A review of information security issues and respective research contributions

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A review of information security issues and respective research contributions

Full text

Pdf (354 KB)

Source

ACM SIGMIS Database archive
Volume 38 , Issue 1 (February 2007) table of contents

SESSION: Research contibutions table of contents

Pages: 60 - 80

Year of Publication: 2007

ISSN:0095-0033

Authors

Mikko T. Siponen	University of Oulu
Harri Oinas-Kukkonen	University of Oulu

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 273, Downloads (12 Months): 1960, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1216218.1216224 What is a DOI?

ABSTRACT

This paper identifies four security issues (access to Information Systems, secure communication, security management, development of secure Information Systems), and examines the extent to which these security issues have been addressed by existing research efforts. Research contributions in relation to these four security issues are analyzed from three viewpoints: a meta-model for information systems, the research approaches used, and the reference disciplines used. Our survey reveals that most information security research has focused on the technical context, and on issues of access to IS and secure communication. The corresponding security issues have been resolved by using mathematical approaches as a research approach. The reference disciplines most commonly reflected have been mathematics, including philosophical logic. Based on this analysis, we suggest new directions for studying information security from an information systems viewpoint, with respect to research methodology and research questions. Empirical studies in relation to the issues of security management and the development of secure IS, based on suitable reference theories (e.g., psychology, sociology, semiotics, and philosophy), are particularly necessary.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Abrams, M. D. and Moffett, J. T. (1995). "A Higher Level of Computer Security Through Active Policies," Computer & Security, Vol. 14, No. 2, pp. 147--157.
	2	Abrams, M. D. and Podell, H. J. (1995). "Evaluation Issues," in Abrams, M.D., Jajodia, S. and Podell, H.J. (Eds.), Information Security - An Integrated Collection of Essays, Los Alamitos, CA: IEEE Computer Society Press.
	3	Ajzen, I. (1991). "The Theory of Planned Behavior," Organizational Behavior and Human Decision Processes, Vol. 50, pp. 179--211.
	4	R. J. Anderson, A security policy model for clinical information systems, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.30, May 06-08, 1996
	5	Anderson, R., and Kuhn, M. (1996). "Tamper Resistance - a Cautionary Note," Proceedings of The Second USENIX Workshop on Electronic Commerce, Oakland, California, pp. 18--21.
	6	Anderson, R. J. and Petitcolas, F. A. P. (1998). "On the Limits of Steganography," IEEE Journal on Selected Areas in Communications, Vol. 16, Is.4, pp. 474--481.
	7	Backhouse, J. and Dhillon, G. (1996). "Structures of Responsibilities and Security of Information Systems," European Journal of Information Systems, Vol. 5, No. 1, pp. 2--10.
	8	Baldwin, R. W. (1990). "Naming and Grouping Privileges to Simplify Security Management in Large Databases," Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy.
	9	Claude Banville , Maurice Landry, Can the field of MIS be disciplined?, Communications of the ACM, v.32 n.1, p.48-60, Jan. 1989 [doi>10.1145/63238.63241]
	10	R. Baskerville, Designing information systems security, John Wiley & Sons, Inc., New York, NY, 1988
	11	Baskerville, R. (1989). "Logical Controls Specification: An Approach to Information System Security," in Klein, H., and Kumar, K. (Eds.), Systems Development for Human Progress, Amsterdam: North-Holland.
	12	Baskerville, R. (1991). "Risk Analysis: An Interpretative Feasibility Tool In Justifying Information Systems Security," European Journal of Information Systems, Vol. 1, Is.2, pp. 121--130.
	13	Richard Baskerville, Information systems security design methods: implications for information systems development, ACM Computing Surveys (CSUR), v.25 n.4, p.375-414, Dec. 1993 [doi>10.1145/162124.162127]
	14	R. Baskerville , A. T. Wood-Harper, Diversity in information systems action research methods, European Journal of Information Systems, v.7 n.2, p.90-107, June 1, 1998 [doi>10.1038/sj.ejis.3000298]
	15	N. Baukari , A. Aljane, Security and auditing of VPN, Proceedings of the 3rd Workshop on Services in Distributed and Networked Environments (SDNE '96), p.132, June 03-04, 1996
	16	Bell, R. (1993). "Virtual Private Networks - The Major Issues, Problems and Opportunities," IEE Colloquium on Virtual Networking.
	17	S. M. Bellovin, Probable Plaintext Cryptanalysis of the IP Security Protocols, Proceedings of the 1997 Symposium on Network and Distributed System Security, p.52, February 10-11, 1997
	18	Bellovin, S. M. and Cheswick, W. R. (1994). "Network Firewalls," IEEE Communications Magazine, Vol. 32, Is.9, pp. 50--57.
	19	Bemardi, A., Rico, N., Cherkaoui, O., and Banfield, J. (1994). "Specification and Analysis of A Security Management System," Proceedings of the IEEE Network Operations and Management Symposium.
	20	Bennett, S.P. and Kailay, M.P. (1992). "An Application of Qualitative Risk Analysis to Computer Security for the Commercial Sector," Proceedings of the Eight Annual Computer Security Applications Conference.
	21	Bishop, M. (1991). "An Overview of Computer Viruses in a Research Environment," 4th DPMA, IEEE, ACM Computer virus and Security Conference.
	22	Bontchev, V. (1996). "Possible Macro Virus Attacks and How to Prevent Them," Computers & Security, Vol. 15, No. 7, pp. 959--626.
	23	Bookson, C. (1994). "GSM Security: A Description of the Reasons for Security and the Techniques," IEE Colloquium on Security and Cryptography.
	24	Booysen, H. A. S. and Eloff, J. H. P. (1995). "A Methodology for the Development of Secure Application Systems," Proceeding of the 11th IFIP TC11 International Conference on Information Security.
	25	Anthony Boswell, Specification and Validation of a Security Policy Model, IEEE Transactions on Software Engineering, v.21 n.2, p.63-68, February 1995 [doi>10.1109/32.345822]
	26	Brown, P. W. (1994). "Digital Signatures: Are They Legal for Electronic Commerce?" IEEE Communications Magazine, Vol. 32, Is.9, pp. 76--80.
	27	BS7799 (1993). British Standard Institution, London, UK.
	28	Christoph Busch , Wolfgang Funk , Stephen Wolthusen, Digital Watermarking: From Concepts to Real-Time Video Applications, IEEE Computer Graphics and Applications, v.19 n.1, p.25-35, January 1999 [doi>10.1109/38.736466]
	29	Silvana Castano , Maria Grazia Fugini , Giancarlo Martella , Pierangela Samarati, Database security, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1995
	30	Ceraolo, J. P. (1996). "Penetration Testing Through Social Engineering," Information Systems Security, Vol. 4, No. 4.
	31	Chan, K. L., Kwong, S., and Longginnou, L. (1993). "Security Management on Mobile-Phone Communication," Proceedings of the Computer, Communication, Control and Power Engineering.
	32	Chang, C. C. and Hwang, S. J. (1991). "Cryptographic Authentication of Passwords," Proceedings of 25th Annual 1991 IEEE International Carnahan Conference on Security Technology.
	33	Chang, C. C., Hwang, R. J., and Buehrer, D. (1993). "Using Smart Cards to Authenticate Passwords," Proceedings, Institute of Electrical and Electronics Engineers 1993 International Carnahan Conference on Security Technology.
	34	David L. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Communications of the ACM, v.24 n.2, p.84-90, Feb. 1981 [doi>10.1145/358549.358563]
	35	L. Cholvy , F. Cuppens, Analyzing consistency of security policies, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.103, May 04-07, 1997
	36	Clark, D. D. and Wilson, D. R. (1987). "A Comparison of Commercial and Military Security Policies," Proceedings of the 1987 IEEE Symposium on Security and Privacy.
	37	F Cohen, Computer viruses, Proceedings of the 2nd IFIP international conference on Computer security: a global challenge, p.143-157, December 1984, Toronto, Ontario, Canada
	38	Cohen, F. (1991). "Current Best Practice Against Computer Viruses," Proceedings of 25th Annual 1991 IEEE International Carnahan Conference on Security Technology.
	39	Collins, B. (1998). "Designing Secure Intranets," Computing & Control Engineering Journal, Vol. 9, Is.4, pp. 185--192.
	40	Computer Fraud & Security Bulletin (2000). Elsevier Advanced Technology.
	41	Scott Craver , Boon-Lock Yeo , Minerva Yeung, Technical trials and legal tribulations, Communications of the ACM, v.41 n.7, p.45-54, July 1998 [doi>10.1145/278476.278486]
	42	Cunningham, J. B. (1997). "Case Study Principles for Different Types of Cases," Quality & Quantity, Vol. 31, pp. 401--423.
	43	Custance, N. D. E. (1996). "The Use of Baseline Measures in Risk Assessment," Proceedings of the 30th Annual International Carnahan Conference on Security Technology. IEEE Computer Society Press.
	44	Michael A. Cusumano , David B. Yoffie, Software Development on Internet Time, Computer, v.32 n.10, p.60-69, October 1999 [doi>10.1109/2.796110]
	45	Marc Dacier , Yves Deswarte, Privilege Graph: an Extension to the Typed Access Matrix Model, Proceedings of the Third European Symposium on Research in Computer Security, p.319-334, November 07-09, 1994
	46	Barbara C. Davis , Tatu Ylönen, Working Group Report on Internet/Intranet Security, Proceedings of the 6th Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises, p.305-308, June 18-20, 1997
	47	Drew Dean , Edward W. Felten , Dan S. Wallach , Dirk Balfanz, Java security: Web browsers and beyond, Internet besieged: countering cyberspace scofflaws, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1997
	48	Deci, E. L. and Ryan, R. M. (1985). Intrinsic Motivation and Self-Determination in Human Behavior, New York: Plenum Press.
	49	Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976 [doi>10.1145/360051.360056]
	50	Denning, P.J. (1992). "Passwords," American Scientist, Vol. 80, pp. 117--120.
	51	Denning, D.E and Baugh, W.E., Jr. (1996). "Key Escrow Encryption Policies and Technologies," Information Systems Security, Vol. 5, No. 2, pp. 34--44.
	52	Dorothy E. Denning , Dennis K. Branstad, A taxonomy for key recovery encryption systems, Internet besieged: countering cyberspace scofflaws, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1997
	53	Dhillon, G. (1997). Managing Information Systems Security, United Kingdom: MacMillan Press LTD.
	54	Dhillon, G. and Backhouse, J. (2001). "Current Directions in IS Security Research: Toward Socio-organizational Perspectives," Information Systems Journal, Vol. 11, No. 2.
	55	Modelling Static and Dynamic Aspects of Hypermedia Systems, Proceedings of the 1997 International Conference on Multimedia Computing and Systems (ICMCS '97), p.634, June 03-06, 1997 [doi>10.1109/MMCS.1997.609792]
	56	Diaz, P, Aedo, A., and Ribagorda, A. (1998). "A Security Model for the Design of Hypermedia Systems," Proceedings of the TC11 14th International Conference on Information Security (SEC'98).
	57	Alden Dima , John Wack , Shukri Wakid, Raising the Bar on Software Security Testing, IT Professional, v.1 n.3, p.27-32, May 1999 [doi>10.1109/6294.774950]
	58	Dobson, J. (1991). "A Methodology for Analysing Human and Computer-Related Issues in Secure Systems," in Dittrich, K., Rautakivi, S., and Saari, J. (Eds.), Computer Security and Information Integrity, Elsevier Science Publishers.
	59	Dobson, J. E., McDermid, J.A., (1989), A Framework for Expressing Models of Security Policy. 1989 IEEE Symposium on Security and Privacy.
	60	Eric Dubois , Suchun Wu, A framework for dealing with and specifying security requirements in information systems, Information systems security: facing the information society of the 21st century, Chapman & Hall, Ltd., London, UK, 1996
	61	Patrick Dymond , Michael Jenkin, WWW Distribution of Private Information with Watermarking, Proceedings of the Thirty-second Annual Hawaii International Conference on System Sciences-Volume 5, p.5031, January 05-08, 1999
	62	Eckert, C. (1995). "Matching Security Policies to Application Needs," Proceedings of the IFIP TC11 Eleventh International Conference on Information Security, IFIP/SEC'95.
	63	Ekenberg, L., Oberoi, S., and Orci, I. (1995). "A Cost Model for Managing Information Security Hazards," Computers & Security, Vol. 14, No. 8, pp. 707--717.
	64	Ellmer, E., Pernul, G., and Kappel, G. (1995). "Object-Oriented Modeling of Security Semantics," Proceedings of the 11th Annual Computer Society Applications Conference (ACSAC'95).
	65	Eloff, J. H. P. and Nel, A. J. (1992). "A Methodology for Network Security," Proceedings of the International Workshop on Advanced Communications and Applications for High Speed Networks, IEEE Computer Society Press.
	66	Eloff, J. H. P and von Solms, R. (1998). "Measuring the Information Security Level in an Organization," Proceedings of the Sixth Working Conference of Workgroup 11.1 and Workgroup 11.2 of Technical Committee 11.
	67	Rainer Falk , Markus Trommer, Managing Network Security - A Pragmatic Approach, Proceedings of the The 17th IEEE Symposium on Reliable Distributed Systems, p.398, October 20-23, 1998
	68	Eduardo B. Fernandez , Krishnakumar R. Nair, An Abstract Authorization System for the Internet, Proceedings of the 9th International Workshop on Database and Expert Systems Applications, p.310, August 26-28, 1998
	69	Foley, S.N. (1991). "A Taxonomy for Information Flow Policies and Models," Proceedings of the 1991 IEEE Computer Security Symposium on Research in Security and Privacy.
	70	Warwick Ford , Michael S. Baum, Secure electronic commerce: building the infrastructure for digital signatures and encryption, Prentice-Hall, Inc., Upper Saddle River, NJ, 1997
	71	Fumy, W. and Landrock, P. (1993). "Principles of Key Management," IEEE Journal on Selected Areas in Communications, Vol. 11, Is.5, pp. 785--793.
	72	Robert D. Galliers , Frank F. Land, Viewpoint: choosing appropriate information systems research methodologies, Communications of the ACM, v.30 n.11, p.901-902, Nov. 1987 [doi>10.1145/32206.315753]
	73	Simson Garfinkel , Gene Spafford, Web security & commerce, O'Reilly & Associates, Inc., Sebastopol, CA, 1997
	74	Garvey, T.D. (1992). "The Inference Problem for Computer Security," Proceedings of Computer Security Foundations Workshop V.
	75	Garvey, T. D. and Lunt, T. (1991). "Model-Based Intrusion Detection," Proceedings of the 14th National Computer Security Conference, Washington D.C.
	76	Ghosh, A. K. (1998). E-Commerce Security: Weak Links, Best Defenses, Hoboken, NJ: Wiley Computer Publishing.
	77	GMITS (1996), Guidelines for the Management of IT Security, Part 1: Concepts and Models for IT Security. ISO/IEC TR 13335-1.
	78	Gong, L. (1993). "Increasing Availability and Security of an Authentication Service," IEEE Journal on Selected Areas on Communication, Vol. 11, Is.5, pp. 657--662.
	79	Li Gong, Optimal authentication protocols resistant to password guessing attacks, Proceedings of the The Eighth IEEE Computer Security Foundations Workshop (CSFW '95), p.24, March 13-15, 1995
	80	Li Gong, Java Security: Present and Near Future, IEEE Micro, v.17 n.3, p.14-19, May 1997 [doi>10.1109/40.591650]
	81	Gove, R. A. (1999). Fundamentals of Cryptography and Encryption. Handbook of Information Security Management 1999, Krause, M., and Tipton, H.F. (Eds.), Boca Raton, FL: CRC Press.
	82	J. Iliadis , S. Gritzalis, Addressing Security Issues in Programming Languages for Mobile Code, Proceedings of the 9th International Workshop on Database and Expert Systems Applications, p.288, August 26-28, 1998
	83	Susan J. Harrington, The effect of codes of ethics and personal denial of responsibility on computer abuse judgements and intentions, MIS Quarterly, v.20 n.3, p.257-278, Sept. 1996 [doi>10.2307/249656]
	84	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976 [doi>10.1145/360303.360333]
	85	Mike Hendry, Smart card security and applications, Artech House, Inc., Norwood, MA, 1997
	86	Gaby Herrmann , Günther Pernul, Viewing business-process security from different perspectives, International Journal of Electronic Commerce, v.3 n.3, p.89-103, March 1999
	87	Hirschheim, R., Klein, H. K., and Lyytinen, K. (1996). "Exploring the Intellectual Structures of Information Systems Development: A Social Action Theoretic Analysis, Accounting, Management and Information Technologies, Vol. 6, No. 1-2, pp. 1--64.
	88	J. Hitchings, A practical solution to the complex human issues of information security design, Information systems security: facing the information society of the 21st century, Chapman & Hall, Ltd., London, UK, 1996
	89	Hruska, J. (1997). "Virus Detection," European Conference on Security and Detection (ECOS'97).
	90	Koral Ilgun , R. A. Kemmerer , Phillip A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions on Software Engineering, v.21 n.3, p.181-199, March 1995 [doi>10.1109/32.372146]
	91	Iivari, J. (1989). "Levels of Abstraction as a Conceptual Framework for an Information System," In Falkenberg, E.D., and Lindgreen, P., (Eds), Information System Concepts: An In-depth Analysis., North-Holland, Amsterdam.
	92	Iivari, J. (1991). "A Paradigmatic Analysis of Contemporary Schools of IS Development," European Journal of Information Systems, Vol. 1, No. 4, pp. 249--272.
	93	Juhani Iivari , Rudy Hirschheim, Analyzing information systems development: a comparison and analysis of eight IS development approaches, Information Systems, v.21 n.7, p.551-575, Nov. 1996 [doi>10.1016/S0306-4379(96)00028-2]
	94	Juhani Iivari , Rudy Hirschheim , Heinz K. Klein, A Paradigmatic Analysis Contrasting Information Systems Development Approaches and Methodologies, Information Systems Research, v.9 n.2, p.164-193, February 1998 [doi>10.1287/isre.9.2.164]
	95	Iivari, J., Hirschheim, R., and Klein, H. K. (2001). "A Dynamic Framework for Classifying Information Systems Development Methodologies and Approaches," Journal of Management Information Systems, Vol. 17 No. 3, pp. 179--218.
	96	Atsushi Inoue , Masahiro Ishiyama , Atsushi Fukumoto , Toshio Okamoto, Secure Mobile IP using IP Security Primitives, Proceedings of the 6th Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises, p.235-241, June 18-20, 1997
	97	ITSEC (1991). Commission of the European Communities, Information Technology Security Evaluation Criteria, Provisional Harmonised Criteria: Version 1.2, Office for Official Publications of the European Communities, Luxembourg.
	98	Jeremy Jacob, A Uniform Presentation of Confidentiality Properties, IEEE Transactions on Software Engineering, v.17 n.11, p.1186-1194, November 1991 [doi>10.1109/32.106973]
	99	Jajodia S., Sandhu, R. S., and Blaustein B. T. (1995). "Solutions to the Polyinstantiation Problem," in Abrams, M.D., Jajodia, S., and Podell, H.J. (Eds.), Information Security, An Integrated Collection of Essays, Los Alamitos, CA: IEEE Computer Society Press.
	100	H. L. James, Managing information systems security: a soft approach, Proceedings of the 1996 Information Systems Conference of New Zealand (ISCNZ '96), p.10, October 30-31, 1996
	101	Jamil, T. (1999). "Steganography: The Art of Hiding Information in Plain Sight," IEEE Potentials, Vol. 18, Is.1, pp. 10--12.
	102	David L. Jobusch , Arthur E. Oldenhoeft, A survey of password mechanisms: weaknesses and potential improvement, part 1, Computers and Security, v.8 n.7, p.587-601, Nov. 1989 [doi>10.1016/0167-4048(89)90051-5]
	103	Johnson, N. F. and Jajodia, S. (1998). "Exploring Steganography: Seeing the Unseen," IEEE Computer, Vol. 31, No. 2, pp. 26--34.
	104	Järvinen, P. (2000). "Research Questions Guiding Selection of an Appropriate Research Method," Proceedings of the 8th European Conference on Information Systems (ECIS 2000), Vienna.
	105	Günter Karjoth , Danny B. Lange , Mitsuru Oshima, A Security Model for Aglets, IEEE Internet Computing, v.1 n.4, p.68-77, July 1997 [doi>10.1109/4236.612220]
	106	Richard A. Kemmerer, Shared resource matrix methodology: an approach to identifying storage and timing channels, ACM Transactions on Computer Systems (TOCS), v.1 n.3, p.256-277, August 1983 [doi>10.1145/357369.357374]
	107	Richard A. Kemmerer , Phillip A. Porras, Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels, IEEE Transactions on Software Engineering, v.17 n.11, p.1166-1185, November 1991 [doi>10.1109/32.106972]
	108	Kolstad and Bowles (1991). "Security Requirements and Models in Open Systems," Proceedings of the Twenty-Third Southeastern Conference on Systems Theory.
	109	Koning, W. and Fred. D. (1995). "A Methodology for the Design of Security Plans," Computers & Security, Vol. 14, No. 7, pp. 633--643.
	110	Kowalski, S. (1990). "Computer Ethics and Computer Abuse: A Longitudinal Study of Swedish University Students," IFIP TC11 6th International Conference on Information Systems Security.
	111	Kwon, T. and Son, J. (1998). "Authenticated Exchange Protocols Resistant to Password Guessing Attacks," IEE Proceedings of Communication, Vol. 145, Is.5.
	112	Kyeongbeom Kim , Youngkyun Kim , Youngkee Song , Soran Ine, A Software Platform for Secure Applications based on CORBA, Proceedings of the 6th IEEE Workshop on Future Trends of Distributed Computing Systems (FTDCS '97), p.22, October 29-31, 1997
	113	Butler W. Lampson, Protection, ACM SIGOPS Operating Systems Review, v.8 n.1, p.18-24, January 1974 [doi>10.1145/775265.775268]
	114	George Lawton, Biometrics: A New Era in Security, Computer, v.31 n.8, p.16-18, August 1998 [doi>10.1109/MC.1998.707612]
	115	Jieh-Sheng Lee , Jieh Hsiang , Po-Hao Tsang, A Generic Virus Detection Agent on the Internet, Proceedings of the 30th Hawaii International Conference on System Sciences: Information Systems Track—Internet and the Digital Economy, p.210, January 03-06, 1997
	116	Jussipekka Leiwo , Seppo Heikkuri, An Analysis of Ethics as Foundation of Information Security in Distributed Systems, Proceedings of the Thirty-First Annual Hawaii International Conference on System Sciences-Volume 6, p.213, January 06-09, 1998 [doi>10.1109/HICSS.1998.654776]
	117	Leiwo, J., Gamage, C., and Zheng, Y. (1999). "Harmonization of Information Security Requirements," Informatica, Vol. 17.
	118	Sharman Lichtenstein, Developing Internet Security Policy for Organizations, Proceedings of the 30th Hawaii International Conference on System Sciences: Information Systems Track—Internet and the Digital Economy, p.350, January 03-06, 1997
	119	E. Roos Lindgreen , H. R. D. Janus , A. Shahim , G. Hulst , I. S. Herschberg, Security when outsourcing: concepts, constructs, compliance, Proceedings of the IFIP TC11 13 international conference on Information Security (SEC '97) on Information security in research and business, p.308-318, January 1997, Copenhagen, Denmark
	120	Lindup, K. R. (1995). "A New Model for Information Security Policies," Computer & Security, Vol. 14, No. 8, pp. 691--695.
	121	Steven W. Lodin , Christoph L. Schuba, Firewalls fend off invasions from the Net, IEEE Spectrum, v.35 n.2, p.26-34, Feb. 1998 [doi>10.1109/6.648669]
	122	Emil Lupu , Morris Sloman, A Policy Based Role Object Model, Proceedings of the 1st International Conference on Enterprise Distributed Object Computing, p.36-47, October 24-26, 1997
	123	K. Lyytinen, A taxonomic perspective of information systems development: theoretical constructs and recommendations, Critical issues in information systems research, John Wiley & Sons, Inc., New York, NY, 1987
	124	Salvatore T. March , Gerald F. Smith, Design and natural science research on information technology, Decision Support Systems, v.15 n.4, p.251-266, Dec. 1995 [doi>10.1016/0167-9236(94)00041-2]
	125	David M. Martin Jr , Sivaramakrishnan Rajagopalan , Aviel D. Rubin, Blocking Java Applets at the Firewall, Proceedings of the 1997 Symposium on Network and Distributed System Security, p.16, February 10-11, 1997
	126	Mathieson, K. (1991). "Predicting User Intentions: Comparing the Technology Acceptance Model with the Theory of Planned Behaviour," Information System Research, Vol. 3, No. 2, pp. 173--191.
	127	John McLean, The Specification and Modeling of Computer Security, Computer, v.23 n.1, p.9-16, January 1990 [doi>10.1109/2.48795]
	128	Kevin McLean, Information Security Awareness - Selling the Cause, Proceedings of the IFIP TC11, Eigth International Conference on Information Security: IT Security: The Need for International Cooperation, p.179-193, May 27-29, 1992
	129	Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
	130	Millen, J. (1999). "20 Years of Covert Channel Modeling and Analysis," Proceedings of the 1999 IEEE Symposium on Security and Privacy.
	131	Benjamin Miller, Vital signs of identity, IEEE Spectrum, v.31 n.2, p.22-30, Feb. 1994 [doi>10.1109/6.259484]
	132	Molva, R., Samfat, D., and Tsudik, G. (1994). "Authentication of Mobile Users," IEEE Network, Vol. 8, Is.2, pp. 26--34.
	133	Moulton, R. T. and Moulton, M. E. (1996). "Electronic Communications Risk Management: A Checklist for Business Managers," Computer & Security, Vol. 15, No. 5.
	134	Moskowitz, I. S. and Kang, M. H. (1994). "Covert Channels - Here to Stay?" Proceedings of the Ninth Annual Conference on Computer Assurance (COMPASS '94) Safety, Reliability, Fault Tolerance, Concurrency and Real Time, Security.
	135	Needham, R. M. (1989). "Authentication," in Anderson, T. (Ed.), Safe & Secure Computing Systems, Blackwell Scientific Publications, pp. 189--196.
	136	Niiniluoto, I. (1990). "Science and Epistemic Values," Science Studies, Vol. 3, No. 1, pp. 21--26.
	137	Notargiacomo, L. (1995). "Architectures for MLS Database Management Systems," in Abrams, M.D., Jajodia, S., and Podell, H.J. (Eds.), Information Security, An Integrated Collection of Essays, Los Alamitos, CA: IEEE Computer Society Press.
	138	Jay F. Nunamaker, Jr. , Minder Chen , Titus D. M. Purdin, Systems development in information systems research, Journal of Management Information Systems, v.7 n.3, p.89-106, Winter1990/91
	139	O'Sullivan, J. A., Moulin, P., and Ettinger, J. M. (1998). "Information Theoretic Analysis of Steganography," Proceedings of 1998 IEEE International Symposium on Information Theory.
	140	Donn B. Parker, Fighting computer crime: a new framework for protecting information, John Wiley & Sons, Inc., New York, NY, 1998
	141	John Podd , Julie Bunnell , Ron Henderson, Cost-Effective Computer Security: Cognitive and Associative Passwords, Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96), p.304, November 24-27, 1996
	142	Pernul, G. (1992). "Security Constraint Processing During Multilevel Secure Database Design," Proceedings of the 8th Annual Computer Security Applications Conference, IEEE Society Press.
	143	Pernul, G. (1994). "Database Security," Advances in Computers, Vol. 38, Yovits, M.C. (Ed.), Academic Press.
	144	Pernul, G. and Quirchmayr, G. (1994). "Organizing MLS Databases from a Data Modelling Point of View," Proceedings of the 10th Annual Computer Security Applications Conference, IEEE Society Press.
	145	Günther Pernul , A. Min Tjoa , Werner Winiwarter, Modelling data secrecy and integrity, Data & Knowledge Engineering, v.26 n.3, p.291-308, July 1998 [doi>10.1016/S0169-023X(97)00045-1]
	146	Pounder, C. (1997). "First Steps Towards a European Union Policy on the Securing of Electronic Communications," Computers & Security, Vol. 16, Is.7, pp. 590--594.
	147	Nicholas J. Puketza , Kui Zhang , Mandy Chung , Biswanath Mukherjee , Ronald A. Olsson, A Methodology for Testing Intrusion Detection Systems, IEEE Transactions on Software Engineering, v.22 n.10, p.719-729, October 1996 [doi>10.1109/32.544350]
	148	Rahnema, M. (1993). "Overview of the GSM System and Protocol Architecture," IEEE Communications Magazine, pp. 92--100.
	149	Michael K. Reiter , Aviel D. Rubin, Crowds: anonymity for Web transactions, ACM Transactions on Information and System Security (TISSEC), v.1 n.1, p.66-92, Nov. 1998 [doi>10.1145/290163.290168]
	150	Rieß, H. P. (1991). "Modeling Security in Distributed Systems," in Dittrich, K., Rautakivi, S., and Saari, J. (Eds.), Computer Security and Information Integrity, Elsevier Science Publishers.
	151	Aviel D. Rubin , Daniel E. Geer Jr., A Survey of Web Security, Computer, v.31 n.9, p.34-41, September 1998 [doi>10.1109/2.708448]
	152	P Y A Ryan , S A Schneider, Process Algebra and Non-interference, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, p.214, June 28-30, 1999
	153	A. W. Röhm , G. Pernul , G. Herrmann, Modeling Secure and Fair Electronic Commerce, Proceedings of the 14th Annual Computer Security Applications Conference, p.155, December 07-11, 1998
	154	Alexander W. Roehm , Gaby Herrmann , Guenther Pernul, A Language for Modeling Secure Business Transactions, Proceedings of the 15th Annual Computer Security Applications Conference, p.22, December 06-10, 1999
	155	Sanderson, E. and Forcht, K. (1996). "Information Security in Business Environments," Computers & Security, Vol. 15, Is.4, pp. 321--322.
	156	Ravi Sandhu , Venkata Bhamidipati , Edward Coyne , Srinivas Ganta , Charles Youman, The ARBAC97 model for role-based administration of roles: preliminary description and outline, Proceedings of the second ACM workshop on Role-based access control, p.41-50, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266752]
	157	Ravinderpal Singh Sandhu, The schematic protection model: its definition and analysis for acyclic attenuating schemes, Journal of the ACM (JACM), v.35 n.2, p.404-432, April 1988 [doi>10.1145/42282.42286]
	158	Ravi S. Sandhu, The Typed Access Matrix Model, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.122, May 04-06, 1992
	159	Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993 [doi>10.1109/2.241422]
	160	Ravi Sandhu , Pierangela Samarati, Authentication, access control, and audit, ACM Computing Surveys (CSUR), v.28 n.1, p.241-243, March 1996 [doi>10.1145/234313.234412]
	161	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	162	Sandhu, R. (1998). "Role-Based Access Control," Advances in Computers, Vol. 46, Academic Press.
	163	Gustavus J. Simmons, Symmetric and Asymmetric Encryption, ACM Computing Surveys (CSUR), v.11 n.4, p.305-330, Dec. 1979 [doi>10.1145/356789.356793]
	164	Simmons, G. J. (1988). "A Survey of Information Authentication," Invited Paper, Proceedings of the IEEE, Vol. 76, Is. 5, pp. 603--620.
	165	Siponen, M. T. (2000a). "A Conceptual Foundation for Organizational Information Security Awareness. Information Management & Computer Security, Vol. 8, Is.1, pp. 31--41.
	166	Mikko T. Siponen, On the Role of Human Morality in Information System Security: The Problems of Descriptivism and Non-descriptive Foundations, Proceedings of the IFIP TC11 Fifteenth Annual Working Conference on Information Security for Global Information Infrastructures, p.401-410, August 22-24, 2000
	167	Mikko T. Siponen, Policies for Construction of Information Systems' Security Guidelines: Five Approaches, Proceedings of the IFIP TC11 Fifteenth Annual Working Conference on Information Security for Global Information Infrastructures, p.111-120, August 22-24, 2000
	168	Smith, M. and Sherwood, J. (1995). "Business Continuity Planning," Computers & Security, Vol. 14, No. 1, pp. 14--23.
	169	Eugene H. Spafford, Computer viruses, Internet besieged: countering cyberspace scofflaws, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1997
	170	Spruit, M.E.M. (1998). "Competing Against Human Failing," 15th IFIP World Computer Congress. 'The Global Information Society on the Way to the Next Millennium'. SEC, TC11, Vienna.
	171	Spurling, P. (1995). "Promoting Security Awareness and Commitment," Information Management and Computer Security, Vol. 3 No. 2.
	172	SSE-CMM (1999a). "The Model," v2.0. http://www.sse-cmm.org.
	173	SSE-CMM (1999b). "The Appraisal Method," v2.0. http://www.sse-cmm.org.
	174	Stacey, T. R., Helsley, R. E., and Baston, J. V. (1996). "Identifying Information Security Threats," Information Systems Security, Vol. 5, No. 3, pp. 50--59.
	175	Stackpole, B. (1999). "An Introduction to IPSEC," in Krause, M., and Tipton, H.F. (Eds.), Handbook of Information Security Management, Auerbach, pp. 387--399.
	176	A. Sterbenz, An Evaluation of the Java Security Model, Proceedings of the 12th Annual Computer Security Applications Conference, p.2, December 09-13, 1996
	177	Sterne, D. F. (1991). "On the Buzzword 'Security Policy'," Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, Los Alamitos, CA: IEEE Society Press, pp. 219--230.
	178	Straub, D. W. (1990). "Effective IS Security: An Empirical Study," Information System Research, Vol. 1, No. 2, pp. 255--277.
	179	Detmar W. Straub , Richard J. Welke, Coping with systems risk: security planning models for management decision making, MIS Quarterly, v.22 n.4, p.441-469, Dec. 1998 [doi>10.2307/249551]
	180	Tarr, C. J. and Kinsman, P. (1996). "The Validity of Security Risk Assessment," Proceedings of 30th Annual International Carnahan Conference on Security Technology.
	181	Thomas, R. K. and Sandhu. R. S. (1994). "Conceptual Foundations for a Model of Task-based Authorizations," Proceedings of the 7th IEEE Computer Security Foundations Workshop, Franconia, NH.
	182	Thomson, M. E. and von Solms, R. (1998). "Information Security Awareness: Educating Our Users Effectively," Information Management & Computer Security, Vol. 6, No. 4, pp.167--173.
	183	Valia, R. and Al-Salqan, Y. (1997). Proceedings of the Sixth IEEE Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.
	184	Hartmut Vogler , Thomas Kunkelmann , Marie-Louise Moschgath, An Approach for Mobile Agent Security and Fault Tolerance using Distributed Transactions, Proceedings of the 1997 International Conference on Parallel and Distributed Systems, p.268-274, December 11-13, 1997
	185	George Voyatzis , Ionnis Pitas, Protecting Digital-Image Copyrights: A Framework, IEEE Computer Graphics and Applications, v.19 n.1, p.18-24, January 1999 [doi>10.1109/38.736465]
	186	Wack, J. P. and Carnahan, L. J. (1995). "Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls," NIST Special Publication 800-10.
	187	Jenny E. Walter, Security in unattended computing labs—safeguarding users as well as machines, Proceedings of the 21st annual ACM SIGUCCS conference on User services, p.267-271, November 1993, San Diego, California, United States [doi>10.1145/263814.263897]
	188	Thomas Y. C. Woo , Simon S. Lam, Authentication for Distributed Systems, Computer, v.25 n.1, p.39-52, January 1992 [doi>10.1109/2.108052]
	189	Wood, C., Summers, R.C., and Fernandez, E.B. (1979). "Authorization in Multilevel Database Models," Information Systems, Vol. 4, No. 2, pp. 155--163.
	190	Charles Cresson Wood , William W. Banks , Sergio B. Guarro , Abel A. Garcia , Viktor E. Hampel , Henry P. Sartorio, Computer security: a comprehensive controls checklist, Wiley-Interscience, New York, NY, 1987
	191	Wood, C. C. (1996). "A Policy for Sending Secret Information Over Communications Networks," Information Management & Computer Security, Vol. 4, No. 3.
	192	Boon-Lock Yeo , Minerva M. Yeung, Watermarking 3D Objects for Verification, IEEE Computer Graphics and Applications, v.19 n.1, p.36-45, January 1999 [doi>10.1109/38.736467]
	193	N. Yialelis , E. Lupu , M. Sloman, Role-based security for distributed object systems, Proceedings of the 5th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE'96), p.80, June 19-21, 1996
	194	Zeng, L., Wamg, H., Lee, M.K.O. (1997). "Multiple Intelligent Agent Supported Internet Security System: Issues, Current Solutions, and a Proposed Approach," Proceedings of the 1997 IEEE International Conference on Intelligent Processing Systems (ICIPS'97).
	195	Q. Zhong , N. Edwards, Security in the Large: Is Java's Sandbox Scalable?, Proceedings of the The 17th IEEE Symposium on Reliable Distributed Systems, p.387, October 20-23, 1998
	196	X. Nick Zhang, Secure Code Distribution, Computer, v.30 n.6, p.76-79, June 1997 [doi>10.1109/2.587552]
	197	M. Zviran , W. J. Haga, User authentication by cognitive passwords: an empirical assessment, Proceedings of the fifth Jerusalem conference on Information technology, p.137-144, September 1990, Jerusalem, Israel
	198	Zviran, M. and Haga, W. J. (1993). "A Comparison of Password Techniques for Multilevel Authentication Mechanisms," The Computer Journal, Vol. 36, No. 3, pp. 227--237.