Emerald | Information Management & Computer Security
http://www.emeraldinsight.com/0968-5227.htm
Table of contents from the most recently published issue of Information Management & Computer Security
2011 Emerald Group Publishing Limited

An advanced web attack detection and prevention tool
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=19&issue=5&articleid=17004025&show=abstract

Abstract

Purpose – The purpose of this paper is to introduce a new tool which detects, prevents and records common web attacks that mainly result in web applications information leaking using pattern recognition. It is a cross-platform application, namely, it is not OS-dependent or web server dependent. It offers a flexible attacks search engine, which scans http requests and responses during a webpage serving without affecting the web server performance.

Design/methodology/approach – The paper starts with a study of the most known web vulnerabilities and the way they can be exploited. Then, it focuses on those web attacks based on input validation, which are the ones the new tool detects through pattern recognition. This tool acts as a proxy server having a simple GUI for administration purposes. Patterns can be detected in both http requests and responses in an extensible and manageable way.

Findings – The new tool was compared to dotDefender, a commercial web application firewall, and ModSecurity, a widely used open source application firewall, using over 200 attack patterns. The new tool had satisfying results for every attack category examined having a high percentage of success. Results for stored XSS could not be achieved since the other tools are not able to search and detect them in http responses. The fact that the new tool is very extensible makes it possible for future work to be done.

Originality/value – This paper introduces a new web server plug-in, which has some advanced web application firewall features with a flexible attacks search engine which scans http requests and responses. By scanning http responses, attacks such as stored XSS can be detected, a feature that cannot be found on other web application firewalls.

Helen Kapodistria, Sarandis Mitropoulos, Christos Douligeris
2011-11-22

Leadership styles and information security in small businesses
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=19&issue=5&articleid=17004077&show=abstract

Abstract

Purpose – The objective of this study is to examine information security issues within small businesses and determine whether and to what degree any relationship exists between leadership styles and the level of concern for information security problems.

Design/methodology/approach – This paper presents an empirical study of 122 small business owners from the state of Hawaii with regards to their leadership styles and information security concerns.

Findings – The results of this study showed a significant correlation between transactional and transformational leadership styles and the level of concern towards information security problems within small businesses.

Practical implications – This research suggests that small business leaders need to demonstrate more than one leadership style to broaden their preparation against a range of information security issues and problems.

Originality/value – The findings may be applicable to small business leaders who proactively search for a cost-effective and optimal combination of leadership styles, technologies, and policies that will mitigate the evolving threats of cybercrime and information security problems.

Debasis Bhattacharya
2011-11-22

Quantifying information dynamics through a new valuation system
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=19&issue=5&articleid=17004010&show=abstract

Abstract

Purpose – The aim of this research is to demonstrate the importance of placing a valuation on information assets and to propose a new valuation technique that complements existing valuation methods and provides improved results. It seeks to answer the following research question: what are the attributes of information relevant to value and how can they be used to produce a valuation of the information?

Design/methodology/approach – Using a test bed, hosted on the college's intranet for 12 days, three important variables were calculated: accessibility, lifespan and outcome across five files. Calculating these three variables is essential to conducting an accurate valuation of the information asset.

Findings – The research demonstrates the relationships between these variables (accessibility, lifespan and outcome) as well as showing that they have a critical impact on the value of the information asset. The findings provide a strong rationale for the practitioner or researcher to adopt the model in real time situations. The correlation coefficients of our attributes are: 0.9996 for accessibility and lifespan; 0.9755 for accessibility and outcome and 0.9754 for lifespan and outcome.

Research limitations/implications – Due to the sensitive nature of some of the information held by the organization, the observations were somewhat limited. However, the model could be replicated with a collaborative arrangement between the organization and academia.

Practical implications – This paper aims to provide a new model for risk management that can be used effectively to conduct a valuation of information assets.
The approach will help the organization to better quantify their information assets and will prove to be a useful tool for the next generation of Information security managers.

Originality/value – This paper determines the valuation of information assets based on three variables: accessibility, lifespan and outcome. These variables have been identified from the extensive literature review in the area of intangible assets.

Abhishek Vaish, Aditya Prabhakar, Himanshu Mishra, Nupur Dayal, Shishir Kumar Singh, Utkarsh Goel, Natalie Coull
2011-11-22

Design of secure and trustworthy mobile agent-based e-marketplace system
http://www.emeraldinsight.com/journals.htm?issn=0968-5227&volume=19&issue=5&articleid=17004009&show=abstract

Abstract

Purpose – Mobile agent-based e-marketplace is one type of business application that has been developed as a flexible and efficient approach to help companies or corporations to extend their businesses to outreach larger markets without regional and continental boundaries. However, every distributed system is unable to avoid the security problems due to the open internet environment. Mobile agent-based e-marketplaces are no exception. Thus, the security of mobile agents is a crucial factor in the design of mobile agent-based e-marketplaces. To overcome this kind of problem, the purpose of this paper is to design and implement a framework and system of secure and trustworthy mobile agent based e-marketplace.

Design/methodology/approach – This paper presents the system design for the system implementation based on the designed framework. It includes three major aspects: the design issues, system design and development environment and tools for system implementation. The system architecture, use case diagram and use case specifications are presented in the system design section.

Findings – The system design is an essential step that is required before a prototype system is implemented. The system is designed based on the described and outlined requirements and evaluation criteria, therefore, to support a secure and trustworthy trading environment. The paper is concluded by discussing and highlighting further research work.

Originality/value – This paper presents the system design for implementing a secure and trustworthy mobile agent-based e-marketplace system by using the latest version of UML modeling tool and techniques.

Ahmed Patel, Wei Qi, Mona Taghavi
2011-11-22