A Stratified Cyber Security Vigilance Model: An Augmentation of Risk-Based Information System Security

  • Paul Abuonji Jaramogi Oginga Odinga University of Science and Technology
  • Anthony J. Rodrigues Jaramogi Oginga Odinga University of Science and Technology
  • George O. Raburu Jaramogi Oginga Odinga University of Science and Technology
Keywords: stratified, cyber, security, vigilance, model, risk-based

Abstract

Information system security in today's interconnected environment, the cyber-space, keeps growing more sophisticated. All the players involved, whether governments, corporates, IS security experts or users, both naïve and sophisticated, grapple with one big problem: how to decide what level of security is enough for their information system, since the security controls applied must be commensurate with the IS assets being protected. In that regard, many organizations adopt risk-based security in the hope that it will answer this elusive IS security question, but to no avail. Unfortunately, many such organizations still experience numerous breaches of their information systems, and some realize that they have fallen victim to cyber criminals only long after the actual compromise. It is for this reason that this paper presents a novel security model, the Stratified Cyber Security Vigilance (SCSV) model, which augments the standard risk-based security approach and demonstrates its ability to improve IS security.

Author Biographies

Anthony J. Rodrigues, Jaramogi Oginga Odinga University of Science and Technology
Professor of Computer Science
George O. Raburu, Jaramogi Oginga Odinga University of Science and Technology
Senior Lecturer in the Department of Computer Science and Software Engineering

Published
2018-11-04