Information Security Culture and Threat Perception : Comprehension and awareness of latent threats in organisational settings concerned with information security

Lambe, Erik

January 2018

A new challenge for organisations in the 21st century is how they should ensure information security in a time and environment where the widespread use of Information Communication Technologies (ICTs), such as smartphones, means that information has been made vulnerable in numerous new ways. Recent research on information security has focused on information security culture and how to successfully communicate security standards within an organisation. This study aims to examine how latent threats to information security are conceptualised and examined within an organisation in which information security is important. Since threats posed by ICTs are said to be latent, this study wishes to explore in what ways an inclusion of threat conceptualisation can have in understanding what constitutes an efficacious information security culture when the intention is to ensure information security. The study focuses on the Swedish armed forces, and compare how threats to information security posed by interaction with private ICTs are communicated in information security policies and how they are conceptualised by the members of the organisation. Through interviews conducted with service members, the findings of this study indicate that it is possible to successfully communicate the contents of information security policies without mandating the members of the organisation to read the sources themselves. Furthermore, the study identified a feature of information security culture, in this paper called supererogatory vigilance to threats to information security, which might be of interest for future studies in this area, since it offers adaptive protection to new threats to information security that goes beyond what the established sources protects against.

Information security

information security culture

information security policy

administration

policy implementation

latent threats

ICT

dynamic frame analysis

Political Science

Statsvetenskap

A simplified ISMS : Investigating how an ISMS for a smaller organization can be implemented

Asp Sandin, Agnes

January 2021

Over the past year, cyber threats have been growing tremendously, which has led to an essential need to strengthen the organization's security. One way of strengthening security is to implement an information security management system (ISMS). Although an ISMS will help improve the information security work within the business, organizations struggle with its implementation, and significantly smaller organizations. That results in smaller organization's information being potentially less protected.This thesis investigates how an ISMS based on MSB can be simplified to make it suitable for a small organization to implement. This thesis aims to open for further research about how it can be simplified and if it has a value of doing it.The study is based on a qualitative approach where semi-structured interviews with experts were conducted. This thesis concludes that it is possible to simplify an ISMS based on MSB for a small organization by removing external analysis, information classification, information classification model, continuity management for information assets, and incident management. In addition, the study provides tips on what a small organization should think about before and during implementation.

Information security management system

ISMS

Information security

ISO/IEC 27001

Simplify

ISO/IEC 27000

MSB

Computer Sciences

Datavetenskap (datalogi)

Mitigating information manipulation

Xing, Xinyu

07 January 2016

The advent of information services introduces many advantages, for example, in trade, production and services. While making important descisons today, people increasingly rely on the information gleaned from such services. Presumably, as such, information from these services has become a target of manipulation. During the past decade, we have already observed many forms of information manipulation that misrepresents or alters reality. Some popular manipulation -- we have ever witnessed on the Internet -- include using black hat SEO techniques to drive up the ranking of a disreputable business, creating disinformative campaigns to conceal political dissidence, and employing less-than-honest product assessments to paint a rosy picture for inferior wares. Today, emerging web services and technologies greatly facilitated and enhanced people's lives. However, these innovations also enrich the arsenal of manipulators. The sheer amount of online information available today can threaten to overwhelm any user. To help ensure that users do not drown in the flood of information, modern web services are increasing relying upon personalization to improve the quality of their customers' experience. At the same time, personalization also represents new ammunition for all manipulators seeking to steer user eyeballs, regardless of their intents. In this thesis, I demonstrate a new unforeseen manipulation that exploits the mechanisms and algorithms underlying personalization. To undermine the effect of such manipulation, this thesis also introduces two effective, efficient mitigation strategies that can be applied to a number of personalization services. In addition to aforementioned personalization, increasingly prevalent browser extensions augment the ability to distort online information. In this thesis, I unveil an overlooked but widespread manipulation phenomenon in which miscreants abuse the privilege of browser extensions to tamper with the online advertisement presented to users. Considering that online advertising business is one of the primary approaches used to monetize free online services and applications available to users, and reckless ad manipulation may significantly roil advertising ecosystem, this thesis scrutinizes the potential effect of ad manipulation, and develops a technical approach to detect those browser extensions that falsify the ads presented to end users. Although the thesis merely discusses several manipulation examples in the context of the Internet, the findings and technologies presented in this thesis introduce broad impacts. First, my research findings raise Internet users' awareness about pervasive information manipulation. Second, the proposed technologies help users alleviate the pernicious effects of existing information manipulation. Finally, accompanying the findings and technologies is publicly available open-source software and tools that will help an increasing number of users battle against the growing threat of information manipulation.

Information manipulation

Information security

Personalization systems

Web browser

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh

30 November 2005

With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)

Adherence to established standards

Information security framework

Information security policy

Information security practices

Security standards

Compliance

Information security risk

Procedures

005.8096982

Information policy -- Mauritius

Electronic patient record security policy in Saudi Arabia National Health Service

Aldajani, Mouhamad

January 2012

Saudi Arabia is in the process of implementing Electronic Patient Records (EPR) throughout its National Health services. One of the key challenges during the adoption process is the security of EPR. This thesis investigates the current state of EPR security in Saudi Arabia’s National Health Services (SA NHS) both from a policy perspective and with regard to its implementation in SA NHS’s information systems. To facilitate the analysis of EPR security, an EPR model has been developed that captures the information that is stored as part of the electronic record system in conjunction with stated security requirements. This model is used in the analysis of policy consistency and to validate operational reality against stated policies at various levels within the SA NHS. The model is based on a comprehensive literature survey and structured interviews which established the current state of practice with respect to EPRs in a representative Saudi Arabian hospital. The key contribution of this research is the development and evaluation of a structured and model-based analysis approach to EPR security at the early adoption stage in SA, based on types of information present in EPRs and the needs of the users of EPRs. The key findings show that the SA EPR adoption process is currently proceeding without serious consideration for security policy to protect EPR and a lack of awareness amongst hospital staff.

600

A framework for usable and secure system design

Faily, Shamal

January 2011

Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. The research problem this thesis addresses is how techniques and tools can be integrated and improved to support the design of usable and secure systems. To develop this understanding, we present IRIS (Integrating Requirements and Information Security) --- a framework for specifying usable and secure systems. IRIS considers the system design process from three different perspectives --- Usability, Security, and Requirements --- and guides the selection of techniques towards integrative Security, Usability, and Requirements Engineering processes. This thesis claims that IRIS is an exemplar for integrating existing techniques and tools towards the design of usable and secure systems. In particular, IRIS makes three significant contributions towards the stated research problem. First, a conceptual model for usable secure Requirements Engineering is presented, upon which the IRIS framework is founded; this meta-model informs changes to elicitation and specification techniques for improved interoperability in the design process. Second, several characteristics of tool-support needed to elicit and specify usable and secure systems are introduced; the CAIRIS (Computer Aided Integration of Requirements and Information Security) software tool is presented to illustrate how these characteristics can be embodied. Third, we describe how the results of applying IRIS can be used to improve the design of existing User-Centered Design techniques for secure systems design. We validate the thesis by applying the IRIS framework to three case studies. In the first, IRIS is used to specify requirements for a software repository used by a UK water company. In the second, IRIS is used to specify security requirements for a meta-data repository supporting the sharing of medical research data. In the final case study, IRIS is used to analyse a proposed security policy at a UK water company, and identify missing policy requirements. In each case study, IRIS is applied within the context of an Action Research intervention, where findings and lessons from one case study are fed into the action plan of the next.

005.3

Managing near field communication (NFC) payment applications through cloud computing

Pourghomi, Pardis

January 2014

The Near Field Communication (NFC) technology is a short-range radio communication channel which enables users to exchange data between devices. NFC provides a contactless technology for data transmission between smart phones, Personal Computers (PCs), Personal Digital Assistants (PDAs) and such devices. It enables the mobile phone to act as identification and a credit card for customers. However, the NFC chip can act as a reader as well as a card, and also be used to design symmetric protocols. Having several parties involved in NFC ecosystem and not having a common standard affects the security of this technology where all the parties are claiming to have access to client’s information (e.g. bank account details). The dynamic relationships of the parties in an NFC transaction process make them partners in a way that sometimes they share their access permissions on the applications that are running in the service environment. These parties can only access their part of involvement as they are not fully aware of each other’s rights and access permissions. The lack of knowledge between involved parties makes the management and ownership of the NFC ecosystem very puzzling. To solve this issue, a security module that is called Secure Element (SE) is designed to be the base of the security for NFC. However, there are still some security issues with SE personalization, management, ownership and architecture that can be exploitable by attackers and delay the adaption of NFC payment technology. Reorganizing and describing what is required for the success of this technology have motivated us to extend the current NFC ecosystem models to accelerate the development of this business area. One of the technologies that can be used to ensure secure NFC transactions is cloud computing which offers wide range advantages compared to the use of SE as a single entity in an NFC enabled mobile phone. We believe cloud computing can solve many issues in regards to NFC application management. Therefore, in the first contribution of part of this thesis we propose a new payment model called “NFC Cloud Wallet". This model demonstrates a reliable structure of an NFC ecosystem which satisfies the requirements of an NFC payment during the development process in a systematic, manageable, and effective way.

004.1675

A Distributed Security Scheme to Secure Data Communication between Class-0 IoT Devices and the Internet

King, James

January 2015

This thesis focuses on securing data exchanged between highly constrained IoT devices and the internet. This thesis builds on existing research by combining elements of different research solutions to create a more secure solution. This solution helps to solve gaps in security left behind by existing solutions through the use of symmetric cryptography in data objects and IoT security gateways which act as intermediaries between devices and the internet. The goal of this research is to provide a security solution for devices which do not have the resources necessary to effectively implement the recommended TLS based protocols for secure communication over the internet. The solution provides confidentiality to data traveling between device and gateway while also providing confidentiality, integrity and authenticity to data traveling across the internet. The solution works by delegating demanding security processes to an IoT security gateway which securely processes communications to and from the internet using HTTPS (SSL/TLS). Security of data being passed between device and gateway is provided with AES symmetric encryption at the Data Link and Data Object layers. The performance of the solution is measured by timing the security process of the IoT device while also measuring the resource requirements of applying the solution to the device. / <p>Validerat; 20150622 (global_studentproject_submitter)</p>

Technology

Information Security

Internet of Things

Constrained Devices

IoT

Teknik

Assessment of Web-Based Authentication Methods in the U.S.: Comparing E-Learning Systems to Internet Healthcare Information Systems

Mattord, Herbert J.

01 January 2012

Organizations continue to rely on password-based authentication methods to control access to many Web-based systems. This research study developed a benchmarking instrument intended to assess authentication methods used in Web-based information systems (IS). It developed an Authentication Method System Index (AMSI) to analyze collected data from representative samples of e-learning systems in the U.S. and from healthcare ISs, also in the U.S. This data were used to compare authentication methods used by those systems. The AMSI measured 1) password strength requirements, 2) password usage methods, and 3) password reset requirements. Those measures were combined into the single index that represents the current authentication methods. This study revealed that there is no significant difference in the ways that authentication methods are employed between the two groups of ISs. This research validated the criteria proposed for the AMSI using a panel of experts drawn from industry and academia. Simultaneously, the same panel provided preferences for the relative weight of specific criteria within some measures. The panel of experts also assessed the relative weight of each measure within the AMSI. Once the criteria were verified and the elicited weights were computed, an opportunity sample of Web-based ISs in the two groups identified earlier were assessed to ascertain the values for the criteria that comprise the AMSI. After completion of pre-analysis data screening, the collected data were assessed using the results of the AMSI benchmarking tool. Results of the comparison within and between the two sample groups are presented. This research found that the AMSI can be used as a mechanism to measure some aspects of the authentication methods used by Web-based systems. There was no measurable significance in the differences between the samples groups. However, IS designers, quality assurance teams, and information security practitioners charged with validating ISs methods may choose to use it to measure the effectiveness of such authentication methods. This can enable continuous improvement of authentication methods employed in such Web-based systems.

Authentication

E-learning

Healthcare

Information Security

Security Management

Computer Sciences

An Examination of an Information Security Framework Implementation Based on Agile Values to Achieve Health Insurance Portability and Accountability Act Security Rule Compliance in an Academic Medical Center: The Thomas Jefferson University Case Study

Reis, David W.

01 January 2012

Agile project management is most often examined in relation to software development, while information security frameworks are often examined with respect to certain risk management capabilities rather than in terms of successful implementation approaches. This dissertation extended the study of both Agile project management and information security frameworks by examining the efficacy of implementing a security framework using a nontraditional project management approach. Such an investigation is significant because of the high rate of failed IT projects, gaps in the current security framework implementation literature, and increased regulatory pressure on Health Insurance Portability and Accountability (HIPAA)-covered entities to become compliant with the HIPAA Security Rule. HIPAA-covered entities have struggled to achieve HIPAA compliance since the Act's enforcement date. Specifically, academic medical centers have struggled to achieve and authoritatively document their compliance with the HIPAA Security Rule. To aid HIPAA-covered entities in confirming and documenting their HIPAA Security Rule compliance, the HITRUST Alliance has published the Common Security Framework. Thomas Jefferson University selected the Common Security Framework to help them assess and document their HIPAA Security Rule compliance. However, there is a documented gap in the literature on successful methods for implementing information security-related projects, particularly HIPAA compliance. In this single-case case study, the author examined the implementation of an Information Security Framework based on Agile values. Specifically examined were the values of (a) individuals and interactions over processes and tools; (b) working software over comprehensive documentation; (c) customer collaboration over contract negotiation; and (d) responding to change over following a plan. The results of this investigation indicated that an information security framework implementation based on Agile values is a viable approach for successfully implementing the Common Security Framework at an academic medical center.

Agile

HIPAA

HITRUST

Information Security

Project Management

Computer Sciences