Spelling suggestions: "subject:"forminformation security"" "subject:"informationation security""
221 |
Hacking Systems, Hacking Values: Interactive Theories For An Interactive WorldKelly, Liam Patrick 12 January 2004 (has links)
Langdon Winner's article "Do Artifacts Have Politics?" (1986) has become a classic piece within Science and Technology Studies. While Winner was certainly not the first to consider the inherently political qualities of technology, his article has assumed the role of a touchstone for both supporters and critics of the idea that artifacts embody political and social relationships. In the chapters that follow, I shall try to answer Winner and his critics, by studying a particular technology that I believe to be capable of shedding some much-needed light on the issue. My aim is provide a restatement of Winner's question in the pages that follow, with the hope of getting past such problematic terms as "embodiment" and "encapsulation." My hope is to make the issue itself clearer, so that we can get to the heart of how technology, values, and human beings systematically interact.
I shall utilize in my discussion computer network scanning software. I shall first discuss the background to the question "Do Artifacts Have Politics?" and then describe some of the ethical and political forces alive in the computer security world. Next I shall closely examine two particular pieces of network scanning software and describe their interactions in terms of political and ethical motivations. Finally, I shall use this case study as a basis for a broader discussion of how values may be better conceived in terms of complex interactive systems of human beings and technologies. / Master of Science
|
222 |
The Social Engineering Attack Spiral (SEAS)Cullen, Andrea J., Armitage, Lorna January 2016 (has links)
Yes / Cybercrime is on the increase and attacks are becoming
ever more sophisticated. Organisations are investing huge sums of
money and vast resources in trying to establish effective and timely
countermeasures. This is still a game of catch up, where hackers
have the upper hand and potential victims are trying to produce
secure systems hardened against what feels like are inevitable
future attacks.
The focus so far has been on technology and not people and the
amount of resource allocated to countermeasures and research into
cyber security attacks follows the same trend. This paper adds to the
growing body of work looking at social engineering attacks and
therefore seeks to redress this imbalance to some extent. The
objective is to produce a model for social engineering that provides
a better understanding of the attack process such that improved and
timely countermeasures can be applied and early interventions
implemented.
|
223 |
Factors impacting information security noncompliance when completing job tasksHarrell, Martha Nanette 26 November 2014 (has links)
Work systems are comprised of the technical and social systems that should harmoniously work together to ensure a successful attainment of organizational goals and objectives. Information security controls are often designed to protect the information system and seldom consider the work system design. Using a positivist case study, this research examines the user's perception of having to choose between completing job tasks or remaining compliant with information security controls. An understanding of this phenomenon can help mitigate the risk associated with an information system security user's choice. Most previous research fails to consider the work system perspective on this issue. This study is based on the socio-technical system theory, the Leavitt Diamond Model (1965). Using this model as a lens to examine user information security behavior and perspectives, the Synergistic Security Model was developed. The research data indicated that the relationships between the structure, technology, task and people constructs can have an impact on user information security behavior. The research found that a change in the organization's information security policies, technology, or a change in employee processes for task completion can impact a user's information security choice. Some of the information security situations found in the research could be easily changed to lower the risk of a user's choice to circumvent information security. This change could be a technical configuration change, a purchase of a new technology or a change in a process to help impact a user's choice to circumvent information security controls.
The Synergistic Security Model can help researchers understand the relationships between the general constructs found in a work system and how those relationships can influence user behaviors. The research presented in the paper examines a triad relationship between each work system construct, consisting of: Structure-Technology-People; Structure-Task-People; Task-Technology-People; and Task-Technology-Structure. The findings indicate that the relationship between the constructs can have a significant impact on user information security behavior and therefore should be a consideration when designing an efficient and effective information security program.
|
224 |
Examining the Security Awareness, Information Privacy, and the Security Behaviors of Home Computer UsersEdwards, Keith 01 January 2015 (has links)
Attacks on computer systems continue to be a problem. The majority of the attacks target home computer users. To help mitigate the attacks some companies provide security awareness training to their employees. However, not all people work for a company that provides security awareness training and typically, home computer users do not have the incentive to take security awareness training on their own. Research in security awareness and security behavior has produced conflicting results. Therefore, it is not clear, how security aware home computer users are or to what extent security awareness affects the security behavior of home computer users. The goal of this study was to determine if there is a relationship between security awareness and users practicing good security behavior.
This study adapted its research model from the health belief model (HBM), which accesses a patient’s decision to perform health related activities. The research model included the HBM constructs of perceived severity, perceived susceptibility, perceived threat, perceived benefits, perceived barriers, cues to action, and self-efficacy. The research model also contained the security awareness (SA) and concern for information privacy (CFIP) constructs. The model used SA to ascertain the effect of security awareness on a person’s self-efficacy in information security (SEIS), perceived threat, CFIP, and security behavior. The research model included CFIP to ascertain its effect on security behavior.
The developed survey measured the participants' security awareness, concern for information privacy, self-efficacy, expectations of security actions, perceived security threats, cues to action, and security behavior. SurveyMonkey administered the survey. SurveyMonkey randomly selected 267 participants from its 30 million-member base.
The findings of this study indicate home computer users are security aware. SA does not have a direct effect on a user’s security behavior, perceived threat, or CFIP. However, it does have influence on SEIS. SEIS has a weak effect on expectations. CFIP has an effect on a user’s security behavior after removing perceived threat from the research model. Perceived susceptibility has a direct effect on a user’s security behavior, but perceived severity or perceived threat does not.
|
225 |
Towards evaluating security implementations using the Information Security Maturity Model (ISMM)Alaboodi, Saad Saleh January 2007 (has links)
Information security is a common and ever-present concern for both private and public sector organizations. Information security protects information from a wide range of threats, risks, and vulnerabilities in order to ensure information availability, integrity and confidentiality, and hence business continuity.
This research seeks to use a heuristic-based investigation of the Information Security Maturity Model (ISMM), developed by the author, combined with a thorough review of existing models, to suggest considerable extensions. This shall merit various applications leading to establish a connective body of knowledge and bridge a gap in existing literature and industry regarding the information security implementation in light of use of international standards and models.
The ISMM model is neither based on a specific technology/protocol (e.g. PKI, IPSec, SSL) nor a certain system/product (e.g. Firewall, Antivirus, IDS), but rather an engineering approach towards a structured and efficient implementation of those technologies. The ISMM is a security-centric model that consists of five distinctive and ordered security layers, each of which has its own definition, scope, and characteristics. The model reflects the three key security processes (prevention, detection and recovery) and captures effects of people (visibility and sophistication) on every layer. It aims essentially to assess the maturity of any security implementation of any size and type (i.e. device, system, or environment).
New extensions of the ISMM work are put forward. Literature review is augmented by introducing a new classification of information security models. Additionally, new abstractions are introduced, first: the abstraction of security conceptual boundaries, which signifies rational priorities and captures the unavoidable interferences between information and physical security in any security context, second: the abstraction of ratios of resources utilization (i.e. computational power, energy, memory, and other costs). Further extensions include a new attack model that classifies attacks in terms of their impact. This leads to a new approach for analyzing attacks and study adversary’s capabilities at different layers of both the ISMM and network models in the whole system, as one integrated entity against both single and hybrid attacks. As an example of one possible mapping and compatibility of the ISMM with other security-related models, the ISMM layers are mapped to their pertinent peers in network models (i.e. ISO/OSI and TCP/IP), which offers more information about security controls at each layer and its contribution to the actual overall security posture.
The ISMM offers a prompt and structured approach to identify the current security state of small communication devices, computing platforms, and large computing environments in a consistent manner. A cost-effective realization is achieved through the optimization of IT and security expenditure. Therefore, the model assists to minimize deficiencies in security implementation. Also, the identification of needs and goals of the following level in the ISMM hierarchy allows a strategic approach proportional to allowable resources to take place, as a result, both goals are reached and cost is reduced much faster.
This work is believed to facilitate grounds for future research endeavors such as applying these propositions on simulated examples, real life case studies, and developing a formula for the optimized distribution of security resources in a consistent manner with the best possible security level.
|
226 |
Towards evaluating security implementations using the Information Security Maturity Model (ISMM)Alaboodi, Saad Saleh January 2007 (has links)
Information security is a common and ever-present concern for both private and public sector organizations. Information security protects information from a wide range of threats, risks, and vulnerabilities in order to ensure information availability, integrity and confidentiality, and hence business continuity.
This research seeks to use a heuristic-based investigation of the Information Security Maturity Model (ISMM), developed by the author, combined with a thorough review of existing models, to suggest considerable extensions. This shall merit various applications leading to establish a connective body of knowledge and bridge a gap in existing literature and industry regarding the information security implementation in light of use of international standards and models.
The ISMM model is neither based on a specific technology/protocol (e.g. PKI, IPSec, SSL) nor a certain system/product (e.g. Firewall, Antivirus, IDS), but rather an engineering approach towards a structured and efficient implementation of those technologies. The ISMM is a security-centric model that consists of five distinctive and ordered security layers, each of which has its own definition, scope, and characteristics. The model reflects the three key security processes (prevention, detection and recovery) and captures effects of people (visibility and sophistication) on every layer. It aims essentially to assess the maturity of any security implementation of any size and type (i.e. device, system, or environment).
New extensions of the ISMM work are put forward. Literature review is augmented by introducing a new classification of information security models. Additionally, new abstractions are introduced, first: the abstraction of security conceptual boundaries, which signifies rational priorities and captures the unavoidable interferences between information and physical security in any security context, second: the abstraction of ratios of resources utilization (i.e. computational power, energy, memory, and other costs). Further extensions include a new attack model that classifies attacks in terms of their impact. This leads to a new approach for analyzing attacks and study adversary’s capabilities at different layers of both the ISMM and network models in the whole system, as one integrated entity against both single and hybrid attacks. As an example of one possible mapping and compatibility of the ISMM with other security-related models, the ISMM layers are mapped to their pertinent peers in network models (i.e. ISO/OSI and TCP/IP), which offers more information about security controls at each layer and its contribution to the actual overall security posture.
The ISMM offers a prompt and structured approach to identify the current security state of small communication devices, computing platforms, and large computing environments in a consistent manner. A cost-effective realization is achieved through the optimization of IT and security expenditure. Therefore, the model assists to minimize deficiencies in security implementation. Also, the identification of needs and goals of the following level in the ISMM hierarchy allows a strategic approach proportional to allowable resources to take place, as a result, both goals are reached and cost is reduced much faster.
This work is believed to facilitate grounds for future research endeavors such as applying these propositions on simulated examples, real life case studies, and developing a formula for the optimized distribution of security resources in a consistent manner with the best possible security level.
|
227 |
Information Security Management: The Study of Lithuanian State Institutions / Informacijos saugumo valdymas: Lietuvos Respublikos valstybės institucijų atvejisJastiuginas, Saulius 27 December 2012 (has links)
Growing information security cases and scope illustrate that the relevance of information security issues becomes critical and present information security means are not sufficient enough to manage information security. Narrow comprehension of information security merely as technological problem is broadened by the research results of economic, managerial, psychological, legal and other related aspects’ influence to information security. Information is named as the object of information security management in this thesis, and new information security management solutions are searched in the information management sciences. Critical analysis of information management and information security management links, was established a theoretical basis to form an integral information security management model. Integral information security management model, constructed at a theoretical level, shows a complex approach towards information security, integrates information management and information security management. Integral information security management model allows indentifying information security management weaknesses in the Lithuanian State institutions, rectifying deficiencies, provide an integrated and efficient information security management. A practical research and obtained results grounded the constructed model’s applicability both for further theoretical academic research and for practical application in the Lithuanian State institutions. / Nuolat augantys informacijos saugumo incidentų atvejai ir mastai iliustruoja, kad informacijos saugumo problemų aktualumas tampa kritinis, o esamos informacijos saugumo valdymo priemonės nėra pakankamos informacijos saugumui valdyti. Siaurą informacijos saugumo, kaip technologinės problemos, supratimą plečia ekonominių, vadybinių, psichologinių, teisinių ir kitų susijusių aspektų įtaka informacijos saugumui. Disertacijoje teigiama, kad informacijos saugumo valdymo objektas yra informacija, todėl informacijos saugumui valdyti pasitelktini informacijos vadybos metodai ir būdai. Identifikavus ir kritiškai įvertinus informacijos vadybos bei informacijos saugumo valdymo diskursų sąsajas sukurtas teorinis pagrindas suformuoti integralų informacijos saugumo valdymo modelį. Teoriniame lygmenyje sukonstruotas integralus informacijos saugumo valdymo modelis atskleidžia kompleksinį požiūrį į informacijos saugumą, integruoja informacijos vadybą ir informacijos saugumo valdymą bei leidžia identifikuoti informacijos saugumo valdymo Lietuvos valstybės institucijose trūkumus, o šiuos trūkumus pašalinus, užtikrinti kompleksišką ir efektyvų informacijos saugumo valdymą. Empirinis tyrimas ir gauti rezultatai pagrindė teoriniame lygmenyje sukonstruoto modelio pritaikomumą tiek tolesniems teoriniams moksliniams tyrimams, tiek praktinėje Lietuvos valstybės institucijų veikloje.
|
228 |
Information security awareness and behaviour: of trained and untrained home users in Sweden.Hammarstrand, Johanna, Fu, Tommy January 2015 (has links)
Today we live in an information society that is constantly growing in terms of the amount of information that are processed, stored, and communicated. Information security is a field that is of concern for both the individual and the society as a whole, as both groups are exposed to information every day. A society like this will demand more emphasis on information security. Previous researchers that has addressed this problem argues that security awareness is the most significant factor in order to raise the general security level. They also mention education as a solution to increase the security awareness and thereby achieve a secure environment. The aim of this thesis is to examine the differences between trained and untrained home users in security awareness and behaviour. The research was conducted, using a quantitative method in form of a survey research with the distribution of self-completion questionnaires. The study has a total of 162 respondents that participated. The result was presented and analysed through the use of the software program, IBM SPSS. The results of the findings suggest that the awareness of the trained home users is higher than of those who are untrained home users. Additionally, the discussion suggests that the home users who have participated in awareness raising initiatives, such as education and training, does not necessarily apply more security measures in their home environment, than those who are regarded as untrained home users. Hence, this study suggests that the increase in awareness may not necessarily be the only factor that affects the user’s behaviour, since those who have not participated in awareness raising initiatives applies security measures, almost to the same extent to those who have. This thesis might be able to act as a foundation for future research within the field, considering that the research is a comparative study between trained and untrained home users of the variables security awareness and behaviour where the found results, does not fully agree with previous research. However, an increase in awareness is a good start, but may need to be paired with appropriate training from other parties, such as internet service providers (ISPs) and banks. Maybe the solution could be to develop and strive for a continuous information security culture of the Swedish society, which may result in a deeper learning and understanding of security issues and inspire home users to be engaged and proactive about their information security behaviour.
|
229 |
INTRUSION EXECUTION SYSTEMS : Prototype: IMPETUSKayahan, Hüseyin January 2013 (has links)
In nature, it is inspiring to observe such an extensive variety of defensive skills distributed among species. The speed of an antelope, and the sting of a scorpion, wasp or a bee are some examples of such defensive tools or mechanisms important to survive against predators. However sophisticated the skills or tools are, the correct accurate use and on-time triggering of those tools is a matter of life and death for animals. With those defensive measures, animals come with a complementary ability called "vigilance". Vigilance is costly and the human tries to minimize vigilant behaviour in every aspect of life. The absence of vigilance, or negligence in other words, allows humans to spend more time and cognition on matters that he or she wants rather than on problems that need time. The human has an inherent and intricate mechanism that determine the vigilance level required for a particular problem. The consequences of the lack of vigilance in a work environment, more especially in the Information Technologies Security field are catastrophic and even lethal as humanity becomes an increasingly associated habitant of cyberspace ecosystem. Intrusion Execution Systems (IES) which is one of my conceptual propositions in this research, is my approach to reduce negligent behaviour in IT Security personnel. Impetus is the name of the first prototype for IES concept with limitations, which is included in this research. Impetus can successfully achieve desired behaviour in test environment, however the conceptual propositions in this research among with Impetus, should further be experimented in real-world in order to be convinced of its effectiveness.
|
230 |
Why do employees violate is security policies?:insights from multiple theoretical perspectivesVance, A. (Anthony) 12 October 2010 (has links)
Abstract
Employee violations of IS security policies is recognized as a key concern for organizations. Although interest in IS security has risen in recent years, little empirical research has examined this problem. To address this research gap, this dissertation identifies deliberate IS security policy violations as a phenomenon unique from other forms of computer abuse. To better understand this phenomenon, three guidelines for researching deliberate IS security violations are proposed. An analysis of previous behavioral IS security literature shows that no existing study meets more than one of these guidelines.
Using these guidelines as a basis, this dissertation examines IS security policy violations using three theoretical models drawn from the following perspectives: neutralization theory, rational choice theory, and protection motivation theory. Three field studies involving surveys of 1,423 professional respondents belonging to 7 organizations across 47 countries were performed for empirical testing of the models.
The findings of these studies identify several factors that strongly predict intentions to violate IS security policies. These results significantly increase our understanding of why employees choose to violate IS security policies and provide empirically-grounded implications for how practitioners can improve employee IS security policy compliance.
|
Page generated in 0.1227 seconds