Jordan Shropshire

The influence of the informal social learning environment on information privacy policy compliance efficacy and intention

Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure compliance. This research project investigates the antecedents of information privacy policy compliance efficacy by individuals. Using Health Insurance Portability and Accountability Act compliance within the healthcare industry as a practical proxy for general organizational privacy policy compliance, the results of this survey of 234 healthcare professionals indicate that certain social conditions within the organizational setting (referred to as external cues and comprising situational support, verbal persuasion, and vicarious experience) contribute to an informal learning process. This process is distinct from the formal compliance training procedures and is shown to influence employee perceptions of efficacy to engage in compliance activities, which contributes to behavioural intention to comply with information privacy policies. Implications for managers and researchers are discussed.

Personality, attitudes, and intentions

Investigations of computer user behavior become especially important when behaviors like security software adoption affect organizational information resource security, but adoption antecedents remain elusive. Technology adoption studies typically predict behavioral outcomes by investigating the relationship between attitudes and intentions, though intention may not be the best predictor of actual behavior. Personality constructs have recently been found to explain even more variance in behavior, thus providing insights into user behavior. This research incorporates conscientiousness and agreeableness into a conceptual model of security software use. Attitudinal constructs perceived ease of use and perceived usefulness were linked with behavioral intent, while the relationship between intent and actual use was found to be moderated by conscientiousness and agreeableness. The results that the moderating effect of personality greatly increases the amount of variance explained in actual use. Display Omitted

Breakpoints: An analysis of potential hypervisor attack vectors

Cloud computing is rapidly transforming the delivery of information services. It offers a scalable, reliable platform to dynamically provision computing resources for geographically distributed users. Despite the benefits of low-cost computing and infrastructure on-demand, the risk of compromised clouds detracts many potential adopters. Cloud services are rendered by virtualized operating systems called virtual machines. Virtual machines reside on specialized servers called hypervisors. Hypervisors provide a conduit to the underlying hardware and resources. Because of their important role, they also represent a prime target for attack. They not only contain virtual machines, but also grant access to hardware resources. The growing number of publicized vulnerabilities indicates that attackers have set their sights on the hypervisor. This research considers vulnerabilities in the ESXi 5.0 hypervisor platform. It focuses on attacks which escalate permissions to exploit host metadata. Four potential attacks vectors are identified and analyzed. Recommendations for coping with these increasing threats are suggested.

Improving service continuity: IT disaster prevention and mitigation for data centers

Data centers provide highly-scalable and reliable computing for enterprise services such as web hosting, email, applications, and file storage. Because they integrate a range of different systems, data center administration is a complex process. Managing the risk of IT disaster is especially difficult. Layers of interrelated infrastructure multiply the effect of system malfunctions. Seemingly-small problems can turn into major disasters and take entire data centers offline. To cope with the myriad risks, this research develops a matrix of IT disaster prevention and mitigation techniques for data centers. The matrix is organized along two dimensions: attributes of data center infrastructure and elements of the IT disaster recovery process. It includes 134 specific techniques which were clustered into 49 cells within the matrix. An expert panel assessed the validity of the matrix and ranked the techniques within each cell. The result is a comprehensive tool for improving the resilience of data centers.

Hyperthreats: Hypercall-based DoS attacks

The cloud offers a new environment for achieving Denial of Service (DoS) conditions on targeted infrastructure. Once confined to the network, they are now conducted over the hypercall interface. These attacks are initiated by malicious, unprivileged guests with a goal of incapacitating hosting hypervisors. Because they are not packet-based, they cannot be detected or prevented using network security measures. The present study systematically explores this risk and develops a taxonomy of hypercall-based DoS attacks. For purpose of illustration, a denial of service is attempted against a Xen hypervisor. This scenario demonstrates that even a relatively simple attack could have significant implications for system stability. Finally, system for defending hypervisors against hypercall attacks is introduced. This mitigation observes N-grams and calculates the conditional probability of a sequence of hypercalls. The assumption is that exploits will be manifested as previously-unobserved sequences of hypercalls. The early results of testing are provided.

Analysis of Monolithic and Microkernel Architectures: Towards Secure Hypervisor Design

This research focuses on hyper visor security from holistic perspective. It centers on hyper visor architecture - the organization of the various subsystems which collectively compromise a virtualization platform. It holds that the path to a secure hyper visor begins with a big-picture focus on architecture. Unfortunately, little research has been conducted with this perspective. This study investigates the impact of monolithic and micro kernel hyper visor architectures on the size and scope of the attack surface. Six architectural features are compared: management API, monitoring interface, hyper calls, interrupts, networking, and I/O. These subsystems are core hyper visor components which could be used as attack vectors. Specific examples and three leading hyper visor platforms are referenced (ESXi for monolithic architecture; Xen and Hyper-V for micro architecture). The results describe the relative strengths and vulnerabilities of both types of architectures. It is concluded that neither design is more secure, since both incorporate security tradeoffs in core processes.

Identifying Traits and Values of Top-Performing Information Security Personnel

ABSTRACT Enterprise information security is a talent-centric proposition. Information assurance is a product of the combined expertise, attention-to-detail, and creativity of an information security team. A competitive edge can be obtained by hiring the top information security professionals. Therefore, identifying the right people is a mission-critical task. To assist in the candidate selection process, this research analyzes the enduring traits and values of top security performers. It identifies the personality traits and values which distinguish high-performing information security workers. In a laboratory study, a series of simulations were administered to 61 subjects to assess their ability to solve various information security problems. The characteristics of top information security performers were contrasted against the rest of the cohort. In terms of personality, the top performers have higher levels of conscientiousness and openness. With respect to values, the top performers have stronger theoretical and economic values.

A stitch in time saves nine: the role of moral judgement in reducing internet policy violations

Internet access has become ubiquitous in many organisations. While employees need this access to perform their duties, many studies report a large percentage of employees use their work internet access in violation of organisational policies. These activities can result in reduced efficiency, increased vulnerability to cyber-attack, and legal liability. Although firms vary according to their acceptable personal internet use policies, they tend to provide generic usage guidelines which do not provide a clear basis for decision making. We argue that the decision to use company internet resources for personal use is largely a moral decision, a fact which has been previously overlooked in research and in practice. In this study, we create and test a predictive model which is framed using moral judgement. The model is confirmed using a survey of 787 knowledge workers. Our results suggest that organisations should incorporate moral guidelines in their acceptable internet use policies.

Analysis of centralized and decentralized cloud architectures

This research analyzes cloud computing systems from a design perspective. Specifically, the research investigates the impact of distributed and centralized cloud architectures on security and performance. It begins by establishing a generic terminology for comparing cloud computing systems. Next, four architectural components of clouds are compared. The components are: compute, storage, networking, and VM registry. These subsystems are core features which collectively dictate the scope and composition of the clouds attack surface. For each subsystem, the implications of distributed and centralized architectures are observed. Specific examples and four leading cloud computing platforms are referenced. The selected cloud platforms are vCloud, OpenStack, Eucalyptus, and Cloudstack. These platforms were selected because they present variations of distributed or centralized architectures. The results describe the relative strengths and weaknesses of both types of architectures. Finally, this research concludes that neither architectural approach is more secure, since both incorporate risk tradeoffs in their core components.

A diversity defense for cloud computing systems

By nature, cloud computing systems are static, homogenous entities. They consist of multiple layers of hardware and software resources. These resources are organized into stacks which provide services to end users. Many service stacks are built from a single template. As a result, they consist of identical resources with identical configurations. This gives potential attackers the asymmetric advantage of attack surface predictability. The lack of diversity means that potential exploitations can be replicated across a multitude of identical service stacks. It makes the cloud attack surface easy to infiltrate and compromise. To counter these risks, this research develops a method for implementing diversity defenses in cloud computing systems. The goal of the diversity defense is to present attackers with a varying and unpredictable attack surface, making it harder to predict the effect of malicious behavior. The proposed defense varies the configuration of cloud service stacks and boosts cloud resilience.