Global ETD Search

1	Analysis of information security risks and protection management requirements for enterprise networks Saleh, Mohamed Saad Morsy January 2011 (has links) With widespread of harmful attacks against enterprises' electronic services, information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches are proposed to manage enterprise information security risks and to assess its information security readiness. These approaches are, however, not adequate to manage information security risks, as all required information security components of its structural and procedural dimensions have not considered. In addition, current assessment approaches lack numerical indicators in assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to the knowledge by developing comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates main components of key risk management methodologies. In addition, for supporting phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model has been performed depending on a developed investigation form that used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as single point of reference for assessing and cost effectively improving their information security readiness. 338.0068
2	Factors Influencing the Implementation of Information Security Risk Management : A case study of Nigerian Commercial Banks Aghaunor, Gabriel, Okojie, Bukky E January 2022 (has links) The banking industry is one of the critical infrastructures in any economy. The services rendered by banks are systematically based on innovation, products, and technology to leverage their services. Several associated risks come along with the rendering of these banking services. The protection of critical information assets of any banking organization should be a top priority of the management. They must ensure that adequate provision is made to develop a strong strategy to control, reduce, and mitigate tasks, such as fraud, cyber-attacks, and other forms of cybersecurity exploitations. Risk management is a series of actions to identify, assess and control threats and vulnerabilities in an organization's capital investment and revenue. These potential risks arise from diverse sources like credit risk, liquidity risk, financial uncertainties, legal actions, technology failures, business strategic management errors, accidental occurrences, and natural disasters. This research study aimed to investigate the factors influencing the implementation of information security risk management in Nigerian Commercial Banks, using a social-technical system framework to address a fundamental human risk factor, which contributes predominately to the failure in information security risk management. These research was motivated by the fact that Nigerian banking sector is facing serious threats' threat emanate from cyber-attacks. Evidenced by the ever-increasing cyber-attacks, as demonstrated by a total of 1,612 complaints from consumers of financial services over banking fraud and aggressive charges received between July and December 2018 of which 99.38% of these incidences were against the commercial banks. The banks are faced with a lot of vulnerabilities and cybersecurity threats, and most of the attacks that happened within the banking sector are focused on the customers, and employees through phishing and social engineering. These showed weaknesses in information security management within the Nigerian banking industry. However, the study was guided by the social-technical theory that advocates for overall training to the stakeholders that helps in changing their beliefs and norms about organization of IS security. In order to find out the factors influencing the implementation of information security risks management in respect of Nigerian Commercial Banks, this study evaluated the influence of management support, technical experts support, funding and users’ security awareness to curb the cyber-attacks in Nigerian financial sector. The contribution of this research is expected to lead to the improvement in the financial system, and organizations, where cybersecurity and information security risk management processes are taken seriously, to reduce the high level of information security risk, threats, and vulnerabilities. Nigeria is a developing country, and at the same time fighting to develop a more conducive business investment environment to attract both national and international investors. A mixed approach research (qualitative and quantitative) method was used to validate this research study. Data collection tools used included interviews and questionnaires. Data analysis was done using the SPSS and logistic regression model. Information Security Risk Assessment Qualitative Quantitative Management Support Funding Technical Experts’ Support Cyber Security Banking ATM Information Systems
3	Attack Tree Based Information Technology Security Metric Integrating Enterprise Objectives With Vulnerabilities Karabey, Bugra 01 September 2011 (has links) (PDF) Security is one of the key concerns in the domain of Information Technology systems. Maintaining the confidentiality, integrity and availability of such systems, mandates a rigorous prior analysis of the security risks that confront these systems. In order to analyze, mitigate and recover from these risks a metrics based methodology is essential in prioritizing the response strategies to these risks and also this approach is required for resource allocation schedules to mitigate such risks. In addition to that the Enterprise Objectives must be focally integrated in the definition, impact calculation and prioritization stages of this analysis to come up with metrics that are useful both for the technical and managerial communities within an organization. Also this inclusion will act as a preliminary filter to overcome the real life scalability issues inherent with such threat modeling efforts. Within this study an attack tree based approach will be utilized to offer an IT Security Risk Evaluation Method and Metric called TEOREM (Tree based Enterprise Objectives Risk Evaluation Method and Metric) that integrates the Enterprise Objectives with the Information Asset vulnerability analysis within an organization. Applicability of the method has been analyzed within a real life setting and the findings are discussed as well within this study.
4	Den praktiska hanteringen av informationsrisker : En kvalitativ fallstudie av hur ett svenskt tillverkningsföretag hanterar informationsrisker. / Information Security Risk Management in Practice : A qualitative case study of how a Swedish manufacturing firm manages information risks. Renning, Jacob, Gustafsson, Alexander January 2020 (has links) Bakgrund: Informationssäkerhet är någonting som företag inom alla branscher bör ägna sig åt eftersom samtliga organisationer är utsatta för informationsrisker. Avsikten med informationssäkerhet är att skydda information så att den finns tillgänglig vid behov, är tillförlitlig och för att säkerställa att endast behöriga har åtkomst (Informationssäkerhet, 2015). Bristande informationshantering kan exempelvis resultera i dataförluster och läckt kunddata vilket i sin tur kan leda till försämrat kundförtroende och stora intäktsförluster. Företags utsatthet för informationsrisker påverkas både av interna och externa faktorer. Utbrottet av Covid-19 är ett exempel på en extern faktor (Humla, 2020). Enligt en rapport är svensk tillverkningsindustris hantering av informationsrisker kraftigt eftersatt i förhållande till övriga sektorers hantering av informationsrisker (Radar Ecosystems Specialists, 2017). Syfte: Denna uppsats undersöker hur ett företag inom svensk tillverkningsindustri arbetar med informationssäkerhet (eng. information security risk management, ISRM). Vidare applicerar vi en teoretisk lins i form av prospektteorin för att förklara informationssäkerhetsarbetet. Vi undersöker även om beslutfattare inom IT-säkerhet uppvisar tendens till övermod och huruvida detta kan påverka företagets arbete med informationssäkerhet. Metod: Uppsatsen är en kvalitativ fallstudie och det empiriska materialet har inhämtats genom semistrukturerade intervjuer med beslutfattare och utvecklare som arbetar medinformationssäkerhet. Fallföretaget är ett anonymiserat svenskt tillverkningsföretag som tillhandahåller produkter och tjänster inom säkerhetsbranschen. Resultat: Enligt vår studie utgår beslutfattare från tidigare erfarenheter av informationssäkerhet när hanteringsstrategier utformas. Det framkommer även att beslutfattarens resonemang och riskhantering förändras i takt med personens erfarenhet. Vi kan även konstatera att beslutfattarens agerande kan förklaras utifrån prospektteorin och att hanteringen påverkas av kognitiva aspekter såsom övermod. / Background: Every organization needs to manage its information security risks (ISRM) as all industries are exposed to information risks. The purpose of ISRM is to protect information so that it is accessible when needed, reliable and to ensure only authorized access (Informationssäkerhet, 2015). Lack of ISRM may result in data loss or personal data leaks, which in turn may lead to a decrease of consumer confidence and reduced revenue streams. Enterprises exposure to information risks are affected by both internal and external factors. The outbreak of Covid-19 is an example of an external factor (Humla, 2020). According to a report, the Swedish manufacturing industry's management of information risks is severely neglected in relation to other sectors ́ handling of information risks (Radar Ecosystems Specialists, 2017). Purpose: This thesis explores how a Swedish manufacturing company manages its information security risks. This is explored by applying a theoretical framework of Prospect Theory to explain decision makers ́ reasoning behind its current ISRM practices. We are also exploring whether decision makers within IT-security have a tendency towards Overconfidence bias and whether it may affect the company's ISRM. Method: The thesis is a qualitative case study and the empirical data has been obtained through semi structured interviews with decision-makers and developers working with information security. The case company is an anonymous Swedish manufacturing company that provides products and services in the security industry. Results: According to our thesis, decision makers rely on previous information security experiences when designing management strategies. It also appears that the decision maker's reasoning and risk management change as the person's experience. We can also note that the decision maker's behavior can be explained on the basis of Prospect Theory and that the ISRM is influenced by cognitive aspects such as overconfidence. Information Security Risk Management ISRM Manufacturing industry Prospect Theory Overconfidence Bias Informationssäkerhet ISRM Tillverkningsindustri Prospektteori Övermod bias Information Systems, Social aspects
5	Analysis of Information Security Risks and Protection Management Requirements for Enterprise Networks. Saleh, Mohamed S.M. January 2011 (has links) With widespread of harmful attacks against enterprises¿ electronic services, information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches are proposed to manage enterprise information security risks and to assess its information security readiness. These approaches are, however, not adequate to manage information security risks, as all required information security components of its structural and procedural dimensions have not considered. In addition, current assessment approaches lack numerical indicators in assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to the knowledge by developing comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates main components of key risk management methodologies. In addition, for supporting phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model has been performed depending on a developed investigation form that used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as single point of reference for assessing and cost effectively improving their information security readiness. Information security Risk management Analytical models Protection measures ISO/IEC 27002 Standard Cost-Benefit Analysis Six-Sigma Compliance
6	An investigation of information security policies and practices in Mauritius Sookdawoor, Oumeshsingh 30 November 2005 (has links) With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems) Adherence to established standards Information security framework Information security policy Information security practices Security standards Compliance Information security risk Procedures 005.8096982 Information policy -- Mauritius
7	An investigation of information security policies and practices in Mauritius Sookdawoor, Oumeshsingh 30 November 2005 (has links) With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems) Adherence to established standards Information security framework Information security policy Information security practices Security standards Compliance Information security risk Procedures 005.8096982 Information policy -- Mauritius
8	Bezpečnostní rizika podle standardu ISO 27001 / Security risks according to ISO 27001 Doubková, Veronika January 2020 (has links) This diploma thesis deals with the management of security information, according to ISO/IEC 27005 and it is implementation in the Verinice software environment. The risk information management process is applied to a critical infrastructure, that is connected to a optical fiber network. The work focuses on incidents aimed at threatening data from optical threats and active network elements in transmission systems. The result of the work is defined as a risk file in the .VNA format containing identified risks, for which appropriate measures are implemented in connection with the requirements of ISO/IEC 27001, for the protection of critical infrastructures and transmitted data in the transmission system.
9	Actions to enhance and support the informationsecurity risk assessment process in corporations / Åtgärder för att förbättra och stödja informationssäkerhetsriskbedömningsprocessen på företag Karlsson, Karolin January 2019 (has links) Information security is growing in importance as the world becomes more digital, at the same time the importance of usability implementation in software development is also growing. In this study, an evaluation was done on what affects usability and how important usability is in a reporting tool handling information security risk assessment (ISRA). The research question from which the study is based on: What actions can enhance and support the information security risk assessment process in corporations? In order to investigate the research question a study was organized consisting of a survey (N=30) and a think-aloud usability test (N=7). As a part of the analysis process a usability heuristic analysis was performed. According to this study, the ISRA process is complicated and creating a well-functioning supporting tool for it is complex. In order for the tool to facilitate for the users work, usability is an important aspect and should be taken in consideration early in the development process of a tool. Based on the findings in this study actions that can contribute to enhanced usability were discussed. The recommended actions are: 1) Include all types of roles in the ISRA process to determine the purpose of the tool and what it should support. 2) Implement clear guiding information in all parts of the tool, all people involved in the ISRA process should be able to understand the tool. 3) Keep an intuitive flow throughout the tool, the user should intuitively always know what the next step is and what to expect. 4) Have a search function that supports all aspects in the tool. / Informationssäkerheten växer i betydelse i takt med att världen blir mer digital, samtidigt så ökar även betydelsen av implementering av användbarhet i mjukvaruutveckling. I denna studie gjordes en utvärdering av vad som påverkar användbarheten och hur viktigt användbarheten är i ett rapporteringsverktyg som hanterar informationssäkerhetsriskbedömning (ISRB). Den forskningsfråga som studien bygger på: Vilka åtgärder kan förbättra och stödja informationssäkerhetsriskbedömningsprocessen i företag? För att undersöka forskningsfrågan organiserades en studie bestående av en enkätundersökning (N = 30) och ett användbarhetstest med ”Think-Aloud” (N = 7). Som en del av analysprocessen utfördes en användbarhets heuristisks analys. Enligt denna studie är ISRB-processen komplicerad och att skapa ett välfungerande stödjande verktyg för att det är komplext. För att verktyget ska underlätta för användarnas arbete är användbarheten en viktig aspekt och bör tas i beaktning tidigt i utvecklingsprocessen för ett verktyg. Baserat på resultaten i dessa studie så diskuterades åtgärder som kan bidra till ökad användbarhet. De rekommenderade åtgärderna är: 1) Inkludera alla typer av roller i ISRB-processen för att bestämma syftet med verktyget och vad det ska stödja. 2) Implementera tydlig guidande information i alla delar av verktyget, alla personer som är involverade i ISRB-processen ska kunna förstå och använda verktyget. 3) Ha ett intuitivt flöde genom alla delar i verktyget, användaren bör intuitivt alltid veta vad nästa steg är och vad de kan förvänta sig. 4) Har en sökfunktion som stöder alla aspekter i verktyget Computer and Information Sciences Data- och informationsvetenskap
10	Dynamic Risk Management in Information Security : A socio-technical approach to mitigate cyber threats in the financial sector / Dynamisk riskhantering inom informationssäkerhet : Ett sociotekniskt tillvägagångssätt för att hantera cyberhot i den finansiella sektorn Lundberg, Johan January 2020 (has links) In the last decade, a new wave of socio-technical cyber threats has emerged that is targeting both the technical and social vulnerabilities of organizations and requires fast and efficient threat mitigations. Yet, it is still common that financial organizations rely on yearly reviewed risk management methodologies that are slow and static to mitigate the ever-changing cyber threats. The purpose of this research is to explore the field of Dynamic Risk Management in Information Security from a socio-technical perspective in order to mitigate both types of threats faster and dynamically to better suit the connected world we live in today. In this study, the Design Science Research methodology was utilized to create a Dynamic Information Security Risk Management model based on functionality requirements collected through interviews with professionals in the financial sector and structured literature studies. Finally, the constructed dynamic model was then evaluated in terms of its functionality and usability. The results of the evaluation showed that the finalized dynamic risk management model has great potential to mitigate both social and technical cyber threats in a dynamic fashion. / Under senaste decenniet har en ny våg av sociotekniska cyberhot uppkommit som är riktade både mot de sociala och tekniska sårbarheterna hos organisationer. Dessa hot kräver snabba och effektiva hotreduceringar, dock är det fortfarande vanligt att finansiella organisationer förlitar sig på årligen granskade riskhanteringsmetoder som både är långsamma och statiska för att mildra de ständigt föränderliga cyberhoten. Syftet med denna forskning är att undersöka området för dynamisk riskhantering inom informationssäkerhet ur ett sociotekniskt perspektiv, med målsättningen att snabbare och dynamiskt kunna mildra bägge typerna av hot för att bättre passa dagens uppkopplade värld. I studien användes Design Science Research för att skapa en dynamisk riskhanteringsmodell med syfte att hantera sociotekniska cyberhot mot informationssäkerheten. Riskhanteringsmodellen är baserad på funktionskrav insamlade genom intervjuer med yrkesverksamma inom finanssektorn, samt strukturerade litteraturstudier. Avslutningsvis utvärderades den konstruerade dynamiska modellen avseende dess funktionalitet och användbarhet. Resultaten av utvärderingen påvisade att den slutgiltiga dynamiska riskhanteringsmodellen har en stor potential att mitigera både sociala och tekniska cyberhot på ett dynamiskt sätt. DISRMM Dynamic Risk Management Adaptive Risk Management Socio-Technical Sociotechnical Social Triggers Technical Triggers Information Security Usability SEO Search Engine Optimization SEAREvasion SEAR Evasion Approach Dynamic Risk Management Socio-technical Threats Risk Management Finance Technical Risk Management Finance Social Risk Management Finance Socio-technical Model Design Science Research. Dynamisk Riskhantering Informationssäkerhet Finans Finansiell Organisation Dynamisk Informationssäkerhet Sociotekniska Cyberhot Riskhantering. Information Systems

Search results