  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
61

Methods for Hospital Network and Computer Security

Hausrath, Nathaniel L. 16 August 2011
No description available.
62

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama January 2023
The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. 
Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.
63

Shaping information security behaviors related to social engineering attacks

Rocha Flores, Waldo January 2016
Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of the behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments.
Papers 6 and 7 describe experiments performed to understand the reasons why employees fall for social engineering. Finally, Papers 2, 5 and 6 examine the moderating effect of national culture. / QC 20160503
64

Study on Architecture-Oriented Coast Guard Information Security Management Model

Chen, Chih-Ming 20 December 2011
With the popularity of computer networks, e-systems have enhanced the information flow within the Coast Guard Institute. Due to constant information security incidents, formulating policies and managing mechanisms have become an important task of the internal security authorities. In this study, we construct an Architecture-Oriented Coast Guard Information Security Management Model (AOCGISMM) which is based on the six fundamental diagrams of Structure-Behavior Coalescence (SBC) Architecture. AOCGISMM not only provides an integrated description of structure and behavior of the Coast Guard Institute Information Security operations, but also makes it easy for the employees within the organization to promote compliance. AOCGISMM covers all structure and behavior of the whole Coast Guard Institute Information Security operations. Therefore, AOCGISMM describes the complete picture of Coast Guard Institute Information Security so that every employee shall understand and communicate well to meet the organization's needs.
65

Linking Information Security Awareness to Information Security Management Strategy. A Study in an IT Company

Spandonidis, Bladimiros January 2015
There is a great concern when it comes to the investigation of the parameters that affect the formulation of an information security management strategy in an organization. Amongst others, information security awareness is of great interest, mainly because it links the implementation of the information security policies to the consciousness and the psychology of the employees of an organization. Stated otherwise, the information security awareness positively beholds the role of a bridge so as to help the IS managers to evaluate the level that the critical information of the organization is secured, and it offers to IS managers opportunities to develop suitable training programs and information security policies for all the employees of an organization. In the current thesis, we focused on the investigation of the factors that influence the behavior of the employees in order to accept any information security policy of the organization and to adopt information security awareness. The psychology of security and technology (POST™) framework (Layton, 2005) together with a PEST (Political, Economic, Social, Technology) analysis guide the investigation and offer the theoretical background for the conduction of a study in an IT Company. A qualitative research has been conducted and semi-structured interviews helped for the collection of the desired data. Also a thematic analysis and the use of a generic approach (Lichtman, 2013) helped for the analysis of the data. The final results gave the ability to identify in practice the employees’ information security awareness adoption level, to link the measurement findings to the development of an information security management strategy and to refine the POST™ framework for its greater advance.
66

Mitigating information manipulation

Xing, Xinyu 07 January 2016
The advent of information services introduces many advantages, for example, in trade, production and services. While making important decisions today, people increasingly rely on the information gleaned from such services. Presumably, as such, information from these services has become a target of manipulation. During the past decade, we have already observed many forms of information manipulation that misrepresent or alter reality. Some popular manipulations -- which we have witnessed on the Internet -- include using black hat SEO techniques to drive up the ranking of a disreputable business, creating disinformative campaigns to conceal political dissidence, and employing less-than-honest product assessments to paint a rosy picture for inferior wares. Today, emerging web services and technologies have greatly facilitated and enhanced people's lives. However, these innovations also enrich the arsenal of manipulators. The sheer amount of online information available today can threaten to overwhelm any user. To help ensure that users do not drown in the flood of information, modern web services are increasingly relying upon personalization to improve the quality of their customers' experience. At the same time, personalization also represents new ammunition for all manipulators seeking to steer user eyeballs, regardless of their intents. In this thesis, I demonstrate a new unforeseen manipulation that exploits the mechanisms and algorithms underlying personalization. To undermine the effect of such manipulation, this thesis also introduces two effective, efficient mitigation strategies that can be applied to a number of personalization services. In addition to the aforementioned personalization, increasingly prevalent browser extensions augment the ability to distort online information.
In this thesis, I unveil an overlooked but widespread manipulation phenomenon in which miscreants abuse the privilege of browser extensions to tamper with the online advertisement presented to users. Considering that online advertising business is one of the primary approaches used to monetize free online services and applications available to users, and reckless ad manipulation may significantly roil advertising ecosystem, this thesis scrutinizes the potential effect of ad manipulation, and develops a technical approach to detect those browser extensions that falsify the ads presented to end users. Although the thesis merely discusses several manipulation examples in the context of the Internet, the findings and technologies presented in this thesis introduce broad impacts. First, my research findings raise Internet users' awareness about pervasive information manipulation. Second, the proposed technologies help users alleviate the pernicious effects of existing information manipulation. Finally, accompanying the findings and technologies is publicly available open-source software and tools that will help an increasing number of users battle against the growing threat of information manipulation.
67

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh 30 November 2005
With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. 
This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)
68

Electronic patient record security policy in Saudi Arabia National Health Service

Aldajani, Mouhamad January 2012
Saudi Arabia is in the process of implementing Electronic Patient Records (EPR) throughout its National Health services. One of the key challenges during the adoption process is the security of EPR. This thesis investigates the current state of EPR security in Saudi Arabia’s National Health Services (SA NHS) both from a policy perspective and with regard to its implementation in SA NHS’s information systems. To facilitate the analysis of EPR security, an EPR model has been developed that captures the information that is stored as part of the electronic record system in conjunction with stated security requirements. This model is used in the analysis of policy consistency and to validate operational reality against stated policies at various levels within the SA NHS. The model is based on a comprehensive literature survey and structured interviews which established the current state of practice with respect to EPRs in a representative Saudi Arabian hospital. The key contribution of this research is the development and evaluation of a structured and model-based analysis approach to EPR security at the early adoption stage in SA, based on types of information present in EPRs and the needs of the users of EPRs. The key findings show that the SA EPR adoption process is currently proceeding without serious consideration for security policy to protect EPR and a lack of awareness amongst hospital staff.
69

A framework for usable and secure system design

Faily, Shamal January 2011
Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. The research problem this thesis addresses is how techniques and tools can be integrated and improved to support the design of usable and secure systems. To develop this understanding, we present IRIS (Integrating Requirements and Information Security) --- a framework for specifying usable and secure systems. IRIS considers the system design process from three different perspectives --- Usability, Security, and Requirements --- and guides the selection of techniques towards integrative Security, Usability, and Requirements Engineering processes. This thesis claims that IRIS is an exemplar for integrating existing techniques and tools towards the design of usable and secure systems. In particular, IRIS makes three significant contributions towards the stated research problem. First, a conceptual model for usable secure Requirements Engineering is presented, upon which the IRIS framework is founded; this meta-model informs changes to elicitation and specification techniques for improved interoperability in the design process. Second, several characteristics of tool-support needed to elicit and specify usable and secure systems are introduced; the CAIRIS (Computer Aided Integration of Requirements and Information Security) software tool is presented to illustrate how these characteristics can be embodied. Third, we describe how the results of applying IRIS can be used to improve the design of existing User-Centered Design techniques for secure systems design. 
We validate the thesis by applying the IRIS framework to three case studies. In the first, IRIS is used to specify requirements for a software repository used by a UK water company. In the second, IRIS is used to specify security requirements for a meta-data repository supporting the sharing of medical research data. In the final case study, IRIS is used to analyse a proposed security policy at a UK water company, and identify missing policy requirements. In each case study, IRIS is applied within the context of an Action Research intervention, where findings and lessons from one case study are fed into the action plan of the next.
70

Managing near field communication (NFC) payment applications through cloud computing

Pourghomi, Pardis January 2014
The Near Field Communication (NFC) technology is a short-range radio communication channel which enables users to exchange data between devices. NFC provides a contactless technology for data transmission between smart phones, Personal Computers (PCs), Personal Digital Assistants (PDAs) and such devices. It enables the mobile phone to act as identification and a credit card for customers. However, the NFC chip can act as a reader as well as a card, and also be used to design symmetric protocols. Having several parties involved in the NFC ecosystem and not having a common standard affects the security of this technology where all the parties are claiming to have access to client’s information (e.g. bank account details). The dynamic relationships of the parties in an NFC transaction process make them partners in a way that sometimes they share their access permissions on the applications that are running in the service environment. These parties can only access their part of involvement as they are not fully aware of each other’s rights and access permissions. The lack of knowledge between involved parties makes the management and ownership of the NFC ecosystem very puzzling. To solve this issue, a security module that is called Secure Element (SE) is designed to be the base of the security for NFC. However, there are still some security issues with SE personalization, management, ownership and architecture that can be exploitable by attackers and delay the adaption of NFC payment technology. Reorganizing and describing what is required for the success of this technology have motivated us to extend the current NFC ecosystem models to accelerate the development of this business area. One of the technologies that can be used to ensure secure NFC transactions is cloud computing which offers a wide range of advantages compared to the use of SE as a single entity in an NFC enabled mobile phone.
We believe cloud computing can solve many issues in regards to NFC application management. Therefore, in the first contribution of part of this thesis we propose a new payment model called “NFC Cloud Wallet”. This model demonstrates a reliable structure of an NFC ecosystem which satisfies the requirements of an NFC payment during the development process in a systematic, manageable, and effective way.
