Perception of employees concerning information security policy compliance : case studies of a European and South African university

Lububu, Steven

January 2018

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to the lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for its sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services are secured, which they do through enforcement and compliance of policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case study approach to understand the meaningful characteristics of the actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews, with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university’s policies, and both departments manage and keep confidential university information (Human Resources transects and keeps employees’ information, whilst the Administrative office manages students’ records). This study used structuration theory as a lens to view and interpret the data. The qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case study’s universities. The documentation was then further used to support the data from the interviews. The findings revealed some factors that influence non-compliance with regards to information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficiency of infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences on an institution, such as the loss of the institution’s credibility or the institution’s closure. Recommendations for further study are also made available.

Computer security

Computer networks -- Security measures

Data protection

Dynamic capabilities and strategic management : explicating the multi-level nature of dynamic capabilities : insights from the information technology security consulting industry

Akpobi, Tega Cosmos

January 2017

The dynamic capabilities perspective has become one of the most vibrant approaches to strategic management. Despite its growing popularity, it has faced criticism because of ambiguity and contradictions in dynamic capabilities literature. There has been increasing calls to address the fragmentation in the literature and provide empirically collaborated insights if it is to fulfil its potential as a distinct approach to strategic management. The microfoundations research agenda remains an emerging theme in the dynamic capabilities literature and since the overarching emphasis of a microfoundational approach is in the explanatory primacy of the micro-level especially in its relation to macro-level entities, it covers a wide array of subjects at several levels. One of the main criticisms of the microfoundations approach is a lack of multi-level analysis and there has been calls for multi-level theory development to connect levels within particular contexts since dynamic capabilities are path dependent and context-specific. This thesis explores the multi-level nature of dynamic capabilities in the Information Technology Security context and empirically investigates the impact of microfoundations of dynamic capabilities on firm capability renewal and reconfiguration. It overcomes the challenge associated with fragmentation in dynamic capabilities by presenting a conceptual model for the multi-level nature of dynamic capabilities. By explicating where dynamic capabilities reside, we can more purposely impact on them to advance our scholarly understanding and proffer practical managerial interventions to directly enhance specific abilities of sensing, seizing and reconfiguring to achieve superior outcomes. The research employed the Gioia qualitative case study research methodology and research methods used were 35 semi-structured interviews and observations. The research findings suggest that firms renew and reconfigure their capabilities to align with the changing industry and industry standards, and client needs. Firms also renew and reconfigure capabilities and capability framework due to internal strategic organisational learning and to align with firm’s specific business strategies. Capability renewal and reconfiguration is vital to achieve technical and evolutionary fitness. In addition, findings inform that dynamic capabilities in the form of ability to sense, seize and reconfigure exhibit at macro, meso and micro levels. Actor’s external engagement with significant institutions enables superior sensing ability. Accumulated experience is exploited to gain credibility with clients to win business, and demystifying firm processes and clarity of language in firm artefacts achieve superior knowledge articulation and codification processes by actors. Structuring of simple routines and capabilities enable ease of internal knowledge transfer but susceptibility to intellectual property theft by outsiders whereas complex routines and capabilities create challenges for knowledge transfer but are harder for competitors to discern and copy. Drawing on the research findings, the thesis presents a conceptual model for the multi-level microfoundations of dynamic capabilities in knowledge-intensive domains with relevance for theory and practice.

Cloud information security : a higher education perspective

Van der Schyff, Karl Izak

January 2014

In recent years higher education institutions have come under increasing financial pressure. This has not only prompted universities to investigate more cost effective means of delivering course content and maintaining research output, but also to investigate the administrative functions that accompany them. As such, many South African universities have either adopted or are in the process of adopting some form of cloud computing given the recent drop in bandwidth costs. However, this adoption process has raised concerns about the security of cloud-based information and this has, in some cases, had a negative impact on the adoption process. In an effort to study these concerns many researchers have employed a positivist approach with little, if any, focus on the operational context of these universities. Moreover, there has been very little research, specifically within the South African context. This study addresses some of these concerns by investigating the threats and security incident response life cycle within a higher education cloud. This was done by initially conducting a small scale survey and a detailed thematic analysis of twelve interviews from three South African universities. The identified themes and their corresponding analyses and interpretation contribute on both a practical and theoretical level with the practical contributions relating to a set of security driven criteria for selecting cloud providers as well as recommendations for universities who have or are in the process of adopting cloud computing. Theoretically several conceptual frameworks are offered allowing the researcher to convey his understanding of how the aforementioned practical concepts relate to each other as well as the concepts that constitute the research questions of this study.

Cloud computing -- Security measures

Data protection

Internet in higher education

A methodology for measuring and monitoring IT risk

Tansley, Natalie Vanessa

January 2007

The primary objective of the research is to develop a methodology for monitoring and measuring IT risks, strictly focusing on internal controls. The research delivers a methodology whereby an organization can measure its system of internal controls, providing assurance that the risks are at an acceptable level. To achieve the primary objective a number of secondary objectives were addressed: What are the drivers forcing organizations to better corporate governance in managing risk? What is IT risk management, specifically focusing on operational risk. What is internal control and specifically focusing on COSO’s internal control process. Investigation of measurement methods, such as, Balance Scorecards, Critical Success Factors, Maturity Models, Key Performance Indicators and Key Goal Indicators. Investigation of various frameworks such as CobiT, COSO and ISO 17799, ITIL and BS 7799 as to how they manage IT risk relating to internal control.

Information resources management

Towards a framework to ensure alignment among information security professionals, ICT security auditors and regulatory officials in implementing information security in South Africa

Basani, Mandla

02 1900

Information security in the form of IT governance is part of corporate governance. Corporate governance requires that structures and processes are in place with appropriate checks and balances to enable directors to discharge their responsibilities. Accordingly, information security must be treated in the same way as all the other components of corporate governance. This includes making information security a core part of executive and board responsibilities. Critically, corporate governance requires proper checks and balances to be established in an organisation; consequently, these must be in place for all information security implementations. In order to achieve this, it is important to have the involvement of three key role players, namely information security professionals, ICT security auditors and regulatory officials (from now on these will be referred to collectively as the ‘role players’). These three role players must ensure that any information security controls implemented are properly checked and evaluated against the organisation’s strategic objectives and regulatory requirements. While maintaining their individual independence, the three role players must work together to achieve their individual goals with a view to, as a collective, contributing positively to the overall information security of an organisation. Working together requires that each role player must clearly understand its individual role, as well the role of the other players at different points in an information security programme. In a nutshell, the role players must be aligned such that their involvement will deliver maximum value to the organisation. This alignment must be based on a common framework which is understood and accepted by all three role players. This study proposes a South African Information Security Alignment (SAISA) framework to ensure the alignment of the role players in the implementation and evaluation of information security controls. The structure of the SAISA framework is based on that of the COBIT 4.1 (Control Objectives for Information and Related Technology). Hence, the SAISA framework comprises four domains, namely, Plan and Organise Information Security (PO-IS), Acquire and Implement Information Security (AI-IS), Deliver and Support Information Security (DS-IS) and Monitor and Evaluate Information Security (ME-IS). The SAISA framework brings together the three role players with a view to assisting them to understand their respective roles, as well as those of the other role players, as they implement and evaluate information security controls. The framework is intended to improve cooperation among the role players by ensuring that they view each other as partners in this process. Through the life cycle structure it adopts, the SAISA framework provides an effective and efficient tool for rolling out an information security programme in an organisation / Computer Science / M. Sc. (Computer Science)

Information security professionals,

ICT security auditors,

Regulatory officials

Framework

Role players

Information security programme

Corporate governance

IT governance

COBIT

005.80968

The governance of significant enterprise mobility security risks

Brand, Johanna Catherina

12 1900

Thesis (MComm)--Stellenbosch University, 2013. / ENGLISH ABSTRACT: Enterprise mobility is emerging as a megatrend in the business world. Numerous risks originate from using mobile devices for business-related tasks and most of these risks pose a significant security threat to organisations’ information. Organisations should therefore apply due care during the process of governing the significant enterprise mobility security risks to ensure an effective process to mitigate the impact of these risks. Information technology (IT) governance frameworks, -models and -standards can provide guidance during this governance process to address enterprise mobility security risks on a strategic level. Due to the existence of the IT gap these risks are not effectively governed on an operational level as the IT governance frameworks, -models and -standards do not provide enough practical guidance to govern these risks on a technical, operational level. This study provides organisations with practical, implementable guidance to apply during the process of governing these risks in order to address enterprise mobility security risks in an effective manner on both a strategic and an operational level. The guidance given to organisations by the IT governance frameworks, -models and -standards can, however, lead to the governance process being inefficient and costly. This study therefore provides an efficient and cost-effective solution, in the form of a short list of best practices, for the governance of enterprise mobility security risks on both a strategic and an operational level. / AFRIKAANSE OPSOMMING: Ondernemingsmobiliteit kom deesdae as ‘n megatendens in die besigheidswêreld te voorskyn. Talle risiko's ontstaan as gevolg van die gebruik van mobiele toestelle vir sake-verwante take en meeste van hierdie risiko's hou 'n beduidende sekuriteitsbedreiging vir organisasies se inligting in. Organisasies moet dus tydens die risikobestuursproses van wesenlike mobiliteit sekuriteitsrisiko’s die nodige sorg toepas om ‘n doeltreffende proses te verseker ten einde die impak van hierdie risiko’s te beperk. Informasie tegnologie (IT)- risikobestuurraamwerke, -modelle en -standaarde kan op ‘n strategiese vlak leiding gee tydens die risikobestuursproses waarin mobiliteit sekuriteitsrisiko’s aangespreek word. As gevolg van die IT-gaping wat bestaan, word hierdie risiko’s nie effektief op ‘n operasionele vlak bestuur nie aangesien die ITrisikobestuurraamwerke, -modelle en -standaarde nie die nodige praktiese leiding gee om hierdie risiko’s op ‘n tegniese, operasionele vlak te bestuur nie. Om te verseker dat organisasies mobiliteit sekuriteitsrisiko’s op ‘n effektiewe manier op beide ‘n strategiese en operasionele vlak bestuur, verskaf hierdie studie praktiese, implementeerbare leiding aan organisasies wat tydens die bestuursproses van hierdie risiko’s toegepas kan word. Die leiding aan organisasies, soos verskaf in die IT-risikobestuurraamwerke, - modelle en -standaarde, kan egter tot’n ondoeltreffende en duur risikobestuursproses lei. Hierdie studie bied dus 'n doeltreffende, koste-effektiewe oplossing, in die vorm van 'n kort lys van beste praktyke, vir die bestuur van die mobiliteit sekuriteitsrisiko’s op beide 'n strategiese en 'n operasionele vlak.

Dissertations -- Accountancy

Theses -- Accountancy

Dissertations -- Computer auditing

Theses -- Computer auditing

Computer security -- Management

Mobile computing -- Security measures

Defining the Information Security Posture: An Empirical Examination of Structure, Integration, and Managerial Effectiveness

Young, Randall Frederick

08 1900

The discipline of information security management is still in its infancy as evidenced by the lack of empirical scholarly work in this area. Most research within the information security domain focuses on specific technologies and algorithms and how it impacts the principles of confidentiality, integrity, and availability. But, an important area receiving little attention is the antecedents of effective information security management at the organizational level (Stanton, Guzman, Stam & Caldera, 2003). The little empirical research that has been conducted in this area has shown that information security management in many organizations is poor (Baskerville, 1993; Shimeall & McDermott, 1999). Several researchers have identified the need for methods to measure the organization-wide information security posture of organizations (Eloff & Von Solms, 2000; James, 1996). This dissertation attempts to measure the organization-wide information security posture by examining benchmark variables that assess role, planning orientation, and performance structure within the organization. Through this conceptualization of an organization's information security posture, a means is presented to measure overall information security and how it impacts the effective utilization of information security strategies. The presence of the dependent variable, effectiveness, gives academics and practitioners a success measure which can guide more effective decision making in the information security domain. An additional aim of this dissertation is to empirically examine the influence of management practices and decisions on effective use of information security strategies within the organization. The issues of centralization versus decentralization of information security activities will be evaluated along with its impact on information security posture of organizations and the effectiveness of the organization's information security strategies. Data was collected from 119 IT and information security executives. Results show that how the organization structures information security activities is not correlated with more effective utilization of information security strategies. Meanwhile, the organization's information security posture is significantly correlated with more effective utilization of information security strategies. The implications of this research is discussed.

recovery

centralization

Information security

decentralization

prevention

deterrence

detection

Computer networks -- Security measures.

Computer security -- Management.

Information technology audits in South African higher education institutions

Angus, Lynne

11 September 2013

The use of technology for competitive advantage has become a necessity, not only for corporate organisations, but for higher education institutions (HEIs) as well. Consequently, corporate organisations and HEIs alike must be equipped to protect against the pervasive nature of technology. To do this, they implement controls and undergo audits to ensure these controls are implemented correctly. Although HEIs are a different kind of entity to corporate organisations, HEI information technology (IT) audits are based on the same criteria as those for corporate organisations. The primary aim of this research, therefore, was to develop a set of IT control criteria that are relevant to be tested in IT audits for South African HEIs. The research method used was the Delphi technique. Data was collected, analysed, and used as feedback on which to progress to the next round of data collection. Two lists were obtained: a list of the top IT controls relevant to be tested at any organisation, and a list of the top IT controls relevant to be tested at a South African HEI. Comparison of the two lists shows that although there are some differences in the ranking of criteria used to audit corporate organisations as opposed to HEIs, the final two lists of criteria do not differ significantly. Therefore, it was shown that the same broad IT controls are required to be tested in an IT audit for a South African HEI. However, this research suggests that the risk weighting put on particular IT controls should possibly differ for HEIs, as HEIs face differing IT risks. If further studies can be established which cater for more specific controls, then the combined effect of this study and future ones will be a valuable contribution to knowledge for IT audits in a South African higher education context.

Electronic data processing -- Auditing

Delphi method

IT infrastructure library

An integrated approach for information security compliance in a financial services organisation

Desai, Mohammed Reza

January 2016

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2016. / The aim of this research is to identify and explore the factors affecting information security compliance of information security policies and regulations, in a financial services organisation. The organisation has to comply with information security regulations and legislations by righteousness of its operations in light of the fact that any wrong doing together with misuse of data, are continually expanding. Corporate embarrassments comes about due to rupture of security, results in expanded thoughtfulness regarding corporate consistency. Legislature and policies have been set up to counter information security issues. This legislature and policies are not adequately addressing the compliance issues that arise, but are needed within organisations. Compliance targets are not met due to inconsistent guidelines that turns out to be significant in diminishing the financial position, reputation and security of information. This research further aims to explore whether employees comply with laws and regulations regarding information in an organisation. This is done in order to confirm whether governance and human factors play any significant part in compliance. The research is an exploratory study and specifically analyses the governance function and which stakeholders influence its operations in information compliance. The research investigates certain questions on organisational culture and the human factor, do influence employee’s compliance to laws and regulations. The objectives of the research are to investigate which factors, and how such factors influence compliance of information security policies and compliance with the goal of designing an integrated framework to assist in counteracting these findings. The research is underpinned by the Neo-institutional theory, Agency Theory and Rational choice theory. The Denison organisational cultural model and a framework proposed by von Solms are used as lenses to interpret the data of the research.

Computer networks -- Security measures

Computer security

Uma abordagem para a correlação de eventos de segurança baseada em tecnicas de aprendizado de maquina / An approach to the correlation of security events based upon machine learning techniques

Stroeh, Kleber

08 March 2009

Orientador: Edmundo Roberto Mauro Madeira / Dissertação (mestrado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-15T00:38:33Z (GMT). No. of bitstreams: 1 Stroeh_Kleber_M.pdf: 2516792 bytes, checksum: c036c25bc2fd2e2815780d3a5fedfde0 (MD5) Previous issue date: 2009 / Resumo: Organizações enfrentam o desafio crescente de garantir a segurança da informação junto às suas infraestruturas tecnológicas. Abordagens estáticas à segurança, como a defesa de perímetros, têm se mostrado pouco eficazes num novo cenário marcado pelo aumento da complexidade dos sistemas _ e conseqüentemente de suas vulnerabilidades - e pela evolução e automatização de ataques. Por outro lado, a detecção dinâmica de ataques por meio de IDSs (Intrusion Detection Systems) apresenta um número demasiadamente elevado de falsos positivos. Este trabalho propõe uma abordagem para coleta e normalização, e fusão e classificação de alertas de segurança. Tal abordagem envolve a coleta de alertas de diferentes fontes, e sua normalização segundo modelo de representação padronizado - IDMEF (Intrusion Detection Message Exchange Format). Os alertas normalizados são agrupados em meta-alertas (fusão ou agrupamento), os quais são classificados _ através de técnicas de aprendizado de máquina _ entre ataques e alarmes falsos. Uma implementação desta abordagem foi testada junto aos dados do desafio DARPA e Scan of the Month, contando com três implementações distintas de classificadores (SVM - Support Vector Machine -, Rede Bayesiana e Árvore de Decisão), bem como uma coletânea (ensemble) de SVM com Rede Bayesiana, atingindo resultados bastante relevantes. / Abstract: Organizations face the ever growing challenge of providing security within their IT infrastructures. Static approaches to security, such as perimetral defense, have proven less than effective in a new scenario characterized by increasingly complex systems _ and, therefore, more vulnerable - and by the evolution and automation of cyber attacks. Moreover, dynamic detection of attacks through IDSs (Instrusion Detection Systems ) presents too many false positives to be effective. This work presents an approach to collect and normalize, as well as to fuse and classify security alerts. This approach involves collecting alerts from different sources and normalizing them according to standardized structures - IDMEF (Intrusion Detection Message Exchange Format ). The normalized alerts are grouped into meta-alerts (fusion or clustering), which are later classified - through machine learning techniques _ into attacks or false alarms. An implementation of this approach is tested against DARPA Challenge and Scan of the Month, using three different classification techniques, as well as an ensemble of SVM and Bayesian Network, having achieved very relevant results. / Mestrado / Redes de Computadores / Mestre em Ciência da Computação

Inteligência artificial

Aprendizado de máquina

Computer networks - Security measures

Artificial intelligence

Machine learning