DATA SECURITY
Author: Shubham Basant Vishwakarma
Examining the global retail apocalypse during the COVID-19 pandemic using strategic omnichannel management: a consumers’ data privacy and data security perspective.
CHATTERJEE, S et al (2021) states the data could suffer from the inaccuracy of respondents’ memories as the survey is based on the responses of the participants. Post-hoc interviews and field experiments might have removed this drawback. Future researchers may take it up. They analysed the survey data from 387 respondents globally, although this may not reflect the global scenario. Future researchers should investigate this point. This study did not include any rival model to make the study more transparent. Future researchers may investigate this point.
In the field of marketing research and information systems, omnichannel consumer behaviour is becoming an emerging research topic. In this study, they have exhaustively conceptualized omnichannel consumer experience. This study has also investigated how consumers’ experience in omnichannel shopping scenario could help them shop during the COVID-19 pandemic, when there have been mass store closures causing a retail apocalypse. This study is expected to provide effective inputs to those researchers who investigate how efficient business practices can be adopted for survival in any unforeseen turbulent situation.
HIBAF: A data security scheme for fog computing.
WHAIDUZZAMAN, M. et al. (2021) states data protection has been a significant issue in the fog computing paradigm, a resource-limited environment for the IoT ecosystem. Therefore, our new HIBAF infrastructure affords better security, yet less processing data transmission delays within the ecosystem. They conducted several experiments to assess our scheme’s efficiency in response time, CPU utilization, run-time encryption and decryption, key generation time, delay efficiency during key-generation, and database management in terms of the user loads. Moreover, they compared the work with other existing cryptographic schemes to monitor the effectiveness. Furthermore, they evaluated secret key updating time, re-encrypted key updating time, and file revoking time through DDoS attacks in both cloud and fog hierarchies. Finally, through evaluation, they observed that our scheme provides overall, 33% improvement in terms of data processing and management in a fog paradigm compared to the general cloud-IoT ecosystem.
IsaNet: A framework for verifying secure data plane protocols.
KLENZE, T. et al (2023) states the verification of future Internet architectures, and in particular path authorization, is a challenging problem since automated protocol verification tools lack the expressiveness to reason about arbitrary sets of authorized paths and the relevant protocols are likely to undergo changes before their eventual standardization and widespread deployment. General guarantees for evolving protocols require general specifications and proofs that abstract from the idiosyncrasies of particular protocol instances. Our parametrized framework IsaNet provides a solution to these challenges. It substantially reduces the per-protocol specification and verification work compared to restarting verification from scratch for each protocol. For each instance, one must just define the parameters and prove the static conditions to establish path authorization and detectability. Our abstractions are general enough to cover a large class of protocols proposed in the literature.
The present work constitutes an important step towards our ultimate goal of verifying a high-performance implementation of the SCION-22 router written in Go. They are pursuing this goal using the Igloo methodology to soundly link protocol and code verification. This methodology guarantees that the implementation will inherit the properties they have proven for our model. To achieve this goal, they are further refining our SCION-22 model, adding more detail such as packet buffering and segment switching, and they are extracting a program specification of the router’s behavior from the refined model. This specification will be used for the verification of the router code.
In future work, security properties such as packet authentication and path validation could be included in the verification framework. Since not all protocols achieve these properties, an interesting question is how they could be incorporated in a modular fashion without requiring separate parametrized models with duplicated proof effort. Furthermore, it would be interesting to investigate the existence of a reduction result for path authorization and other data plane security properties in the vein of which would enable the fully automated verification of secure dataplane protocols.
Information Security Control Theory: Achieving a Sustainable Reconciliation Between Sharing and Protecting the Privacy of Information.
ANDERSON, C et al (2017) states the exchange of health information between providers is considered critical to the improvement of health care both in better care quality and cost reduction. To increase participation in health information exchange and sustain that participation over time, health-care organizations and individual consumers must feel confident that the information shared and accessed through the exchange is secure and private. The inherent tension in this process between the need to share and desire to protect health information has impacted the achievement of greater interoperability.
They introduce a theory of information security control that considers the development of an information security policy, as a foundational and fundamental process in information security, through the relationship between exposure control reasoning and ethical control reasoning. They find that these two forms of reasoning can be used to balance the tension between sharing and protecting information and that an effective information security policy development process brings together stakeholders, experts, and prior codified knowledge. This approach can provide an important foundation for a successful HIE and help enable more secure information sharing in other arenas that similarly bear the tension between sharing and protecting critical data.
Our investigation provides several novel contributions. First, they address a gap in the information security field by offering a theoretically and empirically grounded policymaking framework for addressing the tension between information sharing and information protection. Second, our information sharing security theory bears special significance to other industry domains where information sharing is governed by strict laws due to the specifically sensitive nature of the information. Third, our findings provide a way forward for promoting the notion of information exchanges that have traditionally floundered due to the security concerns associated with information sharing. Finally, our theory has strong practical implications for practitioners, both in health care and other domains, who may use the learning from the iterative security policy development process to aid their security policy development decisions. They can also apply the theoretical framework to find a balance between openness and protection that best aligns with their specific, local, information goals.
the strictness of state-level data breach disclosure laws, while having a insignificant impact on the risk of data breach within a state, have a significant impact on the risk of data breach within the financial, educational, and medical industries and for the nongovernmental organization sector. In the affected industries, the strictness of state-level data breach disclosure laws is directly correlated with the reduced risk of data breach within these industries. One conclusion that public policymakers can draw from this result is that stricter laws on data breach notifications benefit consumers because they lead to reduced risk of data breach. However, before jumping to this conclusion, policymakers should be warned of some unintended consequences of such a move. Data disclosure laws mandate a minimal security requirement. As a result, to meet these security requirements, organizations may be motivated to outsource security protections to managed security service providers (MSSPs) to benefit from the security expertise of the MSSP and to reduce their cost of complying with the stricter laws. This adds another risk to the organizations’ data, that is, system interdependency risk. The greater the number of clients an MSSP serves, the greater the system interdependency risk, which results in overall reduced social they fare. Furthermore, stricter legal security requirements can also cause “security-related stress” to the employees of the affected organizations, which could have an adverse impact on data security. Finally, existing studies have found that operationally mature organizations are more likely to be motivated by actual security considerations than by compliance with the legal requirements, and operationally immature firms are primarily motivated by compliance. Therefore, if public policy requires strict laws to improve data security, the laws should be targeted at operationally immature firms.
Another key result from this study is that investment in IT security is correlated with a higher risk of data breach within both a state and industry sectors. This result is counter to what is expected according to the opportunity theory of crime. One explanation for this result could be that firms are investing inefficiently in information security management. For instance, firms could be investing a major part of their IT budget on technical controls (e.g., firewalls, antivirus software, intrusion detection systems, etc.), at the expense of administrative and physical controls. This assertion is supported by a survey of 1,500 companies by Gartner, which found that 45 percent of the IT security budget is spent on hardware and software.
Estimating the Contextual Risk of Data Breach: An Empirical Approach.
SEN, R. et al (2015) states opportunities available to data thieves. Finally, the companies are not spending the IT security budget on the right technical controls that protect primarily against data breach. In short, just investing in IT security does not guarantee reduced risk of data breach, unless the expenditure is on the right type of security controls, that is, administrative, technical, and physical. This kind of analysis becomes important given the fact that recent data breach incidents at Target and Neiman Marcus seem to have motivated companies to spend more on IT security.
For IT security practitioners, this research and the insights offered by the study allow an organization to assess the risk environment (in terms of data breaches) based on its location (i.e., state in which it is located), its industry sector, and the kind of breaches that the firm may typically be prone to. Based on these risk assessments and the factors contributing to the risks, it can decide on its investment in preventive controls that would minimize such risks. An organization thinking of outsourcing its data center or investing in its own data center can estimate the risk of data breach in various states; it could also focus specifically on data breach caused by hackers to decide on its investments in preventive measures. Figure 5a provides the survival curves based on model estimates for the risk of data breaches across three states. The vertical axis is the probability of the next data breach and the horizontal axis is the number of days until the next data breach in that state.
The empirical study in our work is based on secondary data. Although in the model they control for various unobserved factors by way of fixed effects, one should be careful regarding a strict casual interpretation of our results in various contexts. It is necessary to replicate more such studies in different contexts so as to make more robust inferences.
Strengthening data privacy: the obligation of organisations to notify affected individuals of data breaches.
SELVADURAI, N. et al (2019) states in a digital landscape which is characterised by the capture, transmission and utilisation of personal data on a vast scale and an increase in incidences of unauthorised access to such data, ensuring the data privacy of individuals is becoming an increasingly critical. The federal Privacy Amendment which introduced a new Part IIIC into the Privacy Act forms a valuable initiative in compelling organisations to disclose instances of unauthorised data access, disclosure or loss that are likely to cause serious harm to the Information Commissioner and affected parties. In the absence of such legislation, the majority of such breaches are unlikely to be brought to the attention of the affected individuals. Having such legislation enables individuals whose personal data have been breached to take remedial action to mitigate the harm caused by the infringement of their privacy. Further, the spectre of public disclosure of data breaches is likely to encourage organisations to strengthen their security management systems and adopt technologies, such as encryption, use of firewalls and network intrusion identification systems, to protect data privacy. The obligation to notify of a data breach on an organisation’s they site forms a particularly powerful incentive for strengthening of security and avoiding data breaches. However, widely defined provisions, such as that which makes notification conditional on it being ‘practicable’ and limiting the steps necessary to be taken to notify individuals at risk to that which is ‘reasonable in the circumstances,’ operate to taken an organisation’s investigative and notification obligations following the occurrence of an actual breach. There is hence scope for further initiatives, involving greater industry self-regulation and limitations on the data collected and retained, to further strengthen the data privacy of individuals and reduce the potential harm caused by breaches of personal data.
A critical balance: collaboration and security in the IT-enabled supply chain.
SMITH, G. E. et al. (2007) states as IT increasingly becomes the medium of business functionality, a reliance on its secure and continued operations has redefined corporate risk. In the supply chain, information sharing and partner relationships are designed to drive down supply chain risk. However, the high integration and IT requirements essential to this goal can increase risk as greater levels of collaboration expose significantly more sensitive information to potential risk from a wider variety of sources. In support of this assertion, they found indications that highly integrated supply chains theyre at greater risk for security incidents versus those exhibiting less integration.
As the usage of IT becomes ubiquitous within single organizations and supply networks, its pure strategic value diminishes and the risks it creates threaten to become more important than the advantages it provides. Therefore, protecting these systems without overspending now poses a critical challenge to business. This paper is an essential first step toward addressing this issue, introducing a model of IT risk depicting both point of origin for attacks and the processes and linkages that are vulnerable to IT threats in the supply chain. However, considerable work remains in terms of measuring the consequences of that risk, a fundamental element in the decision-making process. Research toward this end is critical for SCM to ensure that proper consideration is given to IT security risk as organizations seek to leverage IT to establish collaborative relationships.
Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements.
KAMLEITNER, B.; and MITCHELL, V (2019) the framework highlights the limitations of current regulation, which largely fails to reflect the interdependent and dynamic nature of privacy. Specifically, current approaches appear to underplay the key function of recognition and respect in privacy protection and are ill-suited to reducing the substantial burden of considering all 3Rs in the digital world. The resulting 4E interventions and their applicability to industry, regulators, and consumers could even disrupt data markets and privacy regulations as they currently know them. In building the framework, they do not claim to know all that goes on within it or all the ways it can be applied. Different and varied applications of the framework will allow for greater understanding of its potential uses, implications, and limitations. A key point, however, is that the framework is designed to focus on the sharer, because it is the sharer who has to realize, recognize, and respect others’ data. This promotes several avenues for further academic research.
One important avenue is to identify the extent to which data-collecting systems such as apps, theybsites, or always-on devices ensure realization, recognition, and respect. This would allow researchers to determine the most problematic areas in practice. Another relevant future direction would be to test the effectiveness of the proposed interventions, for example, through experiments that change the wording in permissions from “access” to “give away” or that provide information on the exact amount of data being shared. Future research should also explore the hierarchical relationships between the 3Rs—that is, how much realization is needed before recognition dawns? Alternatively, how much recognition is needed before respect follows? Our focus has been on the sharer as a private individual. However, organizations also may become infringers when they pass on their customer data to other organizations or are the recipients of others’ data. To revisit a previous question, if a device tracks and passes on personal data, who then is responsible? The owner or user of the device? The manufacturer of the device? Or any other service provider that ensures that consumers obtain and use the device? There is research to be done to establish how theyll the 3R framework translates to organizations and how theyll it is suited to analyze the position of the recipient. Finally, there is work to be done to pinpoint who around the world might be (jointly) responsible for, or best suited to, changing data protection policy jurisdictions. Pressure groups, think tanks, and groups other than legislators can all bring about an urgently needed change that will prevent technological facilitation from corrupting a human strength—our interdependent, social nature—into an uncontrollable threat.
Smart environments in the health context, self-management and data protection in the STARR project.
PICHIERRI, F. and DIMITROVA, D. (2018) states the above paragraphs presented a number of challenges that smart environments in the health context, such as the STARR one, present for the effective privacy and data protection of the potential STARR users.
The main issues relate to the complex data flow architecture of such apps. This leads to numerous problems, including a lack of transparency and clear overview of the data, the flow of these data, processing purposes and operations. As a result of this, data controllers could have more opportunities for data misuse as also recently demonstrated by the DeepMind-Royal Free case (Powles and Hodson [17]), including of anonymous data, and data subjects might have difficulty exercising effective control over the processing of their data.
The GDPR offers certain solutions to the above-mentioned problems. It introduces several obligations for the controller, e.g. to be accountable, to be transparent to the data subjects by providing them with clear information about the processing of their data, and to adopt organizational and technical measures to ensure compliance with the GDPR. In the STARR context such measures could be access controls, robust security measures, procedural guarantees for the data subject and their rights as data subjects, and organizational decisions regarding the purposes of the processing. Such a data protection and privacy organizational and technological architecture could allow stroke survivors to self-manage his/her recovery and also privacy sphere.
However, due to the delicate situation of stroke survivors, one should take into account their ability to participate in the control of the legality of the processing of their data.
Data protection and codes of conduct in collaborative research.
KOŠČÍK, M.and MYŠKA, M. (2018) states that they have identified a real need for codes of conduct under Article 40, which was present even prior to the GDPR. However, this need was perceived only within some particular research disciplines. The efforts to formulate codes of conduct have been fragmented and have remained on the levels of recommendations and guidelines. Various sorts of best practices, guidelines, and policies have been created and published by DPAs, research councils, funding bodies, ethical boards, and research institutions themselves. As a result, these efforts are often counterproductive since researchers are exposed to multiple policies that are not compatible in all of their particularities. The nature of these guidelines is mainly informative or binding only towards employees or grant recipients.
Data protection governance in the research sector has many elements of self-regulation, but the co-regulatory approach presumed by Article 27 of the Data Protection Directive and Article 40 is almost non-existent, this is most likely due to the lack of true incentives for research institutions to cooperate with DPAs.
The GDPR brings new incentives for adoption of the codes of conduct under Article 40, especially by drawing the attention of governing bodies to the issues of privacy and data protection. Another incentive to adopt new codes of conduct is the complexity of GDPR. Research institutions may now feel the need to draft codes of conduct for the sake of safeguarding legal certainty for both researchers and research subjects.
They identified three major obstacles that make a general code of conduct at the European level infeasible, which are lack of a single body or association that truly represents all research institutions at the international level; fragmentation and conflicting needs of individual branches of science; and overlapping of research with other sectors that may require their own codes of conduct. The adoption of universal code of conduct for scientific research remains unlikely. However, they see the adoption of Pan-European codes of conduct as a useful instrument for specific scientific disciplines that require large cross-border movements of personal data. Adoption of several ‘specialized’ codes of conduct instead of one overarching code appears to be the better option.
CONCLUSTION:
In conclusion, data security is Permanent in today’s digital landscape. With the increasing volume of sensitive information stored and transmitted online, the risks associated with data breaches, identity theft, and cyber-attacks continue to rise. It’s imperative for organizations to implement robust security measures to safeguard data integrity, confidentiality, and availability. This involves employing encryption techniques, access controls, regular audits, and staying abreast of emerging threats to promptly address vulnerabilities. Additionally, fostering a culture of security awareness among employees through training programs and enforcing strict compliance with data protection regulations are essential aspects of maintaining a secure environment. By prioritizing data security, businesses can not only protect their assets and reputation but also build trust among customers and stakeholders, ultimately contributing to their long-term success in the digital age.
References:
ANDERSON, C.; BASKERVILLE, R. L.; KAUL, M. Information Security Control Theory: Achieving a Sustainable Reconciliation Between Sharing and Protecting the Privacy of Information. Journal of Management Information Systems, [s. l.], v. 34, n. 4, p. 1082–1112, 2017. DOI 10.1080/07421222.2017.1394063. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=bced59f9-58ef-3383-a2e4-a9e42b98c939. Acesso em: 25 fev. 2024.
CHATTERJEE, S.; CHAUDHURI, R.; VRONTIS, D. Examining the global retail apocalypse during the COVID-19 pandemic using strategic omnichannel management: a consumers’ data privacy and data security perspective. Journal of Strategic Marketing, [s. l.], v. 29, n. 7, p. 617–632, 2021. DOI 10.1080/0965254X.2021.1936132. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=844620fb-dbac-377e-be91-cdac82117a97. Acesso em: 25 fev. 2024.
KAMLEITNER, B.; MITCHELL, V. Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements. Journal of Public Policy & Marketing, [s. l.], v. 38, n. 4, p. 433–450, 2019. DOI 10.1177/0743915619858924. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=957be070-2e8e-39ee-b007-98f903958ab1. Acesso em: 25 fev. 2024.
KLENZE, T.; SPRENGER, C.; BASIN, D. IsaNet: A framework for verifying secure data plane protocols. Journal of Computer Security, [s. l.], v. 31, n. 3, p. 217–259, 2023. DOI 10.3233/JCS-220021. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=e6003772-ca15-366e-8b5e-b741466e6bd2. Acesso em: 25 fev. 2024.
KOŠČÍK, M.; MYŠKA, M. Data protection and codes of conduct in collaborative research. International Review of Law, Computers & Technology, [s. l.], v. 32, n. 1, p. 141–154, 2018. DOI 10.1080/13600869.2018.1423888. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=d483c17c-4356-3253-88a7-8e9245fbf803. Acesso em: 25 fev. 2024.
PICHIERRI, F.; DIMITROVA, D. Smart environments in the health context, self-management and data protection in the STARR project. International Review of Law, Computers & Technology, [s. l.], v. 32, n. 1, p. 174–189, 2018. DOI 10.1080/13600869.2018.1433954. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=024321e7-8d85-3646-a6d5-49de058fbff4. Acesso em: 25 fev. 2024.
SELVADURAI, N.; KISSWANI, N.; KHALAILEH, Y. Strengthening data privacy: the obligation of organisations to notify affected individuals of data breaches. International Review of Law, Computers & Technology, [s. l.], v. 33, n. 3, p. 271–284, 2019. DOI 10.1080/13600869.2017.1379368. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=81984d05-c2cf-3b6b-824c-9a1913e19ae6. Acesso em: 25 fev. 2024.
SEN, R.; BORLE, S. Estimating the Contextual Risk of Data Breach: An Empirical Approach. Journal of Management Information Systems, [s. l.], v. 32, n. 2, p. 314–341, 2015. DOI 10.1080/07421222.2015.1063315. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=ccdfaf41-b52f-31a2-a895-c3a6a0f4a133. Acesso em: 25 fev. 2024.
SMITH, G. E. et al. A critical balance: collaboration and security in the IT-enabled supply chain. International Journal of Production Research, [s. l.], v. 45, n. 11, p. 2595–2613, 2007. DOI 10.1080/00207540601020544. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=59a9690f-5fa6-317d-9558-6bb7894423bd. Acesso em: 25 fev. 2024.
WHAIDUZZAMAN, M. et al. HIBAF: A data security scheme for fog computing. Journal of High Speed Networks, [s. l.], v. 27, n. 4, p. 381–402, 2021. DOI 10.3233/JHS-210673. Disponível em: https://research.ebsco.com/linkprocessor/plink?id=4f89fd62-6475-308a-8f3e-6775d84a34a2. Acesso em: 25 fev. 2024.