A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FEATURES

Angel R. Otero 1, Carlos E. Otero 2 and Abrar Qureshi 2
1 Graduate School of Computer and Information Sciences, Nova Southeastern University, Fort Lauderdale, FL, USA
ao269@nova.edu
2 Department of Mathematics & Computer Science, University of Virginia's College at Wise, Wise, VA, USA
cotero@mcs.uvawise.edu; aqureshi@uvawise.edu

ABSTRACT
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. Organizations must therefore find ways to make sure that the appropriate and most effective information security controls are implemented in order to protect their critical or most sensitive classified information. Existing information security control selection methods have been employed in the past, including risk analysis and management, baseline manuals, or random approaches. However, these methods do not take into consideration organization-specific constraints such as costs of implementation, scheduling, and availability of resources when determining the best set of controls. In addition, these existing methods may not ensure the inclusion of required/necessary controls or the exclusion of unnecessary controls. This paper proposes a novel approach for evaluating information security controls to help decision-makers select the most effective ones in resource-constrained environments. The proposed approach uses Desirability Functions to quantify the desirability of each information security control, taking into account benefits and penalties (restrictions) associated with implementing the control. This provides Management with a measurement that is representative of the overall quality of each information security control based on organizational goals. Through a case study, the approach is proven successful in providing a way for measuring the quality of information security controls (based on multiple application-specific criteria) for specific organizations.

KEYWORDS
Information security; information security controls; risk analysis and management; baseline manuals; best practice frameworks; desirability functions

1. INTRODUCTION
For organizations, the protection of information is of utmost importance. Throughout the years, organizations have experienced numerous system losses which have had a direct impact on their most valuable asset, information. According to [1], losses related to information security will continue to happen and their effect will be devastating to organizations. In 2006, the CSI/FBI Computer Crime and Security Survey stated that total losses in the United States attributable to computer security breaches reached $52,494,290. Further, eight former employees of Bank of America, Wachovia, and other major banks were arrested for illegally stealing and selling account information of approximately 500,000 customers [2]. These alarming figures point to an inadequacy in today's information security practices and serve as motivation for finding new ways to help organizations improve their capabilities for securing valuable information.

DOI : 10.5121/nsa.2010.2401
In today's organizational culture, most information security challenges are addressed through the use of security tools and technologies, such as encryption, firewalls, access management, etc. [3], [4]. Although tools and technologies are an integral part of organizations' information security plans [5], [6], it is argued that they alone are not sufficient to address information security problems [7]. To improve overall information security, organizations must evaluate (and thus implement) appropriate information security controls (ISC) that satisfy their specific security requirements [8], [9], [10]. However, due to a variety of organization-specific constraints (e.g., cost, schedule, resource availability), organizations do not have the luxury of selecting and implementing all required ISC. Therefore, the selection, adoption, and implementation of ISC within organizations' business constraints becomes a non-trivial task. This paper proposes a novel approach for evaluating and identifying the most appropriate ISC based on organization-specific criteria. The proposed approach uses Desirability Functions to quantify the desirability of each ISC, taking into account benefits and penalties (restrictions) associated with implementing the ISC. This provides Management with a measurement that is representative of the overall quality of each ISC based on organizational goals. The derived quality measurement can be used as the main metric for selecting ISC.

The remainder of the paper is organized as follows. Section 2 provides a summary of previous work on ISC selection. Section 3 briefly describes the proposed solution approach. Section 4 provides detailed explanations of the Desirability Functions technique. Section 5 presents the results of a case study. Lastly, Section 6 provides summarized conclusions and highlights of the proposed approach.

2. BACKGROUND WORK
Various reasons have been put forth to explain the lack of effectiveness in the evaluation, selection, and implementation process of ISC. Based on [11], the implementation of ISC in organizations may constitute a barrier to progress. For instance, participants from the ICIS 1993 conference panel indicated that the implementation of ISC may slow down production, thereby rendering employees' work ineffective [12]. Employees may view ISC as interrupting their day-to-day tasks [13] and may, therefore, tend to ignore implementing them in order to be effective and efficient with their daily job tasks. According to [14], organizations are required to identify and implement appropriate controls to ensure adequate information security. In [15], the authors place emphasis on the fact that different organizations have different security needs, and thus different security requirements and objectives. In addition, [16] stress that there is no single information security solution that can fit all organizations. As a result, ISC must be carefully selected to fit the specific needs of the organization. Identification and implementation of the most effective ISC is a major step towards providing an adequate level of security in organizations [8].

2.1. Previous Approaches in the Selection of ISC in Organizations
Based on [8], the process of identifying (and selecting) the most effective ISC in organizations has been a challenge in the past, and plenty of attempts have been made to come up with the most effective way possible. Risk analysis and management (RAM) is just one example. RAM has been recognized in the literature as an effective approach to identify ISC [8]. RAM consists of performing business analyses as well as risk assessments, resulting in the identification of information security requirements [8]. RAM would then list the information security requirements as well as the proposed ISC to be implemented to mitigate the risks resulting from the analyses and assessments performed. RAM, however, has been described as a subjective, bottom-up approach [17], not taking into account organizations' specific constraints.
For example, through performing RAM, organizations may identify 50 information security risks. Nonetheless, Management may not be able to select and implement all necessary ISC to address the previously identified 50 risks due to cost and scheduling constraints. Moreover, there may not be enough resources within the organization to implement these ISC. In this case, Management should list all those risks identified and determine how critical each individual risk is to the organization, while considering cost versus benefit analyses. Management must, therefore, explore new ways to determine/measure the relevance of these ISC considering the constraints just presented.

Baseline manuals or best practice frameworks are another approach widely used by organizations to introduce minimum security controls [8]. Per [14], best practice frameworks assist organizations in identifying appropriate ISC. Some best practices include: Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). Additionally, [9] have mentioned other best practice frameworks which have assisted in the identification and selection of ISC. These are: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 177995 and ISO/IEC 27001, PROTECT, Capability Maturity Model (CMM), and Information Security Architecture (ISA). The process of selecting the most effective ISC from these best practice frameworks can be challenging [17]. According to [17], best practice frameworks leave the choosing of controls to the user, while offering little guidance in terms of determining the best controls to provide adequate security for the particular business situation. Additionally, frameworks do not take into consideration organization-specific constraints, such as costs of implementation, scheduling, and resource constraints. Other less formal methods used in the past, such as ad hoc or random approaches, could lead to the inclusion of unnecessary controls and/or exclusion of required/necessary controls [8].

Identifying and selecting ISC based on the above may result in organizations not being able to protect the overall confidentiality, integrity, and availability of their information [14]. In order to increase the effectiveness of the selection and prioritization process for ISC, new methods need to be developed that save time while considering major factors (e.g., constraints, restrictions, etc.) that undoubtedly affect the selection of ISC. From the reviewed literature, it is evident that the selection of ISC is mostly driven by cost, scheduling, and resource availability. In other words, ISC at organizations will be selected by Management when the benefits of implementing them surpass the costs of establishing the control. Equally important, scheduling issues may affect whether ISC should be selected. Implementation of ISC may require specific schedule times, not necessarily planned by the organization. Finally, availability of personnel often determines whether ISC can be selected or not. Effective information system security implementation requires the identification and adoption of the most appropriate and effective set of ISC [17], taking into account the issues presented above.

3. SOLUTION APPROACH
To properly evaluate the quality, importance, and priority of ISC in organizations, Management must follow a methodology that takes into consideration the quality attributes of the ISC that are considered relevant. The methodology must provide capabilities to determine the relative importance of each identified quality attribute. This would allow the methodology to provide an ISC selection/prioritization scheme that represents how well these ISC meet quality attributes and how important those quality attributes are for the specific organization. To achieve this, the methodology created in [18] is modified and customized to solve the problem of prioritizing ISC in organizations. First, a set of quality attributes are identified as evaluation criteria for all possible ISC.
These attributes are defined in terms of different features, where each feature is determined to be either present or not. Once all features are identified, each individual ISC is evaluated against each feature using a simple binary (boolean) scale (i.e., 0 or 1). ISC that satisfy the highest number of features would expose a higher level of quality (or priority) for that particular quality attribute. Once all ISC are evaluated and measurements computed for all features, the proposed approach uses Desirability Functions to fuse all measurements into one unified value that is representative of the overall quality of the ISC. This unified value is computed by using a set of Desirability Functions that take into consideration the priority of each quality attribute. Therefore, the resulting priority of each ISC is derived based on Management's goals and the organization's specific needs. This results in an ISC evaluation/prioritization approach based on how well ISC meet quality attributes and how important those quality attributes are for the organization.

4. DESIRABILITY FUNCTIONS
Desirability Functions are a popular approach for simultaneous optimization of multiple responses [19], [20]. They have been used extensively in the literature for process optimization in industrial settings, where finding a set of operating conditions that optimizes all responses for a particular system is desired [18], [21]. Through Desirability Functions, each system response y_i is converted into an individual function d_i that varies over the range 0 ≤ d_i ≤ 1, where d_i = 1 when a goal is met, and d_i = 0 otherwise [20]. Once each response is transformed, the levels of each factor are typically chosen to maximize the overall desirability, which is represented as the geometric mean of all m transformed responses [19]. Alternatively, when factors are uncontrollable, the overall desirability value can be used to characterize the system based on the multiple selected criteria. Similar to the characterization of industrial processes, the evaluation of the quality and prioritization of each ISC in organizations can be approached by finding the set of criteria that provides the optimal benefit versus cost value for a particular organization.
When formulated this way, Desirability Functions can be used to provide a unified measurement that characterizes the quality of ISC based on a set of predefined evaluation criteria. Once the desirability of all ISC is computed, Management can use this information to determine the relative priority of ISC and select the best ones simply by choosing the most desirable ones for a particular organization.

4.1. Computing Desirability
The first step in the Desirability Functions approach involves identifying all possible ISC that could be implemented in an organization. These ISC can be obtained from the best practice frameworks listed in Section 2. For instance, the ISO/IEC 177995 standard has over 127 ISC available according to the organization's specific needs [14]. Once selected, the results of these ISC are captured in the ISC vector, as presented in (1).

$$ X = \begin{bmatrix} n_1 \\ n_2 \\ \vdots \\ n_n \end{bmatrix} \qquad (1) $$

Once the ISC vector is identified, each ISC can be evaluated against a set of quality attributes QA_1, QA_2, ..., QA_n. The evaluation process takes place as follows. First, each quality attribute is defined in terms of m features, where m > 1. The evaluation scale for each feature is binary; that is, the feature is evaluated as being present/true (i.e., 1) or missing/false (i.e., 0). For example, ISC can be prioritized based on their Scope. In other words, ISC that provide security of information in many systems have a higher priority than ISC that address security of information in a minimal number of systems. In this case, the quality attribute Scope can be defined with the following features: System 1, System 2, ..., System n. Therefore, the highest priority ISC (based on the Scope quality attribute) would be one where System 1 = 1, System 2 = 1, and System n = 1. Similarly, the lowest priority ISC based on the Scope quality attribute is one where System 1 = 0, System 2 = 0, and System n = 0. For quality attributes where the presence of features affects the security of information negatively (e.g., restrictions, penalties), the reverse is true. In these cases, ISC with all features present (i.e., 1) result in lower priority and ISC with all features missing (i.e., 0) result in higher priority. With this framework in place, a measurement of the importance of the j-th ISC based on the i-th quality attribute (e.g., Scope) can be computed using (2),

$$ x_{ij} = \frac{100}{m} \sum_{k=1}^{m} f_k \qquad (2) $$

where m is the number of features identified for the i-th quality attribute and f_k ∈ {0, 1} is the binary evaluation of the k-th feature. This computation normalizes the evaluation criteria to a scale of 0 to 100, where 0 represents the lowest score and 100 the highest (or the reverse for restrictions or penalties). The overall assessment of the ISC set based on all quality attributes is captured using the quality assessment matrix Q presented in (3). As seen, each value of the matrix represents the score of the j-th ISC based on each individual i-th quality attribute. It is important to point out that the quality assessment matrix can be extended to evaluate ISC based on any quality attributes containing numerous features.

$$ Q = \begin{array}{c} QA_1 \\ QA_2 \\ \vdots \\ QA_m \end{array} \begin{bmatrix} x_{11} & x_{12} & \cdots & x_{1n} \\ x_{21} & x_{22} & \cdots & x_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ x_{m1} & x_{m2} & \cdots & x_{mn} \end{bmatrix} \qquad (3) $$

Finally, to assess the importance of each quality attribute, a weight vector W is created where r_i represents the importance of the QA_i quality attribute using the scale 0 to 10, where 0 represents lowest importance and 10 represents highest importance. The weight vector W is presented in (4).

$$ W = \begin{bmatrix} r_1 \\ r_2 \\ \vdots \\ r_m \end{bmatrix} \qquad (4) $$

Once the information from X, Q, and W is collected, desirability values for each ISC can be computed using the desirability matrix presented in (5). As seen, each value of the matrix represents the desirability of the j-th ISC based on each individual i-th quality attribute.

$$ d = \begin{bmatrix} d_{11} & d_{12} & \cdots & d_{1n} \\ d_{21} & d_{22} & \cdots & d_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ d_{m1} & d_{m2} & \cdots & d_{mn} \end{bmatrix} \qquad (5) $$

Each individual desirability value for the ISC is computed according to Management based on the organization's specific needs and goals. For example, quality attributes that are represented positively by a higher value are transformed using the maximization function in (6) [20]. Alternatively, quality attributes that are represented negatively by a higher value are transformed using the minimization function in (7) [20],

$$ d_i = \begin{cases} 0 & x < L \\ \left( \dfrac{x - L}{T - L} \right)^{r_i} & L \le x \le T \\ 1 & x > T \end{cases} \qquad (6) $$

$$ d_i = \begin{cases} 1 & x < T \\ \left( \dfrac{U - x}{U - T} \right)^{r_i} & T \le x \le U \\ 0 & x > U \end{cases} \qquad (7) $$

where L and U are the lower and upper limits, T is the target objective (e.g., 100 for maximization, 0 for minimization), and r_i is the desirability weight for the i-th quality attribute. It is important to note that (6) and (7) are the normal equations for the Desirability Function approach. However, through experimentation, it was found that the approach for ISC selection and prioritization performed better when d > 0. Therefore, as a heuristic, when d is less than 0.0001, the value is set to 0.0001. A desirability weight of r = 1 results in a linear Desirability Function; however, when r > 1, curvature is exposed by the Desirability Function to emphasize being close to the target objective (T). When 0 < r < 1, being close to the target objective is less important. Once individual desirability values for each quality attribute are computed, the overall ISC desirability value can be computed using (8).

$$ D = \begin{bmatrix} \left( \prod_{i=1}^{m} d_{i1} \right)^{1/m} \\ \left( \prod_{i=1}^{m} d_{i2} \right)^{1/m} \\ \vdots \\ \left( \prod_{i=1}^{m} d_{in} \right)^{1/m} \end{bmatrix} \qquad (8) $$

As seen, each overall desirability value is computed as the geometric mean of all m individual desirability values (here m is the number of quality attributes) for ISC 1, 2, ..., n. After the overall desirability value is computed for all ISC, Management can use this value as a priority measurement derived from the predefined quality attributes and their relative importance for the particular organization.

5. CASE STUDY
This section presents the results of an ISC evaluation/prioritization case study using the proposed approach. The case study evaluates 10 ISC based on the following identified quality attributes, some of which have been defined within the ISO/IEC 177995 standard [9].

Restrictions - there are restrictions that Management must take into account before selecting and implementing ISC. These may include whether the costs involved in the selection and implementation of ISC are high, whether resources are not available, and whether there are scheduling constraints associated with implementing the ISC. The presence of any of the above will negatively affect the specific quality attribute. That is, ISC with all features present will result in a lower priority; conversely, ISC with all
features missing will result in a higher priority. A high priority scenario will be one where the implementation cost of the specific ISC is considered adequate and/or manageable (e.g., within budget), resources are available to implement the particular ISC, and there are no restrictions in terms of scheduling the ISC (i.e., the ISC can be scheduled anytime during the year). Restrictions is defined as: Costs (C), Availability of Resources (AoR), and Scheduling (T).

Scope - This quality attribute assesses the impact of the ISC on the organization. ISC that provide security of information in many systems have a higher priority than ISC that address security of information in a minimal number of systems. Scope is defined as: System 1 (S1), System 2 (S2), ..., System n (Sn).

Organization's Objectives - the number of information security objectives the ISC satisfies. The higher the number of objectives the ISC satisfies, the higher the desirability of the ISC. Organization's objectives is defined with the following features: Objective 1 (O1), Objective 2 (O2), ..., Objective n (On).

Physical Access - ISC will prevent and/or record unauthorized access to the organization's building facilities, including computer rooms where information processing takes place, the finance/accounting department, human resources department, etc. The higher the number of physical locations addressed by the ISC, the higher the desirability of the ISC. Physical access is defined as: Location 1 (L1), Location 2 (L2), ..., Location n (Ln).

Access Controls - implementation of an ISC for this quality attribute will promote appropriate levels of access controls to ensure protection of the organization's systems/applications against unauthorized activities. Organizations may implement network access controls (N), operating systems access controls (O), and application controls (A) based on their specific needs.

Human Resources - implementation of an ISC supports reductions of the risk of theft, fraud, or misuse of computer resources by promoting information security awareness (Aw), training (Tn), and education of employees (Ed) [22]. Depending on the particular situation, costs involved, and availability of personnel, organizations may select which of these to employ.

Communications and Operations Management - ISC will ensure the correct and secure operation of information processing facilities, which includes addressing adequate segregation of duties (SoD), change management (CM), and network security (NS). Organizations may select ISC to address all of these or just some depending on their particular needs.

Systems Acquisition, Development, and Maintenance - ISC will support security related to the organization's in-house and/or off-the-shelf systems or applications (e.g., ensuring personnel with authorized access can move changes into production environments, etc.). The higher the number of systems or applications addressed by the ISC, the higher the desirability of the ISC. Systems Acquisition, Development, and Maintenance is defined as: Systems or Applications 1 (SoA1), Systems or Applications 2 (SoA2), ..., and Systems or Applications n (SoAn).

Incident Management - ensures that security-related incidents (e.g., attempts to change/manipulate financial data, etc.) identified within the organization's processing of information are communicated in a timely manner and that corrective action is taken for any exceptions identified. Incident management may apply to online processing and/or batch processing. Incident Management is defined as Processing 1 (P1), Processing 2 (P2), ..., and Processing n (Pn).

Using synthetic data for the identified quality attributes, a binary input evaluation (Table 1), and Desirability Functions parameters (Table 2), results were generated from the Desirability Functions and presented in Table 3. As seen in Table 2, all lower and upper boundaries are set to 0 and 100, respectively. Also, all quality attributes have been identified as having equal priority. This is accomplished by setting the weight r = 1 for all quality attributes. Finally, different target values have been identified for each quality attribute. This means that the threshold for achieving 100% desirability is customized for each quality attribute. For example, quality attributes where T = 70 are considered 100% desirable if they exhibit 70% (or more) of the features that define them.

Table 1. Binary Input Evaluation.
Table 2. Desirability Functions Parameters.
Table 3. Desirability Functions Results.
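As an added worked example (not code or data from the paper or its authors), the following Python implements equations (2) and (6) through (8) of Section 4.1 and runs them on a constructed binary input in the shape of Tables 1 and 2: L = 0, U = 100 and r = 1 for every attribute, with a target T chosen per attribute as the case study describes. The ISC names, the four attributes used, their feature counts, the target values and the 0/1 flags are all assumptions; Restrictions is treated as a penalty attribute through the minimization function (7), the other attributes through the maximization function (6), and the paper's 0.0001 floor is applied before the geometric mean.

```python
"""Desirability-function scoring of information security controls (ISC).

Added worked example, not the paper's own code or data. Implements eq. (2),
(6), (7) and (8) and applies them to a constructed evaluation shaped like
Tables 1 and 2. All parameter values and flags below are assumptions.
"""
from math import prod

# Paper's heuristic: a d below .0001 is raised to .0001 so that one zero
# cannot wipe out the geometric mean in eq. (8).
EPS = 1e-4


def feature_score(features):
    """Eq. (2): share of present boolean features, normalized to 0..100."""
    if not features:
        raise ValueError("a quality attribute needs at least one feature")
    return 100.0 * sum(1 for f in features if f) / len(features)


def desirability_max(x, L, U, T, r):
    """Eq. (6): larger-is-better transform; reaches 1.0 once x meets target T."""
    if T <= L:
        raise ValueError("maximization needs L < T")
    if x < L:
        d = 0.0
    elif x > T:
        d = 1.0
    else:
        d = ((x - L) / (T - L)) ** r
    return max(d, EPS)


def desirability_min(x, L, U, T, r):
    """Eq. (7): smaller-is-better transform for restrictions/penalties; 1.0 below T."""
    if U <= T:
        raise ValueError("minimization needs T < U")
    if x < T:
        d = 1.0
    elif x > U:
        d = 0.0
    else:
        d = ((U - x) / (U - T)) ** r
    return max(d, EPS)


def overall_desirability(ds):
    """Eq. (8): geometric mean of the m individual desirabilities of one ISC."""
    return prod(ds) ** (1.0 / len(ds))


# Constructed parameters in the shape of Table 2: L=0, U=100, r=1, one target T
# per attribute. "goal" selects the transform; Restrictions is a penalty (minimize).
PARAMS = {
    "Restrictions":   dict(L=0, U=100, T=0,   r=1, goal="min"),
    "Scope":          dict(L=0, U=100, T=70,  r=1, goal="max"),
    "Objectives":     dict(L=0, U=100, T=70,  r=1, goal="max"),
    "AccessControls": dict(L=0, U=100, T=100, r=1, goal="max"),
}

# Constructed binary input in the shape of Table 1: per ISC, per attribute, one
# flag per feature. Restrictions flags are (C, AoR, T); Scope covers four
# systems; Objectives three objectives; AccessControls (N, O, A).
BINARY_INPUT = {
    "ISC A": {"Restrictions": [0, 0, 0], "Scope": [1, 1, 1, 0],
              "Objectives": [1, 1, 0], "AccessControls": [1, 1, 1]},
    "ISC B": {"Restrictions": [1, 1, 1], "Scope": [1, 1, 1, 1],
              "Objectives": [1, 1, 1], "AccessControls": [1, 1, 1]},
    "ISC C": {"Restrictions": [1, 0, 0], "Scope": [1, 0, 0, 0],
              "Objectives": [1, 0, 0], "AccessControls": [1, 0, 0]},
}


def evaluate(binary_input, params):
    """Return {isc: overall desirability D}, i.e. the column vector of eq. (8)."""
    results = {}
    for isc, attrs in binary_input.items():
        ds = []
        for qa, p in params.items():
            x = feature_score(attrs[qa])  # entry x_ij of Q, eq. (3)
            transform = desirability_min if p["goal"] == "min" else desirability_max
            ds.append(transform(x, p["L"], p["U"], p["T"], p["r"]))  # d_ij, eq. (5)
        results[isc] = overall_desirability(ds)
    return results


def rank(binary_input, params):
    """ISC names ordered from most to least desirable: the priority list for Management."""
    results = evaluate(binary_input, params)
    return sorted(results, key=results.get, reverse=True)


if __name__ == "__main__":
    scores = evaluate(BINARY_INPUT, PARAMS)
    for isc in rank(BINARY_INPUT, PARAMS):
        print(f"{isc}: D = {scores[isc]:.3f}")
```

ISC B illustrates why the floor matters: it satisfies every positive attribute but carries all three restrictions, so its Restrictions score is 100 and the minimization function returns 0. Without the floor its overall D would be exactly 0 regardless of its other scores; with it, the control still ranks last (D = 0.1) but remains comparable to other heavily restricted controls. Editing T or r in PARAMS reproduces the paper's point that the ranking is entirely a function of Management's parameterization.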
As evidenced, each ISC has been evaluated using the identified features for each quality attribute. The binary input scale is used to determine the presence of features. Using the proposed approach, the most desirable ISC (based on the quality attributes) are ISC 4 and ISC 7, followed by ISC 2 and ISC 10, and so on. It is important to notice that the evaluation of ISC using this approach is fully dependent on the particular scenario at hand. In this case study, the results are based on the parameters configured in Table 2. However, if changed to reflect more priority on different quality attributes, the results would vary from the ones presented in Table 3. In addition, different applications of the approach can contain numerous features, which makes it fully customizable for practical applications. These are perhaps the most meaningful contributions from this research; that is, the ability to fully customize and prioritize an organization's goals when selecting ISC. This can all be done easily through simple spreadsheet calculations. Similar to this case study, many different organization-specific parameters can be specified for the Desirability Functions to properly prioritize/evaluate ISC in industry scenarios.

6. CONCLUSION
The research presented in this paper develops an innovative approach for evaluating the quality of ISC in organizations based on multiple quality evaluation criteria. Specifically, it presents a methodology that uses Desirability Functions to create a unified measurement that represents how well ISC meet quality attributes and how important the quality attributes are for the organization. Through a case study, the approach is proven successful in providing a way for measuring the quality of ISC for specific organizations. There are several important contributions from this research. First, the approach is simple and readily available for implementation using a simple spreadsheet. This can promote usage in practical scenarios, where highly complex methodologies for ISC selection are impractical. Second, the approach fuses multiple evaluation criteria and features to provide a holistic view of the overall ISC quality. Third, the approach is easily extended to include additional quality attributes not considered within this research. Finally, the approach provides a mechanism to evaluate the quality of ISC in various domains. By modifying the parameters of the Desirability Functions, the quality of ISC can be evaluated taking into consideration the prioritized quality attributes that are necessary for different organizations. This can be beneficial for cases such as [23], where the approach can be used to assess and help define information systems security policies [23] and controls that are most effective. Overall, the approach presented in this research proved to be a feasible technique for efficiently evaluating the quality of ISC in organizations.

ACKNOWLEDGEMENTS
The authors would like to thank the reviewers whose constructive critique greatly improved the quality of the paper.

REFERENCES
[1] M. Schwartz, Computer security: Planning to protect corporate assets, Journal of Business Strategy, vol. 11(1), pp. 38-41, 1990.
[2] L. Yuan, Companies face system attacks from inside, too, Wall Street Journal, p. B1, June 15, 2005.
[3] L. Volonino and S. R. Robinson, Principles and Practice of Information Security. Pearson Prentice Hall, Inc., New Jersey, 2004.
[4] E. Vaast, Danger is in the eye of the beholders: Social representations of information systems security in healthcare, Journal of Strategic Information Systems, vol. 16(1), pp. 130-152, 2007.
[5] S. Ransbotham and S. Mitra, Choice and chance: A conceptual model of paths to information security compromise, Information Systems Research, vol. 20(1), pp. 121-139, 2009.
[6] G. Rotvold, How to create a security culture in your organization, Information Management Journal, vol. 42(6), pp. 32-38, 2008.
[7] T. Herath and H. R. Rao, Encouraging information security behaviors in organizations: Role of penalties, pressures, and perceived effectiveness, Decision Support Systems, vol. 47(2), pp. 154-165, 2009.
[8] L. Barnard and R. Von Solms, A formalized approach to the effective selection and evaluation of information security controls, Computers & Security, vol. 19(2), pp. 185-194, 2000.
[9] A. Da Veiga and J. H. P. Eloff, An information security governance framework, Information Systems Management, vol. 24(4), pp. 361-372, 2007.
[10] M. Karyda, E. Kiountouzis, and S. Kokolakis, Information systems security policies: A contextual perspective, Computer Security, vol. 24(1), pp. 246-260, 2004.
[11] C. Wood, An unappreciated reason why security policies fail, Computer Fraud and Security, vol. 10(1), pp. 13-14, 2000.
[12] K. Loch, S. Conger, and E. Oz, Ownership, privacy and monitoring in the workplace: A debate on technology and ethics, Journal of Business Ethics, vol. 17, pp. 653-663, 1998.
[13] G. V. Post and A. Kagan, Evaluating information security tradeoffs: Restricting access can interfere with user tasks, Computers & Security, vol. 26(3), pp. 229-237, 2007.
[14] R. Saint-Germain, Information security management best practice based on ISO/IEC 17799, The Information Management Journal, vol. August 2005, pp. 60-66, 2005.
[15] R. Baskerville and M. Siponen, An information security meta-policy for emergent organizations, Journal of Logistics Information Management, vol. 15(1), pp. 337-346, 2002.
[16] M. E. Whitman, A. M. Townsend, and R. J. Aalberts, Information systems security and the need for policy, in G. Dhillon, Eds., Information security management: Global challenges in the new millennium (pp. 9-18). Hershey, PA: Idea Group Publishing (2001).
[17] H. Van der Haar and R. Von Solms, A model for deriving information security control attribute profiles, Computers & Security, vol. 22(3), pp. 233-244, 2003.
[18] C. E. Otero, E. Dell, A. Qureshi, and L. D. Otero, A quality-based requirement prioritization framework using binary inputs, In 4th Asia International Conference on Mathematical/Analytical Modeling & Computer Simulation, pp. 187-192, 2010.
[19] G. Derringer and R. Suich, Simultaneous optimization of several response variables, Journal of Quality Technology, vol. 12(1), pp. 214-219, 1980.
[20] D. Montgomery, Design and Analysis of Experiments. John Wiley & Sons, Inc., New York, 2008.
[21] C. E. Otero, L. D. Otero, I. Weissberger, and A. Qureshi, A multi-criteria decision making approach for resource allocation in software engineering, In 12th International Conference on Computer Modeling and Simulation, pp. 137-141, 2010.
[22] J. D'Arcy, A. Hovav, and D. Galletta, User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, Information Systems Research, vol. 20(1), pp. 79-98, 2009.
[23] K. Wilkinson, IT Security Incidents Prompt Nashville, Tenn., to Strengthen Policy, Hire IT Security Chief, http://www.govtech.com/gt/articles/768757?utm_source=rss&utm_medium=link, retrieved on August 24, 2010.
Authors

Angel R. Otero was born in 1974 in Bayamon, Puerto Rico. He received his B.S. in Accounting from The Pennsylvania State University and M.S. in Software Engineering from the Florida Institute of Technology. Mr. Otero is currently a Ph.D. student at Nova Southeastern University's Graduate School of Computer and Information Sciences. Mr. Otero is currently a Manager in the Florida/Puerto Rico Enterprise Risk Services practice of Deloitte & Touche, LLP, based in Puerto Rico. He has over 13 years of industry experience in the areas of public accounting/auditing, information technology consulting, and information systems auditing. Mr. Otero is a Certified Public Accountant, Certified Information Systems Auditor, Certified Information Technology Professional, and Certified Internal Controls Auditor. He is also a member of the American Institute of Certified Public Accountants, the Information Systems Audit and Control Association, the Puerto Rico Society of Certified Public Accountants, and The Institute for Internal Controls.

Dr. Carlos E. Otero was born in 1977 in Bayamon, Puerto Rico. He received his B.S. in Computer Science, M.S. in Software Engineering, M.S. in Systems Engineering, and Ph.D. in Computer Engineering from the Florida Institute of Technology, in Melbourne, FL. His primary research interests include performance evaluation and optimization of systems and processes in a wide variety of domains (including wireless systems, software engineering, and systems engineering). He is currently Assistant Professor in the Department of Mathematics and Computer Science at the University of Virginia's College at Wise, Wise, VA. Previously, he was adjunct professor in the Department of Electrical & Computer Engineering at Florida Institute of Technology. He has over 10 years of industry experience in satellite communications systems, command & control systems, wireless security systems, and unmanned aerial vehicle systems. Dr. Otero is an active professional member of the ACM and active senior member of the IEEE.

Dr. Abrar Qureshi received a BS degree in Mathematics from the University of the Punjab, a BS in Electrical Engineering from Central Philippines University, and an MS and Ph.D. in Computer Engineering from Florida Institute of Technology. He is currently Assistant Professor in the Department of Mathematics and Computer Science at the University of Virginia's College at Wise, Wise, VA. Before joining UVa-Wise, he worked in industry for more than thirteen years, where he worked on various software engineering projects, software development, database design, system/software test and automation, and quality assurance. His research interests include software testing, quality assurance, and software security.