Global ETD Search

1	Extending a Platform for IT-Security Exercises Björn, Johan January 2011 (has links) The Swedish Defence Research Agency, FOI, has developed a platform that is used to train and study IT-security. This platform was used during the cyber Baltic shield, an international cyber security exercise. During the exercise, a number of teams acting as system administrators, tried to secure and defend the system of a fictive power supply company. Another team acted as a terrorist organisation with the goal to compromise the systems of the power supply companies and shut down their power generators. FOI has also developed a security assessment method, named XMASS, which is implemented in a software tool called SANTA. This can be used to model a networked IT-system and get a picture of its current state of security. This thesis aims to integrate the tool, SANTA, with the platform for cyber security exercises to get the ability to visualise a system and analyse its security during an IT-security exercise. The thesis also identifies some problems with XMASS regarding how traffic mediators, for example firewalls, are modelled. A literature review is performed to get a picture of the current state of research on security assessment methods and leads to a proposition of a new model for traffic mediators. IT-Security IT-Security Assessment IT-Security Exercise Traffic Filtering Firewalls Computer and Information Sciences Data- och informationsvetenskap
2	How companies manage IT security : A comparative study of Pakistan and Sweden Qureshi, Mustafa Ali, Khalid, Farhan January 2013 (has links) IT security provides comprehensive picture both internally and externally by act of ensuring that data is not lost when critical issues arise. In spite of the world has now been replaced with an imperative approach. The companies are using widely desktop computers, laptops, ipads, smart phones and workstation. The sum of all this has been influence to the IT based information and communication system in companies. The purpose is to do research by taking a critical look at how different kind of business and non-business companies manage their IT security in Pakistan and Sweden with specific emphasis on the administrative controls. As the IT security has a list of steps but the authors focused on three major functions: IT security policy, IT security plan and IT security risk analysis. As soon as the topic was selected the emphasis was laid on collecting and reading material related to the IT security. It became clear that the most relevant and interesting task was not merely to investigate how different companies in Pakistan and Sweden manage their IT security but infact try to understand what kind of steps and measures lies behind to achieve them. The method was adopted qualitative because it fulfil the requirements which authors want to achieve in the form of deeper understanding how different companies manage IT security in two different countries. This study concluded that Pakistani companies in terms of IT security policy should focus on data ware houses by implementing policies for securing of exploiting the data and in case of Swedish company IT managers should implement policies for securing of personal data. Evaluation techniques are missing from the companies of Pakistan and Sweden in IT security plan. Enhancing the performing of IT risk analysis to countermeasure the threat. Pakistani companies should focus on business model of information asset. In case of Swedish company higher level and more detailed analysis can apply to core areas of the IT system. These proposed points for improvements could also help in more understanding of IT security in Pakistan and Sweden. Information systems IT security IT security Policy IT security Planning Perform IT security risk analysis IT security Bulletin Information Systems
3	IT security : Education, Knowledge and Awareness / IT Säkerhet : utbildning, kunskap och medvetenhet Schiöld, Ellinor, Andersson, Sanna January 2022 (has links) IT systems that contain large volumes of information are today extremely valuable to organizations. As the IT systems grow bigger, more challenges are emerging, vulnerability increases and control decreases. Organizations are using IT security to protect their IT systems from different threats and the human factor can be seen as one of the biggest risks towards IT security. Therefore it is not optimal to only focus on the technical solutions and measures, the focus should also be on the employees IT security knowledge and IT security awareness. To increase the knowledge of IT security and to make the employees more IT security aware requires continuous work and IT security education is often mentioned as a factor to increase IT security- knowledge and awareness. Despite this, challenges are mentioned in previous research, which means that even if an employee participates in an IT security education, the organizations can not take for granted that their employees have gained IT security knowledge or know how to act more security aware. IT security education, IT security knowledge and IT security is mentioned as three factors that can affect IT security. Three research questions were intended to be answered within this research with the purpose to investigate if these factors increase each other. Three hypotheses were also forming the basis for answering the research questions. With a quantitative method and questionnaire this research reached out to 158 employees at different Swedish branches within machine manufacturing, advertising, municipal work and sales industry. Results showed that one of the three hypotheses was accepted and the other two hypotheses were not accepted. This result also gave answers to the research questions regarding that IT security education does not increase IT security knowledge, IT security knowledge does not increase IT security awareness but IT security education increases IT security awareness. IT security IT security education IT security knowledge IT security awareness IT security measures employees insider threats human factor Information Systems
4	How is it possible to calculate IT security effectiveness? Kivimaa, Kristjan January 2022 (has links) In IT Security world, there is lack of available, reliable systems for measuring securitylevels/posture. They lack the range of quantitative measurements and easy and fast deployment,and potentially affects companies of all sizes.Readily available security standards provide qualitative security levels, but not quantitative results– that would be easily comparable. This deficiency makes it hard for companies to evaluate theirsecurity posture accurately. Absence of security metrics makes it complicated for customers toselect the appropriate measures for particular security level needed.The research question for this research project is – “How is it possible to calculate IT securityeffectiveness?”.The aim of this research is to use this reference model to calculate and to optimize majoruniversity’s and a small CSP-s (Cloud Service Provider) security posture and their spending’s onsecurity measures. Aim is to develop a reference model to support IT Security team and businessside to make reasoned and optimal decisions about IT security and all that with a reasonablenumber of manhours.In this Graded Security Expert System (GSES) aka Graded Security Reference Model (GSRM) thequantitative metrics of the graded security approach are used to express the relations betweensecurity goals, security confidence and security costs.What makes this model unique, is the option to use previous customers security templates/models– cutting the implementation time from 500+ manhours to as low as 50 manhours. The firstcustomers 500+ manhours will also be cut down to 50+ manhours on the second yearimplementing the expert system.The Graded Security Reference Model (GSRM) was developed using a combination oftheoretical method and design science research. The model is based on InfoSec (info security)activities and InfoSec spendings from previous year – cost and effectiveness – gathered fromexpert opinionsBy implementing GSRM, user can gather quantitative security levels as no other model, or astandard provides those.GSRM delivers very detailed and accurate (according to university’s IT Security Team)effectiveness levels per spendings brackets.GSRM was created as a graded security reference model on CoCoViLa platform, which is unique asit provides quantitative results corresponding to company’s security posture.Freely available models and standards either provide vague quantitative security postureinformation or are extremely complicated to use – BIS/ISKE (not supported any more).This Graded Security Reference Model has turned theories presented in literature review into afunctional, graphical model.The GSRM was used with detailed data from the 15+k users university and their IT security team(all members have 10+ years of IT security experience) concluded that the model is reasonablysimple to implement/modify, and results are precise and easily understandable. It was alsoobserved that the business side had no problems understanding the results and very fewexplanatory remarks were needed. Security effectiveness IT security Computer Systems Datorsystem
5	Improvement and Scenario-Based Evaluation of the eXtended Method for Assessment of System Security Sundmark, Thomas January 2008 (has links) <p>This master’s thesis consists of a scenario-based evaluation of an IT-security assessment method known as the eXtendedMethod for Assessment of System Security (XMASS), as well as an assessment of a real-world network using the softwareimplementation of this method known as the Security AssessmeNT Application (SANTA).This thesis also describes a number of improvements made to the software implementation, some which could also be addedto the method itself. These were performed during the preparation of the assessment but had no effect on the outcome.The evaluation showed that the method and implementation contained a number of flaws in the way the filtering effect ofthe traffic mediators of a network, such as network-based firewalls, was implemented. When it comes to the assessment ofthe real-world network it was seen that the network, given the supplied information regarding the software and hardwaresetup of its entities, appeared to be sufficiently secure to handle the transmission of data at the lowest classification level(Restricted). However, as with almost all security assessments, this does not mean that the network is guaranteed to besecure enough; it just indicates that, given the information specified, the network has the potential of being sufficientlysecure.The main conclusion of this thesis is that the way XMASS and SANTA calculates the effect of filtering traffic mediatorsshould be looked into and improved to increase the usability of the tool. The method can however still be used in its currentstate, but requires the individual(s) performing the assessment to be aware of the drawbacks of the current implementationand thus compensate for these when producing the input for the assessment method.</p> Combined Endeavor Scenario-Based Evaluation IT Security Assessment Tool IT Security Assessment IT Security Information technology Informationsteknik Other information technology Övrig informationsteknik
6	Improvement and Scenario-Based Evaluation of the eXtended Method for Assessment of System Security Sundmark, Thomas January 2008 (has links) This master’s thesis consists of a scenario-based evaluation of an IT-security assessment method known as the eXtendedMethod for Assessment of System Security (XMASS), as well as an assessment of a real-world network using the softwareimplementation of this method known as the Security AssessmeNT Application (SANTA).This thesis also describes a number of improvements made to the software implementation, some which could also be addedto the method itself. These were performed during the preparation of the assessment but had no effect on the outcome.The evaluation showed that the method and implementation contained a number of flaws in the way the filtering effect ofthe traffic mediators of a network, such as network-based firewalls, was implemented. When it comes to the assessment ofthe real-world network it was seen that the network, given the supplied information regarding the software and hardwaresetup of its entities, appeared to be sufficiently secure to handle the transmission of data at the lowest classification level(Restricted). However, as with almost all security assessments, this does not mean that the network is guaranteed to besecure enough; it just indicates that, given the information specified, the network has the potential of being sufficientlysecure.The main conclusion of this thesis is that the way XMASS and SANTA calculates the effect of filtering traffic mediatorsshould be looked into and improved to increase the usability of the tool. The method can however still be used in its currentstate, but requires the individual(s) performing the assessment to be aware of the drawbacks of the current implementationand thus compensate for these when producing the input for the assessment method. Combined Endeavor Scenario-Based Evaluation IT Security Assessment Tool IT Security Assessment IT Security Computer and Information Sciences Data- och informationsvetenskap Other Computer and Information Science Annan data- och informationsvetenskap
7	IT-Security Investment Models Wolff, Janik January 2010 (has links) No description available. IT security investment model ROSI network management administration
8	IT-Security Investment Models Wolff, Janik January 2010 (has links) No description available. IT security investment model ROSI network management administration
9	Mathematical foundation needed for development of IT security metrics Bengtsson, Mattias January 2007 (has links) <p>IT security metrics are used to achieve an IT security assessment of certain parts of the IT security environment. There is neither a consensus of the definition of an IT security metric nor a natural scale type of the IT security. This makes the interpretation of the IT security difficult. To accomplish a comprehensive IT security assessment one must aggregate the IT security values to compounded values.</p><p>When developing IT security metrics it is important that permissible mathematical operations are made so that the information are maintained all the way through the metric. There is a need for a sound mathematical foundation for this matter.</p><p>The main results produced by the efforts in this thesis are:</p><p>• Identification of activities needed for IT security assessment when using IT security metrics.</p><p>• A method for selecting a set of security metrics in respect to goals and criteria, which also is used to</p><p>• Aggregate security values generated from a set of security metrics to compounded higher level security values.</p><p>• A mathematical foundation needed for development of security metrics.</p> IT security metrics mathematics aggregation interpretation assessment Information technology Informationsteknologi
10	Design and Implementation of an Environment to Support Development of Methods for Security Assessment Bengtsson, Johan, Brinck, Peter January 2008 (has links) <p>There is no debate over the importance of IT security. Equally important is the research on security assessment; methods for evaluating the security of IT systems. The Swedish Defense Research Agency has for the last couple of years been conducting research on the area of security assessment. To verify the correctness of these methods, tools are implemented.</p><p>This thesis presents the design and implementation of an environment to support and aid future implementations and evaluations of security assessment methods. The aim of this environment, known as the New Tool Environment, NTE, is to assist the developer by facilitating the more time consuming parts of the implementation. A large part of this thesis is devoted to the development of a database solution, which results in an object/relational data access layer.</p> IT Security Security Assessment Security Assessment Tool Information technology Informationsteknologi

Search results