Reducing normative conflicts in information security

Pieters, Wolter; Coles-Kemp, Lizzie

doi:10.1145/2073276.2073279

Cited by 10 publications

(8 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This will include implementation of intrusion detection techniques that build on our results in [31,32]. We are also interested in exploring the role of social and behavioral norms in human-computer interaction, however, we would agree with [33] that using qualitative research methods to discover norms in social behavior is an onerous undertaking, therefore requires resource allocation for something that may appear intangible and difficult to justify in the short-term.…”

Section: Resultsmentioning

confidence: 96%

“…This also reflects an often overlooked part of security which is that users are part of the system, exercising their own judgment and following informal and unexpected processes [44]. Note that social norms can also underpin behavior that is at odds with security policies [33]. Of course, a challenge with social norms is that they can be difficult to recognize and understand.…”

Section: Norms and Social Ordermentioning

confidence: 99%

“…As noted above, the function of the norm is that we understand the world. Thus, using the norm as a guide reduces uncertainty, and enhances confidence that a choice made is the correct course of action [33]. Applying this to the context of making decisions about choosing a system password, drawing attention to a norm within a group can be a useful tool [45].…”

Section: Social Normsmentioning

confidence: 99%

See 2 more Smart Citations

I'm OK, You're OK, the System's OK

Pieczul

Foley

Rooney

2014

Proceedings of the 2014 New Security Paradigms Workshop

View full text Add to dashboard Cite

The normative security paradigm seeks to view a system as a society in which security is achieved by a combination of legislative provisions and normative behaviors. Drawing solely on legislative provisions is insufficient to achieve a just and orderly society. Similarly, security paradigms that focus solely on security policies and controls are insufficient. We argue that systems have analogous normative behaviorsbehavioral norms-that are learnt from system logs. Using this analogy we explore how current theories about social norms in society can provide insight into using normative behavior in systems to help achieve security.

show abstract

Section: Resultsmentioning

confidence: 96%

Section: Norms and Social Ordermentioning

confidence: 99%

Section: Social Normsmentioning

confidence: 99%

See 1 more Smart Citation

I'm OK, You're OK, the System's OK

Pieczul

Foley

Rooney

2014

Proceedings of the 2014 New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…Normatives are fundamental for prioritizing goals, organizing and planning actions in order to define how things should be done. Considering the user's perspective, it is much more common than it may seem, but users generally try to follow social expectations rather than following security procedures [ 29 ]. This is not desirable regarding security perspectives, because such conflicts lead to security policy inconsistency.…”

Section: Tisa: Trust Information Security Architecturementioning

confidence: 99%

A Layered Trust Information Security Architecture

Albuquerque

Villalba

Orozco

et al. 2014

Sensors

View full text Add to dashboard Cite

Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA) and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how information is represented and treated nowadays in the technological environment is shown, and the reason why it is so difficult to guarantee security in all aspects of the information pathway is discussed.

show abstract

“…Understanding risk management in critical infrastructures is a multifaceted issue of both qualitative and quantitative nature (Shreeve et al 2020). Despite the rise of rule-based and probabilistic risk methodologies, for example, attack trees, attribute-based algorithms (Tatam et al, 2021), security risk is ‘incalculable’ since there are limits of what could be inferred from scientific data (Amoore, 2014: 424). Risk methodologies are ‘already political’ as they involve combinatorial possibilities whose arrangement has effects on risk scores, and associated countermeasures (Amoore, 2014: 423).…”

Section: Introductionmentioning

confidence: 99%

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

2022

View full text Add to dashboard Cite

Big data technologies are entering the world of ageing computer systems running critical infrastructures. These innovations promise to afford rapid Internet connectivity, remote operations or predictive maintenance. As legacy critical infrastructures were traditionally disconnected from the Internet, the prospect of their modernisation necessitates an inquiry into cyber security and how it intersects with traditional engineering requirements like safety, reliability or resilience. Looking at how the adoption of big data technologies in critical infrastructures shapes understandings of risk management, we focus on a specific case study from the cyber security governance: the EU Network and Information Systems Security Directive. We argue that the implementation of Network and Information Systems Security Directive is the first step in the integration of safety and security through novel risk management practices. Therefore, it is the move towards legitimising the modernisation of critical infrastructures. But we also show that security risk management practices cannot be directly transplanted from the safety realm, as cyber security is grounded in anticipation of the future adversarial behaviours rather than the history of equipment failure rates. Our analysis offers several postulates for the emerging research agenda on big data in complex engineering systems. Building on the conceptualisations of safety and security grounded in the materialist literature across Science and Technology Studies and Organisational Sociology, we call for a better understanding of the ‘making of’ technologies, standardisation processes and engineering knowledge in a quest to build safe and secure critical infrastructures.

show abstract

Reducing normative conflicts in information security

Cited by 10 publications

References 34 publications

I'm OK, You're OK, the System's OK

I'm OK, You're OK, the System's OK

A Layered Trust Information Security Architecture

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

Contact Info

Product

Resources

About