Jose Sarriegi - Academia.edu
Papers by Jose Sarriegi
Communications in Computer and Information Science, 2012
Lecture Notes in Computer Science, 2009
This paper presents the results of a security management survey of IT administrators from small and medium sized enterprises (SMEs) who ranked predefined Critical Success Factors (CSFs) and Indicators. The outcome of this study relies on the development of a set of security management guidelines that allows IT administrators to adopt assessment and managerial security routines. The secondary contribution relies on allowing IT administrators to establish a culture of implementing and tracking the effectiveness of technical and non-technical security controls. The survey results describe how IT administrators would like the most critical aspects of security to evolve.
Lecture Notes in Computer Science, 2009
Research into critical infrastructure (CI) interdependencies is still immature. Such interdependencies have important consequences for crisis management. Owing to the complexity of this problem, computer modelling and simulation is perhaps the most efficient research approach. We present five facts that should be taken into account when modelling these interdependencies: 1) CIs are interdependent elements of a complex system. 2) Ever increasing interdependencies create new complexity. 3) Crises in CI are dynamically complex. 4) There is a need for a long term perspective. 5) Knowledge about CI is fragmented. These facts significantly condition the tools and methodologies to be used for modelling interdependencies, as well as the training and communication tools to transfer insights to crisis managers and policymakers. We analyze several modelling methodologies for applicability to CIs interdependencies problem
The implementation of an ERP (Enterprise Resource Planning) demands the development of a complex project. On one hand, the scientific literature presents some key factors which allow the project to reach the expected objectives. However, these researches do not consider the dynamic relationships that take place among these key factors, although interrelations can benefit or stop the project development. On
Lecture Notes in Computer Science, 2006
... Adopting regulations as security strategy can lead organizations towards the compliance requirements of ... Instead, they will focus on convincing employees to execute cyber attacks [33]. Therefore, developing information security awareness among the organization is no longer a ...
Lecture Notes in Computer Science, 2007
... Tecnun (University of Navarra) Manuel de Lardizábal 13, 20018 San Sebastián, Spain {fosveen,jmtorres,jmsarriegi}@tecnun.es Abstract. ... The Internet Worm, ILoveYou and Melissa showed how fast malware can spread in a networked world. ...
2014 47th Hawaii International Conference on System Sciences, 2014
Infrastructures (CIs) can have severe consequences for our societies. Therefore, CI resilience has attracted increasing attention in industries and policy-making. However, empirical studies on CI resilience are rare. In particular, research on the implementation of policies aiming at an improvement of CI resilience is lacking. Using Group Model Building combined with the Delphi method, and surveys we have developed a framework to improve CI resilience. This research identifies policies to enhance CI resilience against major industrial accidents across four dimensions (technical, organizational, economic and social) and proposes a temporal order to ensure that the benefit of policy implementation can be maximized.
Lecture Notes in Computer Science, 2006
At the highest abstraction level, an attempt by a social engineer to exploit a victim organization either attempts to achieve some specific target (denial of service, steal an asset, tap some particular information) or it wishes to maximize an outcome, such as to disable the organization by a terrorist attack or establish a permanent parasitic relationship (long-term espionage). Seen as
2011 44th Hawaii International Conference on System Sciences, 2011
While awareness is acknowledged as a key factor in crisis management, much is vague as to the meaning of the awareness concept, its measurement, how awareness impacts the lifecycle of a crisis and how awareness can be promoted. This vagueness, we hypothesize, potentially reflects the immaturity of crisis management theory. This in turn obscures the landscape of leading crisis indicators,
How long could an organization survive without its information systems working efficiently? Frequent changes of the systems to protect, significant delays between efforts and results, the large amount of involved variables and the difficulty to measure some of them make security management a challenge for current companies. Simulation models provide a virtual environment that can help analysing the dynamic balance between the affected key factors. These key factors include technical controls (Software and hardware elements to protect the system), formal controls (Procedures for guaranteeing an efficient use of technical controls) and security culture (Human factors that affect the compliance of the designed procedures). This paper presents an ongoing real modelling process, involving a university team and two companies. The paper includes information about the used methodology, the modelling process and the preliminary results of the obtained model. This process has allowed concludi...
International Journal of System of Systems Engineering, 2008
At the highest abstraction level, an attempt by a social engineer to exploit a victim organisation either attempts to achieve some specific target (denial of service, steal an asset, tap some particular information) or it wishes to maximise an outcome, such as to disable the organisation by a terrorist attack or establish a permanent parasitic relationship (long-term espionage). Seen as dynamic processes, the first kind of exploit is a controlling ('balancing') feedback loop, while the second kind is a reinforcing feedback loop. Each type of exploit meets a first line of defence in control processes or in escalating ('reinforcing') processes of resistance. The possible combinations of the two modes of attack and the two modes of defence yield four archetypes of exploit and natural defence. Predictably, the social engineer would seek to outsmart the first line of defence; it is shown that each archetype implies a particular strategy to do so. Anticipation of these modes of attack must be the starting point for an effective multilayered defence against social engineering attacks.
International Journal of Industrial Ergonomics, 2007
... The objective of these types of studies tends to focus on reducing Cumulative Trauma Disorder (Armstrong, 1986; Maizlish et al., 1995). However, ergonomic analysis can also simultaneously include improvements in productivity (Resnick and Zanotti, 1997). ...
International Journal of Food Safety, Nutrition and Public Health, 2011
The food supply chain has been recognised by the USA and the EU as a critical infrastructure, and it should be considered a target for possible terrorist attacks. In this paper, we present a methodological approach developed within the EU project SecuFood to evaluate the risk associated with this threat. The usefulness of the approach is related to the improvement of the analysis of food supply chain risk in terms of the potential threats, the vulnerability of the system, and the effectiveness of counter measures.
International Journal of Computer Integrated Manufacturing, 2004
This paper presents MiiSD, a Methodology for integrated information System Design that can also be used to identify information to be standardized to develop partial standard models. It proposes a meeting point between scientific developments, centred on the definition of standards for information exchange and on the commercial development of management programmes for business information. Applying the proposed methodology the amount and complexity of the data to be standardized are reduced. Additionally, this methodology helps companies to define what its information structure systems should be. On the other hand, it can also be used to carry out an audit of the information system already running within a company, identifying the main areas that are lacking. MiiSD outlines a new perspective over the problem of information integration in manufacturing companies.
Information Management & Computer Security, 2007
Purpose This research paper aims to examine how incident-reporting systems function and particularly how the steady growth of high-priority incidents and the semi-exponential growth of low-priority incidents affect reporting effectiveness. Social pressures that can affect low- ...
systemdynamics.org
Theory informs us of the differences between principles and methods used to build System Dynamics and Agent Based Models. However, little is known about how the paradigms are applied in practice and the subsequent difficulties encountered. In order to ...
Enterprise Information Systems, 2008
This paper presents a support methodology that facilitates the analysis of shared information between applications. The contemporary needs of information systems within companies rely on the integration of different applications. As a consequence, integration projects called EAI (enterprise application integration) and BPM (business process management) have arisen. These projects need support methodologies to facilitate the process of information integration. The
Managing a company requires different tools and methodologies in order to successfully deal with its intangible resources and maintain a competitive advantage. Econometrics, Agent-Based Modelling (ABM) and System Dynamics (SD) are modelling paradigms ...
… International Conference of …, 2009
Page 1. 1 The Dynamics of Crisis Lifecycle for Emergency Management Ms. Ana Laugé Dr. Jose M. Sarriegi Dr. Jose M. Torres Tecnun - University of Navarra Paseo Manuel de Lardizabal nº13 20018 San Sebastian (SPAIN) (+34) 943 219877 ...
Information Systems are a key factor for firms' competitiveness. Thus, their efficient management has become a key concern and security management one of the most relevant issues. An empirical study has been developed to determine the characteristics of security management within Small and Medium sized Enterprises (SMEs). A summary of the main data from this study is presented.