Kushal Anjaria

Quantitative analysis of information leakage in service-oriented architecture-based Web services

Purpose Any computing architecture cannot be designed with complete confidentiality. As a result, at any point, it may leak the information. So, it is important to decide leakage threshold in any computing architecture. To prevent leakage more than the predefined threshold, quantitative analysis is helpful. This paper aims to provide a method to quantify information leakage in service-oriented architecture (SOA)-based Web services. Design/methodology/approach To visualize the dynamic binding of SOA components, first, the orchestration of components is modeled. The modeling helps to information-theoretically quantify information leakage in SOA-based Web services. Then, the paper considers the non-interference policy in a global way to quantify information leakage. It considers not only variables which interfere with security sensitive content but also other architectural parameters to quantify leakage in Web services. To illustrate the attacker’s ability, a strong threat model has been proposed in the paper. Findings The paper finds that information leakage can be quantified in SOA-based Web services by considering parameters that interfere with security sensitive content and information theory. A hypothetical case study scenario of flight ticket booking Web services has been considered in the present paper in which leakage of 18.89 per cent information is calculated. Originality/value The paper shows that it is practically possible to quantify information leakage in SOA-based Web services. While modeling the SOA-based Web services, it will be of help to architects to identify parameters which may cause the leakage of secret contents.

Relation between cybernetics and information security: from Norbert Wiener’s perspectives

Purpose Nowadays, to design the information security mechanism for computing and communication systems, there are various approaches available like cryptographic approach, game-theoretic approach, quantitative–qualitative analysis-based approach, cognitive-behavioral approach, digital forensic-based approach and swarm computing-based approach. The contemporary research in these various fields is independent in nature. The purpose of this paper is to investigate the relationship between these various approaches to information security and cybernetics. Design/methodology/approach To investigate the relationship between information security mechanisms and cybernetics, Norbert Wiener’s concepts and philosophy of the cybernetics have been used in the present work. For a detailed study, concepts, techniques and philosophy of the cybernetics have been extracted from the books of Norbert Wiener titled “The human use of human beings” and “Cybernetics or control and communication in the animal and the machine”. Findings By revisiting the concepts of the cybernetics from the information security perspectives, it has been found that the aspects of information security and the aspects of cybernetics have great bonding. Originality/value The present paper demonstrates how bonding between cybernetics and information security can be used to solve some of the complex research challenges in information security area.

Relating Wiener’s cybernetics aspects and a situation awareness model implementation for information security risk management

Purpose Situation awareness theory is a primary mean to take decisions and actions in a dynamically changing environment. Nowadays, to implement situation awareness, theories and models in organizational scenarios have become an important research challenge. The purpose of this paper is to investigate the relationship between the situation awareness theory and cybernetics. Further, the aim is to use this relationship to check the feasibility of situation awareness-based information security risk management (ISRM) implementation in the organizational scenario. Design/methodology/approach To investigate the relationship between situation awareness theory and cybernetics, Endsley’s situation awareness theory and Norbert Wiener’s cybernetics concepts and philosophy have been used in the present work. For a detailed study, concepts, techniques and philosophy of the cybernetics have been extracted from the thesis of Norbert Wiener titled “The human use of human beings” and “Cybernetics or control and communication in the animal and the machine”. Findings The present paper demonstrates that relationship can be successfully established between cybernetics and situation awareness theory. Further, this relationship can be used to solve organizational implementation issues related to situation awareness based systems. To demonstrate relationship and solutions of implementation issues, two case studies related to ISRM are also incorporated in the present case study. Originality/value The present work bridges two parallel and prominent theories of situation awareness and cybernetics. It also demonstrates that combination of both the theories can be used to feasibly implement situation awareness based systems in organizations.

Information leakage minimization using a negative information flow based confidentiality policy

Recently, quantitative analysis of information flow and information leakage is widely used to decide the threshold of the leakage of information in the computing system. As a result, quantitative analysis based confidentiality policies are also used to protect the information in a computing system. In the present work, one such policy, negative information flow based confidentiality policy and its drawbacks have been discussed. To eliminate the drawbacks of negative information flow policy, a new confidentiality policy has been proposed in the present work. The proposed policy is based on the noise that can be imposed on the system in a controlled way without changing significant system behavior and reliability. The algorithm which can calculate the amount of noise that can be imposed on the computing system without affecting the system reliability is also discussed in the present work.