HICSS-43 Homepage


 


Track: Internet and Digital Economy
Minitrack: Emerging Risks and Systemic Concerns in Information Security Research and Applications
 

Insider threats to information security represent the first thread for the mini-track. These threats include the malicious actions of “individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm”. Discounting these threats has been identified as one of the top mistakes made by security-conscious organizations. According to a recent report by the United States Secret Service and the Computer Emergency Response Team / Software Engineering Institute, “insiders pose a substantial threat by virtue of their knowledge of and access to their employers’ systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means.” These attacks include assaults on computer systems themselves as well as fraud or other actions taken through the use of computers. This is a problem domain where technological measures are only part of the solution. Here, a potential attacker has already breached the barrier and gained access to the organization’s systems. They may have intimate knowledge of the protections in place, and may choose to exploit this knowledge if not dissuaded. Research on detection of these types of attacks would certainly be useful to disseminate.

Emergent risks in operations present a second thread for the mini-track. Here we are interested in cultivating research on heretofore-underestimated risks from the introduction of technology and technology-based infrastructure. This would include risks in e-commerce operations as well as control and decision systems, and the hidden aspects of new and treacherous opportunities for exploitation.

A third thread revolves around compliance and prevention. It has been observed that firms may know about gaps in their information security but resist technical prevention measures for fear of introducing additional vulnerabilities. The 2004 Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey indicates that 91% of firms react to incidents by applying patches after an incident occurs; the losses that might be avoided by preventative maintenance remain a topic for research. In addition, understanding the motivations for delaying compliance and the effects of these choices on the organization is a fertile area for thought.

Information sharing represents a fourth possible area for this mini-track. While the benefit of shared experience to combat these threats may seem obvious, there is great reluctance for firms to participate in candid discussions of risks and failures. Some have attributed this lack of candor to concerns about public disclosure and loss of confidence. This is an area where public regulation or private, confidential information pooling of risks and disclosure might be an interesting option. Creating channels and techniques to assist in confidential information use would be another topical concern, as would be the parallels between security and safety reporting.

Modeling and theory building of security topics represents yet another interesting area. The co-chairs have been active in this particular area for several years, working on different approaches to developing and explicating policy options through systems- and agent-based modeling of the cyber-security environment. This work is being combined with organizational learning, teaching and training research to develop a set of useful tools for practitioner and researcher investigations.


Minitrack Co-Chairs:
 

Eliot H. Rich (Primary Contact)
Department of Information Technology Management
University of Albany
1400 Washington Avenue, BA 310
Albany, NY 12222
Email: e.rich@albany.edu
Phone: 518-442-4944
Fax: 518-442-2568

Guido Schryen
International Computer Science Institute
1947 Center Street, Suite 600
Berkeley, CA 94704
Phone: 510-666-2972
Fax: 510-666-2956
E-mail: schryen@gmx.net
Web: www.icsi.berkeley.edu/~schryen

Jose J. Gonzalez
University of Agder
Faculty of Engineering and Science
Security and Quality in Organizations
Service box 509
NO-4898 Grimstad
Norway
Email: jose.j.gonzalez@uia.no
Phone: +47-372-53240
Fax: +47-37253001