801 |
An information security policy architecture with special reference to a tertiary institution. Jordaan, Ansa 02 June 2008
This dissertation will be limited to the compilation of an Information Security Policy Architecture for a Tertiary Institution. An Information Security Policy Architecture for a Tertiary Institution is probably the most challenging architecture to develop in an environment where information accessibility is promoted. The Security Policy Architecture is a component of a complete Information Security Architecture, which will not be addressed in this dissertation. To mitigate and manage risks, it is essential to know what the information technology risks are and as a second step, to actively manage these risks to ensure that they stay within acceptable limits. The reporting and the monitoring of these risks open new fields of research and will not be discussed in this dissertation. / von Solms, S.H., Prof.
|
802 |
Infosure: an information security management system. Venter, Diederik Petrus 04 June 2008
Information constitutes one of an organisation’s most valuable assets. It provides the modern organisation with a competitive edge and in some cases, is a requirement merely to survive. An organisation has to protect its information but due to the distributed, networked environment of today, faces a difficult challenge; it has to implement a system of information security management. Software applications can provide significant assistance in managing information security. They can be used to provide for centralised feedback of information security related activities as well as for centralised configuration activities. Such an application can be used in enforcing compliance to the organisation’s information security policy document. Currently there are a number of software products that provide this function in varying measures. In this research the major players in this space were examined to identify the features commonly found in these systems, and where they were lacking in terms of affordability, flexibility and scalability. A framework for an information security management application was defined based on these features and requirements and incorporating the idea of being affordable, but still flexible and extendable. This shifted the focus from attempting to provide a comprehensive list of interfaces and measurements into general information security related activities, to focusing on providing a generic tool that could be customised to handle any information fed back to it. The measurements could then be custom-developed as per the needs of the organisation. This formed the basis on which the prototype information security management application (InfoSure) was developed. / Prof. S.H. Solms
|
803 |
Establishing an information security culture in organizations : an outcomes based education approach. Van Niekerk, Johannes Frederick January 2005
Information security is crucial to the continuous well-being of modern organizations. Humans play a significant role in the processes needed to secure an organization's information resources. Without an adequate level of user co-operation and knowledge, many security techniques are liable to be misused or misinterpreted by users. This may result in an adequate security measure becoming inadequate. It is therefore necessary to educate the organization's employees regarding information security and also to establish a corporate sub-culture of information security in the organization, which will ensure that the employees have the correct attitude towards their security responsibilities. Current information security education programs fail to pay sufficient attention to the behavioral sciences. There also exists a lack of knowledge regarding the principles, and processes, that would be needed for the establishment of a corporate sub-culture, specific to information security. Without both the necessary knowledge, and the desired attitude amongst the employees, it will be impossible to guarantee that the organization's information resources are secure. It would therefore make sense to address both these dimensions to the human factor in information security, using a single integrated, holistic approach. This dissertation presents such an approach, which is based on an integration of sound behavioral theories.
|
804 |
A cyber security awareness and education framework for South Africa. Kortjan, Noloxolo January 2013
The Internet is becoming increasingly interwoven in the daily life of many individuals, organisations and nations. It has, to a large extent, had a positive effect on the way people communicate. It has also introduced new avenues for business and has offered nations an opportunity to govern online. Nevertheless, although cyberspace offers an endless list of services and opportunities, it is also accompanied by many risks. One of these risks is cybercrime. The Internet has given criminals a platform on which to grow and proliferate. As a result of the abstract nature of the Internet, it is easy for these criminals to go unpunished. Moreover, many who use the Internet are not aware of such threats; therefore they may themselves be at risk, together with businesses and governmental assets and infrastructure. In view of this, there is a need for cyber security awareness and education initiatives that will promote users who are well versed in the risks associated with the Internet. In this context, it is the role of the government to empower all levels of society by providing the necessary knowledge and expertise to act securely online. However, there is currently a definite lack in South Africa (SA) in this regard, as there are currently no government-led cyber security awareness and education initiatives. The primary research objective of this study, therefore, is to propose a cyber security awareness and education framework for SA that will assist in creating a cyber secure culture in SA among all of its users of the Internet.
|
805 |
A framework to evaluate usable security in online social networking. Yeratziotis, Alexandros January 2011
It is commonly held in the literature that users find security and privacy difficult to comprehend. It is also acknowledged that most end-user applications and websites have built-in security and privacy features. Users are expected to interact with these in order to protect their personal information. However, security is generally a secondary goal for users. Considering the complexity associated with security in combination with the notion that it is not users’ primary task, it makes sense that users tend to ignore their security responsibilities. As a result, they make poor security-related decisions and, consequently, their personal information is at risk. Usable Security is the field that investigates these types of issue, focusing on the design of security and privacy features that are usable. In order to understand and appreciate the complexities that exist in the field of Usable Security, the research fields of Human-Computer Interaction and Information Security should be examined. Accordingly, the Information Security field is concerned with all aspects pertaining to the security and privacy of information, while the field of Human-Computer Interaction is concerned with the design, evaluation and implementation of interactive computing systems for human use. This research delivers a framework to evaluate Usable Security in online social networks. In this study, online social networks that are particular to the health domain were used as a case study and contributed to the development of a framework consisting of three components: a process, a validation tool and a Usable Security heuristic evaluation. There is no existing qualitative process that describes how one would develop and validate a heuristic evaluation. In this regard a heuristic evaluation is a usability inspection method that is used to evaluate the design of an interface for any usability violations in the field of Human-Computer Interaction. 
Therefore, firstly, a new process and a validation tool were required to be developed. Once this had been achieved, the process could then be followed to develop a new heuristic evaluation that is specific to Usable Security. In order to assess the validity of a new heuristic evaluation a validation tool is used. The development of tools that can improve the design of security and privacy features on end-user applications and websites in terms of their usability is critical, as this will ensure that the intended users experience them as usable and can utilise them effectively. The framework for evaluating Usable Security contributes to this objective in the context of online social networks.
|
806 |
Security in wireless networks : Vulnerabilities and Countermeasures / Säkerhet i trådlösa nätverk : Sårbarheter och motåtgärder. Larsson, Josephine, Waller, Ida January 2003
The market for wireless networks has increased over the years; more and more organizations implement this technology. The need to work flexibly, conveniently and cost-effectively are three reasons for the technology’s raised popularity. The use of wireless networks has exposed new aspects of network security. The information is no longer dependent on wires because it can be transmitted through radio waves instead. The exposure of information increases, therefore also the vulnerabilities. This leads to more security problems related to the exposure of the transmitted information. It is difficult to understand the importance of network security and why to invest resources for it. Investing in security can lead to lower costs in the long run, because incidents can be perceived before it is too late. This thesis will describe why it is important to perform a risk assessment before developing a security policy. One of the reasons for having a security policy is to clarify the responsibilities for the network security to raise understanding for security within the organization. Another motive is to define how the information should be protected when transmitted in the wireless network. For example, by using the IEEE standard protocol (WEP), which may not be the best encryption solution. For organizations that handle sensitive information it is important to be aware of the security problems that exist and to prevent the security risks. A case study was performed at several county councils in Sweden. The reason for this was that county councils handle sensitive information. The case study’s main purpose was to evaluate the level of knowledge about wireless security at county councils.
|
807 |
A Method for Analyzing Security of SOA-based Systems. Lu, Qifei, Wang, Zhishun January 2010
SOA-based systems offer high degree of flexibility and interoperability. However, the securing of SOA-based applications is still a challenge. Although some related techniques have been proposed and presented in academia and industry, it is still difficult to check SOA quality in security aspect from an architecture view. In this thesis project, a method for security analysis in SOA is introduced and investigated. The method intends to be used for analyzing security of SOA-based systems on architecture level. To demonstrate the method, a prototype supporting the method is introduced and implemented. And the method and prototype are also evaluated respectively based on Technology Acceptance Model. The evaluation result shows that the prototype supporting the method is a promising inspection tool to detect software vulnerability.
|
808 |
Develop a Secure Network – A Case Study. Rayapati, Habeeb January 2010
In recent years, so many networks are being built and some of the organizations are able to provide security to their networks. The performance of a network depends on the amount of security implemented on the network without compromising the network capabilities. For building a secure network, administrators should know all the possible attacks and their mitigation techniques and should perform risk analysis to find the risks involved in designing the network. And they must also know how to design security policies for implementing the network and to educate the employees, to protect the organization’s information. The goal behind this case-study is to build a campus network which can sustain from reconnaissance attacks. This thesis describes all the network attacks and explores their mitigation techniques. This will help an administrator to be prepared for the coming attacks. This thesis explains how to perform risk analysis and the two different ways to perform risk analysis. It also describes the importance of security policies and how security policies are designed in real world.
|
809 |
Modelling security requirements through extending Scrum agile development framework. Alotaibi, Minahi January 2016
Security is today considered as a basic foundation in software development and therefore, the modelling and implementation of security requirements is an essential part of the production of secure software systems. Information technology organisations are moving towards agile development methods in order to satisfy customers' changing requirements in light of accelerated evolution and time restrictions with their competitors in software production. Security engineering is considered difficult in these incremental and iterative methods due to the frequency of change, integration and refactoring. The objective of this work is to identify and implement practices to extend and improve agile methods to better address challenges presented by security requirements consideration and management. A major practice is security requirements capture mechanisms such as UMLsec for agile development processes. This thesis proposes an extension to the popular Scrum framework by adopting UMLsec security requirements modelling techniques with the introduction of a Security Owner role in the Scrum framework to facilitate such modelling and security requirements considerations generally. The methodology involved experimentation of the inclusion of UMLsec and the Security Owner role to determine their impact on security considerations in the software development process. The results showed that overall security requirements consideration improved and that there was a need for an additional role that has the skills and knowledge to facilitate and realise the benefits of the addition of UMLsec.
|
810 |
Advantages and Risks of Sensing for Cyber-Physical Security. Han, Jun 01 May 2018
With the emergence of the Internet-of-Things (IoT) and Cyber-Physical Systems (CPS), modern computing is now transforming from residing only in the cyber domain to the cyber-physical domain. I focus on one important aspect of this transformation, namely shortcomings of traditional security measures. Security research over the last couple of decades focused on protecting data in regard to identities or similar static attributes. However, in the physical world, data rely more on physical relationships, hence requires CPS to verify identities together with relative physical context to provide security guarantees. To enable such verification, it requires the devices to prove unique relative physical context only available to the intended devices. In this work, I study how varying levels of constraints on physical boundary of co-located devices determine the relative physical context. Specifically, I explore different application scenarios with varying levels of constraints – including smart-home, semi-autonomous vehicles, and in-vehicle environments – and analyze how different constraints affect binding identities to physical relationships, ultimately enabling IoT devices to perform such verification. Furthermore, I also demonstrate that sensing may pose risks for CPS by presenting an attack on personal privacy in a smart home environment.
|