A Stratified Cyber Security Vigilance Model: An Augmentation of Risk-Based Information System Security
Information system (IS) security in today's interconnected environment, cyberspace, is continually becoming more complex. All the players involved (governments, corporations, IS security experts, and users, both naive and sophisticated) grapple with one central problem: deciding what level of security is enough for their information systems, since the security controls applied must be commensurate with the value of the IS assets being protected. To that end, many organizations adopt risk-based security in the hope that it will answer this elusive question, but to no avail: such organizations still experience numerous breaches of their information systems, and some discover that they have fallen victim to cyber criminals only long after the actual compromise. For this reason, this paper presents a novel security model, the Stratified Cyber Security Vigilance (SCSV) model, which augments the standard risk-based security approach, and demonstrates its ability to improve IS security.
Copyright (c) 2018 Transactions on Networks and Communications
This work is licensed under a Creative Commons Attribution 4.0 International License.