Introducing serendipity in a social network model of knowledge diffusion
In this paper, we study serendipity as a possible strategy to control the behavior of an agent-based network model of knowledge diffusion. The idea of considering serendipity in a strategic way was first explored in Network Learning and Information Seeking studies. After presenting the major contributions of serendipity studies to digital environments, we discuss the extension to our model: agents are enriched with random topics for establishing new communication according to different strategies. The results show how important network properties can be influenced, such as reducing the prevalence of hubs in the network's core and increasing local communication in the periphery, similar to the effects of more traditional self-organization methods. Therefore, from this initial study, when serendipity is opportunistically directed, it appears to be an effective and applicable approach to social network control.
Cloud security risk management
Cloud Security Risk Management is a frequently discussed and analyzed topic that, in recent years, has captured the interest of many scholars and professionals. It brings together under a single category several remarkable elements: the technical and economic relevance of cloud systems, whose diffusion has been one of the most notable phenomena of the last decade; the growing concerns about information security, including privacy; and the increasing relevance of risk analysis and management applied to information technology and systems as processes that encompass technical aspects as well as compliance, governance and business.
However, Cloud Security Risk Management as a research field and a set of methodologies, analyses and techniques is still far from being a mature discipline. On the contrary, it is riddled with uncertainty derived from the still early stage of security risk analysis, especially as applied to cloud systems, and from the relatively limited experience in managing cloud risks.
For these reasons there is still an ongoing debate about which risks should be considered cloud-specific and new, which established risk-mitigating solutions and standards could be applied to the cloud environment, and so forth.
In this chapter, we conduct a survey on the fundamental aspects of Cloud Security Risk Management, starting from the definition of risk and moving on to analyze cloud-specific risks. With respect to risk management, we emphasize the contractual nature of cloud computing, thus focusing specifically on Service Level Agreements (SLAs), an issue that has been the subject of several relevant analyses and proposals in recent years.
Understanding and influencing attackers’ decisions: implications for security investment strategies
We model the economic behavior of attackers when they are able to obtain complete information about the security characteristics of targets and when such information is unavailable. We find that when attackers are able to distinguish targets by their security characteristics and switch between multiple alternative targets, the effect of a given security measure is stronger. That is due to the fact that attackers rationally put more effort into attacking systems with low security levels. Ignoring that effect would result in underinvestment in security or misallocation of security resources. We also find that systems with better levels of protection have stronger incentives to reveal their security characteristics to attackers than poorly protected systems. These results have important implications for security practices and policy issues.
Risks and benefits of signaling information system characteristics to strategic attackers
The paper uses a game-theoretic setting to examine the interaction between strategic attackers who try to gain unauthorized access to information systems, or “targets,” and defenders of those targets. Our analysis of the attacker–defender interaction shows that well-protected targets can use signals of their superior level of protection as a deterrence tool. This is due to the fact that, all other things being equal, rational attackers motivated by potential financial gains tend to direct their effort toward less-protected targets. We analyze several scenarios differing in the scope of publicly available information about target parameters and discuss conditions under which a greater ability of defenders to signal their security characteristics may improve their welfare. Our results may assist security researchers in devising better defense strategies through the use of deterrence and provide new insight into the efficacy of specific security practices in complex information security environments.
Evaluating information security investments from the attackers' perspective: the return-on-attack (ROA)
Conducting a cost-benefit analysis of security solutions has always been hard, because the benefits are difficult to assess and often only a part of the overall cost is clear. Despite this, today the provision of economic evaluations of security technology investments is a requirement that more and more customers ask vendors to satisfy. In this paper, we consider the typical calculation of a Return-On-Investment (ROI) index based on the evaluation of the Annual Loss Expectancy (ALE), such as the one usually provided by vendors of IT security.
Our motivating assumption is that such a classical index, the ROI, provides only a partial characterization of investments in information security technology, because it fails to explicitly consider attackers' behavior. We suggest that, to better evaluate security technology investments, the ROI index should be coupled with a corresponding index aimed at measuring the convenience of attacks, the Return-On-Attack (ROA). Different conclusions can be reached by combining the two indexes and considering either the combination of different technologies or the possible degradation of a security solution's efficiency over time, as shown by means of some case studies and examples.
Online Privacy
Privacy has often made the headlines in the media in the last few years, due to the revelation of appalling invasions of what many citizens perceive as the private space of their own communications, behavior and lifestyle. Privacy is especially in the spotlight when the online dimension is concerned, with the almost endless stream of personal information that travels on the Internet. However, the apparent importance that online privacy has gained in the public discourse should not be taken as a demonstration that privacy problems are going to be solved any time soon. Furthermore, it cannot even be taken as proof of maturity in the comprehension of the problems. In fact, many privacy problems are becoming more intractable now, in the modern online ecosystem, than decades ago, when privacy emerged as a problem of industrialized societies. Online privacy is enmeshed with the dynamics of technology innovation and with the shape of today's IT market; it is also entangled with the often fragile economics of the online advertising sector. At present, privacy depends on consumers' bounded rationality and, to put it simply, on the fact that, for an individual, managing her own online privacy specifically and in a timely manner without giving up the benefits of the online ecosystem would simply be overwhelming in the current setting. In this chapter, we discuss some particularly critical factors contributing to the problem of managing today's online privacy, followed by an introduction to some technical issues. In particular, we present in more detail the case of the data broker industry, rather than the much more publicized cases of governmental surveillance and Internet-based data-centric corporations, because of its relatively lower media exposure combined with an indisputable relevance for citizens' privacy.
The problem of informed consent and the so-called privacy control paradox is also discussed, given its centrality in almost all privacy policies and its still underrated weakness. This leads us to show the complex and multidimensional nature of online privacy and its implications for policy making. In the section on privacy and technologies, we address the problem of online privacy both at the application level, by describing the current techniques used to collect a user's browsing history, and at the communication level, by discussing the methods available to defend against traffic analysis. Then, we highlight the security and privacy issues of mobile health applications.
Disaster recovery planning
Historically, enterprises that have survived natural or man-made disasters have had recovery plans in place and were ready to face the risk of business interruptions. Today, the increased dependency on technology and tighter requirements in terms of recovery speed imposed on e-Business and Web-based services have made recovery plans more complex. Disaster recovery planning, which plans for failures of components of the IT infrastructure, system or network outages, misconfigurations, and natural disasters, should be treated as a necessity by conscientious system administrators, managers, and CEOs. In this chapter we discuss disaster recovery planning, illustrating the main phases of the planning process and the techniques that can be used to provide for recovery.
Business continuity planning
Historically, enterprises that have survived natural or man-made disasters have had recovery plans in place and were ready to face the risk of business interruptions. This has been the traditional field of Disaster Recovery. Today, the increased dependence on technology and tighter requirements in terms of recovery speed have made recovery plans more complex and business processes more involved in the process of recovery from a failure. Business Continuity Planning, which manages failures of components of the business infrastructure, system or network outages, misconfigurations, and natural disasters, should be treated as a necessity by conscientious system administrators, managers, and CEOs. In this chapter we discuss Business Continuity Management and Planning, illustrating the main phases of the planning process and the techniques that can be used to provide for recovery.
Contingency planning management
Historically, enterprises that have survived natural or man-made disasters have had recovery plans in place and were ready to face the risk of business interruptions. Today, the increased dependence on technology and tighter requirements in terms of recovery speed imposed on e-business and Web-based services have made recovery plans more complex. Disaster recovery planning, which plans for failures of components of the IT infrastructure, system or network outages, misconfigurations, and natural disasters, should be treated as a necessity by conscientious system administrators, managers, and CEOs. In this chapter we discuss disaster recovery planning, illustrating the main phases of the planning process and the techniques that can be used to provide for recovery.