Information Security and Privacy Research Group

Current Research Projects

A Security Risk model for Food Security

Professor Matthew Warren

Modern societies are dependent upon complex supply chains to fulfil their day-to-day living needs. Of particular importance is the issue of food security within Supply Chain Systems. Any disruption to food supply would impact large populations with potentially catastrophic results. The project will focus upon developing an approach that would allow for the mapping of complex supply chains, identifying potential security risks and threats and looking at ways of protecting against those security risks.

Baseline Approaches to Security Analysis

Professor Matthew Warren

There are a number of Security Risk Analysis approaches and methods. One type of approach relates to baseline security, that is, a minimal level of protection that is needed to protect a system. The issue is that the security protection offered could be suboptimal or excessive. Many of the issues relate to the security situations and environments (e.g. small business security compared to corporate situations). The project will focus upon developing a tool for analysing the key baseline approaches and developing a way of harmonizing the security protection to ensure that adequate security protection is offered for the correct security environment.

A model for Human Security Protection

Professor Matthew Warren

In recent years the security threats that face an organisation have been focussed upon technology. But recent breaches in security have been linked to failures in the human aspects of security, e.g. users becoming a security threat by their actions, whether intentionally or unintentionally, by installing malicious code, or users being victims of social engineering attacks. The project will analyse the potential security attack methods and user behaviour models to determine a security model that will allow organisations to determine their potential risk and explore ways of protection.

The security of personal information and the impact of social contact via social networking sites

Dr Shona Leitch and Professor Matthew Warren

The project will examine the personal data and the security of data on social networking sites. Facebook is an ever-evolving and developing social networking tool, which is not only being used to disseminate information to family, friends and colleagues but also as a way of meeting and interacting with "strangers" through the advent of a large number of social applications. Social networking, as well as being a way for isolated people to interact, has also been shown to have a huge social and personal impact on some users (e.g. harassment via a social networking site resulted in a teenager's suicide). The personal information (not just factual data), including the thoughts and feelings of individuals, can be used by others through social applications to cause emotional and psychological distress to others. The level of security for all this personal information on Facebook will be examined, as well as the possible threats and issues that could impact its users.

Evaluating information security within the Australian health care industry: a new method

Warren Brooks

Numerous information systems security design methods have been developed to provide analysts and designers with a means of evaluating security. Due to the high importance of each information state (i.e. availability, confidentiality, integrity, non-repudiation and privacy) within a health care environment, these design methods lack the necessary considerations for technical, human and organisational factors associated with health information. Therefore, this research project aims to develop an information security evaluation methodology to improve the analysis of security countermeasures, provide assistance in establishing an appropriate level of security, and aid health organisations wishing to certify against an information security management standard.

Establishing an E-security Culture in Australian SMEs

Sneza Dojkovski

SMEs have different e-security requirements from larger organisations and, as a result of increasing use of the Internet to conduct business activities, they are exposed to a growing number and a wider variety of threats and vulnerabilities. They should be aware of the relevant security risks and preventive measures, assume responsibility and take steps to enhance the e-security of their systems. The approach and behaviour that employees and management take towards e-security must be acceptable and needs to be part of everyday life in an SME as it becomes part of the SME's culture. This has highlighted the concerns about security issues surrounding the e-business environment within an SME, and the significance of developing and improving e-security through the creation of a framework that will promote greater awareness and understanding of security issues and training, and develop a culture of security in SMEs. E-security culture can thus be defined as the assumption about which type of e-security behaviour is accepted and encouraged in order to incorporate security characteristics as the way in which things are done in an organisation. The framework will incorporate the approach that employees and management take towards e-security, the behaviour of people in the working environment and hence organisational behaviour, as well as other issues concerning e-security culture that need to be addressed.

Implication of Public Key Infrastructure on the Internet and consideration of social aspects and technical factors

Ana Jancic

The major problem of communication over the Internet is that people cannot immediately authenticate each other's identity. However, for more important communications between parties, especially for e-commerce and online banking, mutual trust is very important. PKI has been invented to provide security of stored electronic data and of transmission over the Internet. It is the combination of hardware, software, and people policies with the aim of managing digital certificates. It also uses encryption techniques to satisfy basic factors of information security. This research will try to analyse weaknesses of PKI that arise from technical, social and business perspectives. Australia as a country does not have a large enough population, unlike the USA or the European Union, and this tool has not yet been developed and applied enough. The aim of the research is to analyse current PKI in Australia and worldwide, and to find the most optimal and efficient solutions.

Graphical Authentication

Justin Pierce

Traditional authentication techniques such as passwords and PINs possess several encumbrances, not the least of which is the difficulty people have in remembering them. Users often counteract this problem by choosing passwords that have some inherent meaning to them (e.g. their child's first name is a popular choice). However, such a personally meaningful password is easier to guess or 'crack' [sic] by nefarious impostors. The application of biometrics can assist in alleviating the user's memory problem by measuring a uniquely identifiable characteristic of a user's physiology or behaviour. However, biometrics does have limitations that inhibit its widespread adoption, for example the cost of implementing and operating such authentication as well as issues related to individual privacy. The objective of this research is to develop a compromise solution between passwords and biometric authentication to offer an alternative authentication technique that is user-friendly and delivers increased security. Therefore, graphical authentication offers the user an opportunity to visually recognize information, rather than having to recall it: an ability that users are more receptive to.

The emergence of IT security governance issues, the concerns and implications for business enterprises

Graeme Pye

Corporate or enterprise governance focuses on the obligations and practices applied to delivering strategic direction, ensuring business goals are met, assessing and managing risk factors, and ensuring that an enterprise's resources are used judiciously. In this high-level context, governance is about managing the business organisation and administering the optimal utilisation of its resources. If we accept that IT security governance is a subset of corporate or enterprise governance, then this research can be extended to address the issues and implications to business of security responsibilities such as: information asset management; reporting and practices; strategies and objectives of IT security; risk assessment; security resource management; compliance with legislation, standards, regulations, policies and business rules. This research will undertake to establish the maintenance of a controlled environment to manage an organisation's IT security relating to confidentiality, integrity and availability of the supporting security processes and systems that accedes to the appropriate governance of IT security.

Deakin University acknowledges the traditional land owners of present campus sites.

5th September 2011