Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker’s observations of system output; this policy regulates information flow. Conventio...

The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that norm...

Information security policies can be considered as guidelines and used as a starting point to create a security structure within an organization. Although practitioners continuously emphasize the importance of such policies, information system scholars have not paid the required attention to this context from the cross-cultural perspective. The purpose of this study is to look at the cultural a...

This paper addresses the design of the DOK security service allowing the enforcement of both local and federated policies. The former are those policies which relate to local databases, whereas the latter speci es the aggregation rules that govern the access to data aggregates which reside in di erent databases. In this paper we describe the component of the DOK security service which enforces ...

Pressures are increasing on organisations to take an early and more systematic approach to security. A key to enforcing security is to restrict access to valuable assets. We regard access policies as security requirements that specify such restrictions. Current requirements engineering methods are generally inadequate for eliciting and analysing these types of requirements, because they do not ...

Information systems security policies are pointed out in literature as one of the main controls to be applied by organizations for protecting their information systems. Despite this, it has been observed that, in several sectors of activity, the number of organizations having adopted that control is low. This study aimed to identify the factors which condition the adoption of information system...

Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker’s observations of system output; this policy regulates information flow. Conventio...

This paper proposes and details the notion of trust by policy adherence (TBPA), meaning that code can be certified on the basis of its security-related behaviors rather than its origins and integrity. We describe the overall life cycle of code in this setting, and propose a detailed method whereby a program’s policy adherence can be verified. We suggest enforcing security policies over code by ...

At one time, JEAB editorial policy was perceived by some to consist mainly of dogmatically enforcing a Skinnerian interpretation of all findings reported in the journal. Partly in response to that undeserved reputation, the journal explicitly defined itself as the place to publish research on the behavior of individual organisms, and not as a place that encourages any particular theoretical ori...