Bertino, E., & Takahashi, K. (2011). Identity management: Concepts, technology, and systems. Boston, MA: Artech House. [Full text e-book available in the Books 24x7 database.]
Providing a comprehensive overview of current trends and future directions in identity management, this practical resource offers an in-depth understanding of how to design, deploy and assess identity management solutions.
Rakes, T. R., Deane, J. K., & Rees, L. R. (2012). IT security planning under uncertainty for high-impact events. Omega, 40(1), 79-88. doi:10.1016/j.omega.2011.03.008 [Full text available in the ScienceDirect database.]
While many IT security incidents result in relatively minor operational disruptions or minimal recovery costs, occasionally high-impact security breaches can have catastrophic effects on the firm. Unfortunately, measuring security risk and planning for countermeasures or mitigation is a difficult task. Past research has suggested risk metrics which may be beneficial in understanding and planning for security incidents, but most of these metrics are aimed at identifying expected overall loss and do not directly address the identification of, or planning for, sparse events which might result in high-impact loss. The use of an upper percentile value or some other worst-case measure has been widely discussed in the literature as a means of stochastic optimization, but has not been applied to this decision domain. A key requirement in security planning for any threat scenario, expected or otherwise, is the ability to choose countermeasures optimally with regard to tradeoffs between countermeasure cost and remaining risk. Most of the planning models in the literature are qualitative, and none that we are aware of allow for the optimal determination of these tradeoffs. Therefore, we develop a model for optimally choosing countermeasures to block or mitigate security attacks in the presence of a given threat level profile. We utilize this model to examine scenarios under both expected threat levels and worst-case levels, and develop budget-dependent risk curves. These curves demonstrate the tradeoffs which occur if decision makers divert budgets away from planning for ordinary risk in an effort to mitigate the effects of potential high-impact outcomes.
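To make the kind of model the abstract describes concrete, the following Python script is an added, illustrative example and not the authors' formulation: it picks countermeasures under a budget once to minimise expected loss and once to minimise a worst-case measure (the 95th percentile of annual loss), and traces both as budget-dependent risk curves. All threats, countermeasures, costs, probabilities and loss figures are constructed for the example.

```python
"""Budget-constrained countermeasure selection: expected loss vs. an
upper-percentile (worst-case) objective.  Illustrative example; the data
below is constructed and is not taken from Rakes, Deane & Rees (2012)."""
from itertools import combinations, product

PERCENTILE = 0.95  # worst-case measure: 95th percentile of annual loss

# Constructed threat scenarios: annual probability and loss if realised
# (thousands).  "breach" is the sparse, high-impact event.
THREATS = {
    "phishing": {"p": 0.60, "loss": 50},
    "malware":  {"p": 0.40, "loss": 120},
    "insider":  {"p": 0.10, "loss": 400},
    "breach":   {"p": 0.02, "loss": 5000},
}

# Constructed countermeasures: cost and the fraction by which each one
# reduces the probability of the threats it addresses.
COUNTERMEASURES = {
    "awareness_training": {"cost": 20,  "mitigates": {"phishing": 0.5, "insider": 0.2}},
    "edr":                {"cost": 60,  "mitigates": {"malware": 0.7, "breach": 0.3}},
    "dlp":                {"cost": 80,  "mitigates": {"insider": 0.6, "breach": 0.4}},
    "segmentation":       {"cost": 120, "mitigates": {"breach": 0.7, "malware": 0.2}},
}


def residual_probabilities(selected):
    """Threat probabilities after the selected countermeasures; reductions
    are modelled as independent multiplicative factors (an assumption)."""
    probs = {}
    for name, t in THREATS.items():
        p = t["p"]
        for cm in selected:
            p *= 1.0 - COUNTERMEASURES[cm]["mitigates"].get(name, 0.0)
        probs[name] = p
    return probs


def expected_loss(selected):
    """Expected annual loss under a countermeasure set (the usual metric)."""
    probs = residual_probabilities(selected)
    return sum(probs[n] * THREATS[n]["loss"] for n in THREATS)


def loss_distribution(selected):
    """Exact distribution of total annual loss, enumerating which threats occur."""
    probs = residual_probabilities(selected)
    names = list(THREATS)
    dist = {}
    for occurs in product([False, True], repeat=len(names)):
        prob, loss = 1.0, 0
        for n, o in zip(names, occurs):
            prob *= probs[n] if o else 1.0 - probs[n]
            loss += THREATS[n]["loss"] if o else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def percentile_loss(selected, q=PERCENTILE):
    """Smallest loss L with P(total loss <= L) >= q: the worst-case measure."""
    dist = loss_distribution(selected)
    cum = 0.0
    for loss in sorted(dist):
        cum += dist[loss]
        if cum >= q - 1e-12:
            return loss
    return max(dist)


def total_cost(selected):
    return sum(COUNTERMEASURES[cm]["cost"] for cm in selected)


def best_plan(budget, objective):
    """Exhaustively choose the subset within budget that minimises `objective`.
    Returns (objective value, tuple of countermeasure names)."""
    best = None
    names = list(COUNTERMEASURES)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            if total_cost(subset) > budget:
                continue
            value = objective(subset)
            if best is None or value < best[0]:
                best = (value, subset)
    return best


def risk_curve(budgets, objective):
    """Budget-dependent risk curve: minimal achievable objective per budget."""
    return {b: best_plan(b, objective)[0] for b in budgets}


def tradeoff(budget):
    """At one budget, compare the expected-loss-optimal plan with the
    worst-case-optimal plan, reporting both metrics for each."""
    exp_val, exp_plan = best_plan(budget, expected_loss)
    wc_val, wc_plan = best_plan(budget, percentile_loss)
    return {
        "expected_optimal":  {"plan": exp_plan, "expected": exp_val,
                              "percentile": percentile_loss(exp_plan)},
        "worstcase_optimal": {"plan": wc_plan, "expected": expected_loss(wc_plan),
                              "percentile": wc_val},
    }


if __name__ == "__main__":
    budgets = [0, 50, 100, 150, 200, 280]
    print("expected-loss curve :", risk_curve(budgets, expected_loss))
    print("95th-percentile curve:", risk_curve(budgets, percentile_loss))
    print("tradeoff at budget 100:", tradeoff(100))
```

At a budget of 100 the two objectives pick different plans: minimising expected loss favours endpoint detection, while minimising the 95th-percentile loss diverts that money to DLP, accepting a slightly higher expected loss for a much lower worst-case figure. That is the budget-diversion tradeoff the abstract refers to, reproduced on constructed numbers.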
Salem, M. B., & Stolfo, S. J. (2011). On the design and execution of cyber-security user studies: Lessons learned. Paper presented at the Fourth Workshop on Cyber Security Experimentation and Test, San Francisco, CA. Retrieved from http://www.usenix.org/events/cset11/tech/final_files/Salem.pdf
Real-world data collection poses an important challenge in the security field. Insider and masquerader attack data collection poses an even greater challenge. Very few organizations acknowledge such breaches because of liability concerns and potential implications for their market value. This has caused a scarcity of real-world data sets that could be used to study insider and masquerader attacks. Moreover, user studies conducted to collect such data lack rigor in their design and execution. In this paper, we present the methodology followed to conduct a user study and build a data set for evaluating masquerade attack detection techniques. We discuss the design, technical, and procedural challenges encountered during our own masquerade data gathering project, and share some of the lessons learned from this several-year project.