We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user. The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, that accesses this information through a browserprovided set of APIs. Unfortunately, some of the scripts us...

Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effec...

Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as Universities, as the effective conduct of their core teaching and research activities is ...

The formal security policy model and security analysis is necessary to help Database Management System (DBMS) to attain a higher assurance level. In this paper we develop a formal security model for a DBMS enforcing multiple security policies including mandatory multilevel security policy, discretionary access control policy and role based access control policy. A novel composition scheme of po...

This chapter analyzes the various types of policies implemented by the web security services. According to X.800 definition five are the basic web security services categories: authentication, non-repudiation, access control, data integrity and data confidentiality. In this chapter we discuss access control and data privacy services. Access control services may adopt various models according to...

This paper presents a CORBA Security discretionary prototype developed in the context of JaCoWeb Security Project. JaCoWeb Security Project is developing an authorization scheme for large-scale networks that is based on structures and concepts introduced in Web, Java and CORBA for security. This scheme is being developed in order to deal with management of security policies in large-scale netwo...

We explore the inference of fine-grained human readable declassification policies as a step towards providing security guarantees that are proportional to a programmer’s effort: the programmer should receive weak (but sound) security guarantees for little effort, and stronger guarantees for more effort. We present declassification policies that can specify what information is released under wha...

In this paper, a practical method that can be employed to manage security policies using the eXtensible Markup Language (XML) is presented. The method efficiently administrates security policies based on the object oriented role-based access control model (ORBAC). Moreover, an information flow analysis technique is introduced for checking whether or not a created XML-based ORBAC security policy...

A framework for the speciication of security policies is proposed. It can used to formally specify conndentiality and integrity policies, the latter can be given in terms of Clark-Wilson style access triples. The framework extends the Clark-Wilson model in that it can be used to specify dynamic segregation of duty. For application systems where security is critical, a mul-tilevel security based...

The “weakest link” of security is the human and organizational aspects of information security. Nowadays, risk assessment methods and information security plans and policies are an essential part of many organizations. However, the managerial aspects of information security often remain challenging, especially in emerging technological contexts, and management executives lack an understanding o...