Putting Technology into Perspective in Asia

With almost four billion people, Asia comprises about 55% of the world's population and 45% of the world's Internet users [1]. Internet penetration in Asia is estimated at almost 28% compared with the rest of the world at 43% [2]. The number of mobile users in Asia at the end of 2012 was estimated at about 3.2 billion subscribers. Eighteen countries in Asia have saturated mobile markets exceeding 100% penetration, while Macau and Hong Kong have mobile penetration levels of more than 200% [3]. India and China account for over 60% of the telecommunications market in Asia which is why so many companies are vying to be there.

But all of this needs to be weighed against some humbling statistics. For example, 66.7% of people living in South Asia in 2010 earned less than $2 a day, compared with 30% in East Asia and the Pacific [4]. According to the World Bank, more than a third of these people did not earn more than $1.25 a day, placing them below the poverty line. An estimated 80–90% of this population is rural, with rural poverty especially endemic in Southern Asia [5]. However, between 1990 and 2008 the number of people living in poverty in the world halved [6]. One question to ponder is how much of this reduction in poverty was a direct result of technology.

When I worked for Nortel in Asia I had the opportunity to study voice and data teletraffic flow maps published by the International Telecommunications Union (ITU). I was always intrigued by the fact that thick arrows representing large volumes showed information flowing in and out of developed nations [7]. Poorer nations in Asia and Africa especially had very thin flows. Sometimes this signified that a market was predominantly “closed” and had not yet formally deregulated, or that internal conflict caused it to remain troubled instead of outward looking and global. The poverty cycle, also known as a spiral, is difficult to break. Initiatives like One Laptop per Child (OLPC) surely provide hope [8], as do open data initiatives that give access to information to anyone who has an Internet connection of any type [9]. However, when there is no one to pay the electricity bill or even to guarantee the underlying infrastructure, even these promising ventures will fall short.

There are numerous ways to consider technology within a framework of progress. For example, some point to genetically modified (GM) crops that can provide food for those in need [10]; enabling technologies in the manufacturing industry giving workers a chance to earn a living; transportation technology like containers on ships and rail that enable global supply chain processes; sophisticated private and public exchange banking systems that allow for electronic commerce from anywhere in the world; and a high tech industry that is continually reinventing itself with new innovations to keep the retail sector moving.

Nonetheless, resources are limited as populations continue to rise at an increasing rate in developing nations, placing pressure on fossil fuel reserves. On the one hand these limited resources have meant that we are continually seeking to harness new alternative means of energy such as solar and wind, but on the other hand, we may be quickly approaching a crisis far greater than that of the 1973 oil embargo and subsequent stock market crash, if we do not back renewable resource initiatives with serious and ongoing research funding.

The externalities of technology are not only felt on a global scale, through climate change as a direct result of carbon emissions, but are vividly obvious in other activities, from the export of e-waste for disposal to countries like Bangladesh and Nepal, to the contamination of waterways by industrial chemical waste from organizations situated in Asia and Africa [11].

In other cases, technology change has equated to business process optimization so harsh on employees that inhumane practices have been discovered in sweatshops and white-goods manufacturing lines. We might be paying significantly reduced prices for our computers, toasters, and clothes, but somewhere up the “chain” someone has had to turn the component parts into a finished good. We have a responsibility to ensure that child workers are not being exploited on cocoa farms to bring us our favorite chocolate bars, and that pregnant female workers are not bound to their sewing machines from dawn to dusk, among a great many other worker issues.

I observe around my neighborhood, on rubbish collection days, electrical appliances such as printers abandoned on the roadside because it is cheaper to purchase a brand new one than to make the effort of purchasing color toner and installing it. Little by little we have become the throw-away generation, and the side effects of this thoughtless consumerism will cost us heavily in years to come. How much more prevalent this behavior might become with the onset of 3D printers and downloadable computer-aided designs (CAD) is anyone's guess.

While I do not wish to cast any shadow on this significant special issue dedicated to “Technology and Society in Asia” for which I thank the tremendous efforts of ISTAS12 organizers Greg Adamson, Michael Arnold, Sophie McKenzie, and guest editors Martin Gibbs, Philip Hall, and Shiro Uesugi, a counter-balance is necessary to place the special issue in perspective [12]. Yes, technology is the answer to so many of our problems today, but it can also be the source of our woes. That which has had such a positive impact on the production functions of so many processes, i.e., technology, can also carry with it negative intangible and hidden costs to the individual, the household, the factory, and society at large. We need to think past the first ripple effect, to far-reaching consequences, ensuring that we take the longer-term view, before that which immediately benefits profit margins.


1. United Nations Population Information Network, 2009, [online] Available: http://www.un.org/popin/data.html.

2. Internet World Stats: Usage and Population Statistics, 2013, [online] Available: http://www.internetworldstats.com/stats3.htm.

3. P. Evans, P. Budde, "Asia-Mobile broadband and digital economy overview", BuddeComm, 2012, [online] Available: http://www.budde.com.au/Research/Asia-Mobile-Broadband-and-Digital-Economy-Overview.html.

4. "Poverty and equity data", The World Bank, 2013, [online] Available: http://data.worldbank.org/topic/poverty.

5. "Rural Poverty Portal: Asia", International Fund for Agricultural Development (IFAD), 2009, [online] Available: http://www.ruralpovertyportal.org/region/home/tags/asia.

6. M. Tuck, "Poverty Reduction and Equity", The World Bank, 2013, [online] Available: http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTPOVERTY/.

7. "Measuring the Information Society", International Telecommunications Union, 2012.

8. OLPC Foundation, [online] Available: http://one.laptop.org.

9. Interaction Design Foundation.

10. S.K. Moore, E. Strickland, "GM foods grow up", IEEE Spectrum, 2013, [online] Available: http://spectrum.ieee.org/energy/environment/gm-foods-grow-up.

11. "Solving the e-waste problem (StEP)", 2012, [online] Available: http://www.step-initiative.org/.

12. ISTAS12 Technology and Society in Asia IEEE International Symposium on Technology and Society, 2012.

Citation: Katina Michael, "Putting Technology into Perspective in Asia", IEEE Technology and Society Magazine, Volume: 32, Issue: 3, Fall 2013, pp. 5 - 6, DOI: 10.1109/MTS.2013.2276662

Welcome Message from The Program Committee Chair (ISTAS13)

It was in July 2012 that Steve Mann and I corresponded on the possibility of hosting a conference on wearable computing in Toronto, Canada. Steve had just returned home from a family holiday to France and publicly blogged about an unfortunate incident that had happened to him while away. On 17th July 2012 he posted: “Physical assault by McDonald’s for wearing Digital Eye Glass”. I could not help but be reminded of that exchange in Star Wars between Luke Skywalker and the bartender:

LUKE: Do you really think we’re going to find a pilot here that’ll take us to Alderaan?

BEN: Well, most of the best freighter pilots can be found here. Only watch your step. This place can be a little rough.

LUKE: I’m ready for anything.

THREEPIO: Come along, Artoo.

INTERIOR: TATOOINE — MOS EISLEY — CANTINA. The young adventurer and his two mechanical servants follow Ben Kenobi into the smoke-filled cantina. The murky, moldy den is filled with a startling array of weird and exotic alien creatures and monsters at the long metallic bar. At first the sight is horrifying. One-eyed, thousand-eyed, slimy, furry, scaly, tentacled, and clawed creatures huddle over drinks. Ben moves to an empty spot at the bar near a group of repulsive but human scum. A huge, rough-looking Bartender stops Luke and the robots.

BARTENDER: We don’t serve their kind here!

Luke, still recovering from the shock of seeing so many outlandish creatures, doesn’t quite catch the bartender’s drift.

LUKE: What?

BARTENDER: Your droids. They’ll have to wait outside. We don’t want them here.

Luke looks at old Ben, who is busy talking to one of the Galactic pirates. He notices several of the gruesome creatures along the bar are giving him a very unfriendly glare. Luke pats Threepio on the shoulder.

LUKE: Listen, why don’t you wait out by the speeder. We don’t want any trouble.

THREEPIO: I heartily agree with you sir.

— Star Wars (1977)
"We don't serve their kind here!"

Sarah Slocum daring to take Glass footage inside a nightclub in the USA.

We both knew the timing was right for such an event: not just a technical engineering or applied orientation on the theme of smart worlds, but an event that would grapple with the dichotomies of transparency and human rights, privacy and security, and of course technology and society more broadly. If I could credit Mann for one thing, beyond his savvy inclination toward innovation, it is that he has multiple dimensions to his thought, seeing the same problem through different lenses - not just EyeTaps but the big picture view.

The basic premise for ISTAS13 was this: if the number of people wearing cameras grew substantially by 2015, what would be the ensuing social implications? Rather than wait to answer that question in 2015, we decided to begin proactively, so that outcomes from the conference could be fed back into the design process of these emerging devices that would be worn on the body much like a watch or arm band.

The opportunity to deliver the proposed conference under IEEE SSIT’s annual conference, the IEEE Symposium on Technology and Society (ISTAS), was an opportunity we could not pass up, and after gaining approval from the board of governors of SSIT in October 2012, we went full steam ahead.

I don’t know too many people who would bravely put an international conference of standing together within a 9-month timeframe, but I was astounded by the passion of everyone I came into contact with - from Ryan Janzen, our youthful and switched-on Organising Chair, to Steve Mann, our powerhouse engineer who seemed to be available all day and all night at times as General Chair, our absolutely dedicated dynamic duo Alexander Hayes and Susannah Sabine as publicity chairs and web developers/masters, to Russell Verbeeten who managed to seal some very important and outstanding patronage and exhibits for us to enjoy at the conference. I also cannot forget the amazing volunteerism of members of the EyeTap Laboratory, most of them students of Steve Mann. These young men and women are our future, and it has been refreshing to see firsthand their approaches to philosophy, deep thinking about society, and how they will contribute both great innovations and imagination to the tech sector. I also thank Doug Nix, who was there at the vital beginning and organized all our sponsors and submitted IEEE paperwork, former chair Rabiz Foda, an enthusiastic member of the IEEE Toronto Chapter, and Purav Patel, our former treasurer, who left us in excellent condition before personal matters took priority. Thanks also to the patient staff at IEEE Conferences.

To my program committee, I say an especial thank you. You never tired of my messaging to you, for additional reviews when they were needed, and in re-reviewing on occasion to ensure that the appropriate changes had been made. Although we have 80 or so papers on the program, 40 full papers were finally accepted, and another 40 abstract-only papers through invitation, plenary or otherwise. We received over 110 submissions for the conference, which was substantial given the timelines. To our ad-hoc reviewers, I thank you too - even when you could not offer substantial commentary you did provide us with feedback, which in turn helped our authors submit stronger pieces of work.

Thank you to our keynote speakers Steve Mann, Marvin Minsky, Ray Kurzweil, Gordon Bell, and David Brin. On occasion I have had to pinch myself to remind myself that such a line-up was possible. To our top class invited (I) and plenary (P) speakers - (I): Thad Starner, Ann Cavoukian, Colonel Lisa Shay, Isabel Pedersen, Cathal Gurrin, Monique Morrow, Teemu Leinonen, Natasha Dow Schull, Jeremy Pitt, Jean-Gabriel Ganascia, Carolyn McGregor, Emil M. Petriu, Ori Inbar, Nikola Serbedzija, Clint Zeagler, Rob Manson, Helen Papagiannis; (P): Matthew Schroyer, Jeff Robbins, Martin Kallstrom, Susan Herman, Daniel Kish, Ellen M. McGee, Corey Manders, Leigh Blackall, and Pia Waugh… I am privileged to call you friends. You all share one amazing quality - of course your expertise goes without saying, but you all wanted to be a part of this debate from the instant I asked you to be a part of the event. I will also say openly to the academic community that you paid your own way to get to ISTAS13, and that goodwill won’t be forgotten, especially during these economic times.

Our program represents diversity: day 1 at Hart House is dedicated to engineering; days 2 and 3 will be at the Bahen Centre, addressing respectively application development/design methods and the socio-legislative implications of wearables.

As an indication of the internationalization of this conference, delegates and paper submissions have come from the following nation states: Australia, Canada, England, Finland, France, Germany, Ireland, Israel, Poland, Saudi Arabia, Singapore, South Africa, Spain, Sweden, United States of America, Uruguay. We also have representation from a full range of sectors including commercial, government, non-government organisations, and users. We appreciate the participation of the Privacy and Information Commissioner of Ontario, the American Civil Liberties Union, companies like EPSON, APX Labs, META, CISCO, Microsoft, ESRI, Memoto, Autographer, buildAR, Streamfolio, Augmate and Infinity Augmented Reality, Institute for Infocomm Research; as well as institutions and industry research and development units, such as the University of Wollongong, uberveillance.com, Optinvent, Singularity Weblog.

Our co-sponsors and technical sponsors also need to be acknowledged including: IEEE SSIT, IFMBE (International Federation of Medical and Biological Engineering), University of Wollongong, University of Toronto, PSES (Product Safety Engineering Society). The breadth and depth of the patrons and sponsors indicates the growing importance of such dialogue today. Our delegate list also welcomes participation from Sony, Samsung, Qualcomm, Gartner, Verizon, Blackberry, Thalmic Labs, Ambient Ease, Telepresence Systems, OMG Life, Myplanet Digital, BMC Software, Smart Street Worlds, Illuminating Concepts, KIWI Wearables, LG Electronics. It is great to see this industry involvement and we hope we can really provide some substantial food for thought as we all contribute to technologies with ever-changing impacts on our life.

A note on the peer review process that was followed in this conference. Authors had the opportunity to submit “abstract only” presentations, short papers of no more than 2,000 words, or full papers of 5,000 words or more. Papers were sent to external reviewers and each paper received at least two blind reviews. Where there was a discrepancy in opinion, an individual author may have received three or even four reviews. A list of reviewers can be found in this booklet. Note that full papers were the only papers to undergo peer review. Abstracts and short papers were, however, vetted by an individual member of the program committee for technical accuracy.

What the general chair, organizing committee, and program committee can promise you all, is that this is just the beginning of the discussion on VEILLANCE. With Roger Clarke’s dataveillance conception, Steve Mann’s sousveillance conception, and MG Michael’s uberveillance conception, the stage is set for “watching”. All of these perspectives are vital and their historical contributions must reflect a new language of understanding, as technology far outstrips our current laws and value systems. Where to next? We hope you will join the discussion!

Citation: Katina Michael, "Welcome Message from The Program Committee Chair", International Symposium on Technology and Society (ISTAS13), 27-29 June 2013, University of Toronto, Canada, Info7-Info9, DOI: 10.1109/ISTAS.2013.6613093 





Risk, complexity and sustainability

This special section is dedicated to risk as understood within our society, in which we depend upon increasingly complex and interconnected technologies for even our most basic needs: water, food, shelter, electricity, gas, sewage, communications, and banking.

Natural disasters and their impact on vital services have been a research area that has flourished, especially since the 2004 Indian Ocean Tsunami that claimed hundreds of thousands of lives in South Asia. This research has yielded a plethora of strategies for addressing short-term and geographically defined disasters. While such disaster preparedness systems are vital to minimize the loss of life during a natural disaster, we turn to consider what some would call of even greater value to society at large: how to reduce the vulnerability of everyday citizens by understanding better how their essential supply lines interconnect, which supply chains are intertwined, and how this might impact the individual, regardless of whether they are living in a crowded city or a remote village.

By developing a clear understanding of what makes us all vulnerable in our particular context, we can be better prepared to reduce these exposures, and build a more resilient society in the process. As one example, “survival” literature suggests that one of the most problematic repercussions of a serious “incident” is disruption to food supply. Yet during the Christchurch Earthquake in New Zealand in February 2011, food supply was much less problematic than sewage disposal. In another example, residents of a rural town threatened by earthquake were unconcerned at the possible disruption of landline phone services - but were disturbed to learn that ATM and banking communications, cell-phone data, emergency calls (as well as landline phone services) were all carried on a single fiber-optic link!

Classically, we have built models that calculate the probability of an event occurring and measure its theoretical impact if the event does indeed occur - but these models are limited. They might reveal to us a ranking of probable incidence, and the estimated loss in dollar figures as a result, but they do not provide insight into how interdependencies in various supply chains play out during an incident (whether caused by natural or human-made mischief).

For instance, we know that in a simplistic scenario, if water supply is disrupted, then our electricity system will not operate effectively, and if our electricity system does not work then all additional services that require power, such as the crucial ATM network, also fail, and people are left without the ability to purchase fuel, food, etc. The financial sector will certainly consider the effect of ATM system failure, but (as with most supply chain managers) their assessments of brand damage and corporate losses are likely to receive higher weighting than end-user problems.

A very strong argument exists that we need to be building vulnerability models so that we can at least know where the weakest points in an operational community (of individuals) lie. By identifying the weakest points, we can overcome them with strategies well in advance of a major incident. This does not mean that we can eradicate vulnerability completely from our communities, but we can minimize the level of exposure - both to anticipated and unanticipated threats.

Technology is a double-edged sword - on the one hand it offers advanced, efficient, and economical services, but on the other it exposes us to both technological and ethical risks. Therefore a crucial role exists for engineering ethics and social responsibility in higher education curricula. Additionally, we need better mechanisms with which to comprehend the full dimensions of risk and exposure - and a desire to move towards a future that offers real (individual) people both security and service.

This special section addresses some of these issues, including fundamental definitions of technique vs. technology, complex systems of systems, and planning for future technologies and policy repercussions well in advance.

IEEE Keywords: Sustainable development, Strategic planning, Risk management, Complex networks, Disasters

Citation: Lindsay Robertson, Katina Michael, 2013, IEEE Technology and Society Magazine, Vol. 32, Issue: 2, Summer, p. 12, 05 June 2013, DOI: 10.1109/MTS.2013.2265145

Service-Based Electronic Commerce Systems (Editorial ECR)

1 Introduction

The increasing popularity of service-based applications accounts for the growth of e-commerce, as e-commerce systems are maintained by the service providers themselves. Further, service-based e-commerce systems provide a flexible, low-cost business model that enables customers to focus more on their core business. The business can easily meet the fluctuating demands of business transactions through this model. Emerging electronic commerce systems are expected to be available anytime, anywhere, and on different official or personal computing devices. Service-based e-commerce systems will have businesses as customers using an on-demand model. Differing from traditional electronic commerce, the advantages of service-based e-commerce systems are the timely reporting and resolution of customer issues, resulting in enhanced customer service, and ubiquitous usage. This special issue aims to expose the readership to the latest research results on service-based electronic commerce systems, including key technologies such as enhancing the scalability, reliability, operational portability, security, integration and performance of the services. The special issue is composed of 3 refereed papers covering such topics as smartphone-based multimedia services, online auction fraud detection methods and privacy preservation in commercial networks. The issue is expected to demonstrate pioneering work in this field, investigate novel solutions and methods for service design, and discuss future trends in this field.

2 The papers in this special issue

The first paper, “Design of Trustworthy Smartphone-Based Multimedia Services in Cultural Environments” by Dimitrios Koukopoulos and Georgios Styliaras, investigates the issues in mobile multimedia services. The smartphone is a dynamic new medium that enjoys high popularity due to its versatile services and ease of use. It can be used in many activities of everyday life, from e-commerce to e-tourism. The paper studies the secure usability of smartphones in cultural heritage sites and environments and makes a first attempt toward a trustworthy commercial multimedia guiding system targeting cultural sites, executed on a set of smartphones. More specifically, the authors are interested in how the needs of curators and visitors, experts or not, of a cultural heritage site can be facilitated by the multimedia guiding services of smartphones, employing trustworthy implementations of smartphone services that are controlled by a central server. Furthermore, the study makes an attempt to propose a simple business model for the commercial exploitation of such services.

The second paper, “Factors affecting privacy disclosure on social network sites: An integrated model” by Feng Xu, Katina Michael and Xi Chen, investigates the factors affecting privacy disclosure on social network sites. The self-disclosure of personal information by users on social network sites plays a vital role in the self-sustainability of online social networking service provider platforms. However, people’s levels of privacy concern increase as a direct result of unauthorized procurement and exploitation of personal information from the use of social networks, which in turn discourages users from disclosing their information or encourages users to submit fake information online. An integrated model is proposed to explain privacy disclosure behaviors on social network sites. The paper identified the key factors affecting users’ self-disclosure of personal information. Using privacy calculus, the perceived benefit was combined into the Theory of Planned Behavior, and after some modifications, an integrated model was prescribed specifically for the context of social network sites. When designing services in social networks or electronic commerce systems, the paper’s results can be used to reduce the levels of privacy concern.

The third paper, “Fuzzy Rule Optimization for Online Auction Frauds Detection based on Genetic Algorithm” by Cheng-Hsien Yu and Shi-Jen Lin, investigates fraud in online auction sites. To improve the prevention of online auction fraud, this research proposes a hybrid approach to detect fraudster accounts and help users identify which sellers are more dangerous. In the research, social network analysis was used to produce behavior features, which were transformed into fuzzy rules representing the detection rules. The fuzzy rules were then optimized by a genetic algorithm to build the auction fraud detection model. The proposed features and methodologies were used to detect fraudster accounts and to derive their detection models. This paper is expected to give some suggestions to service designers of online auctions or electronic commerce systems and to help website administrators detect possible collusive fraud groups more easily in online auctions.

Citation: Lian, S., Chen, X. & Michael, K. Electron Commer Res (2013) 13, No. 2: 125-127. https://doi-org.ezproxy.uow.edu.au/10.1007/s10660-013-9109-0, Springer US.


Security Risk Management (book review)

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

In an age of outsourcing tasks that are not considered to be a core competency of the business, organisations have often relied on external consultants for matters pertaining to security. In actual fact, most companies could have utilized existing skill-sets in-house to produce a security risk management program, if only they knew what steps to take, and how to go about it all. Evan Wheeler in his book on information security risk management does just that: he equips professionals tasked with security with the thinking required to create a program that is more preoccupied with the complex strategic-level questions than with the technical or operational-level skills required to execute particular tools and applications. Wheeler, a practicing security consultant himself, asks the big questions which technicians usually cannot answer, beginning with the “why” question. From Wheeler’s perspective it is important that those who have been given the role to manage security have the upper management support to act as “internal” consultants, with clear roles and responsibilities defined from the outset, given resource allocation limitations. Wheeler’s book offers a simple-to-understand risk management lifecycle where the business owners are empowered to manage their own risks, with the security team playing a supporting role as policymaker and overseer. Security thus becomes everyone’s problem.

Wheeler organizes his book in three very accessible parts. The first part provides an introduction to risk management, which positions security within an organizational context and introduces the risk management lifecycle. The second part, on risk assessment and analysis techniques, includes chapters on risk profiling, formulating a risk, risk exposure, security control, risk evaluation and reporting. The third part is on building and running a risk management program, with a focus on generating a blueprint for security. What is practical about this book is that there are quick guides to follow, with detailed descriptions for each part, sub-part, and individual step in the stages of the risk management workflow. The numerous template pro-formas included in the book also present another tangible way for practitioners to get involved in risk management, providing an approach toward identifying and mapping an organisation’s risks and mitigating them. The book also contains generic case studies wherever appropriate. The appendices, which include example profiles and questionnaires, are additionally supported by partly filled-out tabular forms in the main body of the text. Sample worksheets, workflow diagrams, tips and tricks, and associated warning signals along the way are also illustrative, helping the information security professional to get started straight away without falling into recognized pitfalls. One thing that makes this book so useful is the style in which it has been written, a credit to Wheeler, as it allows for direct engagement and is easily digestible by anyone at any level in the organisation.

A distinct omission in Wheeler’s book is an acknowledgment of the importance of international standards, such as the International Standards Organisation’s (ISO) 27000 series of standards on information security matters, and also of other IT governance related frameworks, such as COBIT. While the claim is made that Wheeler offers a new approach in his book, shaking up old paradigms, it is probably more correct to say that Wheeler has taken tried and tested elements of security management and presented them in a more accessible way to the professional who might not necessarily have a security background. The success of the book is in its presentation of the security risk management lifecycle.

With the admission that the qualitative versus quantitative approach to risk assessment continues to be debated by the industry, Wheeler spends some time describing the implementation of each approach, tending toward a little bit of this, and a little bit of that, in his self-professed cookbook of risk management. But for the greater part, Wheeler is obviously encouraging of the qualitative assessment, given the length of space attributed to this approach in the book. One criticism of solely using either a qualitative approach or a quantitative approach to risk assessment has very much to do with how to interpret the meaning behind the results. Take for example a quantitative assessment based on annualized loss expectancy (ALE). It is very likely to have two risks end up with exactly the same dollar figure. The fallback position in this situation is a qualitative assessment result, used to weigh up which risk is more significant in the given organizational context when addressing the risk concerns. Innovative modeling approaches which utilize a hybrid approach are now being implemented in many organisations. The absence of this discussion from the book is noted, with Wheeler taking the perspective that most organisations use a qualitative approach alone because the quantitative assessment approach relies on too many historical facts, which are usually unknown, and on complex equations.
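The hybrid approach the review describes, quantitative ALE ranking with a qualitative score as the tie-breaker, can be shown in a few lines. The block below is an added example written for this page; it is not code from Wheeler's book, and the four risks, their dollar figures and their 1–5 likelihood/impact ratings are constructed for illustration. ALE is computed the standard way, as single loss expectancy (asset value × exposure factor) multiplied by the annualized rate of occurrence.

```python
"""Hybrid risk ranking: annualized loss expectancy with a qualitative tie-break.

Added example, not from Wheeler's book. The risks and figures below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year
    likelihood: int         # qualitative rating, 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative rating, 1 (negligible) .. 5 (severe)


def single_loss_expectancy(r: Risk) -> float:
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    # Rounded to cents so that "the same dollar figure" really compares equal
    return round(single_loss_expectancy(r) * r.aro, 2)


def qualitative_score(r: Risk) -> int:
    # Classic likelihood x impact matrix score, 1..25
    return r.likelihood * r.impact


def ale_ties(risks):
    """Map each ALE that more than one risk collapses to -> names of those risks."""
    groups = defaultdict(list)
    for r in risks:
        groups[annualized_loss_expectancy(r)].append(r.name)
    return {ale: names for ale, names in groups.items() if len(names) > 1}


def rank_hybrid(risks):
    """Rank by ALE (highest first); when the dollars tie, fall back to the
    qualitative score; the name is a final deterministic tie-break."""
    ordered = sorted(
        risks,
        key=lambda r: (-annualized_loss_expectancy(r), -qualitative_score(r), r.name),
    )
    return [r.name for r in ordered]


# Constructed sample register: two risks deliberately land on the same ALE.
SAMPLE_RISKS = [
    Risk("Laptop theft", 5_000, 1.0, 2.0, likelihood=4, impact=2),
    Risk("Web server defacement", 100_000, 0.1, 1.0, likelihood=2, impact=5),
    Risk("Ransomware on file server", 400_000, 0.25, 0.2, likelihood=2, impact=5),
    Risk("Phishing credential loss", 50_000, 0.2, 0.5, likelihood=5, impact=2),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:28s} ALE=${annualized_loss_expectancy(r):>10,.2f} "
              f"qual={qualitative_score(r):2d}")
    print("ties on ALE:", ale_ties(SAMPLE_RISKS))
    print("hybrid ranking:", rank_hybrid(SAMPLE_RISKS))
```

Run as a script it shows that laptop theft and web server defacement both come out at $10,000 per year; the quantitative figure alone cannot order them, and the qualitative score (8 versus 10) is what places the defacement ahead.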

Another detail that seems not to have been addressed is that security risk requires business owners to consider interdependencies at a variety of layers. These layers can be considered as categories of resources, i.e., applications, infrastructure, environment, facility, business unit and vendor, each of which has impacts at the financial, legal, reputational or regulatory levels. The failure to recognize interdependencies as an integral dimension of risk assessments can lead to detrimental effects in any risk management program. Scenario analyses conducted to gauge the consequences of negative effects on a crucial element in the security value chain might show that controls and mechanisms to protect that element are of greater significance than for another element that might have a bigger risk exposure but does not underlie most other processes. Much of this work on interdependencies was begun in the critical infrastructure protection (CIP) domain but has been applied in many other areas, including in the banking sector, which has been preoccupied with risk appetite since consumers began to use emerging technologies to conduct their transactions.
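Both the risk editorial above (water → electricity → ATM network → fuel and food, and the single fiber-optic link carrying several communications services) and the review's point here about an element that underlies most other processes describe the same kind of interdependency model. The block below is an added example written for this page, not the editorial's or Wheeler's own method: a small dependency graph over which a failure is propagated to a fixed point, and a ranking of single points of failure by cascaded citizen impact. The service names, the dependency edges and the 1–5 impact weights are constructed for illustration.

```python
"""Interdependency (cascade) model for essential services.

Added example, not from the editorial or from Wheeler's book. The service
graph and the citizen-impact weights below are constructed for illustration.
"""
from collections import deque

# Constructed dependency graph: service -> set of services it cannot run without.
# Edges follow the chain water -> electricity -> ATM -> fuel/food, plus one
# fibre-optic link carrying landline, cell data, emergency calls and ATM traffic.
DEPENDS_ON = {
    "water": set(),
    "electricity": {"water"},                       # generation needs cooling water
    "fibre_link": {"electricity"},
    "landline": {"fibre_link"},
    "cell_data": {"fibre_link", "electricity"},
    "emergency_calls": {"fibre_link"},
    "atm_network": {"fibre_link", "electricity"},
    "fuel_stations": {"electricity", "atm_network"},  # pumps need power, buyers need cash
    "food_retail": {"electricity", "atm_network"},
}

# Constructed 1..5 weights: how badly an individual is hit by losing each service
# on its own. Note the fibre link itself rates only 1 - nobody misses a cable.
CITIZEN_IMPACT = {
    "water": 5, "electricity": 5, "fibre_link": 1, "landline": 2, "cell_data": 3,
    "emergency_calls": 5, "atm_network": 3, "fuel_stations": 3, "food_retail": 5,
}


def cascade(initial_failures, graph=DEPENDS_ON):
    """Return every service that is down once the given services are lost.

    A service fails as soon as any one of its dependencies has failed; the
    propagation runs breadth-first until nothing new fails (a fixed point)."""
    failed = set(initial_failures)
    queue = deque(failed)
    while queue:
        down = queue.popleft()
        for svc, deps in graph.items():
            if svc not in failed and down in deps:
                failed.add(svc)
                queue.append(svc)
    return failed


def cascade_impact(service, graph=DEPENDS_ON, weights=CITIZEN_IMPACT):
    """Weighted harm to citizens if this one service is lost, knock-on failures included."""
    return sum(weights[s] for s in cascade({service}, graph))


def rank_single_points_of_failure(graph=DEPENDS_ON, weights=CITIZEN_IMPACT):
    """Services ordered by cascaded impact, highest first (name breaks ties)."""
    return sorted(graph, key=lambda s: (-cascade_impact(s, graph, weights), s))


def rank_by_direct_impact(weights=CITIZEN_IMPACT):
    """The naive ordering by stand-alone impact only, for comparison."""
    return sorted(weights, key=lambda s: (-weights[s], s))


if __name__ == "__main__":
    print("single fibre link lost ->", sorted(cascade({"fibre_link"})))
    for svc in rank_single_points_of_failure():
        print(f"{svc:16s} direct={CITIZEN_IMPACT[svc]}  cascaded={cascade_impact(svc)}")
    print("direct-only ranking:", rank_by_direct_impact())
```

The comparison between the two rankings is the point: by direct impact the fibre link sits last, but once dependencies are propagated it ranks third, behind only water and electricity, which is exactly the "underlying most other processes" case the review says a risk program must not miss.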

Wheeler’s book is predominantly a practitioner’s guide to security risk management, but it can also be used as a teaching text to help engineers and students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Although the book lacks key referencing from the academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will find the book particularly relevant, with examples from this sector discussed or alluded to.

Citation: [Book Review]: Katina Michael, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, E. Wheeler. Volume 31, Issue 2, March 2012, pp. 249-250, Syngress, Elsevier. Accepted 22 December 2011, Available online 5 January 2012, DOI: https://doi.org/10.1016/j.cose.2011.12.011