Informationssäkerhet : en undersökning om säkerhetsarbetet bland företag i Dals-Ed

Bengtsson, Jenny, Olsson, Jenny

January 2003

No description available.

Informationssäkerhet

Datasäkerhet

Säkerhetspolicy

Information security management

Säkerhetslösningar

Secret sharing using artificial neural network

Alkharobi, Talal M.

15 November 2004

Secret sharing is a fundamental notion for secure cryptographic design. In a secret sharing scheme, a set of participants shares a secret among them such that only pre-specified subsets of these shares can get together to recover the secret. This dissertation introduces a neural network approach to solve the problem of secret sharing for any given access structure. Other approaches have been used to solve this problem. However, the yet known approaches result in exponential increase in the amount of data that every participant need to keep. This amount is measured by the secret sharing scheme information rate. This work is intended to solve the problem with better information rate.

Secret sharing

artificial neural network

information security

Factors determining e-government security

Razzaqi, Hasan Ali

January 2013

E-Government security is a major area of concern that has the potential to affect the success of e-Government services across the world. Much of the literature has addressed this phenomenon by applying principles of computer science or engineering which tend to be objective. User concern of e-Government service security has not been addressed applying social science principles or management that tend to be subjective and have not been addressed in the literature. Objective research outcomes are unfortunately not suitable to address subjective factors. Further, user centric approach has not been adopted in most of the empirical studies that have dealt with e-Government security leading to lack of an understanding of how users perceive or feel or comprehend about e-Government services, particularly e-Government service security. Most of the research efforts addressing e-Government security have focused on either technological issues or engineering issues neglecting user perceptions and behavioural aspects. This disadvantage has led to possible reduction in the up-take of e-Government services. There was a need to have an in-depth understanding of user centric e-Government security and user centric factors that affect it as its antecedents addressing which it is possible to enhance user confidence in e-Government and hence its success. This research has addressed this partially. While addressing the concerns raised above, this research has defined and identified certain user centric factors that are required to examine the user centric nature of e-Government service security from the management and social sciences perspective. E-Government literature was critically reviewed to determine the user centric factors and their relationship to user centric e-Government security with the help of theories, models, concepts and frameworks that have not been applied so far. Contextual factors have been identified as important user centric ones that affect user centric e-Government security with e-Government technology chosen as the main contextual determinant of user centric e-Government security. User trust and user felt risk in using e-Government services were brought in as mediators of this relationship due to the prime importance these two user centric factors carry with regard to affecting the relationship between technology and user centric e-Government security. In addition demographic factors and culture (nationality) as a factor were applied to test their influence on the relationship between user trust and user centric e-Government security mediated by user felt risk to find whether they have any impact. Moderators (Human Computer Interaction (HCI), user privacy and web design quality) of this relationship were added to the investigation as literature showed that e-Government technology could not operate in isolation. Finally empirical outcomes of testing the above relationships were practically tested by examining the influence of perceived ease of use and usefulness on the relationship between user trust and user centric e-Government security mediated by user felt risk to find whether technology impacted users in reality. Theoretical framework was drawn from the literature review leading to a conceptual model that was used to answer the research question. 12 hypotheses were tested in all. The research was conducted in the Kingdom of Bahrain which ranks high in the implementation of e-Government (e.g. 14th ranked in the world in implementing e-participation in 2014 ranked by UN). The country offered a fertile ground for conducting research as the e-Government service provided were updated technologically constantly with the latest technological advancement cloud computing introduced in e-Government service provision. Most government services were offered now through e-Government services. The population was cosmopolitan and education levels of the users of e-Government were reasonably high providing a strong basis for conducting this research. Quantitative research method and survey questionnaire strategy were used. Users of e-Government services were the target population. Sampling procedure yielded 309 valid responses. Rigourous statistical analysis provided the findings. Except for 2 hypotheses the remaining were verified and established. Technology was found to determine user centric e-Government security with the mediation by trust being stronger than risk. HCI and web design quality moderated the relationship between technology and user centric e-Government security significantly. User education and experience were found to influence user trust and user centric e-Government security. User privacy and nationality were not found to be statistically significant. Perceived ease of use and usefulness of the technology were found to influence e-Government security mediated by trust and risk. This research was perhaps one of the first to have been conducted in a context where e-Government technology used cloud computing. The research contributed to the growing body of knowledge in the field of e-Government security that has viewed this phenomenon from the lens of social sciences and management. Theoretical contribution showed how the operationalization and relationship amongst the factors could be explained by expanding the application of theories including socio-technical, behavioural, managerial, technology adoption, organiational and HCI. Practical implications showed the usefulness of this research to users, service providers and policy makers involved with e-Government services. Methodologically this research has introduced a verification stage by which it has verified the theoretical results using practical outcomes.

352.3

DEFY: A Deniable File System for Flash Memory

Peters, Timothy M

01 June 2014

While solutions for file system encryption can prevent an adversary from determining the contents of files, in situations where a user wishes to hide even the existence of data, encryption alone is not enough. Indeed, encryption may draw attention to those files, as they most likely contain information the user wishes to keep secret, and coercion can be a very strong motivator for the owner of an encrypted file system to surrender their secret key. Herein we present DEFY, a deniable file system designed to work exclusively with solid-state drives, particularly those found in mobile devices. Solid-state drives have unique properties that render previous deniable file system designs impractical or insecure. Further, DEFY provides features not offered by any single prior work, including: support for multiple layers of deniability, authenticated encryption, and an ability to quickly and securely delete data from the device. We have implemented a prototype based on the YAFFS and WhisperYaffs file systems. An evaluation shows DEFY performs comparatively with WhisperYaffs.

YAFFS

Cryptography

Databases and Information Systems

Information Security

Olika perspektiv på informationssäkerhet : En fallstudie på ett universitet

Wallin, Emma, Andersson, Ellinor

January 2022

Utbildningssektorn har sedan en tid tillbaka varit extra utsatt för cyberattacker, dels på grund av dess öppna nätverk och det stora antalet användare, men ofta också på grund av ett bristande informationssäkerhetsarbete (Wood 2014). Syftet med uppsatsen är att undersöka vad ett svenskt universitet och dess anställda har för uppfattning av informationssäkerhet samt om och i så fall hur dessa syner skiljer sig åt. Det med hjälp av teorin Technological frames (Orlikowski & Gash 1994). I studien har sex anställda och enheten för informationssäkerhet på universitetet intervjuats. Författarna har även utfört en deltagande observation vid en internutbildning i informationssäkerhet. Resultaten visar att de två grupperna bland annat har en samsyn om att människan är det största hotet för infektioner och attacker, att information i olika former är viktig att skydda, att den fysiska säkerheten samt lösenord är viktiga, att organisationen måste hitta en lagom nivå av informationssäkerhet och att ansvar för informationssäkerhetsutbildning för anställda främst ligger hos organisationen men att det trots allt också finns ett ansvar hos individen att själv ta reda på information. Det förelåg olika syner på huruvida phishing-mejl skulle raderas direkt eller rapporteras och vilka kommunikationsvägar som bör användas mellan enheten för informationssäkerhet och de anställda. De anställda hade dessutom en snävare syn på vad informationssäkerhet är jämfört med enheten för informationssäkerhet. / The education sector has recently been particularly exposed to cyber attacks, partly due to its open networks and the large number of users, but also due to a lack of information security (Wood 2014). The purpose of the thesis is to investigate what image a Swedish university and its employees have of information security and if these views differ, and in that case how. This study draws on the theory Technological frames (Orlikowski & Gash 1994). In the study, six employees and the information security unit at the university were interviewed. We also per­formed participatory observation during an internal course in information security. The results show that the two groups agree that humans are the biggest threat when it comes to cyber at­tacks, that information in various forms is important to protect, that physical security and pass­words are important, that the organization must find a reasonable level of information security and that the organization should have the primary responsibility for information security train­ing for employees, but that individuals also have a responsibility. There were different views on whether phishing emails should be deleted directly or reported. The views differ when it comes to which communication channels should be used between the unit of information secu­rity and the employees. The employees also had a narrower view of what information security is compared to the unit for information security.

Information security

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Informationssäkerhet

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Information Systems

Detecting The Intensity of Denial-of-Service Cyber Attacks using Supervised Machine Learning

Hubbard, Abigail

01 May 2022

Denial-of-Service (DoS) attacks are aimed at shutting a machine or network down to block users from accessing it. These attacks can be difficult to detect and can cost millions in damages or lost earnings. Since the first DoS attack occurred in 1999, the way DoS attacks have been launched has become more complicated, making them more elusive and harder to detect. The first step to detect and mitigate a DoS attack is for a system to identify the malicious traffic. In this experiment, we aim to identify the malicious traffic within ten seconds. To do this the project was divided into 3 phases: data collection, feature extraction and construction of classification. The first phase was to collect malicious and legitimate data using Wireshark. The second phase of the project was to convert the PCAP files into features that are meaningful and easy to read. The third phase of the project is the construction of classification models. We used the Naïve Bayes and decision tree classification models to identify malicious traffic data and differentiate it from legitimate traffic data. This approach yielded an 𝐹1 score average of 92% in detecting DoS attacks and an 𝐹1 𝑠𝑐𝑜𝑟𝑒 accuracy range of 37% to 71% to accurately determine the intensity of the DoS attack, a reasonable accuracy for this problem. These results show that it is possible to not only detect DoS attacks, but also, to determine the intensity of such attacks with a reasonable accuracy.

Computer Sciences

Information Security

Other Computer Sciences

Enhancing the governance of information security in developing countries : the case of Zanzibar

Shaaban, Hussein Khamis

January 2014

Organisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area.

005.8

Strategic framework to minimise information security risks in the UAE

Alkaabi, Ahmed

January 2014

The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to security measure undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information including passwords of online accounts can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study on 3 main Gulf Cooperation Council (GCC) countries, namely, Saudi Arabia (KSA), United Arab Emirates (UAE) and Oman, showing that there is similar a significant level of sensitive information sharing among employees in the region. This is proven to highly contribute to compromising user digital authentication, eventually, putting users’ accounts at risk. The research continued by carrying out a comparison between the United Kingdom (UK) and the Gulf Cooperation Council (GCC) countries in terms of attitudes and behaviour towards information sharing. It was evident that there is a significant difference between GCC Arab culture and the UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts, which may lead potential threats to the authentication mechanism and consequently to other digital accounts that require a credential pass. It was shown that the lack of awareness and the cultural impact are the main issues for sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures of reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. The found out that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best defence to cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies of the United Kingdom (UK), the United States (U.S.) and Australia (AUS) in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness to reduce information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends. Rather, computer users should be educated about the risks of such behaviour in order to realise and change. As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed a basis for the information security education framework also proposed in this work.

005.8

A Study of the Effect of Information Security Policies on Information Security Breaches in Higher Education Institutions

Waddell, Stanie Adolphus

01 January 2013

Many articles within the literature point to the information security policy as one of the most important elements of an effective information security program. Even though this belief is continually referred to in many information security scholarly articles, very few research studies have been performed to corroborate this sentiment. Doherty and Fulford undertook two studies in 2003 and in 2005 respectively that sought to catalogue the impact of the information security policy on breaches at businesses in the United Kingdom. The pair went on to call for additional studies in differing industry segments. This dissertation built upon Doherty and Fulford (2005). It sought to add to the body of knowledge by determining the statistical significance of the information security policy on breaches within Higher education. This research was able to corroborate the findings from Doherty and Fulford's original research. There were no observed statistically significant relationships between information security policies and the frequency and severity of information security breaches. This study also made novel contributions to the body of knowledge that included the analysis of the statistical relationships between information security awareness programs and information security breaches. This effort also analyzed the statistical relationships between information security policy enforcement and breaches. The results of the analysis indicated no statistically significant relationships. Additionally, this research observed that while information security policies are heavily utilized by colleges and universities, security awareness training is not heavily employed by institutions of higher education. This research noted that many institutions reported not having consistent enforcement of information security policies. The data observed during this research implies there is room for additional coverage of formal information security awareness programs and potentially a call to attempt alternative training methods to achieve a reduction of the occurrences and impact of security breaches. There is room for greater adoption of consistent enforcement of policy at higher education organizations. The results of this dissertation suggest that the existence of policy, training, and enforcement activities in and of themselves are not enough to sufficiently curtail breaches. Additional studies should be performed to better understand how breaches can be reduced.

Awareness Programs

Colleges and Universities

Information Security

Information Security Policies

Policy Enforcement

Security Breaches

Computer Sciences

Investigating the Impact of Self-Control and Deterrents on Noncompliant Information Security Behavior

Chuma, Ramadhan

01 January 2012

Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in organizational context, demands a well grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior. Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies.

Compliance

Criminal Propensity

General Deterrence Theory

information security behavior

Information security policy

Self-control

Computer Sciences