31. Information Security Management: A Critical Success Factors Analysis
Tu, Zhiling, 11 1900
Information security has been a crucial strategic issue in organizational management. Information security management (ISM) is a systematic process of effectively coping with information security threats and risks in an organization, through the application of a suitable range of physical, technical or operational security controls, to protect information assets and achieve business goals. There is a strong need for rigorous qualitative and quantitative empirical studies in the field of organizational information security management in order to better understand how to optimize the ISM process.
Applying the critical success factors approach, this study builds a theoretical model to investigate the main factors that contribute to ISM success. The following tasks were carried out: (1) identify critical success factors of ISM performance; (2) build an ISM success model and develop related hypotheses; (3) develop construct measures for critical success factors and ISM performance evaluations; (4) collect data from the industry through interviews and surveys; and (5) empirically verify the model through quantitative analysis.
The proposed theoretical model was empirically tested with data collected from a survey of managers who were presently involved with decision making regarding their company's information security (N=219). Overall, the theoretical model was successful in capturing the main antecedents of ISM performance. The results suggest that with business alignment, organizational support, IT competences, and organizational awareness of security risks and controls, information security controls can be effectively developed, resulting in successful information security management.
This study contributes to the advancement of the information security management literature by (1) proposing a theoretical model to examine the effects of critical organizational success factors on the organization's ISM performance, (2) empirically validating this proposed model, (3) developing and validating an ISM performance construct, and (4) reviewing the most influential information security management standards and trying to validate some basic guidelines of these standards.
Thesis / Doctor of Philosophy (PhD)
This thesis addresses three research questions: (1) How to measure ISM performance? (2) What are the critical factors that must be present to make ISM effective? And (3) how do these factors contribute to the success of ISM?
To the best of the researcher's knowledge, this is the first known study to empirically investigate the most important factors for ISM success and their impact on ISM performance.
32. Towards a Holistic and Comparative Analysis of the Free Content Web: Security, Privacy, and Performance
Alabduljabbar, Abdulrahman, 01 January 2023
Free content websites that provide free books, music, games, movies, etc., have existed on the Internet for many years. While it is a common belief that such websites might differ from premium websites providing the same content types in terms of their security, a rigorous analysis that supports this belief is lacking from the literature. In particular, it is unclear whether those websites are as safe as their premium counterparts. In this dissertation, we set out to investigate the similarities and differences between free content and premium websites, including their risk profiles. Moreover, we analyze and quantify through measurements the potential vulnerability of free content websites. For this purpose, we compiled a dataset of free content websites offering books, games, movies, music, and software. For comparison purposes, we also sampled a dataset of premium content websites, where users need to pay to use the service for the same type of content. For our modality of analysis, we use the SSL certificate's public information, HTTP header information, reported privacy and data sharing practices, top-level domain information, and website files and loaded scripts. The analysis is not straightforward, and en route we address various challenges, including labeling and annotation, privacy policy understanding through a highly accurate pre-trained language model using an advanced ensemble-based classification technique at the sentence and paragraph level, and data augmentation through various sources. This dissertation delivers various significant findings and conclusions concerning the security of free content websites. Our findings raise several concerns, including that the reported privacy policies may not reflect the data collection practices used by service providers, and that there are pronounced biases across privacy policy categories.
Overall, our study highlights that while there are no explicit costs associated with those websites, the cost is often implicit, in the form of compromised security and privacy.
33. Security Breach Disclosure
Lee, Yao-Tien, 11 1900
Security breach disclosure is the public disclosure of information regarding a data security incident. It allows organizations to communicate salient information to the affected parties and stakeholders regarding the nature and impact of the breach, and remediating solutions undertaken regarding the breach. Recent cases of large-scale security breaches have revealed that security breach disclosure remains a challenging subject for policymakers, practitioners, and researchers. There is a lack of understanding and consensus on what breaches need to be disclosed and little evidence on how actual practices are employed.
Using an adapted grounded theory methodology that combines computerized textual extraction and grounded theory coding techniques, this study explores relevant issues through four research questions with distinct objectives that enhance understanding of the issues in public breach disclosure. First, recent regulations from the US, EU, and Canada are reviewed to identify the core elements in breach disclosure. Second, this study develops methods to extract information content from disclosures. Third, matrices and measuring instruments are developed to evaluate disclosure quality, and last, a framework is proposed to map out the paths and directions for future research. These advancements lay the crucial groundwork in the field of security breach disclosure and will contribute greatly towards future policies, practice, and research.
The expected societal significance of this research is profound. The research is relevant to practitioners, regulators, and the information security community as it provides valuable insight on current challenges and future directions. The ultimate goal is to strengthen our understanding of security breach disclosure and enhance the accumulation and transfer of knowledge obtained through security breach disclosure, thereby providing organizations, regulators, and the information security community with the information necessary to develop policies, tools, and controls for identifying, managing, and reducing the risks of future security incidents. The proposed core elements, methods of extracting relevant information content, quality evaluation matrices, and framework mark a significant advancement towards this vision.
Thesis / Doctor of Philosophy (PhD)
Recent security breaches at Equifax, Yahoo, and Uber have raised attention from the public and regulators on the issues of public disclosure of security incidents. However, the lack of understanding and research in security breach disclosures has hampered our ability to define what needs to be disclosed, to understand what is actually disclosed, and to determine how well incidents are disclosed. These issues are urgent and important and thus warrant considerable effort to carefully examine the current landscape of policy and practice, and to provide methods to evaluate disclosures so that meaningful advances in research and improvements in practice can be made. This study recommends a set of core elements in disclosure, develops methods to extract information from disclosures, establishes ways to evaluate quality, and proposes a framework that maps out future research. These are important advancements in the study of security breach disclosure and will contribute greatly towards future policies, practice, and research.
34. CLOSUREX: Transforming Source Code for Correct Persistent Fuzzing
Ranjan, Rishi, 29 May 2024
Fuzzing is a popular technique which has been adopted for automated vulnerability research for software hardening.
Research reveals that increasing fuzzing throughput directly increases bug discovery rate.
Given fuzzing revolves around executing a large number of test cases, test case execution rate is the dominant component of overall fuzzing throughput.
To increase test case execution rate, researchers provide techniques that reduce the amount of time spent performing work that is independent of specific test case data.
The highest performance approach is persistent fuzzing, which reuses a single process for all test cases by looping back to the start instead of exiting.
This eliminates all process initialization and tear-down costs.
Unfortunately, persistent fuzzing leads to semantically inconsistent program states because process state changes from one test case remain in place for subsequent test cases.
This semantic inconsistency results in both missed crashes and false crashes, undermining fuzzing effectiveness.
I observe that existing fuzzing execution mechanisms exist on a continuum, based on the amount of state that gets discarded and restored between test cases.
I present a fuzzing execution mechanism that sits at a new spot on this state restoration continuum, where only test-case-execution-specific state is reset.
This fine-grain state restoration provides near-persistent performance with the correctness of heavyweight state restoration.
I construct CLOSUREX as a set of LLVM compiler passes that integrate with AFL++.
Our evaluation on ten popular open-source fuzzing targets shows that CLOSUREX maintains semantic correctness while increasing test case execution rate by over 3.5x on average compared to AFL++.
CLOSUREX also finds bugs more consistently and 1.9x faster than AFL++, with CLOSUREX discovering 15 0-day bugs (4 CVEs).
Master of Science
Fuzzing is a technique of automated vulnerability research that tries to find bugs in programs by generating randomised inputs and feeding them to the program under test. It then monitors the program execution to identify any crashing inputs, which can later be triaged by a human in order to concretely identify bugs and perform root-cause analysis. In this work, I introduce a new program state restoration technique to achieve correctness in persistent mode, the fastest execution mechanism in fuzzing.
35. Discovering Vulnerabilities and Designing Trustworthy Defenses in IoT Systems and Devices
Pearson, Bryan, 01 January 2023
The Internet of Things (IoT) dominates many functions in the modern world, from sensing and reporting temperature, humidity, and air quality, to controlling and automating homes, commercial buildings, and equipment. However, IoT systems have received scrutiny in recent years due to countless security incidents, which can have physical and even deadly consequences. This research provides a comprehensive assessment of the security of IoT systems and devices, including low-cost microcontroller (MCU) based sensors, cloud services, and Building Automation Systems (BAS). We begin by exploring the current landscape of vulnerabilities and defenses in modern IoT applications. We show that many security needs can be satisfied by modern low-cost MCUs. We discuss how to implement crucial security features in IoT and illustrate use cases through ESP32 MCUs. Next, we investigate vulnerabilities in popular IoT systems and devices. We present a systematic attack model against Message Queuing Telemetry Transport (MQTT) software implementations. We design, implement, and evaluate a fuzz testing framework for MQTT using Markov chain modeling to rigorously exhaust the protocol and identify vulnerabilities. We then demonstrate the plausibility of well-known software attacks on IoT devices. These attacks can be used to remotely steal private keys that are hard-coded in the firmware. We also expand our fuzzing research to Building Automation Systems (BAS) devices and software, which are susceptible to vulnerabilities similar to those of conventional IoT systems and devices. We use dynamic instrumentation and packet analysis to probe the communications between BAS clients and BAS IP interfaces to extract an annotated corpus for mutational fuzzing. Our fuzzer discovered vulnerabilities in various KNX and BACnet devices and software. After exploring these attacks, we discuss how to protect sensitive data in IoT applications using crypto coprocessors.
We present a framework for secure key provisioning that protects end users' private keys from software attacks and untrustworthy manufacturers.
36. Enhancing information security in organisations in Qatar
Al-Hamar, Aisha, January 2018
Due to the universal use of technology and its pervasive connection to the world, organisations have become more exposed to frequent and varied threats. Therefore, organisations today are giving more attention to information security as it has become a vital and challenging issue. Many researchers have noted that the significance of information security, particularly information security policies and awareness, is growing due to the increasing use of IT and computerisation. In the last 15 years, the State of Qatar has witnessed remarkable growth and development of its civilisation, having embraced information technology as a base for innovation and success. The country has undergone tremendous improvements in the health care, education and transport sectors. Information technology plays a strategic role in building the country's knowledge-based economy. Due to Qatar's increasing use of the internet and connection to the global environment, it needs to adequately address the global threats arising online. As a result, the scope of this research is to investigate information security in Qatar and in particular the National Information Assurance (NIA) policy. There are many solutions for information security, some technical and some non-technical, such as policies and making users aware of the dangers. This research focusses on enhancing information security through non-technical solutions. The aim of this research is to improve Qatari organisations' information security processes by developing a comprehensive Information Security Management framework that is applicable to implementation of the NIA policy, taking into account Qatar's culture and environment. To achieve the aim of this research, different research methodologies, strategies and data collection methods are used, such as a literature review, surveys, interviews and case studies.
The main findings of this research are that there is insufficient information security awareness in organisations in Qatar and a lack of a security culture, and that the current NIA policy has many barriers that need to be addressed. The barriers include a lack of information security awareness, a lack of dedicated information security staff, and a lack of a security culture. These barriers are addressed by the proposed information security management framework, which is based on four strategic goals: empowering Qataris in the field of information security, enhancing information security awareness and culture, activating the Qatar National Information Assurance policy in real life, and enabling Qatar to become a regional leader in information security. The research also provides an information security awareness programme for employees and university students. At the time of writing this thesis, there are already indications that the research will have a positive impact on information security in Qatar. A significant example is that the information security awareness programme for employees has been approved for implementation at the Ministry of Administrative Development Labour and Social Affairs (ADLSA) in Qatar. In addition, the recommendations proposed have been communicated to the responsible organisations in Qatar, and the author has been informed that each organisation has decided to act upon the recommendations made.
37. ISM: Irrelevant Soporific Measures - Giving Information Security Management back its groove using sociomateriality
Kanane, Aahd; Grundstrom, Casandra, January 2015
Information security management is now a major concern for any organization regardless of its type, size, or field of activity. Having an information security system that ensures the availability, the confidentiality, and the integrity of information is no longer an option but a necessity. Information security management identifies difficulties with user behaviour and compliance that are centred around policies, perceptions, and practices. In order to address how they affect information security management, these three issues are holistically explored using a sociomaterial framework to engage the understanding of human and non-human components. A case study of a university in Sweden was conducted, and it was found that despite the sophistication of the IT system, human behaviours are a pertinent component of information security management, and not one that can be ignored.
38. A model for monitoring end-user security policy compliance
Alotaibi, Mutlaq, January 2017
Organisations increasingly perceive their employees as a great asset that needs to be cared for; however, at the same time, they view employees as one of the biggest potential threats to their cyber security. Organisations repeatedly suffer harm from employees who are not obeying or complying with their information security policies. Non-compliant behaviour of an employee, whether unintentional or intentional, poses a real threat to an organisation's information security. As such, more thought is needed on how to encourage employees to be security compliant and more in line with the security policy of their organisation. Based on the above, this study proposes a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users' behaviour with respect to an information security policy. The proposed approach is based on two main concepts: a taxonomy of response strategies to non-compliant behaviour, and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. A prototype system has been developed to simulate the proposed model in order to provide a clear picture of its functionality and how it is meant to work. It was therefore developed to work as a system that responds to the behaviour of users (whether violation or compliance) in relation to the information security policies of their organisations. After designing the proposed model and simulating it using the prototype system, the model was evaluated by interviewing experts with different backgrounds from the academic and industry sectors.
The interviewed experts agreed that the identified research problem is a real problem that needs to be researched and for which solutions need to be devised. It can also be stated that the overall feedback of the interviewed experts about the proposed model was very encouraging and positive. The expert participants thought that the proposed model addresses the research gap and offers a novel approach for managing information security policies.
39. Vulnerability Analysis of Multi-Factor Authentication Protocols
Garrett, Keith, 01 January 2016
In this thesis, the author hypothesizes that the use of computationally intensive mathematical operations in password authentication protocols can lead to security vulnerabilities in those protocols. In order to test this hypothesis:
1. A generalized algorithm for cryptanalysis was formulated to perform a clogging attack (a form of denial of service) on protocols that use computationally intensive modular exponentiation to guarantee security.
2. This technique was then applied to cryptanalyze four recent password authentication protocols, to determine their susceptibility to the clogging attack.
The protocols analyzed in this thesis differ in their usage of factors (smart cards, memory drives, etc.) or their method of communication (encryption, nonces, timestamps, etc.). Their similarity lies in their use of computationally intensive modular exponentiation as a medium of authentication. It is concluded that the strengths of all the protocols studied in this thesis can be combined to make each of the protocols secure from the clogging attack. The conclusion is supported by designing countermeasures for each protocol against the clogging attack.
40. An Exploratory Study of the Approach to Bring Your Own Device (BYOD) in Assuring Information Security
Santee, Coleen D., 01 January 2017
The availability of smart device capabilities, easy-to-use apps, and collaborative capabilities has increased the expectations for the technology experience of employees. In addition, enterprises are adopting SaaS cloud-based systems that employees can access anytime, anywhere, using their personal mobile devices. BYOD could drive an IT evolution towards powerful device capabilities and easy-to-use apps, but only if the information security concerns can be addressed. This research set out to determine the acceptance rate of BYOD in organizations, the decision-making approach, and the significant factors that led to the successful adoption of BYOD, using the expertise of experienced internal control professionals. The approach and factors leading to the decision to permit the use of BYOD were identified through a survey, which was distributed to approximately 5,000 members of the Institute for Internal Controls (IIC). The survey participation request was opened by 1,688 potential respondents, and 663 total responses were received, for a response rate of 39%. Internal control professionals were targeted by this study to ensure that a diverse population of organizations that have implemented or considered implementation of a BYOD program was included. This study provided an understanding of how widely the use of BYOD was permitted in organizations and identified effective approaches that were used in making the decision. In addition, the research identified the factors that were influential in the decision-making process. This study also explored the new information security risks introduced by BYOD. The research argued that there were several new risks in the areas of access, compliance, compromise, data protection, and control that affect a company's willingness to support BYOD.
This study identified new information security concerns and risks associated with BYOD and suggested new elements of governance, risk management, and control systems that were necessary to ensure a secure BYOD program. Based on the initial research findings, future research areas were suggested.