51 |
Shaping Strategic Information Systems Security Initiatives in Organizations. Tejay, Gurvirender. 09 May 2008.
Strategic information systems security initiatives have seldom been successful. The increasing complexity of the business environment in which organizational security must be operationalized presents challenges, and the patterns of interaction among stakeholders that lead to instituting such an initiative are poorly understood. The overall aim of this research is to enhance understanding of the issues and concerns in shaping strategic information systems security initiatives. To be successful, a proper understanding of the content, context and process of the formulation and institutionalization of a security initiative is essential, as is aligning the interconnections between these three key components. In conducting the argument, this dissertation analyzes information systems security initiatives in two large government organizations, the Information Technology Agency and the Department of Transportation. The research methodology adopts an interpretive approach of inquiry. Findings from the case studies show that a strategic security initiative should be harmonious with the cultural continuity of an organization rather than significantly changing the existing opportunity and constraint structures. The development of security cultural resources such as a security policy may be used as a tool for propagating a secure view of the social world. For secure organizational transformation, one must consider the organizational security structure, the knowledgeability of agents in perceiving a secure organizational posture, and global security catalysts (such as establishing trust relations and security-related institutional reflexivity). The inquiry indicates that strategic security change is likely to succeed in an organization if it is developed and implemented as a brief yet quantum leap, adopting an emergent security strategy in congruence with organizational security values.
|
52 |
Institutionalization of Information Security: Case of the Indonesian Banking Sector. Nasution, Muhamad Faisal Fariduddin Attar. 10 May 2012.
This study focuses on the institutionalization of information security in the banking sector. It is important to pursue because it explicates how information security governance and practices become internalized and how that internalization develops an organizational resistance to security breaches. The objective is to develop an understanding of how information security governance and practices in the Indonesian banking sector become institutionalized, building on the argument that they do so through social integration of routines and system integration of relevant technologies. Pursuing this study is necessary to conceptualize the incorporation of security governance and practices as routines, the impact of security breaches on such routines, and the effects of a central governing body on such routines altogether. Accordingly, the concept of institutionalization is developed using Barley and Tolbert's (1997) combination of institutional theory and structuration theory to explain the internalization of security governance and practices at an organizational level. Scott's (2008) multilevel institutional processes, based on institutional theory, are used to elaborate security governance and practices in an organization-to-organization context. The research design incorporates the interpretive case-study method to capture communicative interactions among respondents.
Doing so provides answers to the following research questions: (1) how institutions internalize information security governance and practices, (2) how an external governing body affects the institutionalization of information security governance and practices in institutions, and (3) how security breaches re-institutionalize information security governance and practices in institutions. Important findings include habitualized security routines, information stewardship, and institutional relationships in the information-security context. The study contributes to the body of literature by depicting how information security becomes internalized in an organization and the interaction among organizations engaged in implementing information security.
|
53 |
DIVERGENCE IN STAKEHOLDER PERCEPTIONS OF SECURITY POLICIES: A REPGRID ANALYSIS FOR NORM-RULE COMPLIANCE. Almusharraf, Ahlam. 01 January 2016.
Many organizations have a problem synchronizing individual values regarding information security with the expectations set by the relevant security policy. Such discordance leads to failure in compliance or to outright subversion of existing or imposed controls. A mismatch in how individuals in an organization understand the security policies has a devastating effect on the security of the organization. Different individuals hold different understandings of and knowledge about IS security, which is reflected in the design and practice of IS security policies (Vaast, 2007). Albrechtsen and Hovden (2009) argue that users and managers practice IS security differently because they have different rationalities. This difference in rationalities may reflect the mismatch between the security policies and individuals' values.
In this research, we argue that the occurrence of a security breach can change individuals' values in light of the organization's security policy. These changes in values can be reflected in the compliance between individuals' norms and security rules and standards. Indeed, organizations need to ensure compliance between the security policy and the values of their employees in order to alleviate or prevent violations of organizational security. However, it is difficult to find a common method that all organizations can adopt to guarantee that security rules and individuals' norms stay in sync.
The main aim of this research is to investigate how people perceive information security policy and how their perceptions change in response to security breaches. This research also aims to investigate the relationship between individuals' values and security policy, so that organizations can achieve the intended level of compliance between individual norms and security rules and standards.
With the aid of the Repertory Grid technique, this research examines how a security breach shapes people's values with respect to an organization's security policy. To conduct the argument, this research offers an assessment mechanism that helps the organization evaluate employees' values in regard to the security policy. Based on that evaluation, the organization can develop a proper mechanism to ensure compliance between individuals' norms and security rules. The results show that employees in an organization hold different perceptions of the security policy, and that these perceptions change in response to a security incident. This change in perceptions does not necessarily result in better compliance with the security policy. Factors such as the type of breach and people's experience can affect the amount of change in perceptions. Contributions, implications, and directions for future research are discussed.
|
54 |
Informationsäkerhet vid användning av SaaS : En studie om vilka aspekter som påverkar om informationsäkerheten höjs vid användning av SaaS / Information security when using SaaS: A study of which aspects affect whether information security is increased when using SaaS. Åman, Petter. January 2019.
In the early history of IT, it was assumed that data could only be attacked by being physically present in order to carry out an intrusion and obtain data or information. In older action films one often sees some Russian or American spy transferring data from a physical computer to an equally physical disk. With increasing globalization there is also an increased need for access to data and information in different places and in different ways. To satisfy a growing need for availability and mobility, the IT world has had to create new solutions that meet that need. The first step was the introduction of the internet, and now various new cloud solutions are available over the internet to companies, private individuals and also attackers. Modern technologies practically always bring new risks and threats. Where humanity previously used locks on doors, consideration must now be given to what type of encryption, antivirus protection and other measures are required to protect private information. Cloud computing and the use of cloud services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) continue to grow, which can bring many advantages for companies (Balco, Drahošová & Law, 2017; Basishtha & Boruah, 2013; SCB, 2018; Sultan, 2011; Shahzad, 2014). However, moving data from the ground up into the cloud is no guarantee of security, since the cloud's availability and the movement of data beyond the company's boundaries raise questions about information security and come with many challenges and risks (Kavitha & Subashini, 2011; Dorey & Leite, 2011). With increased globalization it might seem fitting for data to be stored in different places around the world. But how secure is it really when a company based in, for example, Finland has important data stored on the other side of the globe?
Since "the cloud" continues to grow, there is a need to investigate how, where and when use of the cloud can help to increase information security, and also why and under what circumstances. The study focuses on information security in the use of SaaS and on which aspects affect whether companies can obtain increased information security. SaaS was chosen because it is the cloud service most frequently used by companies. The report is structured as follows: chapter two covers relevant concepts and background to the subject. Chapter three then describes the problem area and the report's purpose and research question. Chapter four presents the scientific method used to collect and analyse data. Chapter five presents the analysis of the work, which leads to the final model in chapter six. Finally, a discussion of the study follows.
|
55 |
Perception of employees concerning information security policy compliance: case studies of a European and South African university. Lububu, Steven. January 2018.
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to a lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for their sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services is secured, which they do through enforcement of, and compliance with, policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case-study approach to understand the meaningful characteristics of actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university's policies, and both departments manage and keep confidential university information (Human Resources processes and keeps employees' information, whilst the Administrative office manages students' records). This study used structuration theory as a lens to view and interpret the data. Qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case-study universities. The documentation was then used to support the data from the interviews.
The findings revealed several factors that influence non-compliance with information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficient infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences for an institution, such as the loss of the institution's credibility or the institution's closure. Recommendations for further study are also made.
|
56 |
Studies on Employees' Information Security Awareness. Häußinger, Felix. 13 May 2015.
No description available.
|
57 |
Physical-layer security. Bloch, Matthieu. 05 May 2008.
As wireless networks continue to flourish worldwide and play an increasingly prominent role, it has become crucial to provide effective solutions to the inherent security issues associated with a wireless transmission medium. Unlike traditional solutions, which usually handle security at the application layer, the primary concern of this thesis is to analyze and develop solutions based on coding techniques at the physical layer.
First, an information-theoretically secure communication protocol for quasi-static fading channels was developed and its performance with respect to theoretical limits was analyzed. A key element of the protocol is a reconciliation scheme for secret-key agreement based on low-density parity-check codes, which is specifically designed to operate on non-binary random variables and offers high reconciliation efficiency.
Second, the fundamental trade-offs between cooperation and security were analyzed by investigating the transmission of confidential messages to cooperative relays. This information-theoretic study highlighted the importance of jamming as a means to increase secrecy and confirmed the importance of carefully chosen relaying strategies.
Third, other applications of physical-layer security were investigated. Specifically, the use of secret-key agreement techniques for alternative cryptographic purposes was analyzed, and a framework for the design of practical information-theoretic commitment protocols over noisy channels was proposed.
Finally, the benefit of using physical-layer coding techniques beyond the physical layer was illustrated by studying security issues in client-server networks. A coding scheme exploiting packet losses at the network layer was proposed to ensure reliable communication between clients and servers and security against colluding attackers.
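The secret-key agreement step above (reconciliation over a public channel, then removing what the channel revealed) can be shown end to end on a small scale. The following is an added example, not code from the thesis: it replaces the non-binary LDPC reconciliation the abstract describes with syndrome decoding of the [7,4] Hamming code (one corrected bit per block), and replaces the universal hash of privacy amplification with a truncated SHA-256, which is adequate to show the accounting but not a substitute for the real primitive. Alice's and Bob's correlated bit strings are constructed inside the block.

```python
"""
Toy secret-key reconciliation and privacy amplification over a public channel.

Added example, not code from the thesis. Stand-ins: the [7,4] Hamming code
instead of the LDPC-based non-binary scheme in the abstract, and a truncated
SHA-256 instead of a universal hash. All inputs are constructed.
"""
import hashlib
import random

# Parity-check matrix H of the [7,4] Hamming code. Column j (1-based) is j written
# in binary, so the syndrome of a single flipped bit equals that bit's position.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
BLOCK = 7
SYNDROME_BITS = len(H)   # key bits revealed to an eavesdropper per block


def syndrome(block):
    """H * block^T over GF(2), packed into an int in 0..7."""
    s = 0
    for i, row in enumerate(H):
        s |= (sum(r & b for r, b in zip(row, block)) & 1) << i
    return s


def alice_syndromes(key_a):
    """Alice's reconciliation message: one 3-bit syndrome per block, sent in clear."""
    if len(key_a) % BLOCK:
        raise ValueError("key length must be a multiple of %d" % BLOCK)
    return [syndrome(key_a[i:i + BLOCK]) for i in range(0, len(key_a), BLOCK)]


def bob_reconcile(key_b, syndromes):
    """Bob fixes at most one flipped bit per block; two flips in a block miscorrect."""
    out = []
    for j, s_a in enumerate(syndromes):
        block = list(key_b[j * BLOCK:(j + 1) * BLOCK])
        err = syndrome(block) ^ s_a      # linearity: H*b xor H*a == H*(a xor b)
        if err:
            block[err - 1] ^= 1
        out.extend(block)
    return out


def privacy_amplify(key_bits, leaked_bits, safety_margin=8):
    """Shrink the key so the bits learned from the syndromes (plus a margin) are squeezed out."""
    n_out = len(key_bits) - leaked_bits - safety_margin
    if n_out <= 0:
        raise ValueError("not enough secret entropy left after reconciliation")
    if n_out > 256:
        raise ValueError("this toy extractor yields at most 256 bits")
    digest = hashlib.sha256("".join(map(str, key_bits)).encode()).digest()
    return "".join(f"{b:08b}" for b in digest)[:n_out]


def run(n_blocks=16, flip_prob=0.05, seed=None):
    """Constructed scenario: Bob holds a noisy copy of Alice's key; reconcile, then amplify."""
    rng = random.Random(seed)
    key_a = [rng.randrange(2) for _ in range(n_blocks * BLOCK)]
    key_b = [bit ^ (rng.random() < flip_prob) for bit in key_a]
    synd = alice_syndromes(key_a)
    key_b_fixed = bob_reconcile(key_b, synd)
    leaked = SYNDROME_BITS * n_blocks
    final_a = privacy_amplify(key_a, leaked)
    final_b = privacy_amplify(key_b_fixed, leaked)
    return {
        "errors_before": sum(a != b for a, b in zip(key_a, key_b)),
        "errors_after": sum(a != b for a, b in zip(key_a, key_b_fixed)),
        "agreed": final_a == final_b,
        "final_key_bits": len(final_a),
    }


if __name__ == "__main__":
    print(run(seed=1))
```

Two caveats a practitioner would check before trusting such a scheme: the syndromes must travel over an authenticated channel (an attacker who can alter them steers Bob's corrections), and the `leaked_bits` subtracted in `privacy_amplify` is exactly what the public messages gave away, so any extra side information about the channel must be added to that figure, not ignored.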
|
58 |
Cifrassinatura sem certificados / Certificateless signcryption. Nascimento, Érick Nogueira do, 1986-. 19 August 2018.
Advisor: Ricardo Dahab. Master's dissertation, Universidade Estadual de Campinas, Instituto de Computação.
Issued: 2011. Abstract: Public-key cryptography is ever more present in computational systems, providing them with several security properties, including confidentiality, integrity, authenticity and non-repudiation. The explicitly certified public-key model is the most commonly employed one; it consists of a public-key infrastructure (PKI) that requires procedures, hardware, software and management personnel for its operation. Such an infrastructure is complex and costly, making its use prohibitive in many scenarios.
This work examines alternative paradigms for public-key cryptography, with a focus on the certificateless paradigm. Within this paradigm, and with emphasis on provable security, we study signcryption schemes, which efficiently and simultaneously provide the properties of public-key encryption together with those of digital signatures: confidentiality, integrity, authenticity and non-repudiation. The contributions of this work are: (i) an attack against the indistinguishability property of the McCullagh-Barreto IBSC scheme [MB04]; (ii) a proposed correction of the Barbosa-Farshim CLSC scheme [BF08], which had been broken by Selvi et al. [SVR10b]; (iii) a systematic exposition of provable security, certificateless public-key cryptography and certificateless signcryption. / Master's degree in Computer Science.
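What "certificateless" buys, and why it is neither a PKI nor plain identity-based cryptography, is easiest to see in the key structure: the key generation centre (KGC) issues a partial private key tied to the user's identity, the user mixes in a secret value of their own, and a verifier reconstructs the public key from the identity and the KGC's master public key alone, with no certificate. The block below is an added example written for this page; it is not code from the dissertation, nor the Barbosa-Farshim or McCullagh-Barreto schemes. It uses a textbook-style, pairing-free Schnorr construction on secp256k1 (chosen for readability, with no security proof claimed), shows only the signature half of signcryption, and constructs its identity and message inline. Everything else (names, the exact equations) is this example's own choice.

```python
"""
Certificateless keys with a Schnorr-style signature on secp256k1 (pure Python).

Added example, not code from the dissertation or from [MB04]/[BF08]. It shows the
key structure certificateless schemes share: KGC partial key bound to the identity,
a user-chosen secret that removes key escrow, and verification from the identity
plus the KGC's public key (no certificate). Didactic construction, no security
proof; the encryption half of signcryption is omitted.
"""
import hashlib
import random

# secp256k1: y^2 = x^3 + 7 over GF(P); base point G has prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # curve coefficient a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """Hash-to-scalar with length-delimited inputs so no two encodings collide."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(m.digest(), "big") % N


def kgc_setup(rng):
    """KGC master secret s and master public key P_pub = s*G."""
    s = rng.randrange(1, N)
    return s, ec_mul(s, G)


def user_secret(rng):
    """User's own secret x and public value X = x*G; the KGC never sees x."""
    x = rng.randrange(1, N)
    return x, ec_mul(x, G)


def kgc_partial_key(s, ident, X, rng):
    """Partial private key (R, d) for `ident`, bound to the user's X via the hash."""
    r = rng.randrange(1, N)
    R = ec_mul(r, G)
    d = (r + s * h(ident, enc(X), enc(R))) % N
    return R, d


def check_partial_key(P_pub, ident, X, R, d):
    """User's sanity check that the KGC issued (R, d) for (ident, X): d*G == R + h1*P_pub."""
    return ec_mul(d, G) == ec_add(R, ec_mul(h(ident, enc(X), enc(R)), P_pub))


def sign(ident, X, R, x, d, msg, rng):
    """Schnorr-style signature under the full private key x + d."""
    k = rng.randrange(1, N)
    K = ec_mul(k, G)
    return K, (k + h(ident, enc(X), enc(R), enc(K), msg) * (x + d)) % N


def verify(P_pub, ident, X, R, msg, sig):
    """Rebuild the full public key (x + d)*G = X + R + h1*P_pub; no certificate involved."""
    K, sigma = sig
    full_pub = ec_add(ec_add(X, R), ec_mul(h(ident, enc(X), enc(R)), P_pub))
    h2 = h(ident, enc(X), enc(R), enc(K), msg)
    return ec_mul(sigma, G) == ec_add(K, ec_mul(h2, full_pub))


def demo(seed=None):
    """Run the protocol once; a fixed seed is reproducible, None uses OS randomness."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    ident, msg = b"alice@example.org", b"constructed message"   # constructed inputs
    s, P_pub = kgc_setup(rng)
    x, X = user_secret(rng)
    R, d = kgc_partial_key(s, ident, X, rng)
    sig = sign(ident, X, R, x, d, msg, rng)
    # A KGC knows s, R and d but not x; signing with a guessed x fails under the published X.
    kgc_attempt = sign(ident, X, R, 0, d, msg, rng)
    return {
        "partial_key_ok": check_partial_key(P_pub, ident, X, R, d),
        "valid_signature": verify(P_pub, ident, X, R, msg, sig),
        "tampered_rejected": not verify(P_pub, ident, X, R, b"other message", sig),
        "kgc_forgery_rejected": not verify(P_pub, ident, X, R, msg, kgc_attempt),
    }


if __name__ == "__main__":
    print(demo())
```

Binding `X` into the hash of the partial key is what ties a KGC-issued `d` to one specific user value; without it, a partial key could be reused under a swapped public key. The demo only shows that a KGC cannot sign under the user's published `X`; a KGC that publishes a replacement `X'` of its own is the separate, stronger adversary that certificateless security models treat as out of scope for the trusted KGC, which is exactly the kind of model question the dissertation's provable-security treatment is about.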
|
59 |
Um modelo de sistema de gestão da segurança da informação baseado nas normas ABNT NBR ISO/IEC 27001:2006, 27002:2005 e 27005:2008 / A model of an information security management system based on the ABNT NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008 standards. Santos, Valdeci Otacilio dos. 21 August 2018.
Advisor: Renato Baldini Filho. Master's dissertation, Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.
Issued: 2012. Abstract: The steady growth of threats and vulnerabilities in information systems intensifies administrators' concern about the security of these systems. In the search for an appropriate level of information security, laws and standards dealing with this important subject are being created and improved, not only in Brazil but worldwide.
This work proposes a model of an information security management system, with process modelling and a description of activities, covering the main guidelines recommended in the standards ABNT NBR ISO/IEC 27001:2006, 27002:2005 and 27005:2008. The proposed model aims to guide the implementation of a new information security management system in an organization or to verify the conformity of an existing one. The work includes a practical application of the proposed model: a survey of the degree to which the activities carried out in the various processes that make up an organization's information security management system adhere to what the model, and consequently the reference standards, prescribe. Assessing the results of that verification gave an overview of the state of the organization's information security management and identified the points that comply with the standards and those that need improvement. / Master's degree in Electrical Engineering (Telecommunications and Telematics).
|
60 |
Posouzení informačního systému firmy a návrh změn / Information System Assessment and Proposal for ICT Modification. Vránová, Nikola. January 2012.
This thesis analyses the current information system of the selected company and points to its possible shortcomings and errors. Information obtained from the analysis leads to appropriate solutions to the problems found. The aim is for the current system to be customized to meet the needs of its users, so that the information system is flexible, intuitive and clear.
|