Information security service management : a service management approach to information security management

Rastogi, Rahul

January 2011

In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization.

A policy framework for management of distributed systems

Damianou, Nicodemos Constantinou

January 2002

No description available.

005

Computer security

Defining, measuring and regulating energy security

Winzer, Christian

January 2013

Energy security is one of the three pillars of energy policy next to environmental sustainability and economic efficiency. Despite its importance for policy making, there is no agreement about the definition of energy security and the metrics that could be used to measure the efficiency of different policies. As a result of this, it may be that both a political intervention in one direction and an intervention in the opposite direction could be justified on grounds of energy security. In our thesis we review the multitude of definitions of energy security. They can be characterized according to the sources of risk, the scope of the impacts, and the severity filters in the form of the speed, size, sustention, spread, singularity and sureness of impacts. Using a stylized case study for three European countries, we illustrate how the selection of conceptual boundaries along these dimensions determines the outcome. In order to reduce the overlap between security of supply and other policy objectives we propose the definition of energy security as the continuity of energy supplies relative to demand. The choice of the conceptual boundaries along the other dimensions remains a subjective decision that has to be taken by policy makers in a dialogue with society. Based on the definition of energy security as the continuity of supplies relative to demand, we examine how accurately different modelling approaches and metrics capture this concept. We find most of the wide-spread indicators, such as import shares, concentration measures and composite indicators based on expert elicitation are very rough heuristics that can easily be shown to produce inaccurate results. Simple modelling approaches such as analysis based on portfolio theory, or electricity system simulations offer some improvement, but still suffer from structural shortcomings and limitations in the way they model interdependencies. In this thesis we suggest a modelling approach which allows us to capture the interdependencies between natural, technical and human risk sources and quantify their combined impact on the continuity of energy supplies within a fixed infrastructure system. We use a case study of Italy to compare the outputs of our model with alternative metrics and simplified modelling approaches. Finally, we investigate the degree and the cost at which regulatory interventions in the form of so-called capacity mechanisms may increase the continuity of supplies in the electricity market. In contrast to previous research we find that the choice of a capacity mechanism may both be influenced by the extent to which it should be robust towards different regulatory errors as well as by the question whether it is evaluated from the perspective of consumer cost or from a welfare perspective.

658

Energy security

Multi-factor Authentication Techniques for Video Applications over the Untrusted Internet

Abbadi, Laith

January 2012

Designing a completely secure and trusted system is a challenge that still needs to be addressed. Currently, there is no online system that is: (i) easy to use, (ii) easy to deploy, (iii) inexpensive, and (iv) completely secure and trusted. The proposed authentication techniques aim to enhance security and trust for video applications in the untrustworthy online environments. We propose a transparent multimodal biometric authentication (TMBA) for video conferencing applications. The user is identified based on his/her physiological and behavioral biometrics. The technique is based on a ‘Steps-Free’ method, where the user does not have to perform any specific steps during authentication. The system will authenticate the user in a transparent way. We propose authentication techniques as an additional security layer for various ‘user-to-user’ and ‘user-to-service’ systems. For ‘user-to-user’ video conferencing systems, we propose an authentication and trust establishment procedure to identify users during a video conference. This technique enables users that have never met before to verify the identity of each other, and aims at enhancing the user’s trust in each other. For ‘user-to-service’ video conferencing systems, we propose a transparent multimodal biometric authentication technique for video banking. The technique can be added to online transaction systems as an additional security layer to enhance the security of online transactions, and to resist against web attacks, malware, and Man-In-The-Browser (MITB) attacks. In order to have a video banking conference between a user and a bank employee, the user has to be logged in to an online banking session. This requires a knowledge-based authentication. Knowledge-based authentication includes a text-based password, the ‘Challenge Questions’ method, and graphical passwords. We analyzed several graphical password schemes in terms of usability and security factors. A graphical password scheme can be an additional security layer add-on to the proposed multimodal biometric video banking system. The combined techniques provide a multimodal biometric multi-factor continuous authentication system.

multimodal

biometric

security

Towards an Evaluation of a Recommended Tor Browser Configuration in Light of Website Fingerprinting Attacks

Alshammari, Fayzah

January 2017

Website Fingerprinting (WF) attacks have become an area of concern for advocates of web Privacy Enhancing Technology (PET)s as they may allow a passive, local, eaves- dropper to eventually identify the accessed web page, endangering the protection offered by those PETs. Recent studies have demonstrated the effectiveness of those attacks through a number of experiments. However, some researchers in academia and Tor community demonstrated that the assumptions of WF attacks studies greatly simplify the problem and don’t reflect the evaluation of this vulnerability in practical scenarios. That leads to suspicion in the Tor community and among Tor Browser users about the efficacy of those attacks in real-world scenarios. In this thesis, we survey the literature of WF showing the research assumptions that have been made in the WF attacks against Tor. We then assess their practicality in real-world settings by evaluating their compliance to Tor Browser threat model, design requirements and to the Tor Project recommendations. Interestingly, we found one of the research assumptions related to the active content configuration in Tor Browser to be a reasonable assumption in all settings. Disabling or enabling the active content are both reasonable given the fact that the enabled configuration is the default of the Tor Browser, and the disabled one is the configuration recommended by Tor Project for users who require the highest possible security and anonymity. However, given the current published WF attacks, disabling the active con- tent is advantageous for the attacker as it makes the classification task easier by reducing the level of a web page randomness. To evaluate Tor Browser security in our proposed more realistic threat model, we collect a sample of censored dynamic web pages with Tor Browser in the default setting, which enables active content such as Javascript, and in the recommended setting by the Tor Project which disables the active content. We use Panchenko Support Vector Machine (SVM) classifier to study the identifiability of this sample of web pages. For pages that are very dynamic, we achieve a recognition rate of 42% when JavaScript is disabled, compared to 35% when turned on. Our results show that the recommended ”more secure” setting for Tor Browser is actually more vulnerable to WF attacks than the default and non-recommended setting.

Finger priniting

Security

Information security in a distributed banking environment, with specific reference to security protocols.

Van Buuren, Suzi

22 August 2012

M.Comm. / The principal aim of the present dissertation is to determine the nature of an electronicbanking environment, to determine the threats within such an environment and the security functionality needed to ward off these threats. Security solutions for each area at risk will be provided in short. The main focus of the dissertation will fall on the security protocols that can be used as solutions to protect a banking system. In the dissertation, indication will also be given of what the security protocols, in their turn, depend on to provide protection to a banking system. There are several security protocols that can be used to secure a banking system. The problem, however, is to determine which protocol will provide the best security for a bank in a specific application. This dissertation is also aimed at providing a general security framework that banks could use to evaluate various security protocols which could be implemented to secure a banking system. Such framework should indicate which security protocols will provide a bank in a certain banking environment with the best protection against security threats. It should also indicate which protocols could be used in combination with others to provide the best security.

Banks and banking - Security measures

Internet - Security measures

Computer networks - Security measures

Information security management : processes and metrics

Von Solms, Rossouw

11 September 2014

PhD. (Informatics) / Organizations become daily more dependent on information. Information is captured, processed, stored and distributed by the information resources and services within the organization. These information resources and services should be secured to ensure a high level of availability, integrity and privacy of this information at all times. This process is referred to as Information Security Management. The main objective of this, thesis is to identify all the processes that constitute Information Security Management and to define a metric through which the information security status of the organization can be measured and presented. It is necessary to identify an individual or a department which will be responsible for introducing and managing the information security controls to maintain a high level of security within the organization. The position .and influence of this individual, called the Information Security officer, and/or department within the organization, is described in chapter 2. The various processes and subprocesses constituting Information Security Management are identified and grouped in chapter 3. One of these processes, Measuring and Reporting, is currently very ill-defined and few guidelines and/or tools exist currently to help the Information Security officer to perform this task. For this reason the rest of the thesis is devoted to providing an effective means to enable the Information Security officer to measure and report the information security status in an effective way...

Data protection

Computer security

Near Real-time Risk Assessment Using Hidden Markov Models

Pak, Charles

01 January 2011

Business objectives and methods in an organization change periodically. Their supporting Information Systems (ISs) change even more dynamically for various reasons: system upgrades, software patches, routine maintenance, and intentionally or unintentionally induced attacks. Unless regular, routine, and timely risk assessments are conducted, changes in IS risks may never be noticed. Risk assessments need to be performed more frequently and faster in order to discover potential threats and to determine the changes that must be made to corporate computing environments to address them. Furthermore, conducting risk assessments on organizational assets can be time consuming, burdensome, and misleading in many cases because of the dynamically changing security states of assets. In theory, each asset can change its security states from one of secure, mitigated, vulnerable, or compromised. However, the secure state is only temporary and imaginary; it may never exist. Therefore, it is more accurate to say that each asset changes its security state from mitigated, vulnerable, or compromised. If we can predict an asset's future security state based on its current security state, we would have a good indicator of risk for the organization's mission-critical assets. Similarly, if risk factors of each mission critical asset could be quantified in near real-time, a risk assessment could be valuable in informing organizational stakeholders of the level of risk of their mission critical assets, which would then aid in their risk mitigation decisions. Quantifying organizational IS risk factors could be meaningful to an organization because quantifying risk levels could prompt a solution space in mitigating risks. In this research, we introduce an effective risk assessment using hidden Markov models (HMMs) in order to predict future security states and to quantify dynamically changing organizational IS assets by exploring possible security states from an insider user's perspective. HMMs have been used in many scientific fields to predict future states based on current states. Using these models, organizational mission critical assets could be assessed for their risk levels in a near real-time basis to determine the future risk level of each dynamically changing asset due to internally or externally induced threats.

Information Security

Computer Sciences

The extent to which China's involvement in Africa contributes to the security-development nexus

Mpisane, Sphamandla Percival

January 2015

The concepts of security and development have always existed, even before the end of the Cold War. However, it was the former United Nations Secretary-General, Boutros Boutros-Ghali who introduced to the world, the notion of a ‘security-development nexus’. This notion was encouraged by the shift in security concerns. This was a shift from traditional perspective focusing on protecting the interests and borders of the state, to a focus on ensuring the safety of citizens within a state. Such safety included a duty by the state to protect its citizens from chronic threats such as hunger, disease and repression. Moreover, the focus in this notion of a nexus shifted towards protecting citizens from sudden and harmful disruption in the patterns of their daily lives. This notion of a security-development nexus resulted in the need to appraise the significance of the factors that underpin this fundamental shift in the African context; to conduct an assessment of the understanding and perceptions held about Africa’s approach to this nexus; and to propose some measures which African governments can utilise to sustain the new approach to the security-development nexus, including possible areas of further research. The study discovered that many African countries are unable to utilise this nexus to their advantage because they face too many intra-state conflicts which they couldn’t control, and they were also underdeveloped. It was then clear that many African countries needed external involvement. As a result, the researcher decided to do assess one of Africa’s biggest partners, China. The purpose was to discover the extent to which an external player’s (China) involvement in African contributes to the strengthening on this security-development nexus in Africa. The study was carried out following a qualitative research methodology that combines both the descriptive and analytical approaches. The descriptive approach largely draws from the literature studies of primary and secondary sources, and the analytical approach was useful in analysing the extent to which China’s involvement in Africa contributes to the security-development nexus. The findings confirmed that notwithstanding China’s alleged exploitation and extraction of raw material and natural resources in Africa, they are to a certain extent contributing to the security-development nexus in Africa. The research findings also established that the relationship between China and Africa is a mutual beneficial one. It is not one where China only exploits Africa’s raw material and natural resources. It is based on a give and take partnership. While China provides African countries with development aid, unconditional loans, grants and infrastructure development, China is also gaining in return. It is therefore clear that a number of factors regarding China’s involvement in Africa needs to be debated and researched before one can conclude that China does not contribute to the security-development nexus in Africa, and also to measure the exact extent to which China contributes to the security-development nexus in Africa. / Mini-Dissertation (MA)--University of Pretoria, 2015. / Political Sciences / Unrestricted

Security Studies

UCTD

External Threats to Human Security in Kenya with Reference to the Conflict in Somalia

Nzibo, Rukia Y.A.

January 2016

The study deals with the external threats to human security in Kenya with reference to the conflict in Somalia. The central question of the study is whether the Kenyan government’s conceptualization and response to the human security challenges resulting from the conflict in Somalia is resolving the human security challenges in Kenya. At a theoretical level the research explores the concept of human security and how it is conceptualized in Kenya. At a practical level the paper assesses the conflict in Somalia, the human security challenges that have resulted in Kenya due to the conflict in Somalia and the government’s conceptualization of and response to the threats. The main finding of the study reflected that Kenya’s response to the conflict in Somalia and the human security threats emanating from the conflict were dependent on the security interests of the state and determined by the intensity of threats emanating from Somalia at different times. While some positive outcomes were realised, the state’s aggressive approach towards the conflict in Somalia, through military intervention and counter terrorism efforts, outweighed the good. The failure to also adequately implement policies and manage refugee affairs created human insecurity in the rural areas that affected the access to basic needs, while the urban areas were plagued with issues of ethnic profiling, human rights violations and the marginalisation of the Kenyan Muslim community. While state security was prioritised, the core of Kenya’s main strategies created more human insecurity rather than offering solutions towards acquiring human security. / Mini Dissertation (MSS)--University of Pretoria, 2016. / Political Sciences / Unrestricted

Human Security

UCTD