Handbook of Research on Information Security and Assurance

Jatinder N.D Gupta, The University of Alabama in Huntsville, USA
Sushil K Sharma, Ball State University, USA

Information Science Reference
Hershey • New York

Director of Editorial Content: Kristin Klinger
Managing Development Editor: Kristin M Roth
Assistant Development Editor: Deborah Yahnke
Editorial Assistant: Heather A Probst
Senior Managing Editor: Jennifer Neidig
Managing Editor: Jamie Snavely
Assistant Managing Editor: Carole Coulson
Copy Editors: Laura Kochanowski, Jennifer Young
Typesetter: Carole Coulson
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.

Published in the United States of America by
Information Science Reference (an imprint of IGI Global)
701 E. Chocolate Avenue, Suite 200
Hershey PA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail: cust@igi-global.com
Web site: http://www.igi-global.com

and in the United Kingdom by
Information Science Reference (an imprint of IGI Global)
Henrietta Street
Covent Garden
London WC2E 8LU
Tel: 44 20 7240 0856
Fax: 44 20 7379 0609
Web site: http://www.eurospanbookstore.com

Copyright © 2009 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.

Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data

Handbook of research on information security and assurance / Jatinder N.D Gupta and Sushil K Sharma, editors.
p. cm.
Summary: "This book offers comprehensive explanations of topics in computer system security in order to combat the growing risk associated with technology" -- Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-855-0 (hardcover) -- ISBN 978-1-59904-856-7 (ebook)
Computer networks -- Security measures -- Handbooks, manuals, etc. Electronic information resources -- Access control -- Handbooks, manuals, etc. Computer crimes -- Prevention -- Handbooks, manuals, etc. I. Gupta, Jatinder N D. II. Sharma, Sushil K.
TK5105.59.H353 2008
005.8 -- dc22
2008008472

British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book set is original material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

If a library purchased a print copy of this publication, please go to http://www.igi-global.com/agreement for information on activating the library's complimentary electronic access to this publication.

Editorial Advisory Board

Elisa Bertino, Purdue University, USA
Herbert J Mattord, CISSP, Kennesaw State University, USA
Queen Booker, Minnesota State University, Mankato, USA
P.K Mahanti, University of New Brunswick, Canada
Mei Cao, Arkansas State University, USA
Joon S Park, Syracuse University, USA
Amita Goyal Chin, Virginia Commonwealth University, USA
Mike Raisinghani, Texas Woman’s University, USA
Gurpreet Dhillon, Virginia Commonwealth University, USA
M K Raja, The University of Texas at Arlington, USA
Sanjay Goel, State University of New York at Albany, USA
Rajeev Raje, Indiana University – Purdue University, Indianapolis, USA
Ajay K Gupta, Gsecurity, USA
Sushil Jajodia, George Mason University, USA
Stephan Jones, Ball State University, USA
Shivraj Kanungo, The George Washington University, USA
Pradeep Khosla, Carnegie Mellon University, USA
Ronald Kovac, Ball State University, USA
Vipin Kumar, University of Minnesota, USA
Eldon Y Li, National Chengchi University, Taiwan
Dengpan Liu, The University of Alabama in Huntsville, USA
Rathindra Sarathy, Oklahoma State University, USA
Mohini Singh, RMIT University, Australia
Jim Tiller, Managing Editor, (ISC)2 Journal, USA
Vijay Varadharajan
Mark Weiser, Oklahoma State University, USA
Michael Whitman, Kennesaw State University, USA
Branden Williams, Principal Consultant, VeriSign, Global Security Consulting, USA
John Zeleznikow, Victoria University, Australia

List of Contributors

Aickelin, Uwe / University of Nottingham, UK (p. 109)
Aissioui, Abdelkader / LRIA – USTHB, Algeria (p. 152)
Ajoku, Pamela / University of Pittsburgh, USA (p. 18)
Al-Hamdani, Wasim A / Kentucky State University, USA (p. 122)
An, Gaeil / Electronics and Telecommunications Research Institute, Korea (p. 29)
Bellettini, Carlo / Università degli Studi di Milano, Italy (p. 139)
Benhamou, Belaïd / Technopôle de Château-Gombert, France (p. 152)
Botelho, Christopher M / Baylor Health, USA (p. 423)
Boughaci, Dalila / LRIA – USTHB, Algeria (p. 152)
Burt, Carol C / 2AB Inc., Helena, AL, USA (p. 254)
Cazier, Joseph A / Appalachian State University, USA (p. 423)
Chin, Amita Goyal / Virginia Commonwealth University, USA (p. 292)
Clark, Tom / Brocade Communications, USA (p. 433)
Coffey, Tom / University of Limerick, Ireland (p. 165)
Conger, Sue / University of Dallas, USA (p. 279)
Conklin, Wm Arthur / University of Houston, USA (p. 415)
Crespi, Alex / Indiana University-Purdue University Indianapolis, USA (p. 254)
D’Arcy, John / University of Notre Dame, USA (p. 55)
Dojen, Reiner / University of Limerick, Ireland (p. 165)
Drias, Habiba / LRIA – USTHB, Algeria (p. 152)
Durresi, Arjan / Indiana University-Purdue University Indianapolis, USA (p. 372)
Ege, Raimund K / Northern Illinois University, USA (p. 218)
Fernández-Medina, Eduardo / Universidad de Castilla-La Mancha, Spain (p. 495)
Friedman, William H / University of Central Arkansas, USA (p. 301)
Ghafoor, Arif / Purdue University, USA (p. 331)
Ghormley, Yvette / Saint Leo University, USA (p. 308)
Graham, Erik / General Dynamics C4 Systems, USA (p. 393)
Green, David T / Governors State University, USA (p. 458)
Gupta, Ajay / Gsecurity, Inc., USA (p. 382)
Gupta, Jatinder N D / The University of Alabama at Huntsville, USA
Gupta, Manish / State University of New York, Buffalo, USA (pp. 266, 447)
Habib, Ahsan / Siemens TTB Center, Berkeley, USA (p. 179)
Harrison, Britta / Louisiana State University, USA (p. 68)
Hovav, Anat / Korea University, Korea (p. 55)
Johnson, Kapp L / California Lutheran University, USA (p. 347)
Khazanchi, Deepak / University of Nebraska at Omaha, USA (p. 230)
Lando, Jillian K / Syracuse University, USA
Landry, Bret J L / University of Dallas, USA (p. 279)
Lee, JinKyu / Oklahoma State University, USA (p. 266)
Liao, Lijun / Horst-Görtz Institute for IT Security, Germany (p. 202)
Liao, Qinyu / The University of Texas at Brownsville, USA
Liu, Peng / The Pennsylvania State University, USA (p. 504)
Luo, Lin / Florida International University, USA (p. 218)
Luo, Xin / The University of New Mexico, USA
Luse, Andy / Iowa State University, USA (p. 98)
Manulis, Mark / Horst-Görtz Institute for IT Security, Germany (p. 202)
Martin, Andrew P / University of Nebraska at Omaha, USA (p. 230)
Masood, Ammar / Purdue University, USA (p. 331)
Mathur, Aditya / Purdue University, USA (p. 331)
Mishra, Sushma / Virginia Commonwealth University, USA (p. 292)
Ng, Roy / Ryerson University, Canada (p. 42)
Olson, Andrew M / Indiana University-Purdue University Indianapolis, USA (pp. 254, 360)
Oubeka, Brahim / LRIA – USTHB, Algeria (p. 152)
Park, Joon S / Syracuse University, USA (pp. 7, 29)
Piattini, Mario / Universidad de Castilla-La Mancha, Spain (p. 495)
Ponnam, Aditya / Louisiana State University, USA (p. 68)
Pradhan, M / Indiana University-Purdue University Indianapolis, USA (p. 529)
Proctor, Robert W / Purdue University, USA (p. 402)
Raje, Rajeev R / Indiana University-Purdue University Indianapolis, USA (p. 254)
Rao, H.R / State University of New York, Buffalo, USA (p. 266)
Rea, Alan / Western Michigan University, USA (p. 193)
Rrushi, Julian L / Università degli Studi di Milano, Italy (p. 139)
Rutherfoord, Rebecca H / Southern Polytechnic State University, USA (p. 483)
Samuel, Arjmand / Purdue University, USA (p. 331)
Santos, Javier / TECNUN University of Navarra, Spain (p. 467)
Sarriegi, Jose M / TECNUN University of Navarra, Spain (p. 467)
Scheibe, Kevin / Iowa State University, USA (p. 98)
Schultz, E Eugene / High Tower Technologies, USA (p. 402)
Schwenk, Jörg / Horst-Görtz Institute for IT Security, Germany (p. 202)
Shaikh, Siraj Ahmed / United Nations University (UNU), Macau, SAR China (p. 240)
Sharma, Sushil K / Ball State University, USA (p. 341)
Sharman, Raj / State University of New York, Buffalo, USA (p. 447)
Steinbart, Paul John / Arizona State University, USA (p. 339)
Stevens, Dwayne / Community Trust Bank, USA (p. 458)
Taylor, Art / Rider University, USA (p. 518)
Tilak, Omkar J / Indiana University-Purdue University Indianapolis, USA (p. 254)
Torres, Jose M / TECNUN University of Navarra, Spain (p. 467)
Townsend, Anthony / Iowa State University, USA (p. 98)
Trujillo, Juan / Universidad de Alicante, Spain (p. 495)
Tupakula, Udaya Kiran / Macquarie University, Australia (p. 85)
Twycross, Jamie / University of Nottingham, UK (p. 109)
Varadharajan, Vijay / Macquarie University, Australia (p. 85)
Villarroel, Rodolfo / Universidad Católica del Maule, Chile (p. 495)
Vu, Kim-Phuong L / California State University, USA (p. 402)
Wang, Hai / The Pennsylvania State University, USA (p. 504)
Watson, Ed / Louisiana State University, USA (p. 68)
Weippl, Edgar / Vienna University of Technology and Science, Austria & Secure Business, Austria (p. 441)
White, Doug / Roger Williams University, USA (p. 193)
Witman, Paul D / California Lutheran University, USA (p. 347)
Xia, Y / Indiana University-Purdue University Indianapolis, USA (p. 529)
Yang, Li / University of Tennessee at Chattanooga, USA (p. 218)

Table of Contents

Preface (p. xxiv)
Acknowledgment (p. xxviii)

Section I: Enterprise Security

Chapter I: Ransomware: A New Cyber Hijacking Threat to Enterprise
  Xin Luo, The University of New Mexico, USA
  Qinyu Liao, The University of Texas at Brownsville, USA

Chapter II: E-Commerce: The Benefits, Security Risks, and Countermeasures
  Joon S Park, Syracuse University, USA
  Jillian K Lando, Syracuse University, USA

Chapter III: Information Warfare: Survival of the Fittest (p. 18)
  Pamela Ajoku, University of Pittsburgh, USA

Chapter IV: Evolution of Enterprise Security Federation (p. 29)
  Gaeil An, Electronics and Telecommunications Research Institute, Korea
  Joon S Park, Syracuse University, USA

Chapter V: A Holistic Approach to Information Security Assurance and Risk Management in an Enterprise (p. 42)
  Roy Ng, Ryerson University, Canada

Chapter VI: An Integrative Framework for the Study of Information Security Management Research (p. 55)
  John D’Arcy, University of Notre Dame, USA
  Anat Hovav, Korea University, Korea

Chapter VII: Information Systems Risk Management: An Audit and Control Approach (p. 68)
  Aditya Ponnam, Louisiana State University, USA
  Britta Harrison, Louisiana State University, USA
  Ed Watson, Louisiana State University, USA

Section II: Security Approaches, Frameworks, Tools, and Technologies

Chapter VIII: Distributed Denial of Service Attacks in Networks (p. 85)
  Udaya Kiran Tupakula, Macquarie University, Australia
  Vijay Varadharajan, Macquarie University, Australia

Chapter IX: Firewalls as Continuing Solutions for Network Security (p. 98)
  Andy Luse, Iowa State University, USA
  Anthony Townsend, Iowa State University, USA
  Kevin Scheibe, Iowa State University, USA

Chapter X: An Immune-Inspired Approach to Anomaly Detection (p. 109)
  Jamie Twycross, University of Nottingham, UK
  Uwe Aickelin, University of Nottingham, UK

Chapter XI: Cryptography for Information Security (p. 122)
  Wasim A Al-Hamdani, Kentucky State University, USA

Chapter XII: Memory Corruption Attacks, Defenses, and Evasions (p. 139)
  Carlo Bellettini, Università degli Studi di Milano, Italy
  Julian L Rrushi, Università degli Studi di Milano, Italy

Chapter XIII: Design and Implementation of a Distributed Firewall (p. 152)
  Dalila Boughaci, LRIA – USTHB, Algeria
  Brahim Oubeka, LRIA – USTHB, Algeria
  Abdelkader Aissioui, LRIA – USTHB, Algeria
  Habiba Drias, LRIA – USTHB, Algeria
  Belaïd Benhamou, Technopôle de Château-Gombert, France

Chapter XIV: A Formal Verification Centred Development Process for Security Protocols (p. 165)
  Tom Coffey, University of Limerick, Ireland
  Reiner Dojen, University of Limerick, Ireland

Chapter XV: Edge-to-Edge Network Monitoring to Detect Service Violations and DoS Attacks (p. 179)
  Ahsan Habib, Siemens TTB Center, Berkeley, USA

Chapter XVI: A “One-Pass” Methodology for Sensitive Data Disk Wipes (p. 193)
  Doug White, Roger Williams University, USA
  Alan Rea, Western Michigan University, USA

Chapter XVII: Securing E-Mail Communication with XML Technology (p. 202)
  Lijun Liao, Horst-Görtz Institute for IT Security, Germany
  Mark Manulis, Horst-Görtz Institute for IT Security, Germany
  Jörg Schwenk, Horst-Görtz Institute for IT Security, Germany

Chapter XVIII: Aspect-Oriented Analysis of Security in Distributed Virtual Environment (p. 218)
  Li Yang, University of Tennessee at Chattanooga, USA
  Raimund K Ege, Northern Illinois University, USA
  Lin Luo, Florida International University, USA

Chapter XIX: Information Availability (p. 230)
  Deepak Khazanchi, University of Nebraska at Omaha, USA
  Andrew P Martin, University of Nebraska at Omaha, USA

Chapter XX: Formal Analysis and Design of Authentication Protocols (p. 240)
  Siraj Ahmed Shaikh, United Nations University (UNU), Macau, SAR China

Chapter XXI: Access Control Frameworks for a Distributed System (p. 254)
  Rajeev R Raje, Indiana University-Purdue University Indianapolis, USA
  Alex Crespi, Indiana University-Purdue University Indianapolis, USA
  Omkar J Tilak, Indiana University-Purdue University Indianapolis, USA
  Andrew M Olson, Indiana University-Purdue University Indianapolis, USA
  Carol C Burt, 2AB Inc., Helena, AL, USA

Chapter XXII: Implications of FFIEC Guidance on Authentication in Electronic Banking (p. 266)
  Manish Gupta, State University of New York, Buffalo, USA
  JinKyu Lee, Oklahoma State University, USA
  H.R Rao, State University of New York, Buffalo, USA

Chapter XXIII: Disruptive Technology Impacts on Security (p. 279)
  Sue Conger, University of Dallas, USA
  Bret J L Landry, University of Dallas, USA

Section III: Security Policies and Procedures

Chapter XXIV: Internal Auditing for Information Assurance (p. 292)
  Sushma Mishra, Virginia Commonwealth University, USA
  Amita Goyal Chin, Virginia Commonwealth University, USA

Chapter XXV: IT Continuity in the Face of Mishaps (p. 301)
  William H Friedman, University of Central Arkansas, USA

Chapter XXVI: Business Continuity and Disaster Recovery Plans (p. 308)
  Yvette Ghormley, Saint Leo University, USA

Chapter XXVII: Security Policies and Procedures (p. 320)
  Yvette Ghormley, Saint Leo University, USA

Chapter XXVIII: Enterprise Access Control Policy Engineering Framework (p. 331)
  Arjmand Samuel, Purdue University, USA
  Ammar Masood, Purdue University, USA
  Arif Ghafoor, Purdue University, USA
  Aditya Mathur, Purdue University, USA

Chapter XXIX: Information Security Policies: Precepts and Practices (p. 341)
  Sushil K Sharma, Ball State University, USA
  Jatinder N.D Gupta, The University of Alabama at Huntsville, USA

Chapter XXX: A Guide to Non-Disclosure Agreements for Researchers (p. 347)
  Paul D Witman, California Lutheran University, USA
  Kapp L Johnson, California Lutheran University, USA

Chapter XXXI: Assurance for Temporal Compatibility Using Contracts (p. 360)
  Omkar J Tilak, Indiana University-Purdue University Indianapolis, USA
  Rajeev R Raje, Indiana University-Purdue University Indianapolis, USA
  Andrew M Olson, Indiana University-Purdue University Indianapolis, USA

Chapter XXXII: Spatial Authentication Using Cell Phones (p. 372)
  Arjan Durresi, Indiana University-Purdue University Indianapolis, USA

About the Contributors

Kapp L Johnson, Esq., is a senior lecturer in law and ethics in the School of Business at California Lutheran University. His practice focused on business transactions, litigation and governance. He is a member of the California Bar Association; his teaching and research interests include law and economics, business ethics and the legal environment of business.

Deepak Khazanchi is professor of information systems & quantitative analysis and associate dean in The Peter Kiewit Institute’s College of Information Science & Technology at the University of Nebraska at Omaha (UNO). His current research and teaching interests are focused in the areas of B2B risk analysis in extended enterprise environments, information availability, virtual project management, and
project management best practices. His research has been published in various peer-reviewed journals and national/international conference proceedings. Deepak currently serves as the President of the Midwest United States Association for Information Systems (MWAIS) and Founding Chair of the Association for Information Systems (AIS) Special Interest Group for IT Project Management (http://www.SIGITProjMgmt.org).

Jillian Lando’s academic career started in 2000 at New York University. She received a BA in economics from the College of Arts and Sciences at the university. She obtained her MS in information management from the School of Information Studies at Syracuse University in 2006. She also obtained a Certificate of Advanced Studies in Information Security in 2007. Her main research interests are in the field of information security. She is currently employed in the IT department at AXA Equitable.

Brett J L Landry is an associate professor, CISSP and director of the Center for Information Assurance in the Graduate School of Management at the University of Dallas. Landry earned his PhD from Mississippi State University and has published numerous journal articles on information technology in the ACM Journal of Educational Resources in Computing (JERIC), Communications of the ACM (CACM), Decision Sciences Journal of Innovative Education, International Journal of Services and Standards, Journal of Business Ethics, Journal of Organizational Change Management and others.

JinKyu Lee is an assistant professor of management science and information systems in the Spears School of Business, Oklahoma State University. He holds a PhD (2007) from the School of Management, University at Buffalo, a Masters of Information Systems (1999) from Griffith University, Australia, and a BBA (1996) from Yonsei University, Korea. His current research interests include e-government, emergency management systems, information assurance, inter-organizational information sharing, and information security workforce development. He has published research articles in various academic conferences and journals including DSS, CACM, IEEE Transactions, ICIS, HICSS, AMCIS, and ECEG. He has also been involved in several NSF, NSA, and DoD funded research/educational projects in e-government and information assurance areas.

Lijun Liao is a research associate at the Horst Görtz Institute for IT-Security (HGI) at Ruhr-University of Bochum (RUB) in Germany. In 2005, he received his diploma in security in information technology from RUB. His current research interests include email security, XML security, and security in ad-hoc networks.

Qinyu Liao is an assistant professor of management information systems at The University of Texas at Brownsville. She holds a PhD in business information systems from Mississippi State University. Her current research interests are in e-commerce, computer security and privacy, end-user adoption of information technologies as well as cross-cultural influences on IT adoption. She has published articles in the Journal of Internet Banking and Commerce, and in conference proceedings including the Americas Conference on Information Systems, the International Conference of Electronic Business and the Southwest Decision Science Institute Conference, among others.

Peng Liu received his BS and MS degrees from the University of Science and Technology of China, and his PhD degree from George Mason University in 1999. Dr Liu is an associate professor in the College of Information Sciences and Technology and director of the Cyber Security Lab at Pennsylvania State University. His research interests are in all areas of computer and network security.

Lin Luo received her bachelor’s degree in electrical engineering from Fudan University and her master’s degree in computer science from Florida International University. Her research interests focus on multimedia classification, architecture design, networking and security. She has authored conference and journal papers in these areas.

Xin Luo is an assistant professor of computer information systems at Virginia State University. He received his PhD in information systems from Mississippi State University, and holds an MBA from The University of Louisiana at Monroe and an MSIS from Mississippi State University. His research interests center around information security, mobile communications, and cross-cultural IT diffusion. His articles have appeared in such journals as Communications of the ACM, Information Systems Security, Journal of Internet Banking and Commerce, and International Journal of Information Security and Privacy. He has also published several book chapters and articles in national and international conference proceedings including AMCIS, DSI, IRMA, ISOneWorld, ICEB, GCBF, etc. He is the managing editor of the Journal of Internet Banking and Commerce.

Andy Luse is a PhD student in both the human computer interaction interdisciplinary program, with a home department in logistics, operations, and management information systems in the College of Business, and the computer engineering program within the Electrical and Computer Engineering department in the College of Engineering, both at Iowa State University. His research interests include computer and network security as well as visualization systems for security. He is a member of the Institute of Electrical and Electronics Engineers, the Association for Computing Machinery, the Association for Information Systems, and the Beta Gamma Sigma scholastic honor society.

M. Pradhan is a research assistant professor of computer and information science at Indiana University-Purdue University Indianapolis. Her research is in the area of understanding metabolic pathways and enzyme function in order to develop alternative pathways.

Mark Manulis is a research associate at the Horst Görtz Institute for IT-Security at RUB in Germany. In 2002, he received his Diploma and MSc in computer science from the Technical University of Braunschweig, Germany. His research focuses on cryptographic protocols, anonymity and privacy, electronic payment and coupon systems, as well as key management and authentication in wireless networks.

Andrew P Martin is a graduate of the Master of Science program in management information systems (MSIS) from The Peter Kiewit Institute’s College of Information Science & Technology at the University of Nebraska at Omaha (UNO). His graduate thesis under Dr Khazanchi’s supervision focuses on the key determinants of information availability and in particular on the role of security policy in addressing information availability concerns. Andrew currently is on active duty in the military.

Ammar Masood received the BS degree in aeronautical engineering from the College of Aeronautical Engineering, NED Engineering University, Pakistan, in 1991, and the MS and PhD degrees in electrical and computer engineering from Purdue University, West Lafayette, in 2003 and 2006 respectively. His research interests include access control policy verification and validation frameworks, application of software engineering principles towards achieving computer security, and information infrastructure security.

Aditya Mathur is a professor of computer science at Purdue University, located in West Lafayette, Indiana, USA. He has taught courses in computer sciences at all levels since 1972. He has written several books, the most well known being Introduction to Microprocessors, the first book of its kind published in India, which introduced thousands of students to the basics of microprocessors. Mathur is a prolific researcher and has published extensively in quality international journals and conferences in the area of software engineering. His significant contributions include the saturation effect, feedback control models of software process, comparative analyses of test adequacy criteria, and novel models of software reliability.

Eduardo Fernández-Medina holds a PhD in computer science from the University of Sevilla. He is assistant professor at the Escuela Superior de Informática of the University of Castilla-La Mancha at Ciudad Real (Spain), his research activity being in the field of security in databases, data warehouses, web services and information systems. Fernández-Medina is co-editor of several books and book chapters on these subjects. Author of several manuscripts in national and international journals, he is a member of the ALARCOS research group of the Department of Computer Science at the University of Castilla-La Mancha. Eduardo’s e-mail is eduardo.fdezmedina@uclm.es.

Sushma Mishra is a PhD student in the Information Systems Department at Virginia Commonwealth University. She has an MBA degree from New Delhi, India. Her research interests lie in the areas of information security governance, internal controls for security, systems audit, and systems analysis and design.

Roy Ng, MBA(IT), PMP, CISSP, CISA, received his MBA in information technology at RMIT University, Australia. He is an assistant professor with the Ted Rogers School of Information Technology Management at Ryerson University. He has over 20 years of communication networks and IT management experience in consulting, information security infrastructure and network engineering. He has held various senior management positions in Fortune 500 companies, including area vice president, Avaya Canada Inc., and director, consulting services, at CGI Group. Ng is the principal of SMN Technologies, a consulting firm in the area of information security and project management. His research interests include information assurance and security in the areas of outsourcing, corporate governance, privacy and network communications.

Andrew M Olson is professor emeritus of computer & information science at Indiana University Purdue University in Indianapolis, and has taught software engineering at Butler University. Prior to these Indianapolis appointments, he served on the faculty of the Mathematics Department at the University of Puerto Rico, Rio Piedras, becoming professor and chair, and on the Engineering Mathematics Department faculty at the University of Chile, Santiago. He worked as an applications engineer for General Electric Company before then. His research has ranged from simulation and symbolic-numeric computation through visual programming languages and human/machine interaction to, currently, software engineering of distributed computing systems.

Brahim Oubeka is a network systems engineer. He received his engineering degree (“Ingénieur d’état”) at the Houari Boumedienne University of Science and Technology, Algeria, in 2004 and his master’s degree in network systems from the University of Versailles Saint-Quentin-en-Yvelines, France, in 2006. Mr Oubeka’s main research interests are TCP/IP networks, Ethernet technology and network security systems.

Pamela Ajoku worked as a research assistant professor in the Department of Industrial Engineering, University of Pittsburgh in Pennsylvania, and the Center for E-Design at Pittsburgh. She has a bachelor’s degree in computer science & engineering and Masters and PhD degrees in industrial engineering from the University of Pittsburgh. Prior to graduate studies, Dr Ajoku worked as a network/systems engineer and programmer. Her current research interests include information security, manufacturing systems, product development and distributed information systems management. She currently works for Haworth, a global manufacturer and leader in office furniture and architectural interiors.

Joon S Park is an assistant professor and the director of the Laboratory for Applied Information Security Technology (LAIST) at the School of Information Studies at Syracuse University in Syracuse, New York, USA. Before he joined the school in 2002, he worked for the U.S. Naval Research Laboratory (NRL)’s Center for High Assurance Computer Systems (CHACS). He completed his doctorate at George Mason University in 1999, specializing in information security.

Mario Piattini has a PhD in computer science from the Polytechnical University of Madrid. He is a certified information system auditor from the ISACA (Information System Audit and Control Association). Full professor at the Escuela Superior de Informática of the Castilla-La Mancha University (Spain) and author of several books and papers on databases, software engineering and information systems, Piattini leads the ALARCOS research group of the Department of Computer Science at the University of Castilla-La Mancha, Spain. His research interests are: advanced database design, database quality, software metrics, object-oriented metrics and software maintenance. His e-mail address is Mario.Piattini@uclm.es.

Aditya Ponnam received his MBA from Louisiana State University with a concentration in internal auditing and information systems and decision sciences. He also holds a Master of Science in information systems and a Bachelor’s in computer applications from Osmania University, India. His experience includes information systems auditing and risk management in the energy, transportation and technology industries. He is a member of the Institute of Internal Auditors and the Information Systems Audit and Control Association.

Robert W Proctor is a professor of psychology at Purdue University. Dr Proctor has published over 130 articles on human performance and human factors. He is co-author of the books Human Factors in Simple and Complex Systems, Skill Acquisition and Human Performance, and Attention: Theory and Practice. He is also co-editor of Handbook of Human Factors in Web Design. He is a fellow of the American Psychological Association and American Psychological Society, and honorary fellow of the Human Factors and Ergonomics Society.

Rajeev R Raje is an associate professor in the Department of Computer and Information Science at Indiana University Purdue University Indianapolis. Dr Raje holds degrees from the University of Bombay (BE) and Syracuse University (MS and PhD). His research interests are in distributed computing, component-based systems, programming languages, and software engineering. Dr Raje’s current and past research has been supported by the US Office of Naval Research, National Science Foundation, Indigo Foundation, Eli Lilly and Company, and Microsoft Corporation. Rajeev is a member of ACM and IEEE.

H.R Rao graduated from the Krannert Graduate School of Management at Purdue University. His interests are in the areas of management information systems, decision support systems, e-business, emergency response management systems and information assurance. He has chaired sessions at international conferences and presented numerous papers. He also has co-edited four books. He has authored or co-authored more than 150 technical papers, of which more than 75 are published in archival journals. His work has received best paper and best paper runner-up awards at AMCIS and ICIS. Dr Rao has received funding for his research from the National Science Foundation, the Department of Defense and the Canadian Embassy, and he has received the University’s prestigious Teaching Fellowship. He also received the Fulbright fellowship in 2004. He is a co-editor of a special issue of The Annals of Operations Research and of the Communications of the ACM, associate editor of Decision Support Systems, Information Systems Research and IEEE Transactions on Systems, Man and Cybernetics, and co-Editor-in-Chief of Information Systems Frontiers. Dr Rao also has a courtesy appointment with Computer Science and Engineering as adjunct professor. Dr Rao’s PhD students have placed at Sogang U, UNCG, ASU, USF, FAU, MSU, OKState, FSU, PennState and others. Professor Rao teaches information assurance, networks and e-commerce. Dr Rao is also the recipient of the 2007 State University of New York Chancellor’s award for excellence in scholarship and creative activities.

Alan Rea is an associate professor of computer information systems at the Haworth College of Business, Western Michigan University in Kalamazoo, MI. At WMU, Dr Rea teaches courses in programming, server administration, and Web services. His current research involves a combination of security and information and communication technologies, particularly Virtual Reality and Web 2.0 initiatives. In particular, Dr Rea looks at designs, methods, and techniques to improve the means through which computers can better enable information exchange and secure processes.

Julian L Rrushi is a PhD candidate at the Università degli Studi di Milano, Italy, and a visiting scholar at the Illinois Security Laboratory, University of Illinois at Urbana-Champaign, USA. He received a BS in Computer Science in 2003 and an MS in Information and Communication Technology in 2005, both from the Università degli Studi di Milano. During his Master studies he was awarded a research scholarship by (ISC)² for a project on mobile code and its security implications for servers, and an internship by the Joint Research Center of the European Commission for preparing his Master thesis. His research interests focus on the cyber-security of SCADA and process control systems in general, used to remotely monitor and control critical infrastructure plants.

Rebecca H Rutherfoord is a full-time professor in Information Technology at Southern Polytechnic State University in Marietta, GA. Dr Rutherfoord has been at SPSU for over 24 years and has served as Department Head for CS, Department Head for Information Technology and Assistant to the President. She is currently directing the accreditation efforts for both the university and the IT department. Dr Rutherfoord’s research interests include ethical issues, using personality inventories in forming teams, universal instructional design and andragogy, the study of adult learners.

Arjamand Samuel received his BS degree in 1989 from the College of Aeronautical Engineering, NED Engineering University, Pakistan. He obtained his MS degree in Electrical Engineering in 1997 from the Beijing University of Aeronautics and Astronautics, Beijing, PR of China. He is currently working toward a PhD degree in the School of Electrical and Computer Engineering at Purdue University. From 1989 to 1994, he worked for the Pakistan Air Force. He was manager of software engineering at Pakistan Aeronautical Complex, Kamra, Pakistan, from 1997 to 2003. He has worked as visiting faculty at Ghulam Ishaq Khan Institute of Engineering and Technology (GIKI) from 1994 to 2004 and has taught at COMSATS Institute of Information Technology, Department of Electrical Engineering, from 2003 to 2004. His research interests include context-aware access control models and access control policy. He is a member of IEEE.

Javier Santos is a professor of operations management and enterprise information systems at Tecnun, University of Navarra, Spain. He is the Head of the Department of Industrial Management Engineering at Tecnun-University of Navarra. His research focuses on enterprise information system integration, modeling and development processes, and complex systems modeling. Dr Santos received a PhD in industrial engineering from the University of Navarra. He has published a book with John Wiley & Sons and several papers in international journals such as the International Journal of CIM and the International Journal of Industrial Ergonomics.

Jose Mari Sarriegi is a professor of information systems, knowledge management, and modeling and simulation at Tecnun-University of Navarra Engineering School, Spain. His research interests include information systems security, knowledge management, and complex systems modeling. He has led several research projects in all these topics. He has published in journals such as IEEE Software, International Journal of Computer Integrated Manufacturing, Lecture Notes in Computer Science, IEEE Internet Computing and International Journal of Industrial Ergonomics. He has also presented dozens of papers at international conferences. Sarriegi received a PhD in industrial engineering from the University of Navarra.

Kevin P Scheibe is an assistant professor in management information systems at Iowa State University. His research interests include spatial decision support systems, wireless telecommunications, IT outsourcing, and IT privacy and security. He is a member of the Association for Information Systems and the Decision Sciences Institute. Dr Scheibe has published in journals such as Decision Support Systems, Journal of Information Privacy and Security, and Computers in Human Behavior. He received a PhD from Virginia Polytechnic Institute and State University.

E Eugene Schultz, PhD, CISSP, CISM, is chief technology officer of High Tower Software. He served as a principal engineer with Lawrence Berkeley National Laboratory. He is the author of five books and over 100 papers, as well as the editor-in-chief of Computers and Security. He has received the NASA Technical Innovation Award, the Department of Energy Technical Excellence Award, the Best Paper Award for the National Information Systems Security Conference, and the Information Systems Security Association’s (ISSA’s) Hall of Fame, Honor Roll, and Professional Contribution Awards. Dr Schultz has also provided expert testimony for the U.S. Senate and House of Representatives.

Jörg Schwenk has held the chair for Network and Data Security at the Horst Görtz Institute for IT Security at RUB since 2003. From 1993 to 2001 he worked in the security department of Deutsche Telekom on different projects. He has written more than 60 patents and more than 20 scientific publications. His research interests include cryptographic protocols (especially multi-party protocols), broadcast encryption schemes, XML and Web Service security, and Internet security (especially protection against real world challenges such as pharming or WWW-based attacks).

Siraj Ahmed Shaikh is currently a postdoctoral research fellow at the
International Institute of Software Technology (IIST), at the United Nations University (UNU) in Macau SAR, China. His main research interests include formal design and analysis of distributed systems and protocols. His other interests include performance analysis of security protocols such as IPSec and SSH, and information security education. He is a Member of the British Computer Society (BCS).

Raj Sharman is a faculty member in the Management Science and Systems Department at SUNY Buffalo, NY. He received his BTech and MTech degrees from IIT Bombay, India and his MS degree in industrial engineering and PhD in computer science from Louisiana State University. His research streams include information assurance, disaster response management, decision support systems, and distributed computing. His papers have been published in a number of national and international journals. He is also the recipient of several grants from the university as well as external agencies.

Paul John Steinbart is a professor in the Department of Information Systems at Arizona State University. He teaches graduate courses on computer and information security and an undergraduate course on accounting information systems. Professor Steinbart's research has been published in leading academic journals including MIS Quarterly, Decision Sciences, and The Accounting Review. He is also co-author of the textbook Accounting Information Systems published by Prentice-Hall. Professor Steinbart serves as associate editor for the Journal of Information Systems (published by the American Accounting Association) and is a member of the editorial board for the International Journal of Accounting Information Systems.

Dwayne Stevens is the senior IT auditor at Community Trust Bank, Inc., in Pikeville, Ky. He is a 2006 graduate of the MSIS program at Morehead State University, where he also earned his MBA in 2000. In prior roles, Dwayne has served as the software development manager at a rural telecommunications company, and as a college professor teaching information technology and management information systems courses. Dwayne is also the vice-president of a small Web design company, Knightly Innovations, in Pikeville, Ky., where he resides with his wife, Melanie.

Art Taylor is a professor of computer information systems at Rider University where he teaches courses on computer security and forensics, networking and programming. He has published seven computer technology books and numerous journal articles. Prior to joining Rider University, he worked as a computer consultant specializing in databases and programming.

Omkar Tilak is a PhD student in the Department of Computer and Information Science at Indiana University Purdue University Indianapolis. Omkar holds degrees from the University of Bombay (BE) and Purdue University (MS). His research interests are in distributed computing, component-based systems and software engineering. Omkar is a member of IEEE.

Jose M Torres is a PhD student at Tecnun, University of Navarra, Spain. His research focuses primarily on security management of information systems. His PhD, finished in September 2007, focuses on contrasting security experts' perspectives with empirical studies in small and medium size enterprises with the aim of introducing security management habits into this sector. He has a publication in the Lecture Notes in Computer Science and also has presented several papers in international conferences.

Anthony M Townsend, PhD, is the Accenture Faculty Fellow and associate professor of MIS at Iowa State University. He received his MS and PhD from Virginia Polytechnic Institute and State University and conducts research in collaborative systems and virtual teams. He has published in MIS Quarterly, Information Systems Research, the Communications of the ACM, along with a number of other venues.

Juan Trujillo is an associate professor at the computer science school at the University of Alicante, Spain. Trujillo received a PhD in computer science from the University of Alicante (Spain) in 2001. His research interests include database modeling, conceptual design of data warehouses, multidimensional databases, OLAP, as well as object-oriented analysis and design with UML. With papers published in international conferences and journals such as ER, UML, ADBIS, JDM and IEEE Computer, Trujillo has served as program committee member of several workshops and conferences and has also spent some time as a reviewer of several journals. His e-mail is jtrujillo@dlsi.ua.es.

Udaya Kiran Tupakula received a BE degree in electronics and communication engineering from Gulbarga University, India in 1997 and a Master's degree in information technology from the University of Western Sydney, Australia in 2001. He received a PhD degree in computer science from Macquarie University, Australia in 2006 and is currently working as a research fellow in the Information and Networked System Security Research Group. His research interests include security in distributed systems, intrusion detection, mobile ad hoc network security and sensor network security.

Jamie Twycross is a research associate in the Department of Computer Science at The University of Nottingham. He is working on a large interdisciplinary project investigating the application of immune-inspired approaches to computer security. His research interests include biologically-inspired approaches to computing, computer security and networking, and robotics.

Uwe Aickelin currently holds an advanced research fellowship awarded by EPSRC (the UK's largest Funding Council). He is also a Reader in Computer Science at The University of Nottingham and a member of the Automated Scheduling, Optimisation and Planning Research group (ASAP). Dr Aickelin has been awarded over million EPSRC research funding as Principal Investigator in Artificial Immune Systems and Computer Security.

Vijay Varadharajan is the Microsoft chair and professor of computing at Macquarie University. He is also the director of Information and Networked System Security Research. He is an editorial board member of several international journals including the ACM Transactions on Information System Security and the Springer-Verlag International Journal of Information Security. He has published more than 275 papers, has co-authored and edited books, and holds patents. His current areas of research interest include trusted computing, security in high speed networks and large distributed systems, and mobile ad hoc network security. He is a fellow of IEE, IEAust, ACS, BCS and IMA.

Rodolfo Villarroel has an MSc in computer science from the Technical University Federico Santa María (Chile), and a PhD from the Escuela Superior de Informática of the Castilla-La Mancha University (Spain). An associate professor at the Computer Science Department of the Universidad Católica del Maule (Chile), his research activity is in the field of security in data warehouses and information systems, and of software process improvement. Author of several papers on data warehouse security and improvement of the software configuration management process, Villarroel belongs to the Chilean Computer Science Society (SCCC) and the Software Process Improvement Network (SPIN-Chile). His e-mail is rvillarr@spock.ucm.cl.

Kim-Phuong L Vu is associate professor in human factors at California State University, Long Beach. She received her PhD in 2003, and has over 50 publications in areas relating to human performance and human-computer interaction. She is co-author of the book Stimulus-Response Compatibility Principles and co-editor of the Handbook of Human Factors in Web Design.

Hai Wang received the BS and MS degrees from Jilin University (Changchun, China). He is now a PhD candidate in the College of Information Sciences and Technology at Pennsylvania State University. His research interests are in computer and network security.

Ed Watson is the E J Ourso Professor of business analysis at Louisiana State University. His teaching activities include technology and operations management, management of information systems, and enterprise systems and IS audit. His most recent research activities have been in the areas of IT-enabled service delivery, innovation and corporate transformation, and enterprise systems integration and education. He has published over 50 articles and book chapters in operations and information systems outlets. He is active in AIS, DSI, and ISACA and is a regular contributor, speaker, and organizer at related conferences and workshops. He previously served as SAP UCC director at LSU and SAP University Alliance manager for SAP USA.

Edgar R Weippl (CISA, CISM, CISSP) is assistant professor at the Vienna University of Technology and Science Director of Security Research (www.securityresearch.at). His research focuses on applied concepts of IT-security and e-learning. Edgar has taught several tutorials on security issues in e-learning at international conferences, including ED-MEDIA 2003-2007 and E-Learn 2005. In 2005, he published Security in E-Learning with Springer. After graduating with a PhD from the Vienna University of Technology, Edgar worked for two years in a research startup. He then spent one year teaching as an assistant professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant for an HMO (Empire BlueCross BlueShield) in New York, NY and Albany, NY, and for Deutsche Bank (PWM) in Frankfurt, Germany.

Doug White has worked for The Federal Reserve System, Martin Marietta Energy Systems, and currently manages Whitehatresearch.com, a consulting specialty firm. Dr White has spent 12 years teaching computer programming, security, and networking at the university level. Dr White is currently an associate professor at Roger Williams University in Bristol, Rhode Island.

Paul D Witman is an assistant professor of information technology management in the School of Business at California Lutheran
University. Witman holds a PhD in information systems and technology from Claremont Graduate University. His research interests include information security, usability, technology adoption and continuance, and electronic banking and finance.

Yuni Xia is an assistant professor of computer and information science at Indiana University Purdue University - Indianapolis. Her research includes databases, moving object databases, sensor databases, data mining, data uncertainty management, data stream management and ubiquitous/pervasive computing. She holds a bachelor's degree from the Huazhong University of Science and Technology of China, and MS and PhD degrees from Purdue University. She has served on the program committee of a number of conferences in databases and pervasive computing.

Li Yang is an assistant professor in the Department of Computer Science and Electrical Engineering at the University of Tennessee at Chattanooga. Her research interests include network and information security, databases, and engineering techniques for complex software system design. She has authored over ten papers in these areas in refereed journals, conferences and symposiums. She is a member of the ACM.

Index

A academic server (AS) 257 access control lists (ACL) 255 access control lists (ACLs) 437 access control models 221, 333, 497 access control policy, expression of 159 access control policy engineering framework 331 accessibility issues 485 accuracy issues 484 address space randomization 147 advanced encryption algorithms aggregate based congestion control (ACC) 93 American National Standards Institute (ANSI) 433 anti-virus software (AVS) 385 antiransomware, recommendations for application firewall 153 application programming interfaces (APIs) 31 array overflow 140 attack intensity, impact of 512 audit, planning the 72 Authentication 137, 138

B basic state transition model 507 BCY protocol 166, 169 BCY protocol, redesign of 172 behavior protocols for software components 362 Berkeley Internet Name Domain (BIND) 385 Berne Convention for the Protection of Literary and Artistic Works 489 bioinformatics 529 biological approaches, to computer security 110 biometric measures for biosecurity 531 biosecurity, challenges in 530 biosecurity, for biological databases 533 biosecurity, information technology for 531 biosecurity measures 529 bioterrorism 529 Border Gateway Protocol (BGP) update 37 buffer overflow 140 business continuity (BC) 308 business continuity and disaster recovery plan 308 business impact analysis (BIA) 311 business modeling 311 business process/application controls 71 business risks, five types of 69

C canaries 143 Carnegie Mellon University (CMU) 350 cell phones, spatial authentication using 372 certified information systems security professional (CISSP) certification exam 423 challenge-handshake authentication protocol (CHAP) 439 Child Online Privacy and Protection Act (COPPA) 342 chksum, as a validation tool 195 CIA requirements 441 CIA Triangle 342 cloning, as type of theft 284 Committee of Sponsoring Organizations of the Treadway Commission (COSO) 74 common access cards (CACs) 272 common criteria (CC) 256 Common Criteria for Information Technology Security Evaluation (CCITSE) 294 Common Gateway Interface (CGI) 14 Common Line Interface (CLI) 37 Common Open Policy Service (COPS) 32 communicating sequential processes (CSP) 241 Communication, Electric, and Plumbing Union (CEPU) 284 component-based distributed systems (CBDS) 256 component-based software development (CBSD) approach 360 components with contracts 361 Computer Ethics Institute 490 computer viruses 21 consolidation PSYOP 22 constraint definition 333 consumer responsibility 10 continuous time Markov chain (CTMC) 515 copyright, and the Web 490 copyright, registering a 490 Copyright Act of 1974 488 copyright laws 488 CORBA systems, formal specification of 362 corporate self-regulation, and security 286 critical success factors (CSFs) 467 cryptographic protocol, designing a provably secure 169 cryptographic protocols 165, 242 Cryptography 137, 138 cryptography, definition of 241 CSP system 244 Currently Unused (CU) 39 cyberterrorism, definition of 20

D damage potential, reproducibility, exploitability, affected Users, and discoverability (DREAD) 419 dangling pointer vulnerability 141 database management system (DBMS) 496 databases 13 data carving 196 data collection 485 data corruption 285 data flow diagrams (DFDs) 418 Data Generator Agent (DGA) 91 data ownership 485 data stream cipher encryption 148 data theft 284 data warehouses (DWs) 495 delay measurements 182 demilitarized zone (DMZ) configuration 385 Denial of Service (DoS) 179 Denial of Service (DOS) attack 21 denial of service (DoS) attacks 179 Department of Defense (DOD) 21 DES 127, 134, 135, 137, 138 detection probability, impact of 514 Differentiated Service (DiffServ) 39 digicash 13 DIL (Distributed Interaction Language) 362 disaster, consequences of 302 disaster, revising common assumptions about 302 disaster recovery (DR) 308 disasters, types of 309 disasters for businesses, consequences of 310 discretionary access control (DAC) 232, 255, 333 distributed computing system (DCS) 360 Distributed Denial of Service (DDoS) 30, 37, 85 Distributed denial of service (DDoS) 233 Distributed Denial of Service (DDoS) attack 85 distributed firewall, design of 154 distributed firewall, functional schema of 157 distributed firewall, structural schema of 156 distributed security managers (DSM) 220 distributed virtual environment (DVE) 218 distributed virtual environments (DVEs) 218 distributed virtual environments (DVEs), object oriented view of 220 document and media disposal 429 DOD wipe group 195 dynamic risk analysis 471

E e-cash 13 E-commerce e-commerce 382 e-commerce, current security risks in e-commerce, non-technical security enhancement in 15 e-commerce, why? e-commerce site's responsibility e-learning 443 e-mail, communication security 202 E-Mail, formats and transmission protocols 203 e-mail, monitoring 487 ECDL-module 441 edge-to-edge measurements 179 Electronic Communications Privacy Act 487 Electronic Privacy Information Center (EPIC) 284 employee verification 428 EMV (Europay, Mastercard, and Visa) 272 encrypt sensitive data 394 enterprise control policy language, requirements of 332 enterprise identity management (EIM) 448 enterprise risk management strategy 68 Enterprise Security Management (ESM) 30 European computer driving license (ECDL) 444 evaluation metrics 508 exception procedures 325 Explicit Congestion Notification (ECN) 40 extending CORBA interfaces with protocols 362 extensible authentication protocols (EAPs) 396

F fabric binding 436 face recognition method 532 false alarms, impact of 512 Federal Financial Institutions Examination Council (FFIEC) 266 Federal Financial Institutions Examination Council (FFIEC), guidance 267 Federal Information Security Management Act (FISMA) 58 Federal Information Security Management Act (FISMA) Policy framework 342 Fibre Channel over IP (FCIP) 438
Fibre Channel protocol and transport 434 Fibre Channel technology 433 financial aid server (FAD) 257 fingerprinting 532 finite state machine (FSM) 334 firewall, decentralized 152 firewall, definition of 152 firewall, descriptions of 153 firewall configuration 385 firewall implementations 153 firewalls, agent classification 154 firewalls, two categories of 153 Forensics Tool Kit (FTK) 197 format string vulnerability 141 free space 197 Frequently Asked Questions (FAQ) 10 FSM based test generation 336

G general IT controls 71 generalized spatio-temporal RBAC (GST-RBAC) model 334 generalized temporal RBAC (GT-RBAC) 334 genetic algorithms (GA's) 530 global auditing information network (GAIN) 293 globally unique identifiers (GUID) 11 global positioning systems 281 global positioning systems (GPS) 279 goal attainment scaling (GAS) 58 Gramm-Leach-Bliley Act (GLBA) 303 Gramm-Leach-Bliley Act (GLBA) 342

H hacking, and national security 21 hand geometry 533 hard disk wipes 193 hash functions 133 Health Information Privacy and Protection Act (HIPPA) 342 Health Insurance Portability and Accountability Act (HIPAA) 58, 292 Health Insurance Portability and Accountability Act of 1996 (HIPAA, 1996) 193 highly-secure seven-pass DOD wipe 193 holistic risk management approach, need for 70 human computer interface (HCI) 57 human factors, in information security 402

I ICMP traceback 92 identity federation 449 identity management systems, security imperatives 451 immune system 109 individual's data, privacy of 483 Industry-Sponsored University Research 349 information, four critical roles in 19 information assurance (IA) 293 information availability (IAV) 230, 231, 236 information availability (IAV), second order determinants of 232 Information Operations (IO) 21 Information Science (IS) 347 information security (INFOSEC) 230 information security management (ISM) 55 information security management (ISM), studies emerging 55 information security policy (ISP) 322 information security policy framework 342 information security systems (ISS) 321 information security technology 56 information systems (IS), organizational reliance on 55 information systems security Management framework (ISSMF) 467, 469 information technologies (IT), and national security 18 Information Warfare (IW) 18, 19 information technology and risk, coexistence of 69 input/output (I/O) operations 433 input debugging 89 integer overflow 141 internal audit, current practices in 296 internal auditing 292 internal control assessment 295 Internet banking, and authentication 267 Internet Banking Environment 266 Internet Fibre Channel Protocol (iFCP) 438 Internet Relay Chat (IRC) 20 Internet Service Provider (ISP) 10 Internet Storage Name Service (iSNS) 438 Intrusion Detection System (IDS) 29 intrusion detection system (IDS) 385 intrusion detection system model 507 intrusion detection systems (IDS) 342 Intrusion Prevention System (IPS) 29 intrusion tolerant database system (ITDB) 504 invisibility, as an enabling characteristic 283 IP packet marking techniques 91 IP SAN transport via IEEE standards, security for 437 IPSec (IP security) 437 IPSec, for SAN transport 437 iris/retina scanning systems 531 iSCSI LUN mapping 438 IS infrastructure security 472 ISM, financial and economic aspects of 59 IT continuity measures 305 IT systems continuity, providing for after a disaster 305 IW, offensive 19

K Key generator 129 knowledgebase (KB) 256

L Language of Description of Politics of the Access Control (LDPAC) 159 libtissue 109 libtissue SYSTEM 114 Lightweight Directory Access Protocol (LDAP) 32 Linux, comparison to Windows 518 Linux, security modules and mandatory access controls 524 Linux authentication 522 Linux authorization 523 local exchange carriers (LECs) 458 loss inference with advanced method 186 loss inference with simple method 184 low-level coding vulnerabilities 140 LUN masking 438

M malware comparisons mandatory access control (MAC) 232, 255, 333 maximum waiting time (MWT) 232 MDA and MDS compliant approach 497 mean time to attacks (MTTA) 507 mean time to detect (MTTD) 507 mean time to fail (MTTF) 232 mean time to mark (MTTM) 507 mean time to repair (MTTR) 507 mean time to restore (MTTR) 232 mobility management, of cell phones 376 model driven access control 256 model driven architecture (MDA) 496 model driven security (MDS) 495, 496, 498 modern security protocols 165 monitoring the workplace 487 multidimensional (MD) model 495 multidimensional modeling 496 multipurpose Internet message extensions (MIME) 204

N National Institute of Standards and Technology (NIST) 342 NDA, legal overview 348 Needham-Schroeder (1978) protocol 240 Needham-Schroeder protocol 243 network architecture level 385 network design and configuration, proper 396 network health control center (NHCC) 37 network layer firewall 153 network monitoring 181 Network Simulator (NS) 31 non-disclosure agreement, example of 357 non-disclosure agreements (NDAs) 347 nonexecutable memory pages 142 NRL protocol analyzer 241 number generation tokens 273

O object-oriented (OO) 222 object constraint language (OCL) 496 object security constraint language (OSCL) 496 one-time passwords (OTPs) 270 one pass wipe group 196 online environment, vulnerability in an 383 Open(PGP) 207 OpenPGP 205 Open Platform for Secure Enterprise Connectivity (OPSEC) 31 operating system, as last line of defense 518 operational PSYOP 22 Orange Book 505 overlay-based monitoring 182

P Packet-Marking (PM) 30 Packet-Marking (PM) Architecture 37 password security 428 Patriot Act 342 personal identification numbers (PINs) 270 PGP/MIME 205 physical access, to office or documents 429 physical security 304 physical security, ensuring 397 pointer taintedness detection 148 Policy-Based Network Management (PBNM) 32 Policy Decision Point (PDP) 32 policy development, and monitoring 398 Policy Enforcement Point (PEP) 32 Policy Management Tool (PMT) 32 port binding 436 pretty good privacy (PGP) 203, 205 privacy, and the information age 484 privacy, and the law 486 privacy, another definition of 485 privacy issues 484 probabilistic waiting time (PWT) 232 process, definition of 111 process anomaly detection 111 process based approach, in internal control assessment 297 provisioning and identity management 447 provisioning service object (PSO) 451 provisioning service provider (PSP) 450 psychological operations (PSYOPs) 19 public-key cryptography 242 Public Affairs (PA) 21 public key infrastructure (PKI) 207, 270 public switched telephone network (PSTN) 458

Q qualitative risk measurement 78 Quality of Service (QoS) 30 quality of service (QoS) 179 quantitative risk assessment 78

R radio frequency identification (RFID) 279 ransomware, how it works RBAC0 enhanced DVE, by aspect-oriented design 224 reconstruct the path (RT) 92 record server (RS) 257 Reduced Instruction Set Computer (RISC) architecture 57 remote authentication dial-in user service (RADIUS) 439 replay, type of theft 284 representative defense mechanisms 142 requesting authority (RA) 450 RFID 280 risk-based audit approach 71 risk analysis 311 risk and control, defining and understanding 68 risk and loss, success factors in minimizing 304 risk assessment 75 risk management, from audit and control viewpoint 70 risk based approach, in internal control assessment 296 role-based access control (RBAC) 222, 256 role based access control (RBAC) 232, 334 RSA 135, 138

S S/MIME and PGP/MIME format, problems with 208 safe boot environment 195 safeguards, legal requirements to provide 303 SAN routing 437 SANs, why? 433 SAN security, three primary aspects 435 Sarbanes-Oxley Act (SOX) 292, 342 Sarbanes-Oxley Act of 2002 (SOX) 193 secure channels 12 secure MIME (S/MIME) 206 secure shell (SSH) 439 secure sockets layer (SSL) 12, 439 securing commerce servers 13 securing data transmission 12 security, and access control Models for data warehouses 497 security-based testing 420 security-related threats and risks 403 security and operating system security architecture 519 security and usability, relationship between 405 security awareness and training 473 security budget 472 security holes, framework for plugging 387 security implementation efficacy 472 security integration 473 security integration, into the design process 496 security policies, constitution of 321 security policies, practical guidance for 326 security policies enforcement and compliance 474 security policy clients (SPCs) 33 security policy creation 323 security policy server (SPS) 33 security protocols, formal verification of 166 security reviews 420 security risks, and e-commerce security routers, two types of 37 security strategy 471 separation of duty (SOD) 227 separation of duty (SoD) 334 server-side scripts 14 server/operating system level 384 service level agreement (SLA) 179 service provisioning markup language (SPML) 449 session initiation protocol (SIP) 462 shared-key cryptography 242 simple mail transmission protocol (SMTP) 204 single packet IP traceback 91 slack space 196 SLA verification 181 small and medium enterprises (SME) 442 small and medium size enterprises (SMEs) 469 smart link (SL) 37 smart motes 282 social engineering attacks, methods of 424 SOFtware Appliances (SOFA) 362 Software Engineering Institute (SEI) 416 software test 14 Source Path Isolation Engine (SPIE) 91 spam over Internet telephony (SPIT) 458 spatial authentication, with cell phones 375 spatial authentication using cell phones (SAC) 375 spin-off companies 349 SPML 447 spyware debate, two sides of 10 state transition model analysis 509 storage area networks (SANs) 433 storage security, where is it needed 434 stored-account payment systems 12 stored-value payment systems 12 strategic information systems plan (SISP) 322 strategic PSYOP 22 strong authentication 395 student employment server (SES) 257 survivability evaluation 504 Survival of the Fittest IW (SFIW), conceptual framework 18, 22 suspend function 445

T tactical PSYOP 22 TCP/IP protocol, inherent weakness in 85 technical countermeasures 11 Temporal Interaction Contract (TIC) 363 temporal interaction contracts 363 temporal RBAC (TRBAC) 334 threat-vulnerability identification 76 threat mitigation strategies 314 threat modeling 415 threat modeling deliverables 419 three-phase approach to business continuity and disaster recovery 313 throughput measurements 188 Trade Related Aspects of Intellectual Property Rights 489 Transmission Control Protocol (TCP) 32 Trojan horse programs Type of Service (ToS) field 39

U U.S General Accounting Office (GAO) 21 U.S National Institute of Standards and Technology (NIST) 57 Unified Meta-component Model (UMM) 256 Unified Modeling Language (UML) 222 UniFrame 256 University to Industry Technology Licensing 349 USB authentication tokens 273 US Department of Defense (DOD) 272 user authentication, with cell phone 375

V virtual LAN (VLAN) 437 virtual private networks (VPN) 449 virtual private networks (VPNs) 435 voice over Internet protocol (VoIP) 458 voice over IP (VoIP) 95 VoIP, benefits of 458 VoIP, security concerns 460 VoIP, utilization in education 460 VoIP models 459 VoIP security assurance strategies 462

W Web, surfing at work 488 Web server, three components of 13 Windows, comparison to Linux 518 Windows and Linux, comparison 519 Windows authentication 521 Windows authorization 523 wipe approaches and application, discussion of 195 WIPO Performances and Phonograms Treaty (WPPT) 489 wired equivalent privacy (WEP) protocol 395 wireless networking, security of 393 Woo-Lam protocol 247 Woo-Lam protocol, analysing the 248 World Intellectual Property Organization Copyright Treaty (WCT) 489 World Wide Name (WWN) 436

X XMaiL 202, 209 XmaiL, (multiple) digital signatures in 212 XmaiL, encrypted contents in 213 XmaiL, structure definitions 210 XMaiL vs S/MIME and (Open)PGP and PGP/MIME 215 XML encryption 210 XML signature 209 XML technologies 202 XPath 209

Z zoning, of resources in the SANs 436