Topics covered are related to the Hard Problem of human factors in cybersecurity.
David H. Tobey; “A Vignette-Based Method for Improving Cybersecurity Talent Management through Cyber Defense Competition Design,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 31–39. doi:10.1145/2751957.2751963
Abstract: The preliminary findings are reported from a four-year study of cybersecurity competency assessment and development achieved through the design of cyber defense competitions. The first year of the study focused on identifying the abilities that should indicate aptitude to perform well in the areas of operational security testing and advanced threat response. A recently developed method for Job Performance Modeling (JPM) is applied which uses vignettes — critical incident stories — to guide the elicitation of a holistic description of mission-critical roles grounded in the latest tactics, techniques and protocols defining the current state-of-the-art, or ground truth, in cyber defense. Implications are drawn for design of scoring engines and achievement of game balance in cyber defense competitions as a talent management system.
Keywords: aptitude, competency model, critical incident, cyber defense competition, game balance, job performance model, ksa, talent management, vignette (ID#: 15-6936)
URL: http://doi.acm.org/10.1145/2751957.2751963
Leigh Ellen Potter, Gregory Vickers; “What Skills Do You Need to Work in Cyber Security?: A Look at the Australian Market,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 67–72. doi:10.1145/2751957.2751967
Abstract: The demand for cyber security professionals is rising as the incidence of cyber crime and security breaches increases, leading to suggestions of a skills shortage in the technology industry. While supply and demand are factors in the recruitment process for any position, in order to secure the best people in the security field we need to know what skills are required to be a security professional in the current cyber security environment. This paper seeks to explore this question by looking at the current state of the Australian Industry. Recent job listings in the cyber security area were analysed, and current security professionals in industry were asked for their opinion as to what skills were required in this profession. It was found that each security professional role has its own set of skill requirements, however there is significant overlap between the roles for many soft skills, including analysis, consulting and process skills, leadership, and relationship management. Both communication and presentation skills were valued. A set of “hard” skills emerged as common across all categories: experience, qualifications and certifications, and technical expertise. These appear to represent the need for a firm background in the security area as represented by formal study and industry certifications, and supported by solid experience in the industry. Specific technical skills are also required, although the exact nature of these will vary according to the requirements of each role.
Keywords: cyber security, security professional, skills (ID#: 15-6937)
URL: http://doi.acm.org/10.1145/2751957.2751967
Nishtha Kesswani, Sanjay Kumar; “Maintaining Cyber Security: Implications, Cost and Returns,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 161–164. doi:10.1145/2751957.2751976
Abstract: Cyber security is one of the most critical issues faced globally by most countries and organizations. With the ever increasing use of computers and the internet, there has been tremendous growth in cyber-attacks. The attackers target not only high end companies but also banks and government agencies. As a result, companies and governments across the globe are sparing huge amounts of money to create a cyber-secure niche. In every organization, whenever an investment has to be made, everybody is concerned about the return which the organization will be getting from that investment. Every investment has to be justified from the point of view of return. Investments made in cyber security are never preferred by organizations as they do not give any return. Return on investments made in cyber security is not measured in terms of profits and gains, but rather in terms of prevented losses. This paper provides an insight into various established approaches which can be used for measurement of return on cyber security investment. Cost-benefit analysis of cyber security investments can be useful to the organization to have insight into whether money is well spent or not.
Keywords: annual loss expectancy approach, cost benefit analysis, gordon and loeb approach, net present value approach (ID#: 15-6938)
URL: http://doi.acm.org/10.1145/2751957.2751976
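The three approaches named in the keywords above, carried through on constructed figures as an added example; this is not code from the paper or from this listing. The scenario numbers, the breach-probability parameters (v, alpha, beta) and the function names are assumptions chosen for illustration. The formulas are the standard ones: ALE = AV x EF x ARO, ROSI = (ALE_before - ALE_after - cost) / cost, NPV as the discounted sum of yearly net cash flows, and the Gordon-Loeb class-I breach probability function S(z, v) = v / (alpha z + 1)^beta, whose expected net benefit is maximised in closed form and cross-checked with a grid search.

```python
import math

# Added worked example (not from the paper): the ROI approaches named in the
# paper's keywords, evaluated on CONSTRUCTED figures. Money is in arbitrary units.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: loss from a single occurrence of the incident."""
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value, exposure_factor, annual_rate_of_occurrence):
    """ALE = SLE x ARO: expected loss per year, before or after a control is in place."""
    return single_loss_expectancy(asset_value, exposure_factor) * annual_rate_of_occurrence


def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """ROSI = (prevented loss - cost) / cost. Negative means the control costs more than it saves."""
    prevented = ale_before - ale_after
    return (prevented - annual_control_cost) / annual_control_cost


def net_present_value(discount_rate, net_cashflows):
    """NPV of yearly net cash flows; index 0 is the up-front spend (negative), later years are
    prevented loss minus upkeep, each discounted back to today."""
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(net_cashflows))


def gordon_loeb_breach_probability(z, v, alpha, beta):
    """Gordon-Loeb class-I security breach probability function S(z, v) = v / (alpha*z + 1)**beta.
    v is the vulnerability (breach probability with zero investment), z the amount invested."""
    return v / (alpha * z + 1.0) ** beta


def gordon_loeb_enbis(z, v, loss, alpha, beta):
    """Expected net benefit of information security: reduction in expected loss minus the spend."""
    return (v - gordon_loeb_breach_probability(z, v, alpha, beta)) * loss - z


def gordon_loeb_optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of ENBIS for the class-I function, from dENBIS/dz = 0:
    v*alpha*beta*L*(alpha*z + 1)^-(beta+1) - 1 = 0
    => z* = ((v*alpha*beta*L)^(1/(beta+1)) - 1) / alpha, clipped at 0 when investing never pays."""
    z_star = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z_star)


def gordon_loeb_grid_optimum(v, loss, alpha, beta, step=1000.0):
    """Brute-force check of the closed form: scan investments from 0 up to the expected loss v*L."""
    best_z, best_val = 0.0, gordon_loeb_enbis(0.0, v, loss, alpha, beta)
    z = step
    while z <= v * loss:
        val = gordon_loeb_enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 1,000,000; a breach exposes 50% of that value;
    # breaches currently occur 0.2 times per year; a 60,000/year control cuts the ARO to 0.05.
    ale_before = annual_loss_expectancy(1_000_000, 0.5, 0.2)   # 100,000
    ale_after = annual_loss_expectancy(1_000_000, 0.5, 0.05)   # 25,000
    print("ALE before/after:", ale_before, ale_after)
    print("ROSI:", return_on_security_investment(ale_before, ale_after, 60_000))  # 0.25

    # NPV: 150,000 up front, then 75,000/year prevented loss minus 5,000/year upkeep, 8% discount rate.
    print("NPV:", round(net_present_value(0.08, [-150_000, 70_000, 70_000, 70_000]), 2))

    # Gordon-Loeb: v = 0.6, L = 1,000,000, alpha = 1e-5, beta = 1 (assumed parameters).
    z = gordon_loeb_optimal_investment(0.6, 1_000_000, 1e-5, 1.0)
    print("Gordon-Loeb z*:", round(z), "grid check:", gordon_loeb_grid_optimum(0.6, 1_000_000, 1e-5, 1.0))
    print("z* / (v*L) =", round(z / (0.6 * 1_000_000), 3), "<= 1/e =", round(1 / math.e, 3))
```

The last line illustrates the Gordon-Loeb result for their two function classes: the optimal spend never exceeds 1/e (about 37%) of the expected loss v x L. The practical caveat is that every input here (exposure factor, ARO, v, alpha, beta) is an estimate; run the same functions over a range of values before presenting a single ROI figure.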
Michelle L. Kaarst-Brown, E. Dale Thompson; “Cracks in the Security Foundation: Employee Judgments about Information Sensitivity,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 145–151. doi:10.1145/2751957.2751977
Abstract: Despite the increased focus on IT security, much of our reliance on “information sensitivity classifications” is based on broadly specified technical “access controls” or policies and procedures for the handling of organizational data — many of them developed incrementally over decades. One area ignored in research and practice is how human beings make “sensitivity judgments” or “classify” information they may encounter in everyday activities. This has left what we view as a crack in the IT security foundation. This crack has created a tension between formal IT security classification schema, technical controls, and policy, and the sensitivity judgments that everyday workers must make about the non-coded information they deal with. As noted in government and private reports, a new look at information sensitivity classification is vital to the expanding reach and criticality of information security. Based on a grounded theory study that elicited 188 judgements of sensitive information, we found valuable lessons for IT security in how workers, both in IT and outside of IT, recognize, classify, and react to their human judgments of sensitive information.
Keywords: classification, employee judgments, information sensitivity, it security, security awareness, security judgments (ID#: 15-6939)
URL: http://doi.acm.org/10.1145/2751957.2751977
Conrad Shayo, Javier Torner, Frank Lin, Jake Zhu, Joon Son; “Is Managing IT Security a Mirage?,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 97–98. doi:10.1145/2751957.2751970
Abstract: The purpose of this panel is to provide a forum to discuss the main IT security issues confronting organizations today. The panelists and attendees will discuss the existing gap between current IT security practices vs. best practices based on survey trends on IT security for the past 5 years, explore popular models used to justify IT security investments, and showcase some of the most popular hacking tools to demonstrate why it is so easy to compromise organizational IT security assets. The panel will conclude by discussing the emerging IT security standards and practices that may help deter, detect, and mitigate the impact of cyber-attacks. As the title suggests, we posit the question: Is Managing IT Security a Mirage?
Keywords: cyber-attacks, cybersecurity, hacking, information system risk, information system security, it vulnerability, ransomware, secure it infrastructure (ID#: 15-6940)
URL: http://doi.acm.org/10.1145/2751957.2751970
Shuyuan Mary Ho, Hengyi Fu, Shashanka S. Timmarajus, Cheryl Booth, Jung Hoon Baeg, Muye Liu; “Insider Threat: Language-Action Cues in Group Dynamics,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 101–104. doi:10.1145/2751957.2751978
Abstract: Language as a symbolic medium plays an important role in virtual communications. Words communicated online as action cues can provide indications of an actor’s behavioral intent. This paper describes an ongoing investigation into the impact of a deceptive insider on group dynamics in virtual team collaboration. An experiment using an online game environment was conducted in 2014. Our findings support the hypothesis that language-action cues of group interactions will change significantly after an insider has been compromised and makes efforts to deceive. Furthermore, the language used in group dynamic interaction will tend to employ more cognition, inclusivity and exclusivity words when interacting with each other and with the focal insider. Future work will employ finely tuned complex Linguistic Inquiry and Word Count dictionaries to identify additional language-action cues for deception.
Keywords: insider threat detection, language-action cues, online deception, trusted human-computer interaction (ID#: 15-6941)
URL: http://doi.acm.org/10.1145/2751957.2751978
Antoine Lemay, Sylvain P. Leblanc, Tiago de Jesus; “Lessons from the Strategic Corporal: Implications of Cyber Incident Response,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 61–66. doi:10.1145/2751957.2751965
Abstract: With the rise of cyber espionage the role of cyber incident responders is becoming more complex, but the personnel profile of incident handlers has remained constant. In this new environment, the strategic position of companies is being affected by operation personnel, including cyber incident responders, who have little to no awareness of the strategic implications of their technical decisions. In recent decades, the military has gone through a similar situation and has dubbed this new reality the “Strategic Corporal”. This paper analyzes cyber incident response through the theoretical framework of the Strategic Corporal to argue that today’s cyber incident responders fit that profile. The paper looks at three solutions put forward by the military, namely training, communication of the commander’s intent and embracing decentralization, and shows that these are viable solutions to make cyber incident responders ready to meet the current challenge.
Keywords: cyber incident response, cyber responder training, management of cyber responders, strategic impact of cyber decisions (ID#: 15-6942)
URL: http://doi.acm.org/10.1145/2751957.2751965
Rinku Sen, Manojit Chattopadhyay, Nilanjan Sen; “An Efficient Approach to Develop an Intrusion Detection System Based on Multi Layer Backpropagation Neural Network Algorithm: IDS Using BPNN Algorithm,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 105–108. doi:10.1145/2751957.2751979
Abstract: The key success factor of a business depends upon correct and timely information. The vital resources of the organization should be protected from inside and outside threats. Among the many threats to network security, intrusion has become a crucial reason for many organizations to incur losses. Many researchers are trying their level best to handle the different types of intrusion affecting business. To detect such types of intrusion, our initiative is to use a very popular soft computing tool, namely the back propagation neural network (BPNN). We have prepared a flexible BPNN architecture to identify intrusions with the help of the anomaly detection methodology. The results we obtained are better than or on par with many of the best research papers in this field of study. We have used the KDD dataset for our experiment.
Keywords: anomaly detection, artificial neural network, bpnn, intrusion detection system, kdd cup 99 dataset (ID#: 15-6943)
URL: http://doi.acm.org/10.1145/2751957.2751979
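A minimal multi-layer backpropagation network used as a binary anomaly detector, as an added example that is not the paper's code. The connection records are constructed: the five feature names mimic a handful of KDD Cup 99 fields, but the values are synthetic, and the network size, learning rate, epoch count and 0.5 decision threshold are assumptions chosen so the example runs in a second with no dependencies beyond the standard library.

```python
import math
import random

# Added example (not the paper's code): a one-hidden-layer backprop network trained as a
# normal-vs-attack classifier on CONSTRUCTED connection records. Feature names imitate a few
# KDD Cup 99 fields; the values are synthetic.
FEATURE_NAMES = ("count", "serror_rate", "same_srv_rate", "src_bytes", "dst_bytes")


def make_synthetic_records(n, rng):
    """Constructed sample: alternating normal and SYN-flood-like records, then shuffled."""
    records = []
    for i in range(n):
        if i % 2 == 0:
            # normal: few connections to the host, almost no SYN errors, real payloads
            x = [rng.uniform(1, 50), rng.uniform(0.0, 0.2), rng.uniform(0.7, 1.0),
                 rng.uniform(100, 5000), rng.uniform(100, 20000)]
            y = 0
        else:
            # attack-like: hundreds of half-open connections, high SYN-error rate, no payload
            x = [rng.uniform(200, 511), rng.uniform(0.7, 1.0), rng.uniform(0.0, 0.3),
                 rng.uniform(0, 100), rng.uniform(0, 100)]
            y = 1
        records.append((x, y))
    rng.shuffle(records)
    return records


def fit_minmax(records):
    """Per-feature (min, max) taken from the TRAINING set only, so the test set cannot leak scale."""
    columns = zip(*(x for x, _ in records))
    return [(min(c), max(c)) for c in columns]


def scale(x, bounds):
    """Min-max scale to [0, 1]; values outside the training range are clipped."""
    return [min(1.0, max(0.0, (v - lo) / (hi - lo))) if hi > lo else 0.0
            for v, (lo, hi) in zip(x, bounds)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class BPNN:
    """One hidden layer of sigmoid units and a sigmoid output, trained by online backpropagation."""

    def __init__(self, n_in, n_hidden, rng):
        # each weight row carries a trailing bias weight (fed a constant input of 1.0)
        self.w_hidden = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w_out = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        hidden = [sigmoid(sum(w * v for w, v in zip(ws, x + [1.0]))) for ws in self.w_hidden]
        out = sigmoid(sum(w * v for w, v in zip(self.w_out, hidden + [1.0])))
        return hidden, out

    def train_step(self, x, y, lr):
        hidden, out = self.forward(x)
        # cross-entropy loss with a sigmoid output gives the gradient (out - y) at the output unit
        delta_out = out - y
        # propagate the error back through the output weights BEFORE they are updated
        delta_hidden = [delta_out * self.w_out[j] * h * (1.0 - h) for j, h in enumerate(hidden)]
        for j, v in enumerate(hidden + [1.0]):
            self.w_out[j] -= lr * delta_out * v
        for j, ws in enumerate(self.w_hidden):
            for i, v in enumerate(x + [1.0]):
                ws[i] -= lr * delta_hidden[j] * v

    def anomaly_score(self, x):
        """Output activation in [0, 1]; values above the threshold are flagged as intrusions."""
        return self.forward(x)[1]


def train_and_evaluate(seed=7, n_records=300, n_hidden=4, epochs=60, lr=0.5, threshold=0.5):
    """Train on 70% of a synthetic sample and report IDS-style metrics on the held-out 30%."""
    rng = random.Random(seed)
    records = make_synthetic_records(n_records, rng)
    split = int(0.7 * n_records)
    train, test = records[:split], records[split:]
    bounds = fit_minmax(train)
    net = BPNN(len(FEATURE_NAMES), n_hidden, rng)
    for _ in range(epochs):
        rng.shuffle(train)
        for x, y in train:
            net.train_step(scale(x, bounds), y, lr)
    tp = fp = tn = fn = 0
    for x, y in test:
        flagged = net.anomaly_score(scale(x, bounds)) > threshold
        if flagged and y == 1:
            tp += 1
        elif flagged:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    return {
        "accuracy": (tp + tn) / len(test),
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    print(train_and_evaluate())
```

Two points a practitioner would check that the abstract does not: the scaler is fitted on the training split only, and the result is reported as detection rate and false alarm rate rather than accuracy alone, because in real traffic attacks are rare and a detector that flags nothing can still score high accuracy. The KDD Cup 99 data also has well-known problems (many duplicate records, dated attack types), so headline accuracy on it says little about performance on a live network.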
Masoud Hayeri Khyavi, Mina Rahimi; “The Missing Circle of ISMS (LL-ISMS),” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 73–77. doi:10.1145/2751957.2751972
Abstract: Information security management systems (ISMS) are a new subject which has been discussed in various companies and organizations, and many large and small security companies are also thinking of investigating this topic. However, experience has shown that imitating a scientific and technological issue and implementing it at the national level has not only failed to show the best real effect, but has also caused a huge waste of resources. In this paper, we present an idea for the localization of ISMS which, with regard to ISO standards and the importance of this subject, prepares the facility and the best area for research and work on ISMS. In this essay we introduce a new circle which covers a new level in the ISMS subject.
Keywords: management, security (ID#: 15-6944)
URL: http://doi.acm.org/10.1145/2751957.2751972
Mark G. Graff; “Key Traits of Successful Cyber Security Practitioners,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 21–21. doi:10.1145/2751957.2751983
Abstract: The author’s view, formed over a decades-long career as a cyber security practitioner, is that successful professionals in the field have historically tended to share certain personality traits. Beyond the knack for problem solving and tolerance for late nights and vending machine food common in Information Technology (IT) circles, elements of integrity and character are, for example, often key to achievement in this career niche. The author describes several such traits, illustrating with informal case histories their operation and impact — both positive and negative. Implications for education, training and staffing in this field are also discussed.
Keywords: cyber security, education, management, personality, profession, staffing, training (ID#: 15-6945)
URL: http://doi.acm.org/10.1145/2751957.2751983
Santos M. Galvez, Joshua D. Shackman, Indira R. Guzman, Shuyuan M. Ho; “Factors Affecting Individual Information Security Practices,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 135–144. doi:10.1145/2751957.2751966
Abstract: Data and information within organizations have become important assets that can create a significant competitive advantage and therefore need to be given careful attention. Research from industry has reported that the majority of security-related problems are indirectly caused by employees who disobey the information security policies of their organizations. This study proposes a model to evaluate the factors that influence the individual’s information security practices (IISP) at work. Drawing on social cognitive and control theories, the proposed model includes cognitive, environmental, and control factors as antecedents of IISP. The findings of this study could be used to develop effective security policies and training. They could also be used to develop effective security audits and further recommendations for organizations that are looking to make significant improvements in their information security profiles.
Keywords: control theory, information security behavior, information security practices, iso27002, mandatoriness, security standards, self-efficacy, social cognitive theory (ID#: 15-6946)
URL: http://doi.acm.org/10.1145/2751957.2751966
Mohammad Mohammad; “IT Surveillance and Social Implications in the Workplace,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 79–85. doi:10.1145/2751957.2751959
Abstract: The workplace is where most adults spend roughly half of their waking hours. It is not surprising, therefore, that employment practices affect a broad range of privacy rights. With the exception of polygraph testing, there are few areas of workplace activities that are covered by the American constitution or privacy laws. Accordingly, employers have a great deal of leeway in collecting data on their employees, regulating access to personnel files, and disclosing file contents to outsiders. In addition to the issue of personnel files, workplace privacy involves such practices as polygraph testing, drug testing, computer and telephone monitoring, and interference with personal lifestyle. All of these practices stem from a combination of modern employer concerns (employee theft, drug abuse, productivity, courtesy and the protection of trade secrets) and technological advances that make it more economical to engage in monitoring and testing. The result for employees, however, is a dramatic increase in workplace surveillance. Unprecedented numbers of workers are urinating into bottles for employer-run drug-testing programs. Thousands of data entry operators have their every keystroke recorded by the very computers on which they are working. Surveillance is so thorough in some offices that employers can check to see exactly when employees leave their work stations to go to the bathroom and how long they take. A significant step toward resolving these issues can be taken by considering the possibilities and limitations posed by the extended use of surveillance and developing a model to balance these competing concerns. The model proposes a master plan entitled "Monitoring Process Model (MPM)" showing employers and employees and their inter-related activities, which uses a thorough examination of the research literature thus far to advocate the use of justifications for surveillance that weigh company interests against a notion of transactional privacy, a form of privacy that focuses on trust and relationships.
Keywords: monitor, privacy, surveillance, trust (ID#: 15-6947)
URL: http://doi.acm.org/10.1145/2751957.2751959
John R. Magrane, Jr.; “Personal Information Sharing with Major User Concerns in the Online B2C Market: A Social Contract Theory Perspective,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 7–8. doi:10.1145/2751957.2755507
Abstract: The cyber world has seen growth in the online business over the past two decades and e-commerce continues to expand. Moreover it has brought ease and comfort in the lives of the people and now there is no distinction of states and regions. Mainstream people can buy anything from anywhere in the world through web-platforms such as Amazon.com, thus enhancing e-commerce. However, the major concern that arises is the security apprehension. This research paper studies the willingness of the online shopper to disclose personal information. The study will use a conceptual model to examine customers’ online activities and how variables such as user trust, knowledge sharing behavior, and loyalty intentions influence users’ privacy concerns, and further moderated by one’s perceived environmental security in the B2C Internet market. Social Contract Theory (SCT) will be used to analyze the issue in the behavioral perspective, based on the human obligations towards one another and on the state as the supreme authority that establishes the principles that maintain the balance of a society.
Keywords: environmental security, knowledge sharing behavior, loyalty, personal information, privacy concerns, trust (ID#: 15-6948)
URL: http://doi.acm.org/10.1145/2751957.2755507
Tina Francis, Muthiya Madiajagan, Vijay Kumar; “Privacy Issues and Techniques in E-Health Systems,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 113–115. doi:10.1145/2751957.2751981
Abstract: During the present era, mobiles and smart devices are in abundance. A number of services are provided through these devices, and ubiquitous services are gaining popularity. Ubiquity in healthcare is a sector which has gained importance in the current decade, as medical costs are not affordable for the common man. Ubiquitous healthcare has scope for seamlessly monitoring patients and identifying their health conditions. However, privacy is at risk when using ubiquitous healthcare, as personal health data are given to third-party individuals for monitoring, storage and retrieval. In this paper we propose a privacy-preserving model of an e-health system, so as to maintain the security of patient data across different domains in the e-health system.
Keywords: access control, access controls, cloud computing, cryptography, data encryption, cloud data security, patterns, security, security monitoring, trusted computing (ID#: 15-6949)
URL: http://doi.acm.org/10.1145/2751957.2751981
Glourise M. Haya; “Complexity Reduction in Information Security Risk Assessment,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 5–6. doi:10.1145/2751957.2755506
Abstract: Results of research done by Dlamini et al. [5] clearly show information security was once focused around technical issues. However, over time, that approach transitioned to a more strategic governance model where legal and regulatory compliance, risk management, and digital forensics disciplines became the significant contributors in the domain. This focus has resulted in a proliferation of information security risk assessment models, which on the whole, have not necessarily helped to reduce risks or appropriately respond to security events. This research seeks to develop a new information security risk assessment model through the aggregation of existing models.
Keywords: information security, risk assessment, risk management (ID#: 15-6950)
URL: http://doi.acm.org/10.1145/2751957.2755506
Christian Sillaber, Ruth Breu; “Using Stakeholder Knowledge for Data Quality Assessment in IS Security Risk Management Processes,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 153–159. doi:10.1145/2751957.2751960
Abstract: The availability of high quality documentation of the IS, as well as knowledgeable stakeholders, is an important prerequisite for successful IS security risk management processes. However, little is known about the relationship between stakeholders, their knowledge about the IS, security documentation and how quality aspects influence the security and risk properties of the IS under investigation. We developed a structured data quality assessment process to identify quality issues in the security documentation of an information system. For this, organizational stakeholders were interviewed about the IS under investigation and models were created from their description in the context of an ongoing security risk management process. Then, the research model was evaluated in a case study. We found that contradictions between the models created from stakeholder interviews and those created from documentation were a good indicator for potential security risks. The findings indicate that the proposed data quality assessment process provides valuable inputs for the ongoing security and risk management process. While current research considers users as the most important resource in security and risk management processes, little is known about the hidden value of various entities of documentation available at the organizational level. This study highlights the importance of utilizing existing IS security documentation in the security and risk management process and provides risk managers with a toolset for the prioritization of security documentation driven improvement activities.
Keywords: data quality of information system, information system security documentation quality, information systems security risk management (ID#: 15-6951)
URL: http://doi.acm.org/10.1145/2751957.2751960
Jordan Shropshire, Art Gowan; “Characterizing the Traits of Top-Performing Security Personnel,” in SIGMIS-CPR ’15 Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research, June 2015, Pages 55–59. doi:10.1145/2751957.2751971
Abstract: Organizational information security is a talent-centric proposition. Information assurance is a product of the combined expertise, attention-to-detail, and creativity of an information security team. A competitive edge can be obtained by hiring the top information security professionals. Therefore, identifying the right people is a mission-critical task. To assist in the candidate selection process, this research analyzes the enduring traits of top security performers. Specifically, it evaluates the Big Five Model of personality and the Six Workplace Values. In a laboratory study, 62 undergraduates majoring in information assurance completed a series of simulations which assessed their ability to solve various information security problems. The characteristics of top information security performers were contrasted against the rest of the cohort. In terms of personality, the top performers have high levels of conscientiousness and openness. With respect to workplace values, the top performers have a stronger preference for theoretical endeavors such as the pursuit of truth.
Keywords: employee attitudes, performance, personality, security (ID#: 15-6952)
URL: http://doi.acm.org/10.1145/2751957.2751971
Diana Burley, Indira R. Guzman, Daniel P. Manson, Leigh Ellen Potter; “Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research,” Newport Beach, CA, June 4–6, 2015. ACM, New York, NY. 2015. ISBN: 978-1-4503-3557-7
Abstract: It is our great pleasure to welcome you to the 2015 ACM SIGMIS Computers and People Research Conference -- CPR ’15. CPR has long been the premier forum for the presentation of research and experiential reports on themes related to developing and managing the information technology (IT) workforce. This year's conference extends that tradition with the theme: Cyber Security Workforce in the Global Context. CPR provides both researchers and practitioners with a unique opportunity to share their perspectives with others interested in the various aspects of building the IT workforce globally. The call for papers attracted forty-seven submissions from global researchers. Submissions from Australia, Austria, Canada, France, Germany, India, Iran (Islamic Republic of), New Zealand, Pakistan, Singapore, United Arab Emirates, and the United States covered a variety of topics including gaming and competitions related to information security, digital inequality, cyber security skills, teamwork, surveillance, and security judgment. The program includes five panels on cybersecurity workforce development, an industry panel, one focus group and a poster session. The doctoral consortium welcomes six Ph.D. students and we thank the generosity of the doctoral consortium mentors who will work to advance their research. In addition to the paper sessions, we also encourage participants to attend our keynote speech and invited presentations. These valuable and insightful talks can and will guide us to a better understanding of the future. We are pleased to highlight our keynote address: “Key Traits of Successful Cyber Security Practitioners,” Mark G. Graff of Tellagraff, LLC (most recently the CISO of NASDAQ and the 2014 Internet Security Executive of the Year for the Northeast United States). (ID#: 15-6953)
URL: http://dl.acm.org/citation.cfm?id=2751957
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.