
Towards Structured Implementation of Network Security Policies




Journal of Information Systems Security
Volume 11, Number 1 (2015)
Pages 327
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Jordan Shropshire — University of South Alabama, USA
Art Gowan — James Madison University, USA
Information Institute Publishing, Washington DC, USA




Modern enterprises are organic, changing structures with dynamic computing needs. To keep up with these changes, information resources are under constant revision. Beyond changes to the functional aspects of computer systems, information security features must also be updated regularly. Updating system access controls can be quite complex, and errors are often incorporated into the result. This research develops a structured process for updating security controls while minimizing human error. The proposed process is designed especially for entry-level system administrators. It organizes the task into a series of linear steps, simplifying the problem space. The process consists of five steps: security policy analysis, technical specification, rule development, reconciliation and list optimization. The framework is evaluated in an experiment using the Solomon Four-Group method, with a sample of 112 subjects. The results indicate that a structured approach reduces perceived task complexity, increases self-efficacy, and results in improved access control lists.
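The last two steps of the process named in the abstract, reconciliation and list optimization, are the ones most easily supported by tooling. The following is an added illustration written for this page, not code from the paper or its authors: a toy first-match ACL model in which reconciliation replays probe packets written down from the technical specification against the rule list and reports every disagreement, and optimization flags rules that can never fire because an earlier live rule already covers them. The rule format, the sample addresses (web tier 10.0.1.0/24, jump host 10.0.9.10) and the helper names are constructed for the example.

```python
"""Toy first-match ACL checker: reconciles a rule list against specification
probes and flags redundant or shadowed rules.  Added illustration; the
rule format, sample addresses and helper names are constructed, not the
paper's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    ports: tuple           # inclusive destination port range (low, high)


def matches(rule, proto, src, dst, port):
    """Does this rule match a single packet header?"""
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.ports[0] <= port <= rule.ports[1])


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def evaluate(acl, proto, src, dst, port):
    """First matching rule wins; implicit deny at the end, as on most routers."""
    for rule in acl:
        if matches(rule, proto, src, dst, port):
            return rule.action
    return "deny"


def reconcile(acl, probes):
    """Reconciliation step: each probe is (proto, src, dst, port, expected),
    written down from the technical specification.  Returns the probes
    whose outcome under the ACL differs from the expectation."""
    mismatches = []
    for probe in probes:
        got = evaluate(acl, *probe[:4])
        if got != probe[4]:
            mismatches.append((probe, got))
    return mismatches


def optimize(acl):
    """List optimization step: drop rules that can never fire because an
    earlier live rule already covers them (pairwise check only; a rule
    covered by the *union* of several earlier rules is not detected).
    Returns (kept_rules, findings).  A dead rule with the same action as
    its cover is merely redundant; one with the opposite action is
    shadowed and usually signals a mistake that needs human review."""
    kept, findings = [], []
    for index, rule in enumerate(acl):
        cover = next((k for k in kept if covers(k, rule)), None)
        if cover is None:
            kept.append(rule)
        else:
            kind = "redundant" if cover.action == rule.action else "shadowed"
            findings.append((index, kind, rule, cover))
    return kept, findings


# Constructed sample ACL: web tier 10.0.1.0/24, admin jump host 10.0.9.10.
SAMPLE_ACL = [
    Rule("permit", "tcp", "10.0.9.0/24", "10.0.1.0/24", (22, 22)),   # too broad
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),
    Rule("permit", "tcp", "10.0.9.10/32", "10.0.1.0/24", (22, 22)),  # redundant
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),     # shadowed
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),   # redundant
]

# Constructed probes taken from the specification: HTTPS open to all,
# SSH only from the jump host, everything else denied.
SPEC_PROBES = [
    ("tcp", "203.0.113.7", "10.0.1.20", 443, "permit"),
    ("tcp", "10.0.9.10", "10.0.1.20", 22, "permit"),
    ("tcp", "10.0.9.77", "10.0.1.20", 22, "deny"),
    ("tcp", "203.0.113.7", "10.0.1.20", 80, "deny"),
    ("udp", "203.0.113.7", "10.0.1.20", 443, "deny"),
]

if __name__ == "__main__":
    for probe, got in reconcile(SAMPLE_ACL, SPEC_PROBES):
        print(f"MISMATCH {probe}: ACL gives {got}")
    kept, findings = optimize(SAMPLE_ACL)
    for index, kind, rule, cover in findings:
        print(f"rule {index} is {kind}: {rule} covered by {cover}")
    print(f"{len(SAMPLE_ACL)} rules -> {len(kept)} after optimization")
```

Run against the sample, reconciliation reports one mismatch (SSH from 10.0.9.77 is permitted because rule 0 admits the whole admin subnet rather than the jump host), and optimization reduces the five rules to two while reporting two redundant rules and one shadowed deny. Removing dead rules never changes what the list does, so the probes evaluate identically before and after; the value of the step is that the shadowed deny points the administrator at a rule whose intent conflicts with an earlier one.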




Access Control Lists, Solomon Four-group, Structured Approach, Task Complexity, Self-efficacy



