Information security culture.

Martins, Adele

24 April 2008

The current study originated from the realisation that information security is no longer solely dependent on technology. Information security breaches are often caused by users, most of the time internal to the organisation, who compromise the technology-driven solutions. This interaction between people and the information systems is seemingly the weakest link in information security. A people-oriented approach is needed to address this problem. Incorporating the human element into information security could be done by creating an information security culture. This culture can then focus on the behaviour of users in the information technology environment. The study is therefore principally aimed at making a contribution to information security by addressing information security culture and, for this reason, culminates in the development of an information security culture model and assessment approach. While developing the model, special care was taken to incorporate the behaviour of people in the working environment and hence organisational behaviour coupled with issues concerning information security culture that need to be addressed. An information security culture assessment approach is developed consisting of a questionnaire to assess whether an organisation has an adequate level of information security culture. The assessment approach is illustrated through a case study. Below is an overview of the framework within which the research was conducted: The dissertation consists of four parts. Chapters 1 and 2 constitute Part 1: Introduction and background. Chapter 1 serves as an introduction to the research study by providing the primary motivation for the study and defining the problems and issues to be addressed. In addition, the chapter is devoted to defining a set of standard terms and concepts used throughout the study. The chapter concludes with an overview of the remaining chapters. Chapter 2 gives some background to information security culture and discusses its evolution to date. There is a new trend in information security to incorporate the human element through an information security culture. Information security is divided into two different levels. Level 1 focuses on the human aspects of information security, such as the information security culture, and level 2 incorporates the technical aspects of information security. Part 2: Information security culture model is covered in chapters 3, 4 and 5. In chapter 3, the concept of information security culture is researched. Different perspectives are examined to identify issues that need to be considered when addressing information security culture. A definition of information security culture is constructed based on organisational culture. Chapter 4 is devoted to developing a model that can be used to promote an information security culture. This model incorporates the concept of organisational behaviour as well as the issues identified in chapter 3. Chapter 5 builds upon the information security culture model and aims to identify practical tasks to address in order to implement the model. In Part 3: Assessing information security culture, chapters 6 to 10, attention is given to the assessment of an information security culture, giving management an indication of how adequately the culture is promoted through the model. Chapter 6 considers the use of available approaches such as ISO17799 to aid in promoting and assessing an information security culture. This approach is evaluated against the definition of information security culture and the information security culture model in order to determine whether it could assess information security culture in an acceptable manner. The next four chapters, namely chapters 7 to 10, are devoted to the development of an information security culture assessment approach consisting of four phases. Chapter 7 discusses phase 1. In this phase a questionnaire is developed based on the information security culture model. Chapter 8 uses the information security culture questionnaire as part of a survey in a case study. This case study illustrates phase 2 as well as what information can be obtained through the questionnaire. In chapter 9 the data obtained through the survey is analysed statistically and presented (phase 3). The level of information security culture is then discussed in chapter 10, with interpretations and recommendations to improve the culture (phase 4). Chapter 11 in Part 4: Conclusion serves as a concluding chapter in which the usefulness and limitations of the proposed model and assessment approach are highlighted. The research study culminates in a discussion of those aspects of information security culture that could bear further research. / Prof. J.H.P. Eloff

computer security

data protection

Die ontwikkeling van 'n kategoriseringsmeganisme vir beheermaatreëls in die veld van rekenaarsekerheid en die koppeling daarvan met standaarde vir beheermaatreëls

Bosch, Christiaan Johannes

20 November 2014

M.Sc. (Informatics) / Please refer to full text to view abstract

Computer security

Information technology

Cultivating and assessing information security culture

Da Veiga, Adele

24 April 2009

The manner in which employees perceive and interact (behave) with controls implemented to protect information assets is one of the main threats to the protection of such assets and the effective use of information security controls. Should the interaction not be conducive to the protection of the information assets, it could have a profound impact on the profit of an organisation, productive working hours could be lost, confidential information might be disclosed to unauthorised people and compliance with legal and regulatory regulations could be affected - all this, despite the fact that adequate technical and procedural controls might be in place. Current research highlights the importance of a strong information security culture to address the threat that employee behaviour poses to the protection of information assets. Various research perspectives propose how an acceptable level of information security culture should be cultivated, and how to assess this culture to determine whether it is on an acceptable level. These approaches are however not adequate to cultivate information security culture, as all the relevant information security components and the influences on the information security culture have to be considered. This leads to the question as to whether the assessment instruments proposed to assess the information security culture are indeed adequate and valid. The main contribution of this research relates to the development of an information security culture framework and process consisting of an assessment instrument to assess information security culture. In order to develop the information security culture framework, the researcher developed a Comprehensive Information Security Framework (CISF) that equips organisations with a holistic approach to the implementation of information security. The framework provides a single point of reference for the governance of information security. The Information Security Culture Framework (ISCF) is developed using the CISF as foundation. The ISCF can be used by organisations to cultivate an information security culture conducive to the protection of information assets. It considers all the components required for information security culture, namely information security, organisational culture and organisational behaviour. It integrates the aforementioned concepts and illustrates the influence between the components. The ISCF further serves as a basis for designing an information security culture assessment instrument. This instrument is incorporated as part of an Information Security Culture Assessment process (lSCULA) defined by the researcher. ISCULA provides management with the steps to conduct an information security culture assessment, as well as the steps to validate the assessment instrument. The application of ISCULA is tested in an empirical study conducted in an organisation. It illustrates how to validate an information security culture assessment instrument by ensuring that it is designed based on the ISCF and meets the statistical requirements for a valid and reliable assessment instrument. Both the ISCF and the ISCULA process can ultimately be deployed by organisations to minimise the threat that employee behaviour poses to the protection of information assets. / Thesis (PhD)--University of Pretoria, 2009. / Computer Science / unrestricted

Information security culture

UCTD

Amber : a aero-interaction honeypot with distributed intelligence

Schoeman, Adam

January 2015

For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.

Security systems -- Security measures

Computer viruses

Computer security

Challenges, collaborative interactions, and diagnosis performed by IT security practitioners : an empirical study

Werlinger, Rodrigo

11 1900

This thesis investigates four different aspects of information security management: challenges faced by security practitioners, interactive collaborations among security practitioners and other stakeholders, diagnostic work performed by security practitioners during the response to incidents, and factors that impact the adoption of an intrusion detection system in one organization. Our approach is based on qualitative analyzes of empirical data from semi-structured interviews and participatory observation. For each theme under study, the contributions of the qualitative analysis are twofold. First, we provide a richer understanding of the main factors that affect the security within organizations. Second, equipped with this richer understanding, we provide recommendations on how to improve security tools, along with opportunities for future research. Our findings contribute to the understanding of the human, organizational, and technological factors that affect security in organizations and the effectiveness of security tools. Our work also highlights the need for continued refinement of how factors interplay by obtaining more rich data (e.g., contextual inquiry), and the need to generalize and validate these findings through other sources of information to study how these factors interplay (e.g., surveys). / Applied Science, Faculty of / Electrical and Computer Engineering, Department of / Graduate

Information security

Qualitative research

A holistic approach to network security in OGSA-based grid systems

Loutsios, Demetrios

January 2006

Grid computing technologies facilitate complex scientific collaborations between globally dispersed parties, which make use of heterogeneous technologies and computing systems. However, in recent years the commercial sector has developed a growing interest in Grid technologies. Prominent Grid researchers have predicted Grids will grow into the commercial mainstream, even though its origins were in scientific research. This is much the same way as the Internet started as a vehicle for research collaboration between universities and government institutions, and grew into a technology with large commercial applications. Grids facilitate complex trust relationships between globally dispersed business partners, research groups, and non-profit organizations. Almost any dispersed “virtual organization” willing to share computing resources can make use of Grid technologies. Grid computing facilitates the networking of shared services; the inter-connection of a potentially unlimited number of computing resources within a “Grid” is possible. Grid technologies leverage a range of open standards and technologies to provide interoperability between heterogeneous computing systems. Newer Grids build on key capabilities of Web-Service technologies to provide easy and dynamic publishing and discovery of Grid resources. Due to the inter-organisational nature of Grid systems, there is a need to provide adequate security to Grid users and to Grid resources. This research proposes a framework, using a specific brokered pattern, which addresses several common Grid security challenges, which include: Providing secure and consistent cross-site Authentication and Authorization; Single-sign on capabilities to Grid users; Abstract iii; Underlying platform and runtime security, and; Grid network communications and messaging security. These Grid security challenges can be viewed as comprising two (proposed) logical layers of a Grid. These layers are: a Common Grid Layer (higher level Grid interactions), and a Local Resource Layer (Lower level technology security concerns). This research is concerned with providing a generic and holistic security framework to secure both layers. This research makes extensive use of STRIDE - an acronym for Microsoft approach to addressing security threats - as part of a holistic Grid security framework. STRIDE and key Grid related standards, such as Open Grid Service Architecture (OGSA), Web-Service Resource Framework (WS-RF), and the Globus Toolkit are used to formulate the proposed framework.

Computer networks -- Security measures

A SOAP-based Model for secure messaging in a global context

Van Eeden, Johannes Jurie

January 2005

For integration between application-systems in a global context, interoperability needs to be established on a global level; global interoperability, in turn, is based on a global common application-interface. This is achieved through resolving differences in, inter alia, protocol profiles, among participants in the global network. ebXML is used as the point of departure. A messaging framework, which is based on existing Web technology and standards, is proposed. Certain security and Web service standards are examined to determine specific parameters for an interoperable secure messaging environment. A security based framework comprising a predefined message format and architecture is investigated for a secure interoperable global electronic marketspace.

An appraisal of secure, wireless grid-enabled data warehousing

Seelo, Gaolathe

January 2007

In most research, appropriate collections of data play a significant role in aiding decision-making processes. This is more critical if the data is being accessed across organisational barriers. Further, for the data to be mined and analysed efficiently, to aid decision-making processes, it must be harnessed in a suitably-structured fashion. There is, for example, a need to perform diverse data analyses and interpretation of structured (non-personal) HIV/AIDS patient-data from various quarters in South Africa. Although this data does exist, to some extent, it is autonomously owned and stored in disparate data storages, and not readily available to all interested parties. In order to put this data to meaningful use, it is imperative to integrate and store this data in a manner in which it can be better utilized by all those involved in the ontological field. This implies integration of (and hence, interoperability), and appropriate accessibility to, the information systems of the autonomous organizations providing data and data-processing. This is a typical problem-scenario for a Virtual Inter-Organisational Information System (VIOIS), proposed in this study. The VIOIS envisaged is a hypothetical, secure, Wireless Grid-enabled Data Warehouse (WGDW) that enables IOIS interaction, such as the storage and processing of HIV/AIDS patient-data to be utilized for HIV/AIDS-specific research. The proposed WDGW offers a methodical approach for arriving at such a collaborative (HIV/AIDS research) integrated system. The proposed WDGW is virtual community that consists mainly of data-providers, service-providers and information-consumers. The WGDW-basis resulted from systematic literaturesurvey that covered a variety of technologies and standards that support datastorage, data-management, computation and connectivity between virtual community members in Grid computing contexts. A Grid computing paradigm is proposed for data-storage, data management and computation in the WGDW. Informational or analytical processing will be enabled through data warehousing while connectivity will be attained wirelessly (for addressing the paucity of connectivity infrastructure in rural parts of developing countries, like South Africa).

Data warehousing

Computer security

Information security service management : a service management approach to information security management

Rastogi, Rahul

January 2011

In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization.

A policy framework for management of distributed systems

Damianou, Nicodemos Constantinou

January 2002

No description available.

005

Computer security