Toward web-based information security knowledge sharing

https://doi.org/10.1016/j.istr.2013.03.004

Abstract

Today IT security professionals are working hard to maintain a high security standard for their information systems. In doing so, they often face similar problems, for which they have to create appropriate solutions. An exchange of knowledge between experts would be desirable to prevent independent persons from developing the same solutions again and again. Such an exchange could also lead to solutions of higher quality, as existing approaches could be advanced instead of always reinventing the security wheel.

This paper examines how information security knowledge can be shared between different organizations on the basis of a web portal utilizing Web-Protégé. It can be shown that through the use of ontologies the domain of information security can be modeled and stored in a human- and a machine-readable format, enabling both human editing and automation (e.g. for risk calculations). The evaluation of the web portal has shown that the most important challenge a tool for knowledge sharing has to face is the aspect of motivating users to participate in a knowledge exchange.

Results from the evaluation have been used to further develop and enhance the web portal by implementing additional facilitating features. These features include a credit system, which rewards users for contributions, as well as the ability to select multiple entities, improving the system's usability.

Introduction

Nowadays many organizations and companies rely heavily on information systems and have to ensure that they work properly at any given time. Additionally, Information and Communication Technologies (ICTs) have become an important part of everyday life. In some areas, ICT systems and services are an essential part of the economy and society, for example as part of critical information infrastructures where “their disruption or destruction would have a serious impact on vital societal functions” (European Network and Information Security Agency, 2009).

In a study (McAfee Inc, 2009) conducted in 2008 it was found that information security breaches caused companies worldwide to lose more than $1 trillion (708 billion) within one year. Often, security breaches were performed by insiders, especially by former employees. Cyber criminals are also increasing their efforts to steal sensitive data and information.

The study found that criminals will increase their efforts to create sophisticated schemes which take advantage of employees, new technologies and software vulnerabilities. Criminals will also assemble detailed profiles of executives and other high-level targets in order to utilize more effective spear phishing attacks.

When security breaches can have such dire consequences, both in financial and societal terms, securing the systems is of utmost importance. This applies both for the containment of everyday risks such as failures of individual components and also for preventing malicious attacks from outside against the systems.

To be able to approach such challenges in a professional manner, experts have to collect knowledge on information security and potential risks, and create their own solutions to reduce them. Information security is usually defined as the protection and preservation of confidentiality, integrity and availability of information, though other properties such as authenticity, reliability etc. are also of concern (Glaser and Pallas, 2007).

Many of these situations occur on a regular basis. For this reason it would be advantageous to allow knowledge sharing between experts, so that the same solutions aren't created over and over again by different individuals. Such a sharing of knowledge could save valuable resources which could be used in more productive ways. Moreover, sharing could lead to solutions of higher quality, because existing solutions are enhanced instead of similar solutions being developed all the time. Until now, organizations have partly compared solutions with other organizations, but there is no unifying system with a widespread basis which could support knowledge sharing in a formal and structured way. This paper will present a web portal based on Web-Protégé, aiming to offer a tool for structured sharing of information security knowledge.

The research question this paper tries to answer is how a web portal can be used to foster sharing of information security knowledge among organizations. The working hypothesis is that a tool can provide a central platform for participating organizations over which a sharing of knowledge can take place. This allows more efficient and more structured cooperation than would be possible through classic channels like phone calls or e-mails. In the following sections we will discuss the functionality and the evaluation of a web portal based on Web-Protégé that aims to offer such a centralized platform.

Section snippets

Related research

The European Network and Information Security Agency (ENISA) has undertaken efforts to build the European Information Sharing and Alerting System (EISAS) (European Network and Information Security Agency, 2009), a pan-European network for information sharing. It was followed by different projects, for example the Framework for Information Sharing and Alerting (FISHA) (Kijewski, 2011). The main goal of these European projects is to raise the information level and the awareness of IT security

Collaborative web portal solution

The presented web portal is aiming to create a unified and machine-readable platform for information security knowledge sharing, enabling collaboration between users, helping them to understand and extend the underlying security ontology together. The knowledge captured in the ontology is dynamic in nature and should model current threats and vulnerabilities as well as up-to-date control mechanisms.

This approach is not restricted to a certain organization but tries to elevate the collaboration

Methodology

For the purpose of evaluating the implemented functionality of the security ontology web portal, an evaluation process consisting of multiple phases was conducted. The goal of this process was on the one hand to review the usability of the web portal functions and on the other hand to assess if the tool can support information security knowledge sharing among information security experts.

For the evaluation we selected three experts with at least five years of information security expertise who

Conclusion

It was found that there are a number of incentives and barriers that encourage organizations to participate in information sharing or hinder them from doing so. The most important incentives were of an economic nature. Organizations want to benefit economically from sharing their knowledge with possible competitors. As was shown in a study by ENISA in 2010 (European Network and Information Security Agency, 2010) economic incentives are coming from cost savings, which can result from enhanced reaction times to

Outlook

The web portal presented in this paper has the potential to support information security experts in their everyday work. The evaluation has shown that the interface is easy to handle, though some refinements still have to be implemented. Still, there are conceptual challenges that have to be addressed in future work. During the evaluation it was also shown that certain aspects of the ontology are difficult to model and offer too much ambiguity. For example the comprehensibility of the

Acknowledgments

The research was funded by COMET K1, FFG – Austrian Research Promotion Agency.

References (13)

  • A. Cabrera et al. (2002)
  • European Network and Information Security Agency. Good practice guide network security information exchanges (June 2009)
  • European Network and Information Security Agency. Incentives and challenges for information sharing in the context of network and information security (September 2010)
  • D. Feledi et al. Challenges of web-based information security knowledge sharing
  • S. Fenz et al. Formalizing information security knowledge (2009)
  • S. Fenz et al. A community knowledge base for IT security. IT Professional (2011)
There are more references available in the full text version of this article.

Cited by (30)

  • Knowledge absorption for cyber-security: The role of human beliefs

    2020, Computers in Human Behavior
    Citation Excerpt :

    Knowledge absorption is an organizational capability to transfer, integrate, and utilize new knowledge obtained from external sources (Cohen & Levinthal, 1989; Grant, 1996a, 1996b; Park, 2011; Tsai, 2001). Prior research suggests that if the organization succeeds at this knowledge absorption, the investment cost for any given level of information security is reduced (Gal-Or & Ghose, 2005), as are inefficient duplications of effort (Feledi, Fenz, & Lechner, 2013). Furthermore, the effectiveness of security solutions improves (Parsons et al., 2014; Safa & Von Solms, 2016).

  • Cyber threat intelligence sharing: Survey and research directions

    2019, Computers and Security
    Citation Excerpt :

    There are many ways to build up a reputation to earn credibility amongst other stakeholders. To increase the credibility, stakeholders have to continuously share CTI, correlate various sources, and respond to questions by the community pertaining to the shared intelligence (Feledi et al., 2013). On the contrary, once a bad reputation has been entrenched it is challenging to reverse the effect.

  • Human aspects of information security in organisations

    2016, Computer Fraud and Security
    Citation Excerpt :

    Information security experts face similar problems in this domain and they could also gain a lot by sharing knowledge. Preventing the development of multiple solutions to similar problems by way of sharing knowledge leads to the avoidance of wasting time and extra costs. This time and funding could be better spent by improving the quality of solutions, instead of reinventing the security wheel.

  • Information security policy compliance model in organizations

    2016, Computers and Security
    Citation Excerpt :

    This collaboration is imperative in terms of documentation, and providing a timeline for activities and a set of evidence for incident handling. Collaboration can be in the shape of submitting, improving, commenting on and peer-reviewing the submitted knowledge (Feledi et al., 2013). Identifying features, in order to assess information security threats, is one of the benefits of collaboration (Mace et al., 2010).
