The Norwich University Journal of Information Assurance has some new postings that readers may be interested in.The NUJIA is a peer-reviewed professional journal focusing on scholarly papers that are useful to working information assurance practitioners. The PDF files are freely downloadable, but we request that no one re-post them on a public site (so that we can easily make corrections as necessary without chasing down duplicates).Below are some summaries.* * *One paper is \u201cAn Introduction to Factor Analysis of Information Risk (FAIR): A framework for Understanding, Analyzing, and Measuring Information Risk,\u201d by Jack A. Jones. Jones, a CISO with 22 years of experience in information technology, argues that the lack of well-defined terminology interferes with our credibility in our organizations. He explores concepts of risk and risk management, and challenges received wisdom with his interesting approach to the precise analysis and description of risk. I was particularly taken with his introductory challenge - the \u201cBald Tire Scenario\u201d - where he poses the following questions (quoting):As you proceed through each of the steps within the scenario below, ask yourself how much risk is associated with what\u2019s being described.* Picture in your mind a bald car tire. Imagine that it\u2019s so bald you can hardly tell that it ever had tread. How much risk is there?* Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?* Next, imagine that the rope is frayed about halfway through, just below where it\u2019s tied to the tree branch. How much risk is there?* Finally, imagine that the tire swing is suspended over an 80-foot cliff \u2013 with sharp rocks below. How much risk is there?Now, identify the following components within the scenario. What were the:* Threats* Vulnerabilities* RisksYou will enjoy reading his analysis of the errors that continually crop up in discussions of this scenario.* * *Another interesting paper on the NUJIA Web site is \u201cLitigation Management as Part of a Comprehensive Compliance Management Program,\u201d by Keith D. Willett. Willett is \u201ca Principal Computer Scientist for Computer Sciences Corporation\u2019s (CSC\u2019s) Global Security Solutions (GSS) Department \u2026 [and]\u2026 performs the tasks of a security architect for CSC\u2019s commercial, federal, intelligence, and defense clients.\u201d He was also the valedictorian in his graduating class from the MSIA program in 2005. Willett presents practical advice on what to do if - Heaven forfend - one\u2019s organization should end up in court charged with violations of regulatory requirements. Such planning should be part of one\u2019s disaster prevention, mitigation and recovery processes.* * *\u201cLegal Implications of Warfare in the Information Age\u201d by Cory Mazzola is a short and thought-provoking essay about the growing interdependence of organizations all over the world - in the absence of a sound international legal framework for governing electronic misbehavior. Mazzola writes:\u201cIn the absence of legal hurdles preventing and penalizing illegitimate actions, rogue states face little incentive to scuttle self-serving IW [information warfare] programs. International agreements and restrictions must restrain states from recklessly pursuing offensive programs at the expense of fellow nations. We need legal parameters to guide logical and legislative actions on a national and transnational plain. We must lay a foundation through domestic and international legal initiatives, armed with incentives and sanctions, to provide political and technological solutions while legitimizing avenues of approach and formal engagement.\u201dMazzola has an extensive background in communications security and network defense as an officer in the U.S. Air Force.* * *The NUJIA welcomes original papers from all sources for consideration, and I encourage readers with the time and interest to write thoughtful essays with appropriate references for further reading to consider our journal as a useful place to reach information assurance professionals.