Teresa Susana Mendes Pereira

An Ontology Based Approach to Information Security

The semantically structure of knowledge, based on ontology approaches have been increasingly adopted by several expertise from diverse domains. Recently ontologies have been moved from the philosophical and metaphysics disciplines to be used in the construction of models to describe a specific theory of a domain. The development and the use of ontologies promote the creation of a unique standard to represent concepts within a specific knowledge domain. In the scope of information security systems the use of an ontology to formalize and represent the concepts of security information challenge the mechanisms and techniques currently used. This paper intends to present a conceptual implementation model of an ontology defined in the security domain. The model presented contains the semantic concepts based on the information security standard ISO/IEC_JTC1, and their relationships to other concepts, defined in a subset of the information security domain.

A Security Audit Framework to Manage Information System Security

The widespread adoption of information and communication technology have promoted an increase dependency of organizations in the performance of their Information Systems. As a result, adequate security procedures to properly manage information security must be established by the organizations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework intends to assist organizations firstly to understand what they precisely need to protect assets and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a security audit framework to support the organization to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new Internet-enabled services, that the organizations are subject of. The presented framework is based on a conceptual model approach, which contains the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards.

A Security Framework for Audit and Manage Information System Security

Auditing Information Systems Security is difficult and becomes crucial to ensure the daily operational activities of organizations as well as to promote competition and to create new business opportunities. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework is based on a conceptual model approach, based on the ISO/IEC_JCT1 standards, to assist organizations to better manage their In-formation Systems Security.

An audit framework to support information system security management

The widespread adoption of information and communication technology has promoted an increase dependency of organisations from the performance of their information systems. As a result, adequate security procedures to properly manage information security must be established by the organisations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit information system security is proposed and discussed. The proposed framework intends to assist organisations firstly, to understand what assets precisely need to be protect and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a simple security auditing process to support the organisation to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new internet-enabled services. The presented framework is based on a conceptual model approach, comprising the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards.

Security metrics to evaluate organizational IT security

Organizations have moved their business activity to the Internet and mobile applications, which make them more exposed to unexpected and underestimated security risks. This fact requires organizations to implement adequate security controls as well as the respective monitoring and evaluation on a regular basis. However, these tasks require strong arguments (in monetary terms) to justify the return of investment in the security controls. In this context, it is crucial for organizations to define metrics to assess the efficiency of the implemented controls, to justify the security investments. This paper highlights some reflections regarding the definition of meaningful metrics of security controls, to deliver actionable information for decision makers for managing their organizational assets and ensure their day-to-day operations.

Global perspectives on cybersecurity education

Global cybersecurity crises have compelled universities to address the demand for educated cybersecurity professionals. As no shared framework for cybersecurity as an academic discipline exists, growthhas been unfocused and driven by training materials, which make it harder to create a common body of knowledge. An international perspective is still harder, as different nations use different criteria to define local needs. As a result, new programs entering this space are on their own to conceptualize, design, package and market their programs, as there is no globally accepted reference model for cybersecurity to allow employers or students to understand the extent of a given cybersecurity program. Building on prior efforts at ITiCSE 2010 and 2011, other sources and participant experiences, this working group will develop a taxonomy of approaches to cybersecurity education, capture its dimensions, and develop a corresponding global reference model.

Challenges and reflections in designing Cyber security curriculum

Recently it has been noticed an increased number of cyber-incidents, sometimes causing seriously impact to organizations and governments. Cyberattacks exploits a variety of technological and social vulnerabilities to achieve a malicious objective. The emergence of new and sophisticated Cyberthreats demand very skilled operators with a solid knowledge about concepts and technologies related to Cybersecurity and Cyberdefense. However, the landscape of this base knowledge is very diverse in nature, requiring agile learning methods, besides a very demanding training process limited by the intrinsic technologys complexity and broad range of application domains. Although existing Cybersecurity and Cyberdefense curricula spans a wide array of topics and training strategies, its programs content lack focus on some particular aspect, like depth of education/training and its link to professional development. This paper intends to provide some reflections regarding the curricula contents that should be considered when a graduate level curriculum in cybersecurity is designed.

Insider Threats: The Major Challenge to Security Risk Management

Security risk management is by definition, a subjective and complex exercise and it takes time to perform properly. Human resources are fundamental assets for any organization, and as any other asset, they have inherent vulnerabilities that need to be handled, i.e. managed and assessed. However, the nature that characterize the human behavior and the organizational environment where they develop their work turn these task extremely difficult, hard to accomplish and prone to errors. Assuming security as a cost, organizations are usually focused on the efficiency of the security mechanisms implemented that enable them to protect against external attacks, disregarding the insider risks, which are much more difficult to assess. All these demands an interdisciplinary approach in order to combine technical solutions with psychology approaches in order to understand the organizational staff and detect any changes in their behaviors and characteristics. This paper intends to discuss some methodological challenges to evaluate the insider threats and its impacts, and integrate them in a security risk framework, that was defined according to the security standard ISO/IEC_JTC1, to support the security risk management process.

The extension of the omnipaper system in the context of scientific publications

Today the Internet is an important information source, which facilitates the search and access to information contents on the Web. In fact, the Internet has become an important tool used daily by scholars in the development of their work. However the contents published on the Web increase daily and consequently difficult the identification of new contents published in various information sources. In this context the RSS technology introduces a new dimension in the access and distribution mechanisms of new contents published by distributed information sources. In the scope of scientific contents the use of RSS technology helps the scholars to be up to date of new scientific resources provided by several and distributed information sources. An instance of the OmniPaper RDF prototype has been developed in order to instantiate the mechanisms of distributed information retrieval investigated in the context of the news published in newspapers and use them in the context of scientific contents. In addition a central metadatabase was developed through the RSS approach, in order to enable the scientific content syndication. This paper intends to describe the steps involved in the development of the instantiation system of the OmniPaper RDF prototype. 1 Teresa Susana Mendes Pereira Polytechnic Institute of Viana do Castelo, Superior School of Business Studies, Valenca, Portugal, e-mail: tpereira@esce.ipvc.pt 2 Ana Alice Baptista University of Minho, School of Engineering, Information System Department, Guimaraes, Portugal, e-mail: analice@dsi.uminho.pt 2 Teresa Susana Mendes Pereira and Ana Alice Baptista