Go home now Header Background Image
Search
Submission Procedure
share: |
 
Follow us
 
 
 
 
Volume 18 / Issue 6

available in:   PDF (30 kB) PS (132 kB)
 
get:  
Similar Docs BibTeX   Write a comment
  
get:  
Links into Future

J.UCS Special Issue

David G. Rosado
(GSyA Research Group, Department of Information Technologies and Systems
University of Castilla-La Mancha, Ciudad Real, Spain
David.GRosado@uclm.es)

Luis Enrique Sánchez
(Sicaman-NT, Departament of R+D, Spain
lesanchez@sicaman-nt.com)

Eduardo Fernández-Medina
(GSyA Research Group, Department of Information Technologies and Systems
University of Castilla-La Mancha, Ciudad Real, Spain
Eduardo.FdezMedina@uclm.es)

Jan Jürjens
(Technical University of Dortmund, Germany
jan.jurjens@cs.tu-dortmund.de)

Information Systems Security is one of the most pressing challenges facing all kinds of organizations today. Although many companies have discovered how critical information is to the success of their business or operations, very few have managed to be effective in maintaining their information secure, avoiding unauthorized access, preventing intrusions, stopping secret information disclosure, etc. There are various definitions of security, but all of them basically agree on the same components. Security in information systems considers the protection of information and of the systems that manage it, against a wide range of threats in order to ensure business continuity, minimize risks and maximize the return on investment and business opportunities. Security is, therefore, currently a widespread and growing concern that covers all areas of society: business, domestic, financial, government, and so on. In fact, the so-called information society is increasingly dependent on a wide range of software systems whose mission is critical, such as air traffic control systems, financial systems, or public health systems. The potential losses that are faced by businesses and organizations that rely on all these systems, both hardware and software, therefore signify that it is crucial for information systems to be properly secured from the outset.

This Special Issue of the international Journal of Universal Computer Science includes papers received from a public Call for Papers and extended and improved versions of those papers that were selected from the best submissions of the International Workshop on Security in Information Systems (WOSIS 2011).

Page 728

The aim of this workshop has been to serve as a forum for academics, researchers, practitioners and students in the field of security engineering and security software engineering, by presenting new developments and lesson learned from real world cases, and to promote the exchange of ideas, discussion and development in these areas. This edition is the eighth in a series, which began in Ciudad Real (Spain) in 2002, and has continued in Porto (Portugal), Paphos (Cyprus), Miami (USA), Funchal, Madeira (Portugal), Barcelona (Spain), Milan (Italy) and Beijing (China), respectively. The workshop has gained a considerable reputation as a result of this relatively long history, and it receives an annual average of almost fifty submissions, with an acceptance rate of approximately thirty five percent.

Our workshop has matured year by year, and is now established as a forum for high quality research papers in the area of security in information systems. The most valuable assets of this workshop, which make it attractive to authors, are both the highly exclusive set of program committee members (comprising 28 members of 12 nationalities), and the invitation of exceptional speakers of great renown in this scientific area (Yvo Desmedt, Sushil Jajodia, Ernesto Damiani, Leonardo Chiariglione, Ruth Breu, Eduardo B. Fernández, and Sabrina De Capitani). Selections of the best papers of past editions of the workshop have, moreover, been published in international journals such as Information Systems Security, Journal of Research and Practice in Information Technology, Internet Research, Computer Standards and Interfaces and Journal of Universal Computer Science.

This special issue includes eight papers of interest within the wide spectrum of research into the area of information systems security. Three of them have been selected as the best papers presented in the workshop, and the rest of papers come from a public call. There is a predominance of theoretical papers, mainly focused on security engineering, but there is also an important sample of papers which contribute to the area of security software engineering. This fact reaffirms the importance of both research disciplines in the scientific community, and confirms the growth of the secure software engineering discipline as a clear integration of security engineering and software engineering. A brief introduction to each paper selected is presented in the following paragraphs.

The first paper, entitled "Success rate of remote code execution attacks - expert assessments and observations", by Holms et al. describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The authors present judgments made by 15 cyber security experts participating in an international cyber defense exercise. A methodology of the expert assessment study is defined where the respondents of the study, the cyber defense exercise, and the carried out questionnaire are described.

The second contribution, entitled "Combating Mobile Spam through Botnet Detection using Artificial Immune Systems", by Vural and Venter studies the potential threat of Botnets based on mobile networks, and proposes the use of computational intelligence techniques to detect Botnets. The authors implement a software tool employing an artificial immune system that is installed on a mobile device and that detects spam SMSs being sent by malware or Botnets installed on the device. They explain how the prototype is used in a real-world situation to combat Botnet spam.

Page 729

The third paper, "Qos-Security metrics based on ITIL and Cobit Standard for measurement Web service", by Charuenporn and Intagosum is an approach for creating Qos-security metrics for measurement Web services based on IT practices guideline (ITIL and Cobit). The authors select two information system standards, COBIT and ITIL, as standards for the development of security metrics and presents security metrics in class diagram and explains security metrics based on both IT best practices. They develop a quality model and experiment with test set by vector method, to adapt the security of web service composition.

The fourth contribution, "Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment", by Rebollo et al., describes a literature review in search of Information Security Governance frameworks that have been specifically designed for the Cloud Computing paradigm, and which take into account its particularities. The systematic literature review is followed by a data extraction process, in which the main characteristics of each Information Security Governance framework are highlighted in the light of different comparative criteria. These criteria have been defined to take into account the specific consideration of developing security governance in Cloud Computing environments.

The fifth contribution, entitled "Syntactic and Semantic Extension to Secure Tropos to Support Security Risk Management", by Matulevicius et al. extends the Secure Tropos language, an agent-and goal-oriented security modelling language to support modelling of security risks. The authors suggest improvements of Secure Tropos semantics and syntax. On the syntax level they extend the concrete and abstract syntax of the language, so that it covers the security risk management domain. On the semantic level, they illustrate how language constructs need to be improved to address the three different levels of security risk management. The suggested improvements are illustrated with the aid of a running example.

The sixth contribution, "A Framework for the Comparison of Best Practice Recommendations and Legal Requirements for South African Banks", by Botha and Loock, presents a framework which can be applied when determining and comparing information security best practice recommendations and information security legal requirements for online banking. The authors investigate whether the implementation of best practices are sufficient to comply with legal requirements and highlight the importance of applying such a framework in a comprehensive fashion to understand the legal requirements imposed and ensure that adequate controls are in place for achieving compliance.

The seventh paper, entitled "Countermeasures to Prevent Misbehaviour in VANETs", by Molina-Gil et al., proposes a set of countermeasures to prevent selfish behaviour and malicious attacks, making use of node revocation through cooperation enforcement mechanisms and isolation of malicious nodes from the network. The authors introduce a mechanism to provide real and reliable information to those vehicles actively involved in the correct operation of the network. The scheme includes a decentralized revocation system of selfish and malicious nodes, using node cooperation and isolation of attackers, based on the use of reputation lists and rewarding mechanisms.

Page 730

Finally, the eighth contribution, which is entitled "Adaptive Group Key Management Protocol for Wireless Communications", by Gharout et al., offers a solution for group key management with a mobility support. The authors propose a decentralized architecture for group key management in mobile environments where the group is organized into clusters of areas, and areas of the same clusters use a common Traffic Encryption Key (TEK). They define a key distribution protocol which is highly scalable to dynamic groups and treats the nodes' mobility with a null re-keying cost and keeps perfect backward and forward secrecies. This protocol is supported by simulation studies comparing to other protocols.

We would like to thank Professor Christian Gütl (Managing Editor) and Ms. Dana Kaiser (Assistant Editor) of the Journal of Universal Computer Science for their invaluable help and support, and for providing us with the opportunity to edit this special issue. We are also extremely grateful for the hard work and kindness of all the members of our international program committee when performing their timely, complete and professional reviews. Last, but not least, we would like to thank the authors for their contributions.

David G. Rosado
Luis Enrique Sánchez
Eduardo Fernández-Medina
Jan Jürjens

Ciudad Real, Spain and Dortmund, Germany, March 2012

Page 731