"Internal Control Considerations for Information System Changes and Patches" J.S. Zanzig, G.A. Francia, III, and X.P. Francia. In H. Rahman, & R. de Sousa (Eds.) Information Systems and Technology for Organizational Agility, Intelligence, and Resilience (pp. 161-179). Hershey, PA: Business Science Reference. doi:10.4018/978-1-4666-5970-4.ch008. April, 2014.
Abstract: The dependence of businesses on properly functioning information systems to allow organizational personnel and outside investors to make important decisions has never been more pronounced. Information systems are constantly evolving due to operational and security requirements. These changes to information systems involve a risk that they could occur in a way that results in improper processing of information and/or security issues. The purpose of this chapter is to consider related guidance provided in a Global Technology Audit Guide (GTAG) from The Institute of Internal Auditors in conjunction with current change and patch management literature in order to assist internal auditors and organizational personnel in better understanding a process that leads to efficient and effective information system changes. The authors describe how internal auditors and information technology professionals can work together with organization management to form a mature approach in addressing both major information system changes and patches.
"Gamification of Information Security." G.A. Francia, III, D. Thornton, M. Trifas, and T. Bowden. In B. Akhbar and H. Arabnia (Eds), Emerging Trends in Information and Communication Technologies Security. Elsevier Publishing. pp. 85-97. 2014.
Abstract: The need for well-trained Information Security and Assurance (ISA) professionals, as well as general information security awareness, has increased considerably in the last decade, and shows no sign of slowing. To address this need, both industry and academia have been driven to innovative approaches. The use of digital games and game mechanics to further education has received growing attention and respect in the last several years. There is strong evidence that thoughtful employment of gaming elements can improve motivation and understanding. This paper provides a broad background on the topics of game-based learning, gamification, and serious games. Further, it describes our on-going approach to developing and promoting digital games for information security awareness, including two game designs and a gamification system architecture.
"Regulatory and Policy Compliance with Regard to Identity Theft Prevention, Detection, and Response," G.A. Francia III and F. Hutchinson. In Te-Shun Chou (Ed.), Information Assurance and Security Technologies for Risk Assessment and Threat Management: Advances. IGI Global Publishing, pp. 292-322, 2012.
ABSTRACT. The proliferation of the Internet has intensified the identity theft crisis. Recent surveys indicate staggering losses amounting to almost $50 billion incurred due to almost 9 million cases of identity theft. These startling and apparently persistent statistics have prompted the United States and other governments to initiate strategic plans and to enact several regulations in order to curb the crisis. This chapter surveys national and international laws pertaining to identity theft. Further, it discusses regulatory and policy compliance in the field of information security as it relates to identity theft prevention, detection, and response policies or procedures. In order to comply with recently enacted security-focused legislation and to protect the private information of customers or other third parties, it is important that institutions of all types establish appropriate policies and procedures for dealing with sensitive information.
"Multimedia Information Security and Privacy--Theory and Applications," G.A. Francia III, Ming Yang, Monica Trifas, Lei Chen, and Yongliang Hu. In Dr. Hamid Nemati (Ed.), Security and Privacy Assurance in Advancing Technologies: New Developments. IGI Global Publishing, 2011.
ABSTRACT. Information security has traditionally been ensured with data encryption techniques. Different generic data encryption standards, such as DES, RSA, and AES, have been developed. These encryption standards provide a high level of security for the encrypted data. However, they are not very efficient in the encryption of multimedia content due to the large volume of digital image/video data. In order to address this issue, different image/video encryption methodologies have been developed. These methodologies encrypt only the key parameters of image/video data instead of encrypting it as a bitstream. Joint compression-encryption is a very promising direction for image/video encryption. Researchers have recently started to utilize information hiding techniques to enhance the security level of data encryption methodologies. Information hiding conceals not only the content of the secret message, but also its very existence. In terms of the amount of data to be embedded, information hiding methodologies can be classified into low bitrate and high bitrate algorithms. In terms of the domain for embedding, they can be classified into spatial domain and transform domain algorithms. In this chapter, we review various data encryption standards, image/video encryption algorithms, and joint compression-encryption methodologies. We also present different categories of information hiding methodologies as well as data embedding strategies for digital image/video content.
"Security Compliance Auditing: Review and Research Directions," G.A. Francia III and J. Zanzig. In M. E. Whitman & H. J. Mattord (Eds.), Readings and Cases in the Management of Information Security, Volume II: Legal and Ethical Issues in Information Security Management. Course Technology. 2009.
ABSTRACT. The pervasiveness and convenience of computers and the Internet tend to make most of society deeply dependent on information technology. This technology has provided tremendous benefits to society in areas such as commerce, the distribution of knowledge, and the ability of persons to communicate with one another. Unfortunately, it has also opened up vulnerabilities that did not exist outside of networked computer systems. The vast number of federal and state regulations over technological security presents a daunting task for organizations to ensure compliance. It is believed that there is a common thread of security issues interwoven within technological security legislation. Some of these common elements include: a risk assessment process to continually assess security risks, access controls so that only authorized individuals can enter various areas of a system, and security logs to monitor the system’s handling of security issues and maintain accountability for system users.
"Global Information Security Regulations, Case Studies and Cultural Issues," G.A. Francia III and A. Ciganek. In M. E. Whitman & H. J. Mattord (Eds.), Readings and Cases in the Management of Information Security, Volume II: Legal and Ethical Issues in Information Security Management. Course Technology. 2009.
ABSTRACT. The pervasiveness of the Internet has created a new challenge for legislators around the globe: the enactment of regulations that will preserve and protect the country’s Information Technology (IT) infrastructure and its integrity in delivering secure products and services. This chapter examines the global, and yet unilateral, attempts of various countries to ratify their own information security legislation.
"A Formal Framework for Patch Management," G.A. Francia III, K. Kim, B. O. Ahn, and S.X. Zhou. International Journal of Interdisciplinary Telecommunications and Networking (IJITN). Vol. 5, No. 2: 18-31, 2013.
ABSTRACT. A patch management model provides a framework with which a system’s parameters and behavior can be tested and validated. The authors propose a formal framework that is based on the Continuous Time Markov Chain Model and validate the model using the SHARPE modeling tool. Furthermore, they perform sensitivity analyses to study the dynamic behavior of the proposed model with varying parameter values. A discussion of the results of the study and future research directions concludes the paper.
"Portable SCADA Security Toolkits," G.A. Francia III, N. Bekhouche, T. Marbut, and C. Neuman. International Journal of Information and Network Security (IJINS). Vol. 1, No. 4: 265-274, October, 2012.
ABSTRACT. The Internet and the demands of connectivity and convenience to access the control systems found in critical infrastructures have ushered in newly discovered vulnerabilities that have been exploited by internal and external threats. These vulnerabilities of control systems could be exposed by even novice hackers through the use of non-sophisticated tools found on the Internet. These insecurities have been perpetuated by technology staff and even educators who are themselves unaware of the potential risks and consequences. This is further exacerbated by the lack of affordable training tools and systems for the information security curriculum. We describe a cost-effective way of equipping educators with hands-on toolkits that can be used in their classrooms as security testing and learning kits. In addition, we describe several SCADA security curriculum modules that can be used to provide hands-on laboratory exercises utilizing the toolkits. We believe that this small contribution towards training future control system security professionals will have a tremendous impact on the security of industrial systems.
"Cryptographic and Steganographic Approaches to Ensure Multimedia Information Security and Privacy," G.A. Francia III, M. Yang, M. Trifas, and L. Chen. International Journal of Information Security and Privacy. Vol. 3, no. 3, pp. 37-54. July-September, 2009.
ABSTRACT. Information security and privacy have traditionally been ensured with data encryption techniques. Generic data encryption standards, such as DES, RSA, and AES, are not very efficient in the encryption of multimedia content due to its large volume. In order to address this issue, different image/video encryption methodologies have been developed. These methodologies encrypt only the key parameters of image/video data instead of encrypting it as a bitstream. Joint compression-encryption is a very promising direction for image/video encryption. Researchers have recently started to utilize information hiding techniques to enhance the security level of data encryption methodologies. Information hiding conceals not only the content of the secret message, but also its very existence. In terms of the amount of data to be embedded, information hiding methodologies can be classified into low bitrate and high bitrate algorithms. In terms of the domain for embedding, they can be classified into spatial domain and transform domain algorithms. Different categories of information hiding methodologies, as well as data embedding and watermarking strategies for digital video content, are reviewed. A joint cryptography-steganography methodology, which combines both encryption and information hiding techniques to ensure patient information security and privacy in medical images, is also presented.
"The Design and Implementation of an Automated Security Compliance Toolkit: A Pedagogical Exercise," G.A. Francia III, B. Estes, R. Francia, V. Nguyen, and A. Scroggins. Journal of Digital Forensics, Security and Law. Vol. 2, No. 4, January, 2008.
"An Empirical Study on the Performance of Java/.Net Cryptographic APIs." G.A. Francia III and R. Francia. Information Security Journal: A Global Perspective. Vol. 16, No. 6, November, 2007: 344-354.
ABSTRACT. The unprecedented growing demands on security and privacy protection have ushered in the proliferation of cryptographic tools. This paper presents a study on the performance comparison of cryptographic Application Program Interfaces (APIs) that are implemented for the Java and the .Net frameworks. The results of the study clearly indicate the superiority of a set of commercial cryptographic APIs over their open-source counterparts.
Conference Proceeding Articles:
"Cyberattacks on SCADA Systems," G. A. Francia, III, D. Thornton, and T. Brookshire. Proceedings of the 16th Colloquium for Information Systems Security Education. Orlando, FL, June 11-13, 2012. (Awarded "Best Paper" at the conference).
ABSTRACT. Critical infrastructures such as Supervisory Control and Data Acquisition (SCADA) systems have succumbed to the demands of greater connectivity. Although the scheme of connecting this critical equipment and these devices to cyberspace has brought us tremendous convenience, it has also enabled certain unimaginable risks and vulnerabilities. These risks and vulnerabilities are very critical to our daily existence and are perilous to ignore. This paper presents an overview of the vulnerabilities of SCADA systems. Also described are proof-of-concept methods of attacking some of these vulnerabilities.
"Security Best Practices and Risk Assessment of SCADA and Industrial Control Systems," G.A. Francia III, D. Thornton, and J. Dawson. Proceedings of the Security and Management 2012 Conference, Las Vegas, NV, July, 2012: 352-358.
ABSTRACT. The nation's critical infrastructures, such as those found in SCADA and industrial control systems (ICS), are increasingly at risk and vulnerable to internal and external threats. Security best practices for these systems come at a very opportune time. Further, the value of risk assessment of these systems is something that cannot simply be dismissed as irrelevant. In this paper, we present a review of security best practices and risk assessment of SCADA and ICS and report our research findings on the on-going risk modeling of a prototypical industrial control system using the CORAS framework tool.
"Virtualization for a Cyber-Security Laboratory," G.A. Francia, III, A. Garrett, and T. Brookshire. Proceedings of the Frontiers of Education in Computer Engineering and Science Conference 2012, Las Vegas, NV, July, 2012: 508-514.
ABSTRACT. Virtualization has become an integral part of the businesses of today. The virtue of virtualization rests on its ability to cut down cost and to provide an effective means of managing Information Technology (IT) resources. The purpose of this study on virtualization is two-fold: first, to find an effective way to deliver online pedagogical materials and exercises, and second, to compare the merits of various virtualization systems using a common platform. We present our findings in this paper and direct the reader to possible future research directions.
"Critical Infrastructure Curriculum Modules," Proceedings of the 2011 Information Security Curriculum Development (INFOSECCD) Conference. Kennesaw, GA. October, 2011.
ABSTRACT. Critical infrastructures have succumbed to the demands of greater connectivity. Although the scheme of connecting this critical equipment and these devices to cyberspace has brought us tremendous convenience, it has also enabled certain unimaginable risks and vulnerabilities. The importance of critical infrastructure (CI) protection has never been more pronounced, and we are at a juncture in history where CI security is paramount. Although research in this area of national need has grown steadily, pedagogical materials in this area are slow to keep up. This paper presents the development of course modules for a critical infrastructure security curriculum. Although these course modules can be used to augment an existing course in CI, they can also be utilized as bases with which to build a complete CI course. Existing laboratory setups which can be used to supplement the course are also described. The course modules and the supplemental laboratories are envisioned to be great instruments for training future information security professionals. These pedagogical materials can also be used as supplements to other courses that pertain to information security, risk management, or emergency preparedness.
"Design and Implementation of a Critical Infrastructure Security and Assessment Laboratory," (with N. Bekhouche and T. Marbut). Proceedings of the Security and Management 2011 Conference, Las Vegas, NV, July, 2011.
"Security Metrics-Review and Research Directions," (with S. Jarupathim). Proceedings of the Security and Management 2009 Conference, Las Vegas, NV, July, 2009. pp. 441-446.
"Applied Data Mining in a Scholarship Program," (with C. Sanders). Proceedings of the Frontiers of Education in Computer Engineering and Science Conference 2009, Las Vegas, NV, July, 2009. pp. 336-340.
"A Model for Section 404 Compliance using Fuzzy Logic Processing," (with J. Zanzig (JSU) and D. Flesher (Univ. of Miss.)). Proceedings of the 2009 Southeast Region American Accounting Association Meeting. University, MS, USA, April 30-May 2, 2009.
ABSTRACT. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a framework in 1992 for the evaluation of internal controls over financial reporting. The significance of this framework was again brought to the forefront of financial reporting when Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) placed responsibility on both public company management and their external auditors to annually evaluate and report on the effectiveness of their internal controls over financial reporting. In regard to the compliance issues set out in the SOX, the Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 5 entitled An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial. This article provides some of the basic building blocks for the framework of a model of how compliance with Section 404 of the Sarbanes-Oxley Act can be achieved while allowing for flexibility in the application of the model to accommodate the unique characteristics of various organizations.
"The Impact of Culture on Global Information Security Regulations," (with A. Ciganek). Proceedings of the Southern Association for Information Systems Conference. Charleston, SC, USA, March 12-14, 2009.
ABSTRACT. The balance between individual privacy and information and security assurance (ISA) regulations is a fluid debate that has many different facets. The objective of this early research is to examine the impact that culture has on ISA regulations. In particular, we examine how internationally accepted ISA policies are adopted in disparate cultures. Multiple interviews were conducted in Thailand with individuals having the requisite knowledge of how Internet security is applied in their country. A discussion of these findings is presented, categorized by national culture dimensions and illustrated with examples, followed by some concluding remarks.
"Visual Security Monitoring Gadgets," Proceedings of the Information Security Curriculum Development (InfoSecCD) 2008 Conference: 40-43, 2008.
"Digital Forensics Laboratory Projects," The Journal of Computing in Small Colleges, Vol. 21, No. 5, May 2006: 38-45. Proceedings of the 4th Annual CCSC-MS Conference.
"An Efficient Packet Loss Recovery Methodology for Video-over-IP." (with M. Yang, N. Bourbakis, and Z. Chen). Proceedings of the 9th IASTED International Conference on Signal and Image Processing (SIP2007), Honolulu, Hawaii, USA, August 20-22, 2007.
"Forensic Data Visualization System: Improving Security through Automation," (with M. Trifas, D. Brown, R. Francia, and C. Scott). Proceedings of the Computer Security Conference, Myrtle Beach, SC, USA, April 12-13, 2007.
"Self Adaptive Application Level Fault Tolerance for Parallel and Distributed Computing," (with Z. Chen, M. Yang, and J. Dongarra). Proceedings of the 21st IEEE International Parallel & Distributed Processing Symposium, DPDNS'07 Workshop, Long Beach, CA, USA, March 26-29, 2007. IEEE Computer Society Press.
"Steganography Obliterator: An Attack on the Least Significant Bits," (with T. Gomez). Proceedings of the Information Security Curriculum Development (InfoSecCD) 2006 Conference: 102-108.
"Visualization and Management of Digital Forensic Data," (with A. Trifas, D. Brown, R. Francia, and C. Scott). Proceedings of the Information Security Curriculum Development (InfoSecCD) 2006 Conference: 115-120.
"Wireless Security Tools," (with P. Le and A. Kilaru). Proceedings of the 2005 International Conference on Wireless Networks (ICWN'05): 562-568. CSREA Press. 2005.
"Computer Forensic Tools and Techniques," (with K. Clinton). Proceedings of the 2005 International Conference on Security and Management (SAM'05): 248-252. CSREA Press. 2005.
"Computer Forensics Laboratory and Tools," (with K. Clinton). Proceedings of the 3rd Annual CCSC MidSouth Conference. April 1-2, 2005. The Journal of Computing Sciences in Colleges, Vol. 20, No. 6: 143-150.