Journal of Information Security

Journal Information
ISSN / EISSN : 2153-1234 / 2153-1242
Current Publisher: Scientific Research Publishing, Inc. (10.4236)
Former Publisher: Scientific Research Publishing, Inc. (10.4236)
Total articles ≅ 254

Latest articles in this journal

Chandra Sekhar Bhusal
Journal of Information Security, Volume 12, pp 104-114; doi:10.4236/jis.2021.121005

Despite the availability of advanced security software and hardware mechanisms, breaches of the defences of organizations and individuals still occur. Social engineering mostly targets the weakest link in the security system, i.e. “humans”, to gain access to sensitive information by manipulating human psychology. Social engineering attacks are arduous to defend against, as such attacks are not easily detected by available security software or hardware. This article surveys recent studies on social engineering attacks, discusses the social engineering phases, and categorizes the various attacks into two groups. The main aim of this survey is to examine the various social engineering attacks on individuals; countermeasures against social engineering attacks are also discussed.
Abou_El_Ela Abdou Hussien
Journal of Information Security, Volume 12, pp 56-78; doi:10.4236/jis.2021.121003

Digital systems have changed our world and will continue to change it. Supportive government policy, a strong research base and a history of industrial success place the benefits of an emerging digital society within reach. Protecting those benefits and minimizing risks requires reliable and robust cyber security, backed by a robust research and translation system. Trust is essential for growth and maintenance of participation in the digital community. Organizations gain trust by acting in a trustworthy way: building reliable and secure systems, treating people, their privacy and their data with respect, and providing reliable and understandable information to help people understand how safe they are. Research and revolution in industry and academia will continue to make important contributions to creating a flexible and reliable digital environment. Cyber security has a main role in the field of information technology because securing information has become one of the greatest challenges today. When we think about cyber security, the first thing that comes to mind is “cyber crimes”, which are increasing exponentially day by day. Many governments and firms are taking many measures to prevent these cybercrimes. Despite the various measures, cyber security remains a major concern. This paper is intended to give a deep overview of the concepts and principles of cyber security that affect safety and security in an international context. 
It mainly focuses on the challenges faced by cyber security on the latest technologies and also on introducing security types, cyber security techniques, cyber security ethics and trends that change the face of cyber security. Finally, it attempts to solve one of the most serious cyber security crimes, the violation of privacy on the internet, by improving the security of sensitive personal information (SPI) in cyber-physical systems using a selected proposed algorithm. The algorithm analyzes the user’s information resources and determines the valid data to be encrypted, then uses adaptive acquisition methods to collect the information, and finally a new cryptographic method is used to complete SPI secure encryption according to the acquisition results, as described in detail in Section 4.
Sherita Tara Kissoon
Journal of Information Security, Volume 12, pp 137-161; doi:10.4236/jis.2021.121007

The purpose of this research is to investigate the decision-making process for cybersecurity investments in organizations through the development and utilization of a digital cybersecurity risk management framework. The initial article, Optimum Spending on Cybersecurity Measures, is published on Emerald Insight at:, and contains the detailed literature review and the data results from Phase I and Phase II of this research [1]. This article highlights the research completed in the area of organizational decision-making on cybersecurity spend. Leveraging the review of additional studies, this research utilizes a regression framework and case study methodology to demonstrate that effective risk-based decisions are necessary when implementing cybersecurity controls. Through regression analysis, the effectiveness of currently implemented cybersecurity measures in organizations is explored by connecting a dependent variable with several independent variables. The focus of this article is on the strategic decisions made by organizations when implementing cybersecurity measures. This research belongs to the area of risk management and draws on various models within the fields of 1) information security; 2) strategic management; and 3) organizational decision-making to determine optimum spending on cybersecurity measures for risk-taking organizations. This research resulted in the development of a cyber risk investment model and a digital cybersecurity risk management framework. Using a case study methodology, this model and framework were leveraged to evaluate and implement cybersecurity measures. 
The case study methodology provides an in-depth view of a risk-taking organization’s risk mitigation strategy within the bounds of the educational environment, focusing on five areas identified within a digital cyber risk model: 1) technology landscape and application portfolio; 2) data-centric focus; 3) risk management practices; 4) cost-benefit analysis for cybersecurity measures; and 5) strategic development. The outcome of this research provides greater insight into how an organization makes decisions when implementing cybersecurity controls. This research shows that most organizations are diligently implementing security measures to effectively monitor and detect cyber security attacks, specifically showing that risk-taking organizations implemented cybersecurity measures to meet compliance and audit obligations with an annual spend of $3.18 million. It also indicated that 23.6% of risk-taking organizations incurred more than 6 cybersecurity breaches with an average dollar loss of $3.5 million. In addition, the impact of a cybersecurity breach on risk-taking organizations is as follows: 1) data loss; 2) brand/reputational impact; 3) financial loss and fines; 4) increased oversight by regulators/internal audit; and 5) customer/client impact. The implication this research has on practice is extensive, as it focuses on a broad range of areas including risk, funding, and the type and impact of cyber security breaches encountered. The survey study clearly demonstrated the need to develop and utilize a digital cybersecurity risk management framework that integrates current industry frameworks within the risk management practice, including continuous compliance management. This type of framework would provide a balanced approach to managing the gap between a risk-taking organization and a risk-averse organization when implementing cybersecurity measures.
Abou_El_Ela Abdou Hussein
Journal of Information Security, Volume 12, pp 79-103; doi:10.4236/jis.2021.121004

Data migration is a multi-step process that begins with analyzing old data and culminates in data uploading and reconciliation in new applications. With the rapid growth of data, organizations constantly need to migrate data. Data migration can be a complex process, as testing must be done to ensure data quality. Migration can also be very costly if best practices are not followed and hidden costs are not identified at an early stage. On the other hand, many organizations today, instead of buying IT equipment (hardware and/or software) and managing it themselves, prefer to buy services from IT service providers. The number of service providers is increasing dramatically, and the cloud is becoming the preferred tool for more cloud storage services. However, as more information and personal data are transferred to the cloud and to social media sites, DropBox, Baidu WangPan, etc., data security and privacy issues are questioned. So, academia and industry strive to find an effective way to secure data migration in the cloud. Various resolving methods and encryption techniques have been implemented. In this work, we try to cover many important points in data migration: strategy, challenges, need, methodology, categories, risks, and uses with cloud computing. Finally, we discuss the data migration security and privacy challenge and how to solve this problem by making improvements in its use with the cloud through a suggested proposed model that enhances data security and privacy by combining Advanced Encryption Standard-256 (AES-256), Data Dispersion Algorithms and Secure Hash Algorithm-512. This model achieves verifiable security ratings and fast execution times.
Yong Wang, Jinsong Xi, Tong Cheng
Journal of Information Security, Volume 12, pp 34-55; doi:10.4236/jis.2021.121002

In an information-rich collective, there are always some people who choose to take risks for some ulterior purpose, and others who are committed to finding ways to deal with database security threats. The purpose of database security research is to prevent the database from being illegally used or destroyed. This paper introduces the main literature in the field of database security research in recent years. First of all, we classify these papers; the classification criteria are the influencing factors of database security. For both the traditional and the machine learning (ML) methods, some explanations of concepts are interspersed to make these methods easier to understand. Secondly, we find that the related research has achieved some gratifying results, but there are also some shortcomings, such as weak generalization and deviation from reality. Then, possible future work in this research is proposed. Finally, we summarize the main contribution.
Beatrice O. Akumba, Aamo Iorliam, Selumun Agber, Emmanuel Odeh Okube, Kenneth Dekera Kwaghtyo
Journal of Information Security, Volume 12, pp 163-176; doi:10.4236/jis.2021.122008

Video evidence is usually admissible in courts of law all over the world. However, individuals manipulate these videos to either defame or incriminate innocent people. Others indulge in video tampering to falsely escape the wrath of the law against misconduct. One way impostors can forge these videos is through inter-frame video forgery. Thus, the integrity of such videos is under threat. This is because these digital forgeries seriously debase the credibility of video contents as definite records of events. This leads to increasing concern about the trustworthiness of video contents. Hence, it continues to affect the social and legal system, forensic investigations, intelligence services, and security and surveillance systems, as the case may be. The problem of inter-frame video forgery is increasingly spontaneous as more video-editing software continues to emerge. These video editing tools can easily manipulate videos without leaving obvious traces, and these tampered videos become viral. Alarmingly, even beginner users of these editing tools can alter the contents of digital videos in a manner that renders them practically indistinguishable from the original content by mere observation. This paper, however, leverages the concept of correlation coefficients to produce a more elaborate and reliable inter-frame video forgery detection to aid forensic investigations, especially in Nigeria. The model employs a threshold to efficiently distinguish forged videos from authentic videos. A benchmark dataset and locally manipulated video datasets were used to evaluate the proposed model. Experimentally, our approach performed better than the existing methods. The overall score for all the evaluation metrics, namely accuracy, recall, precision and F1-score, was 100%. The proposed method, implemented in the MATLAB programming language, has proven to effectively detect inter-frame forgeries.
Lawrence A. Gordon, Martin P. Loeb, Lei Zhou
Journal of Information Security, Volume 12, pp 115-136; doi:10.4236/jis.2021.121006

This paper provides an analysis of how the benefits of information segmentation can assist an organization to derive the appropriate amount to invest in cybersecurity from a cost-benefit perspective. An analytical model based on the framework of the Gordon-Loeb Model ([1]) is presented that provides a set of sufficient conditions for information segmentation to lower the total investments in cybersecurity and the expected loss from cybersecurity breaches. A numerical example illustrating the insights gained from the model is also presented.
Zhimao Lu, Houmed Mohamed
Journal of Information Security, Volume 12, pp 177-187; doi:10.4236/jis.2021.122009

With the rapid development of internet technology and the increasing popularity of e-commerce, data encryption technology plays a very important role in data security. Information security has two aspects, security protocols and cryptographic algorithms, and the latter is the foundation and core technology of information security. The Advanced Encryption Standard (AES) encryption algorithm is one of the most commonly used symmetric encryption algorithms. Such algorithms face issues when used in the context of key management and security functions. This paper focuses on the systematic analysis of these issues and summarizes the AES algorithm implementation, its comprehensive application, and an algorithm comparison with other existing methods. To analyze the performance of the proposed algorithm and to make full use of the advantages of the AES encryption algorithm, one needs to reduce the round key and improve the key schedule, as well as organically integrate it with the RSA algorithm. The Java language is used to implement the algorithm due to its large library; then, to show the efficiency of the proposed method, we compare different parameters (such as encryption/decryption speed, entropies and memory consumption) with a classic algorithm. Based on the results of the comparison between AES and the hybrid AES algorithm, the proposed algorithm shows good performance and high security. It can therefore be used for key management and security functions, particularly for sharing sensitive files through an insecure channel. This analysis provides a reference useful for selecting different encryption algorithms according to different business needs.
Eloi De Chérisey, Sylvain Guilley, Olivier Rioul, Darshana Jayasinghe
Journal of Information Security, Volume 12, pp 1-33; doi:10.4236/jis.2021.121001

In any side-channel attack, it is desirable to exploit all the available leakage data to compute the distinguisher’s values. The profiling phase is essential to obtain an accurate leakage model, yet it may not be exhaustive. As a result, information theoretic distinguishers may come up on previously unseen data, a phenomenon yielding empty bins. A strict application of the maximum likelihood method yields a distinguisher that is not even sound. Ignoring empty bins reestablishes soundness, but seriously limits its performance in terms of success rate. The purpose of this paper is to remedy this situation. In this research, we propose six different techniques to improve the performance of information theoretic distinguishers. We study them thoroughly by applying them to timing attacks, both with synthetic and real leakages. Namely, we compare them in terms of success rate, and show that their performance depends on the amount of profiling, and can be explained by a bias-variance analysis. The result of our work is that there exist use-cases, especially when measurements are noisy, where our novel information theoretic distinguishers (typically the soft-drop distinguisher) perform the best compared to known side-channel distinguishers, despite the empty bin situation.
Hassan Mokalled, Valentina Casola, Daniele Debertol, Ermete Meda, Rodolfo Zunino
Journal of Information Security, Volume 11, pp 46-70; doi:10.4236/jis.2020.111003

The need for SIEM (Security Information and Event Management) systems has increased in the last few years. Many companies seek to reinforce their security capabilities to better safeguard against cybersecurity threats, so they adopt multi-layered security strategies that include using a SIEM solution. However, implementing a SIEM solution is not just an installation phase that fits any scenario within any organization; the best SIEM system for one organization may not be suitable at all for another. An organization should consider other factors along with the technical side when evaluating a SIEM solution. This paper proposes an approach to aid enterprises in selecting an applicable SIEM. It starts by suggesting, in a systematic way, the requirements that should be addressed by a SIEM, and then proposes a methodology for evaluating SIEM solutions that measures the compliance and applicability of any SIEM solution. This approach aims to support companies that are seeking to adopt SIEM systems into their environments by suggesting suitable answers to preferred requirements that are believed to be valuable prerequisites a SIEM system should have, and by suggesting criteria to judge SIEM systems using an evaluation process composed of quantitative and qualitative methods. This approach, unlike others, is customer driven, which means that customer needs are taken into account throughout the whole approach, specifically when defining the requirements and then evaluating the suppliers’ solutions.