Home   >   CSC-OpenAccess Library   >    Manuscript Information
Full Text Available

This is an Open Access publication published under CSC-OpenAccess Policy.
Publications from CSC-OpenAccess Library are being accessed from over 74 countries worldwide.
The Three Dimensions of Security
Malik F. Saleh
Pages - 85 - 93     |    Revised - 01-09-2011     |    Published - 05-10-2011
Volume - 5   Issue - 2    |    Publication Date - July / August 2011  Table of Contents
Dimensions of Security, Security, Policy, People, Enforcement of Security
Security is an issue of generally recognized importance. Security starts with you, the user. It is well known that a formal security policy is a prerequisite of security. Having a policy and being able to enforce it is a totally different thing. This paper explains the three aspects of security that should be combined to create a well-rounded solution for securing organizations. This solution examines people, policy and enforcement as three dimensions in the world of security. This paper serves as 1) a conceptual framework for securing organization 2) the basis for formal policy-to-enforcement; 3) It raises awareness that the users should be informed of their roles and responsibilities in protecting the organization; and 4) evidence for writing policies that can be implemented and enforcement involves understanding the policies by the users
1 Google Scholar 
2 CiteSeerX 
3 refSeek 
4 Scribd 
5 SlideShare 
6 PdfSR 
1 Saleh, M.F., Information Security Maturity Model International Journal of Computer Science and Security (IJCSS), 2011. 5(3): p. 21.
2 David, J., Policy enforcement in the workplace. Computers & Security, 2002. 21(6): p. 506-513.
3 Madigan, E.M., C. Petrulich, and K. Motuk, The cost of non-compliance: when policies fail, in Proceedings of the 32nd annual ACM SIGUCCS fall conference. 2004, ACM: Baltimore, MD, USA. p. 47-51.
4 Norman, D.A., The Way I See it: When security gets in the way. interactions, 2009. 16(6): p. 60-63.
5 Vidyaraman, S., M. Chandrasekaran, and S. Upadhyaya, Position: the user is the enemy, in Proceedings of the 2007 Workshop on New Security Paradigms. 2008, ACM: New Hampshire. p. 75-80.
6 Schneier, B., Secrets and Lies: Digital Security in a Networked World. 2000, New York: John Wiley & Sons, Inc.
7 Corporation, M. The Enemy Within. 2005 [cited June 20; Available from: http://www.theregister.co.uk/2005/12/15/mcafee_internal_security_survey/.
8 Adams, A. and M.A. Sasse, Users are not the enemy. Communications of the ACM, 1999. 42(12).
9 Gross, J. and M.B. Rosson. Looking for Trouble: Understanding End-User Security Management. in Computer Human Interaction for the Management of Information Technology (CHIMIT) 2007.
10 Sasse, M.A., S. Brostoff, and D. Weirich, Transforming the 'Weakest Link' - a Human/Computer Interaction Approach to Usable and Effective Security. BT Technology Journal, 2001. 19(3): p. 122-131.
11 Kumaraguru, P., et al., Teaching Johnny not to fall for phish. ACM Trans. Internet Technol., 2010. 10(2): p. 1-31.
12 Gupta, S., R.P. Bostrom, and M. Huber, End-user training methods: what we know, need to know. SIGMIS Database, 2010. 41(4): p. 9-39.
13 Compeau, D., et al., End-user training and learning. Commun. ACM, 1995. 38(7): p. 24-26.
14 McCoy, C. and R.T. Fowler, "You are the key to security": establishing a successful security awareness program, in Proceedings of the 32nd annual ACM SIGUCCS fall conference. 2004, ACM: Baltimore, MD, USA. p. 346-349.
15 Hne, K. and J.H.P. Eloff, Information security policy what do international information security standards say? Computers & Security, 2002. 21(5): p. 402-409
16 Schneider, F.B., Enforceable security policies. ACM Transactions on Information and System Security, 2000. 3(1): p. 30-50.
17 Craig, J.S., The human element: training, awareness, and human resources implications of health information security policy under the Health Insurance Portability and Accountability Act (HIPAA), in 2009 Information Security Curriculum Development Conference. 2009, ACM: Kennesaw, Georgia. p. 95-99.
18 Johnson, M., et al., Optimizing a policy authoring framework for security and privacy policies, in Proceedings of the Sixth Symposium on Usable Privacy and Security. 2010, ACM: Redmond, Washington. p. 1-9.
19 Hall, D.E., Requirements and policy challenges in highly secure environments, in Proceedings of the 2004 ACM SIGMOD international conference on Management of data. 2004, ACM: Paris, France. p. 897-898.
20 Solmsa, B.v. and R.v. Solms, The 10 deadly sins of information security management. Computers & Security, 2004. 23: p. 371-376.
21 Bird, T. What is policy enforcement, and why should we care? 2004; Available from: http://www.computerworld.com/s/article/98080/What_is_policy_enforcement_and_why_should_we_care_?taxonomyId=17&pageNumber=3.
22 Group, T.C. Trusted Network Connect. 2010 [cited 2011 June 28]; Available from: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/.
23 Cisco. Network Admission Control. 2011 [cited 2011 June 28]; Available from: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_nac.html.
24 Microsoft. Network Access Protection. 2011 [cited 2011 June 28]; Available from: http://www.microsoft.com/windowsserver2008/en/us/nap-main.aspx.
25 Robling, G. and M. Muller, Social engineering: a serious underestimated problem. SIGCSE Bull., 2009. 41(3): p. 384-384.
26 Kvedar, D., M. Nettis, and S.P. Fulton, The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition. J. Comput. Small Coll., 2010. 26(2): p. 80-87.
27 Orgill, G.L., et al., The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems, in Proceedings of the 5th conference on Information technology education. 2004, ACM: Salt Lake City, UT, USA. p. 177-181.
Dr. Malik F. Saleh
Prince Mohammad Bin Fahd University - Saudi Arabia