Search Results

This chapter looks at government and policy from a different perspective. E-Government has been an important if overlooked part of the e-Japan strategy, and central to this is Juki-net. The debacle of its introduction is analysed, which was marked by initial confrontation with anti Juki-net campaigners concerned about privacy and information security, and subsequently between administrative agencies and residents, where passive resistance virtually assigned the Juki-card to oblivion. A ‘customer-oriented’ solution to the impasse is proposed, which is considered symptomatic of the whole e-Japan programme. It is shown that policy makers are as much in need of MOT education as the engineers and managers who still believe in the linear model of innovation.

This chapter examines the strategic relations between expenditures on competitor analysis (CA) and information security (IS), and the implications for management accounting. It is shown that the amount spent on CA increases with the rival’s initial share of total profits, and decreases with increasing IS productivity. The firm with higher initial profits spends more on IS and less on CA than the firm with smaller initial profit share.

This Chapter presents two frameworks to help understand the range of concerns relative to consumer harm articulated at national and European level in the context of cloud computing. These concerns have been in the crosshairs of European telecommunications policy-makers since cloud computing became a prevalent issue for telecommunications regulation around 2007.

This introductory chapter briefly sets out the book's purpose, which is to explore some of the dynamics behind corporations' struggle with information security. It then discusses the reasons behind the continuing escalation in data vulnerability, which include dynamics on three levels: the macro or societal level; the meso or group level; and the micro or individual level. On the macro level, corporate hoarding of networked, aggregated consumer data, the expansion of information criminality, and the arrival of information security regulation have all affected the ecology of corporate information security. On the mesosystem/interpersonal level, information vulnerability erodes commercial trust and imposes costs on third parties. On the micro level, individual companies often ignore information security or believe the return on investment in information security to be inadequate. These suboptimal approaches result from, first, a failure to recognize the losses caused by weak information security, and second, an absence of thorough risk management planning. An overview of the subsequent chapters also presented.

This chapter discusses the basic principles of cryptography. It covers the role of cryptography in securing information; the types of risk to which information is typically exposed; the main security services that are the focus of this book; the fundamentals of cryptosystems; the resources it is reasonable to assume that an attacker of a cryptosystem has access to; and the much misunderstood concept of ‘breaking’ a cryptosystem.

This chapter examines software contracting through the lens of cybersecurity in order to analyze terms and practices that arguably reduce the general level of cybersecurity. The inspiration for this approach is the growing recognition that the cybersecurity problem is not merely a technical one, but is also dependent upon social and economic factors, including the applicable law. The first part of the chapter considers a series of clauses that undermine cybersecurity by suppressing public knowledge about software security vulnerabilities. The next part considers a range of practices (rather than license terms) that undermine cybersecurity. The final section turns to the question of what should be done, if anything, about license terms that undermine cybersecurity. In particular, it suggests that there are reasons to believe that such terms are the product of various market failures rather than a reflection of the optimal software license terms.

Vast amounts of information result from business and consumer search, communication, and transactions. All this information can enhance market efficiency and consumer surplus as firms tailor products to buyers. But, there is increased risk of information loss. What issues should be on the Digital Agenda with regard to information loss, and what data are available to inform and generate incentives for consumer, business, and policy interactions in the information marketplace? This paper reviews the situation and points out where we need more thought and more data. Topics include: (1) Frameworks for analysis: How should we model the information marketplace, particularly with regard to the benefits and costs of information aggregation and protection? (2) Quantification and data: What is the evidence on the prevalence and nature of information loss, and what are the costs of information loss, and to whom? (3) Market and Policy Response: What do we know about the efficacy of market vs. other approaches to incentivize market participants to avoid loss or remediate after information loss? Throughout, of particular interest is the international dimension of the information marketplace. What issues arise when countries differ in their attitudes and policies toward the information marketplace?

This concluding chapter reiterates the four major themes of the preceding chapters: (i) a need to focus on the human elements in information security; (ii) a need to recognize the emergent nature of information security threats; (iii) a need to consider the multiple simultaneous contexts of information risk; and (iv) a need for immediate improvements in corporate self-governance. In the short term, companies must put in place rigorous codes of information security conduct and exercise vigilant enforcement. In the long term, companies must learn to build cultures of information security and develop a sense of collective corporate responsibility for information security, regardless of whether regulation requires them to do so. Meaningful improvements in information security require a commitment to security as an ongoing, collaborative process.

This chapter presents an insider's view of how information about corporate information security breaches reaches the public. It says that “[d]espite the passage of state-level data security breach notification legislation in many states, journalists still often have to rely on sources other than the companies and organizations that experience a breach for information about a breach—either because the breach is not considered newsworthy or because the data that are stolen do not fall into the category of data covered by notification laws.” Journalists learn about breaches from a number of sources. Rarely, though, are companies or organizations that experienced the breach the first to reveal it. The chapter describes some of the practical limitations of data breach notification laws with regard to public disclosure of corporate security breaches. It argues that companies fear that disclosing such information would place them at a disadvantage with competitors and make them vulnerable to lawsuits from customers as well as to other potential intruders.

This chapter analyzes electronic health data security vulnerabilities and the legal framework that has been established to address them. It describes the wide-ranging threats to health information security and the harms that security breaches can produce. Some of the threats arise from sources that are internal to organizations, including irresponsible or malicious employees, while other threats are external, such as hackers and data miners. The harms associated with improper disclosure of private medical data can include medical identity theft, blackmail, public humiliation, medical mistakes, discrimination, and loss of financial, employment, and other opportunities. The chapter also discusses federal laws, state laws, and common-law causes of action that address patient privacy rights and health information security. Finally, it offers recommendations for improving safeguards for electronically processed health records.

This chapter presents a technical critique challenging the most basic premises underlying the Gramm–Leach–Bliley Act—that “financial data” refers to data held by financial institutions. Instead, it argues that a better analysis starts with looking to the data, not the holder. After providing a primer on the basics of information security engineering, it asks whether there is something inherent in the nature of financial information that makes it a challenge for information security and any regulatory framework. Analyzing the two most common forms of financial information—credit card numbers and Social Security numbers—the chapter concludes that although the credit card industry appears to successfully mitigate risks of disclosure, the use of Social Security numbers as a financial identifier is inherently problematic and should be eliminated.

This chapter introduces the topic of information technology for a safe and secure society in Japan and shows an emerging trend toward a cyber-physical solution. It begins by reviewing major security incidents in the United States and Japan, and presenting the Japanese national strategy for information security. It then describes various emerging security technologies in Japan, starting with an overview of the two levels of security technology: the component level, such as finger vein authentication and RFID, and the system and management level, such as a multiple risk communicator. Each of these technologies is discussed in turn. The chapter also covers various issues related to mitigating information leakage.

This chapter argues for a multidisciplinary perspective in analyzing information security. Developing the best information security practices requires broadening the scope of current perspectives on information security. Although computer science is not traditionally viewed as a social science, problems in its domain are inherently social in nature, relating to people and their interactions. Applying social science perspectives to the field of computer security not only helps explain current limitations and highlights emerging trends, but also points the way toward a radical rethinking of how to make progress on this vital issue.

This chapter discusses the strategic concerns companies face in deciding whether to patent information security methods. It argues that the full promise of cryptography for information security is unrealized. Companies are increasingly patenting security technologies in an effort to expand their portfolios and better protect corporate intangible assets. Cryptographic methods can enable authentication in an electronic environment and help secure information storage, communications, and transactions. Patenting in the field has expanded aggressively, and greater patent density—sometimes described as a “thicket,”—affects both developers and users, and brings with it the potential to chill innovation. This greater patent density suggests the need for countermeasures such as patent pooling, patent-aware standard setting by firms and the government, and portfolio management of patents.

This chapter discusses the challenges to information security from social networking websites and the new business models they represent. The success of this new generation of data-intensive virtual space enterprises raises heightened concerns about information security. It is already known that identity thieves are making extensive use of personal information disclosed in such virtual spaces to commit fraud, while unaccredited writers of subapplications for these spaces can also gain access and evade security around vast amounts of valuable data. It is argued that although the law may provide some data control protections, aspects of the code itself provide equally important means of achieving a delicate balance between users' expectations of data security and privacy and their desire to share information.

This chapter discusses the use of vetting in the civil service purge. Vetting took two forms—normal (or negative) and positive vetting (PV)—and both were used to screen recruits and to ‘purge’ those already employed. There can be no objection to the principle that governments have a duty to ensure that sensitive security information does not get into the hands of the enemy, whether in war or peace. To that extent, it would be hard to argue against the practice of vetting to protect information from being compromised. That said, it must be recognized that the consequence of vetting was to discriminate against individuals, either on grounds of their political affiliations or beliefs, or on the ground of their lifestyle. It must also be recognized that while some of the individuals in question would be found work of a non-security nature, the effect of vetting would be to blight careers and opportunities.

This chapter explores how responsibility for protecting electronic data is currently attributed and examines legislation aimed at managing the problem of compromised personal records. It compares the aims of legislation with an analysis of reported incidents of data loss for the period of 1980–2007. A discrepancy between legislative responses to electronic data loss and the actual damages incurred reveals that responsibility for maintaining the security of electronic personal records has been misplaced and should be reexamined. The chapter concludes with a brief discussion of the options for public policy oversight.

When discussing the Internet in China, most Western audiences only hear about espionage or Internet control portrayed by their media. They do not understand China’s social and economic Internet challenges. Since the advent of the Internet, China has witnessed rapid development, and this has created many security and privacy problems for Chinese Internet users (netizens). To improve the security, reliability, and economic potential of its networks, China now also must improve Internet privacy. Generally speaking, Internet privacy is an important consideration in China’s national cybersecurity situation. The chapter traces the historical and cultural background of Internet privacy in China, the evolving legal frameworks for protecting the right to privacy and Internet privacy, and problems with the existing legal framework, and will offer suggestions for improvement.