341.
Decision Making for Information Security Investments. Yeo, M. Lisa. Unknown Date.
No description available.
342.
The Risk Assessment based on international standards, a credibility evaluation: A case study on international standards of Risk Assessment and Management in the Information Security context. Hedian, Daniel; Silva Neto, Gil. January 2015 (has links)
Organizations face risks regardless of the type of industry or government. Historically, risks have been undertaken in various processes and coped with differently by society. An appropriate application of risk management is widely acknowledged as one of the most critical aspects of undertaking business activities across all sectors of society, public and private. To carry out this activity as one of the crucial actions that organizations implement as part of their culture, many standards have been developed at the international level. These standards provide the groundwork for entities to start implementing these processes and to reduce the risk they face with a standardized set of procedures across sectors. Risk assessment faces abundant arguments that cast doubt on the credibility of the standards implemented by different organizations, as no single method or definition is agreed upon across cultural and sectoral barriers. Therefore, the credibility of the standardized assessment is doubted. This study aims to evaluate the credibility of standardized risk assessments with a focus on information security risk assessment standards, in particular ISO 27005 and NIST 800-30, in collaboration with the Swedish Armed Forces. The research adapts the frameworks available in the literature for evaluating the credibility of risk assessments to the international standardized assessment procedure. The credibility of the standards is evaluated against different criteria divided into five categories considered applicable to the standardized risk assessment procedure. Input from experts in organizations currently employing the standards and from academic experts in the field is also utilized. This study uses a qualitative case study approach. The credibility evaluation performance of each international standard is similar; the only category in which NIST 800-30 performs significantly better is the one related to the final Risk Assessment Results (Report).
NIST 800-30 provides a further step in the process, as well as the guidelines and templates needed to develop different parts of the assessment process, including the report, which is considered a best practice of a standardized risk assessment. The findings of the research contradict four criteria of the framework found in the literature, related to what can be learned from past risk assessments, to the wide range of the required scope of a risk assessment, to the relevance of disclosing the composition of the assessment group in the final risk assessment report, and finally to the procedure for finding consensus among stakeholders. The research question "How credible are standardized risk assessments?" provides a holistic understanding of the credibility of the standards previously mentioned, determining that they provide a solid framework for companies to start assessing risks in a regulated and standardized procedure. They overlook the problems embedded in the subjectivity of a risk assessment and the ever-changing (intrinsic and extrinsic) aspects of stakeholder behaviour, lacking a systemic approach to solve these issues, which also include the lack of proper handling of risk uncertainty and the lack of transparency in the final risk assessment report. The study provides a groundwork that can be used to develop future research. It also provides a grounded framework that entities utilizing the standards can use to reflect on the procedures of their risk assessment activities. Keywords: Credibility, risk assessment, risk management, international standards, risk, information security, ISO 27005, NIST 800-30.
343.
Framework for botnet emulation and analysis. Lee, Christopher Patrick. 12 March 2009 (has links)
Criminals use the anonymity and pervasiveness of the Internet to commit fraud, extortion, and theft. Botnets are used as the primary tool for this criminal activity. Botnets allow criminals to accumulate and covertly control multiple Internet-connected computers. They use this network of controlled computers to flood networks with traffic from multiple sources, send spam, spread infection, spy on users, commit click fraud, run adware, and host phishing sites. This presents serious privacy risks and financial burdens to businesses and individuals. Furthermore, all indicators show that the problem is worsening because the research and development cycle of the criminal industry is faster than that of security research.
To enable researchers to measure botnet connection models and counter-measures, a flexible, rapidly augmentable framework for creating test botnets is provided. This botnet framework, written in the Ruby language, enables researchers to run a botnet on a closed network and to rapidly implement new communication, spreading, control, and attack mechanisms for study. This is a significant improvement over augmenting C++ code-bases for the most popular botnets, Agobot and SDBot. Rubot allows researchers to implement new threats and their corresponding defenses before the criminal industry can. The Rubot experiment framework includes models for some of the latest trends in botnet operation such as peer-to-peer based control, fast-flux DNS, and periodic updates.
Our approach implements the key network features from existing botnets and provides the required infrastructure to run the botnet in a closed environment.
344.
Australian Legal Ramifications of Information System and Data Security Compromise: A review of issues, technology and law. Quentin Cregan. Unknown Date (has links)
Computer intrusions and attacks compromise individuals, companies and communities. Whilst it is clear that computer and information security studies point to a generalised increase in the number and sophistication of computer security attacks over the past decade and that nations now entirely rely upon computer systems, insufficient attention is paid to the protection of those systems. Computer data and network systems affect our everyday lives, from the supply-chain software that ensures that the shelves are stocked at the supermarket, to systems that manage finance and share markets. Compromises of computer security are, therefore, rightly seen both as an attack on those individual entities whose systems and information are compromised, and as a communal attack upon the people and organisations that rely upon or use computer systems, both directly and indirectly. The aim of this thesis is to give an analysis of computer system security, information protections and the legal ramifications of computer security compromise, notably, data security compromise in Australia. Ultimately, the aim is to address three overlapping questions: what are the ways in which systems are breached, what are the legal consequences of a breach and are those consequences adequate? This paper looks at the underlying technology and relationships between actors involved in the majority of security compromises and looks at the common factors in how systems and networks are attacked and actors damaged. The paper then goes on to look at criminal liability for security compromises and shows how a criminal analysis feeds into the proper civil law consideration of the topic. Finally, the paper looks at data security through the lens of privacy. Ultimately, this paper concludes that Australia is inconsistent in its legal responses to information security incidents. Such variations are based on the area of law being discussed and dependent on the breach methodology and outcome. 
The criminal law provides the most current and potent legal protection any business or individual has had in this field. This is followed by statutory privacy law which provides a narrow degree of coverage and provides only a weak conciliation process for addressing data security issues. Finally, common law and equity provide the most uncertain commercial remedies for those that suffer data security breach. This paper concludes that present protections are inadequate and uncertain, and that change is required.
345.
The development of an efficient and secure product entitlement system for Pay-TV in modern attack scenarios. Coetzee, Dirk Badenhorst. 03 1900 (has links)
Thesis (MScEng)--Stellenbosch University, 2013. / ENGLISH ABSTRACT: A secure product entitlement system allows one party, such as a pay-TV operator, to broadcast the same collection of information to several receiving parties while only allowing a certain subset of the receiving parties to access the information. This system must still be secure in the scenario where all receiving parties who are not allowed access to the information pool their resources in an attempt to gain access to the information. Such a product entitlement system must also be bandwidth efficient, since it can be deployed in networks where bandwidth is at a premium.

The foundations of modern encryption techniques are reviewed and a survey of existing techniques used to secure content in broadcast environments is studied. From this collection of techniques, two were identified as bandwidth efficient and are discussed in more detail before being implemented.

An attempt is then made to design a new secure, bandwidth efficient encryption scheme for protecting content in a broadcast environment. Several iterations of the design are detailed, including the security flaw which makes each design insecure. The final design was implemented and compared on several metrics to the two previously selected bandwidth efficient schemes. A framework to test the correctness of the schemes over a network is also designed and implemented.

Possible future avenues of research are identified with regard to creating a secure broadcast encryption scheme and improving the software solution in which to use such a scheme. / AFRIKAANSE OPSOMMING (Afrikaans summary, translated): A secure product entitlement system enables one party, such as a pay-TV operator, to broadcast the same collection of information to several parties, while only a certain subset of the receiving parties will be allowed to gain access to the information. This system must still protect the information in the case where all the receiving parties that are denied access pool their resources in an attempt to gain access. Such a product entitlement system must also use bandwidth efficiently, since it may be used in networks where bandwidth is very expensive.

The foundations of modern encryption techniques are reviewed. A survey of existing techniques used to protect information in a broadcast environment is studied. From this collection of techniques, two are identified as bandwidth efficient and are discussed more fully before being implemented.

An attempt is then made to design a new secure, bandwidth efficient encryption technique for protecting information that is broadcast. Several iterations of the design are set out, with a discussion of the security flaw that makes each design insecure. The final design was implemented and compared, by several metrics, with the two bandwidth efficient techniques selected earlier. A framework to test the correctness of the techniques over a network was also designed and implemented.

Possible future directions of research are identified with regard to creating a secure broadcast encryption technique and improving the software solution that uses such a technique.
346.
An integrated intelligent approach to enhance the security control of IT systems: a proactive approach to security control using artificial fuzzy logic to strengthen the authentication process and reduce the risk of phishing. Salem, Omran S. A. January 2012 (has links)
Hacking of information systems is continuously on the increase. Social engineering attacks are performed by manipulating the weakest link in the security chain: people. Consequently, this type of attack has gained a higher rate of success than a technical attack. Based on expert systems, this study proposes a proactive and integrated Intelligent Social Engineering Security Model to mitigate the human risk and reduce the impact of social engineering attacks. Many computer users do not have enough security knowledge to be able to select a strong password for their authentication. The author has attempted to implement a novel quantitative approach to achieve strong passwords. A new fuzzy logic tool is developed to evaluate password strength, measuring it against dictionary attack, time to crack and shoulder-surfing attack (social engineering). A comparative study of existing tools used by major companies such as Microsoft, Google, CertainKey, Yahoo and Facebook is used to validate the proposed model and tool. A comprehensive literature survey and analytical study of phishing emails, representing social engineering attacks that are directly related to financial fraud, are presented and compared with other security threats. This research proposes a novel approach that successfully addresses social engineering attacks. Another intelligent tool is developed to discover phishing messages and provide educational feedback to the user, focusing on the visible part of incoming emails, considering the email's source code and providing in-line security awareness feedback.
347.
Information security management: implementation of the BS7799-2:2002 standard in a financial institution (original title: Gestão de segurança da informação : implementação da Norma BS7799-2:2002 em uma instituição financeira). Lessa, Guilherme Gonçalves. January 2006 (has links)
(Portuguese abstract, translated:) In contemporary society, there is no doubt about the importance, relevance and power that information possesses. In organisations, its strategic importance and the risks associated with it are also growing, as is the need for good Information Management. Certain events of greater consequence, such as those that occurred on 11 September 2001 in the United States of America, presented a new reality related to the need for a system for the adequate preservation of information and to the impact of the integrity of this information on business continuity. From concerns related to this subject, the foundations of Information Security were established. The present research identifies the best practices currently existing for adequate Information Security management in organisations, based on a case study of the process of implementing an Information Security Management System in a small Financial Institution, based on the BS7799-2:2002 standard. At the end of the present work, the generic model resulting from this research is presented, containing the steps and activities necessary for the implementation of an Information Security Management System, the main components to be implemented and some of the main critical success factors of this implementation. / In modern society, there is no doubt about the importance, the relevance or the power that information possesses. Within organizations, its strategic importance and its associated risks are also growing, as is the need for good Information Management. Certain events with more significant consequences, such as those that occurred on September 11, 2001, in the United States of America, have presented a new reality related to the need for an adequate system to preserve information, as well as to the impact of information integrity on business continuity.
From questions concerning this subject, the main points of Information Security were established. The present research identifies the best current practices for adequate Information Security Management in organizations, based on a case study of the implementation process of an Information Security Management System in a small Financial Institution, based on the BS7799-2:2002 standard. At the end of the present work, the generic model that resulted from this research is presented, containing the different steps and activities necessary for implementing an Information Security Management System, the main components to be implemented, and some of the most critical success factors of this implementation.
348.
Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework. Alkahtani, Hend K. January 2018 (has links)
The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all-female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabian universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, are not fully aware of the importance of the security of information. The purpose of this study is to develop a culturally aware information security framework that does involve all types of employees in contributing to the development of information security policy. The framework consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture of Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisation's population, to justify its fit with the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and thereby improve the overall level of information security awareness.
The developed information security framework is a collection of ISO 27K best practice steps, re-ordered, with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregated working environments. A before-assessment methodology was applied, prior to the application of the culturally aware information security policy framework, to two universities, Imam University, which has ISO 27K accreditation, and PNU, the case study, to measure and compare their users' information security awareness level. Then, an after-assessment methodology was used to demonstrate the framework's effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of awareness knowledge gained after its application.
349.
Exploring the conflict of interest between knowledge-sharing and information security practices: an empirical case study. Ahmed, Ghosia. January 2017 (has links)
Knowledge sharing and information security have become well-established concepts in academia and within organisations. Knowledge sharing aims to encourage individuals to share tacit and explicit knowledge with colleagues and stakeholders; information security initiatives, on the other hand, aim to apply controls and restrictions to the knowledge that can be shared and how it can be shared, where the primary focus is usually on protecting explicit knowledge or information. This thesis draws attention to the largely unexplored and under-developed area of knowledge protection; it investigates the paradoxical and concurrent nature of knowledge sharing and information security practices by exploring their relationship and understanding how this can affect an organisation, and subsequently identifies ways of achieving a balance between the two practices. The empirical work was carried out through an interpretivist case study approach in the Energy Technologies Institute (ETI), an organisation that combines knowledge and expertise from partnerships with academia, industry and the UK government in order to deliver innovative low carbon solutions. A novel team-based action learning approach was developed to generate individual, team and organisational learning and to help initiate change; the data was collected from three project teams about their knowledge and experiences of knowledge sharing and information security practices, then analysed and further supplemented with the ETI's organisational perspective and the researcher's own experience of collaborating with the ETI to contextualise the findings. Eight predominant overarching themes were identified that play an important role in, and influence, the organisation's knowledge sharing and information security practices. When the practices of knowledge sharing and information security are looked at independently at the ETI, proactive and conscious efforts towards achieving the goals of each practice are evident.
Knowledge is recognised as the ETI's core product and its effective dissemination is key to the organisation's success, which is why there is a keen attitude towards improving knowledge sharing internally and externally. On the other hand, a great deal of importance is given to protecting valuable knowledge and meeting stakeholders' confidentiality requirements; thus, there are good systems, access controls and information restrictions in place. In addition, strict legal and approval processes to protect information value and accuracy are implemented. However, when the knowledge sharing and information security practices are compared from a broader perspective, issues arising from their conflicting nature are evident. Moreover, operating in a complex governance structure with various expectations and contractual agreements with stakeholders regarding confidentiality has created a protective culture in the organisation surrounding its knowledge, which hinders formal and informal knowledge sharing (in both tacit and explicit forms) and makes identifying opportunities for fully exploiting knowledge and Intellectual Property an ongoing operational challenge. The research process facilitated effective learning at individual, team and organisational level for the ETI about its practices, the identification of challenges and areas of improvement, and the incorporation of learning and recommendations into its knowledge management strategy alongside existing activities to improve knowledge sharing. The contents of this thesis, particularly the eight themes that emerged from the research findings, are also contributing significantly to a project the organisation is carrying out to reflect on and review what has been learned from operating the ETI over the last 10 years.
The thesis contributes to the existing body of knowledge, theoretically and practically, in the disciplines of knowledge management and information security. Where previous literature predominantly overlooked it, the empirical research findings surface evidence of the relationship between knowledge sharing and information security practices, showing their interconnectedness and the negative consequences of the two practices being treated and managed separately. For the action learning arena, a novel methodological approach underpinned by the action learning philosophy has been introduced that demonstrates how team action learning (i.e. using intact teams as opposed to conventional action learning teams) can be used to engage employees to share and combine their knowledge on real organisational issues, generate new learning and develop actions to initiate improvements in the organisation.
350.
Internet Safety for Children: Stranger danger, misbehaviour and problems when online. Fergus, Seamus. January 2018 (has links)
The Internet has evolved and continues to evolve rapidly. As adults we understand the need to be careful with various issues, including our privacy, scams and bullying, and as adults we stumble across unwanted material that might be considered inappropriate. Children also need to be protected, and this thesis will research what children do when they are online and what protection is currently given to children. The research will also include input from teachers and parents, finding out what experiences they have had and what they are doing to protect children. The thesis will involve software testing to evaluate how effective parental control software is, and the possibilities of it being hacked. This research will concentrate on smartphones, and in particular the Android operating system; the reason is that Android phones can be purchased more cheaply than an iPhone and are therefore more likely to be used by a child. A developer's version of Android can also be configured to run in a virtual machine on a PC, which makes various kinds of testing possible. The thesis will also review other organisations' research and findings and how they compare to my own research. The thesis will give advice on how to move forward in relation to keeping children safe online.