Vol. 25, No. 2, September 2011



Kenji WATANABE

Research papers

Human-Related Problems in Information Security in Indian Cross-Cultural Environments

Tatsuo ASAI and Suchinthi FERNANDO


Proposal of Information Security Accounting Framework for better Corporate Governance

Eijiroh OHKI, Jinichi TAMURA, Keiko SHIMIZU, Toshiki SANO and Daichi SERIZAWA



Large-Scale Evaluation and Improvement of Content-Based Phishing Detection


Kei KATO, Koichiro KOMIYAMA, Toshinori SEKO, Yusuke ICHINOSE,
Kohei KAWANO, Shinta NAKAYAMA and Hiroshi YOSHIURA



Crisis Management of Higashi Nippon Earthquake



      BCP Practice of a Financial Institution for the Great East Japan Earthquake








 Human-Related Problems in Information Security in Indian Cross-Cultural Environments


Department of Management and Information Systems Science, Nagaoka University of Technology
Tatsuo ASAI


 Graduate School of Information Science & Control Engineering, Nagaoka University of Technology
 Suchinthi FERNANDO



This paper discusses the potential problems due to cultural differences that foreign companies may face in India concerning information security. The top five investing countries in India, namely Singapore, the US, the UK, the Netherlands and Japan, are examined. Potential problems concerning the management of people are developed by using Hofstede’s framework. To evaluate the magnitude of the potential of problems, the recently proposed theory of Level of Potential (LoP) is adopted.

A survey was conducted in India to evaluate the severity of the potential problems and the practicability of LoP. It is shown that the theory of LoP can predict problems in the Indian business environment to a certain extent. The results reveal that Japanese companies may face problems the least, while American companies may face them the most. This paper examines the relations between the conditions under which problems occur and the profiles of the respondents. The problem of “Unintentional sharing of confidential information” has the highest severity.



 cultural difference, cultural dimension, information security management, human-related problem, India


1.    Introduction

   Cross-cultural environments are growing in importance in today’s world of business, which strives for competitiveness through diversity. Diversity, which is considered a necessary redundancy to cope effectively with unexpected circumstances in the age of globalization, has encouraged even local domestic companies to nurture cross-cultural environments. The Internal Control – Integrated Framework of the Committee of Sponsoring Organizations (COSO) refers to Foreign Operations in Circumstances Demanding Special Attention in Managing Change, where it states “The expansion or acquisition of foreign operations carries new and often unique risks that management should address. For instance, the control environment is likely to be driven by the culture and customs of local management [1].” This framework refers to corporate culture, whereas this paper treats national culture, which may influence the former. Whitfield [2] studies the difficulties faced by foreign managers due to cultural barriers between their local workers and themselves.

     Although the early days of information security focused mainly on technological aspects [3], Asai [4] has pointed out the importance of taking human resource security into account as well, since the role of information security has now become more management-oriented than technology-oriented. This change is defined by Lacey [5] as “The shifting focus of information security”. The COSO framework [1] and ISO/IEC 27001 [6] also emphasize the importance of taking the human factor into consideration when managing information security. Bean [7] states that most identified information security breaches occur because of human errors, resulting from lack of proper knowledge and training, and failure to follow procedures. Schneier [8] explains how people feel secure as long as no threat is visible. Thus, being the weakest link in the chain of security, people may unintentionally reveal confidential information to others.







 Proposal of Information Security Accounting Framework for better Corporate Governance

Faculty of Informatics, Kogakuin University  Eijiroh OHKI

Deloitte Touche Tohmatsu LLC  Jinichi TAMURA

Consist Inc.  Keiko SHIMIZU

Toppan Printing Co. Ltd.  Toshiki SANO

ITOCHU Techno-Solutions Corporation  Daichi SERIZAWA

Abstract





1. Significance and Purpose




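At present there are the ISMS Conformity Assessment Scheme [3], the PrivacyMark System [4], the Information Security Audit System [5], the Information Security Benchmark [6] and others, and as tools with which management sets out policies and objectives and achieves those objectives, these have a great effect …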





 Large-Scale Evaluation and Improvement of Content-Based Phishing Detection

The University of Electro-Communications  Kei KATO

JPCERT Coordination Center  Koichiro KOMIYAMA

JPCERT Coordination Center  Toshinori SEKO

JPCERT Coordination Center  Yusuke ICHINOSE

The University of Electro-Communications  Kohei KAWANO

NTT Information Sharing Platform Laboratory  Shinta NAKAYAMA

The University of Electro-Communications  Hiroshi YOSHIURA


Abstract