Three Essays on Information Security Risk Management

Ogbanufe, Obiageli

05 1900

Today's environment is filled with the proliferation of cyber-attacks that result in losses for organizations and individuals. Hackers often use compromised websites to distribute malware, making it difficult for individuals to detect. The impact of clicking through a link on the Internet that is malware infected can result in consequences such as private information theft and identity theft. Hackers are also known to perpetrate cyber-attacks that result in organizational security breaches that adversely affect organizations' finances, reputation, and market value. Risk management approaches for minimizing and recovering from cyber-attack losses and preventing further cyber-attacks are gaining more importance. Many studies exist that have increased our understanding of how individuals and organizations are motivated to reduce or avoid the risks of security breaches and cyber-attacks using safeguard mechanisms. The safeguards are sometimes technical in nature, such as intrusion detection software and anti-virus software. Other times, the safeguards are procedural in nature such as security policy adherence and security awareness and training. Many of these safeguards fall under the risk mitigation and risk avoidance aspects of risk management, and do not address other aspects of risk management, such as risk transfer. Researchers have argued that technological approaches to security risks are rarely sufficient for providing an overall protection of information system assets. Moreover, others argue that an overall protection must include a risk transfer strategy. Hence, there is a need to understand the risk transfer approach for managing information security risks. Further, in order to effectively address the information security puzzle, there also needs to be an understanding of the nature of the perpetrators of the problem – the hackers. Though hacker incidents proliferate the news, there are few theory based hacker studies. Even though the very nature of their actions presents a difficulty in their accessibility to research, a glimpse of how hackers perpetrate attacks can be obtained through the examination of their knowledge sharing behavior. Gaining some understanding about hackers through their knowledge sharing behavior may help researchers fine-tune future information security research. The insights could also help practitioners design more effective defensive security strategies and risk management efforts aimed at protecting information systems. Hence, this dissertation is interested in understanding the hackers that perpetrate cyber-attacks on individuals and organizations through their knowledge sharing behavior. Then, of interest also is how individuals form their URL click-through intention in the face of proliferated cyber risks. Finally, we explore how and why organizations that are faced with the risk of security breaches, commit to cyberinsurance as a risk management strategy. Thus, the fundamental research question of this dissertation is: how do individuals and organizations manage information security risks?

hackers

security risk management

malware

cyberinsurance

risk transfer

knowledge sharing

social network analysis

Computer security -- Management.

Data protection.

Hackers.

Návrh zavedení nutných oblastí ISMS ve veřejné správě / The proposal for implementation of essential ISMS sections at the public administration

Klepárník, Roman

January 2018

This diploma thesis focuses on the application of information security management system in the public administration. Thesis focuses on the most frequent threats on information security and describes the best practices which are compliant with the ISO/IEC 27000. It contains the proposal of security recommendation that will help the organisation with ensuring better information security and with the preparation for GDPR

Modul rozšiřující funkcionalitu GDPR řešení / Module Extending Functionality of GDPR Solution

Janeček, Vít

January 2018

The goal of this thesis is to introduced the principles of access control technologies, the General Data Protection Regulation and the software for data leakage protection. An essential part of the work is a draft and implementation of the expansion module for user device authentication including shared storage access authorization. Therefore, this module allows to verify whether a user can access shared corporate resources. It also allows to enable or disable access based on specified attributes, such as the type of the protected service or user permission. The basic verification of the module's functionality is realized through different sets of tests and a virtual environment that simulates the corporate environment. The result of the draft is a module that allows to verify access based on the device, and this module is moreover integrated into the Safetica security platform.

Metodika zálohování v souladu s Obecným nařízením o ochraně osobních údajů - GDPR / The methodology of data backup in accordance to General data protection regulation

Smutka, Miloslav

January 2019

The main topic of this thesis is creating a methodology for data backups in compliance with the General Data Protection Regulation (GDPR). After analysis of individual regulation sections, processes and methods of proper data backups will be defined. The thesis will also concern itself with different backup media types and related technology. Outcome of the text will be the creation of a specific method useful for change control.

Cybersecurity framework for cloud computing adoption in rural based tertiary institutions

Patala, Najiyabanu Noormohmed

18 May 2019

MCom (Business Information Systems) / Department of Business Information Systems / Although technology is being progressively used in supporting student learning and enhancing business processes within tertiary institutions, certain aspects are hindering the decisions of cloud usage. Among many challenges of utilizing cloud computing, cybersecurity has become a primary concern for the adoption. The main aim of the study was to investigate the effect of cloud cyber-security usage at rural based tertiary institutions in order to compare the usage with an urban-based institution and propose a cybersecurity framework for adoption of cloud computing cybersecurity. The research questions focused on determining the drivers for cloud cybersecurity usage; the current adoption issues; how cybersecurity challenges, benefits, and quality affects cloud usage; the adoption perceptions and awareness of key stakeholders and identifying a cloud cybersecurity adoption framework. A quantitative approach was applied with data collected from a simple random sample of students, lecturers, admin and IT staff within the tertiary institutions through structured questionnaires. The results suggested compliance with legal law as a critical driver for cloud cybersecurity adoption. The study also found a lack of physical control of data and harmful activities executed on the internet as challenges hampering the adoption. Prevention of identity fraud and cheaper security costs were identified as benefits of adoption. Respondents found cloud cybersecurity to be accurate and effective, although most of the students and employees have not used it. However, respondents were aware of the value of cybersecurity adoption and perceive for it to be useful and convenient, hence have shown the intention of adopting it. There were no significant elements identified to differentiate the perceptions of usage at rural and urban-based tertiary institutions. The results of the study are to be used for clarifying the cybersecurity aspects of cloud computing and forecasting the suitability cloud cybersecurity within the tertiary institutions. Recommendations were made on how tertiary institutions and management can promote cloud cybersecurity adoption and how students, lecturers, and staff can effectively use cloud cybersecurity. / NRF

Cloud computing adoption

Cloud computing security

Cloud cyber-security framework

005.57071168257

Computer networks -- Security measures.

Security system

Flächennutzungsmonitoring VI

Meinel, Gotthard, Schumacher, Ulrich, Behnisch, Martin

09 September 2015

Das Thema Fläche gewinnt angesichts zunehmender Flächenkonkurrenzen und ambitionierter Flächensparziele an Bedeutung. Ein der Nachhaltigkeit verpflichtetes Flächenmanagement und ein zuverlässiges Flächennutzungsmonitoring sind für die Flächenhaushaltspolitik und die Bewertung der Flächenentwicklung unerlässlich. Doch wie implementiert man ein effizientes Siedlungsflächenmanagement und wie entwickeln sich die dafür notwendigen Geobasisdaten? Darauf neue Antworten aus Wissenschaft und Praxis zu geben ist Ziel der Buchreihe Flächennutzungsmonitoring. Im sechsten Band werden aktuelle Entwicklungen der Flächenhaushaltspolitik, der modellhafte Handel mit Flächenzertifikaten, die Erfassung von Innenentwicklungspotenzialen, Methoden zur Generierung kleinräumiger Daten, Indikatoren zur Beschreibung von Zersiedelung und Biodiversität, der Entwicklungsstand relevanter Geobasisdaten, sowie Methoden der Regional- und Städtestatistik einschließlich Prognosetechniken vorgestellt.

info:eu-repo/classification/ddc/550

ddc:550

info:eu-repo/classification/ddc/710

ddc:710

Zur Erzeugung hochauflösender datenschutzkonformer Mischrasterkarten

Dießelmann, Markus, Meinel, Gotthard

January 2013

Die zunehmende Verfügbarkeit adressbezogener Daten im Zusammenhang mit der Nutzung geometrischer Raster zur Raumuntergliederung haben die Voraussetzungen für kleinräumige Analysen deutlich verbessert. Bei der Verwendung personenbezogener Daten müssen datenschutzrechtliche Vorgaben eingehalten werden, falls die Rasterzellen zu wenig Fallzahlen enthalten. Vielfach werden diese Rasterzellen ausgeblendet, wodurch Informationen in der Karte verloren gehen. Eine datenschutzkonforme Alternative stellt die Aggregation von Rasterzellen dar, bis die Fallzahlen einen vorgegebenen Grenzwert überschreiten. In diesem Beitrag werden Möglichkeiten vorgestellt und bewertet, nach denen sich datenschutzkonforme Mischrasterkarten erzeugen lassen. Besonderes Augenmerk wird auf die Auflösungsverluste der erzeugten Mischrasterkarten gelegt, um geeignete Datengrundlagen für kleinräumige Analysen zu schaffen.

info:eu-repo/classification/ddc/004

ddc:004

info:eu-repo/classification/ddc/550

ddc:550

info:eu-repo/classification/ddc/711

ddc:711

Geodaten

Mise en oeuvre d’une approche sociotechnique de la vie privée pour les systèmes de paiement et de recommandation en ligne

EL Haddad, Ghada

12 1900

Depuis ses fondements, le domaine de l’Interaction Homme-Machine (IHM) est marqué par le souci constant de concevoir et de produire des systèmes numériques utiles et utilisables, c’est-à-dire adaptés aux utilisateurs dans leur contexte. Vu le développement exponentiel des recherches dans les IHM, deux états des lieux s’imposent dans les environnements en ligne : le concept de confiance et le comportement de l’usager. Ces deux états ne cessent de proliférer dans la plupart des solutions conçues et sont à la croisée des travaux dans les interfaces de paiements en ligne et dans les systèmes de recommandation. Devant les progrès des solutions conçues, l’objectif de cette recherche réside dans le fait de mieux comprendre les différents enjeux dans ces deux domaines, apporter des améliorations et proposer de nouvelles solutions adéquates aux usagers en matière de perception et de comportement en ligne. Outre l’état de l’art et les problématiques, ce travail est divisé en cinq parties principales, chacune contribue à mieux enrichir l’expérience de l’usager en ligne en matière de paiement et recommandations en ligne : • Analyse des multi-craintes en ligne : nous analysons les différents facteurs des sites de commerce électronique qui influent directement sur le comportement des consommateurs en matière de prise de décision et de craintes en ligne. Nous élaborons une méthodologie pour mesurer avec précision le moment où surviennent la question de la confidentialité, les perceptions en ligne et les craintes de divulgation et de pertes financières. • Intégration de personnalisation, contrôle et paiement conditionnel : nous proposons une nouvelle plateforme de paiement en ligne qui supporte à la fois la personnalisation et les paiements multiples et conditionnels, tout en préservant la vie privée du détenteur de carte. • Exploration de l’interaction des usagers en ligne versus la sensibilisation à la cybersécurité : nous relatons une expérience de magasinage en ligne qui met en relief la perception du risque de cybercriminalité dans les activités en ligne et le comportement des utilisateurs lié à leur préoccupation en matière de confidentialité. • Équilibre entre utilité des données et vie privée : nous proposons un modèle de préservation de vie privée basé sur l’algorithme « k-means » et sur le modèle « k-coRating » afin de soutenir l’utilité des données dans les recommandations en ligne tout en préservant la vie privée des usagers. • Métrique de stabilité des préférences des utilisateurs : nous ciblons une meilleure méthode de recommandation qui respecte le changement des préférences des usagers par l’intermédiaire d’un réseau neural. Ce qui constitue une amélioration à la fois efficace et performante pour les systèmes de recommandation. Cette thèse porte essentiellement sur quatre aspects majeurs liés : 1) aux plateformes des paiements en ligne, 2) au comportement de l’usager dans les transactions de paiement en ligne (prise de décision, multi-craintes, cybersécurité, perception du risque), 3) à la stabilité de ses préférences dans les recommandations en ligne, 4) à l’équilibre entre vie privée et utilité des données en ligne pour les systèmes de recommandation. / Technologies in Human-Machine Interaction (HMI) are playing a vital role across the entire production process to design and deliver advanced digital systems. Given the exponential development of research in this field, two concepts are largely addressed to increase performance and efficiency of online environments: trust and user behavior. These two extents continue to proliferate in most designed solutions and are increasingly enriched by continuous investments in online payments and recommender systems. Along with the trend of digitalization, the objective of this research is to gain a better understanding of the various challenges in these two areas, make improvements and propose solutions more convenient to the users in terms of online perception and user behavior. In addition to the state of the art and challenges, this work is divided into five main parts, each one contributes to better enrich the online user experience in both online payments and system recommendations: • Online customer fears: We analyze different components of the website that may affect customer behavior in decision-making and online fears. We focus on customer perceptions regarding privacy violations and financial loss. We examine the influence on trust and payment security perception as well as their joint effect on three fundamentally important customers’ aspects: confidentiality, privacy concerns and financial fear perception. • Personalization, control and conditional payment: we propose a new online payment platform that supports both personalization and conditional multi-payments, while preserving the privacy of the cardholder. • Exploring user behavior and cybersecurity knowledge: we design a new website to conduct an experimental study in online shopping. The results highlight the impact of user’s perception in cybersecurity and privacy concerns on his online behavior when dealing with shopping activities. • Balance between data utility and user privacy: we propose a privacy-preserving method based on the “k-means” algorithm and the “k-coRating” model to support the utility of data in online recommendations while preserving user’s privacy. • User interest constancy metric: we propose a neural network to predict the user’s interests in recommender systems. Our aim is to provide an efficient method that respects the constancy and variations in user preferences. In this thesis, we focus on four major contributions related to: 1) online payment platforms, 2) user behavior in online payments regarding decision making, multi-fears and cyber security 3) user interest constancy in online recommendations, 4) balance between privacy and utility of online data in recommender systems.

Vie privée

Paiements en ligne

Protocole

Protection des données

Contrôle

Système de recommandation

Cyber sécurité

Filtrage collaboratif

Privacy

Online payment

Payment protocol

Data protection

Data control

Recommender system

Cybersecurity

Collaborative filtering

Der Videocampus Sachsen - strategische Potentiale und juristische Rahmenbedingungen

Lauber-Rönsberg, Anne, Bergert, Aline, Hartlaub, Anneliese

26 August 2016

Der Videocampus Sachsen (VCS) ist eines von fünf strategischen Handlungsfeldern der Landesinitiative Bildungsportal Sachsen (vgl. AKeL 2015, S. 2). Es handelt sich um ein ebenen- und fachbereichsübergreifendes Verbundprojekt von acht sächsischen Hochschulen zum Aufbau/Betrieb einer gemeinsamen Videoplattform. Gefördert durch das SMWK entsteht aktuell eine Machbarkeitsstudie, die u.a. aktuelle Nutzungsbedarfe, technische Möglichkeiten, Geschäftsmodelle wie auch didaktische Potentiale in den Blick nimmt. Im Beitrag werden Idee, Notwendigkeit und Nutzenerwartung des VCS ausgeführt. Ein Schwerpunkt liegt auf der Integration medienrechtlicher Überlegungen. Es werden einerseits exemplarisch die Ergebnisse der juristischen Expertise vorgestellt, andererseits anhand konkreter Einsatzszenarien sogenannte rechtliche Fallstricke identifiziert und diskutiert.

info:eu-repo/classification/ddc/370

ddc:370

Analysis of Customer Personal Data Processing in a Swedish Public Transport Organization

Jovic, Katarina

January 2020

Purpose: The purpose of this research is to analyze the current routine for processing customers’ personal data in a Swedish public transport organization and advise on improvements that might be made to better comply with GDPR. Methodology: A qualitative study of personal data (as defined in the GDPR) based on five telephone interviews. The interviews were held in Swedish, then transcribed and finally translated to English for analysis. Literature perspectives: A research (neutral) perspective of the implementation regarding the General Data Protection Regulation (GDPR) within an organization. It is reported that GDPR tend to increase the tension in an organization. Some organizations expect GDPR will increase the annual budget and believe the business strategy will be changed. Findings: The organization is interested to clearly implement the regulation to their best interest they can. The organization see the centralization of customers’ data as a positive outcome and want to continue with IT-support for the GDPR process to get automated. The organization expresses they want to create a good relationship with their customers and be clear with the purpose of data collection. Conclusions: The research suggests that the organization should invest in IT support, help guiding the employees to understand the purpose of GDPR and produce staff guidelines. The staff guidelines should cover most of the issues that may occur during daily routines. However, if any anomalies occur regarding GDPR, the data processor should act as a guide to the employee. / Syfte: Syftet med kandidatuppsatsen är att analysera den nuvarande processen för bearbetning av kunders personuppgifter i en svensk kollektivtrafikorganisation samt ge förbättringsråd angående saker som kan förbättras för att bättre följa GDPR. Metod: En kvalitativ studie som handlar om personuppgifter (enligt definitionen i GDPR); baserat på fem telefonintervjuer. Intervjuerna hölls på svenska, transkriberades och översattes sedan till engelska för en analys. Teoretiska perspektiv: Ett forsknings- (objektivt) perspektiv på implementeringen av den allmänna dataskyddsförordningen (GDPR) inom en organisation. Det rapporteras att GDPR tenderar att öka stressen i en organisation. Vissa organisationer förväntar sig att GDPR kommer öka den årliga utgiften för databehandling samt tror att deras affärsstrategi kommer förändras. Resultat: Region Värmland Kollektivtrafik är intresserade av att genomföra GDPR förordningen i högsta grad. Organisationen ser centraliseringen av kundens personliga data som ett positivt resultat och vill fortsätta med IT-stöd för GDPR- processen för att den ska kunna bli automatiserad. Organisationen uttrycker att de vill skapa en bra relation med sina kunder och vara tydliga med syftet av datainsamlingen. Slutsatser: Studien antyder att organisationen bör investera i IT-stöd, hjälpa anställda att förstå syftet med GDPR samt ta fram personalriktlinjer. Personalriktlinjerna bör täcka de flesta problem som kan uppstå i de dagliga rutinerna. Om det däremot uppstår några avvikelser gällande GDPR, bör personbiträde fungera som en hjälpande hand för de anställda.

Customer Data

Organization

Process

Public Transport

GDPR Implementation

Personlig Data

Organisation

Process

Kollektivtrafik

GDPR Implementation

Information Systems