371. Design and implementation of a framework for security metrics creation / Konstruktion och användning av ett ramverk för säkerhetsmetriker
Lundholm, Kristoffer, January 2009
Measuring information security is the key to unlocking the knowledge of how secure information systems really are. In order to perform these measurements, security metrics can be used. Since all systems and organizations are different, there is no single set of metrics that is generally applicable. In order to help organizations create metrics, this thesis will present a metrics creation framework providing a structured way of creating the necessary metrics for any information system. The framework takes a high level information security goal as input, and transforms it to metrics using decomposition of goals that are then inserted into a template. The thesis also presents a set of metrics based on a minimum level of information security produced by the Swedish emergency management agency. This set of metrics can be used to show compliance with the minimum level or as a base when a more extensive metrics program is created.

372. Identifying Factors Contributing Towards Information Security Maturity in an Organization
Edwards, Madhuri M., 01 January 2018
Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives; security systems, processes, and tasks integrated with business-enabled IT systems; a security-enabled organizational culture and decision making; and measurement and continuous improvement of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of the security team, security consciousness in employees, and security leadership. These capability areas lead to technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are the primary capability domains for achieving maturity of information security capability in an organization. Many factors influence the capability areas and the capability domains for achieving information security capability maturity. However, little existing research has identified the factors that contribute to achieving the highest level of information security capability maturity (optimized) in an organization. This research was designed to address this gap by identifying the factors contributing to the capability areas for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct.
This research was designed to collect data on all the factors using an online structured questionnaire and to analyze the reliability and validity of the initial structural construct using principal components analysis (PCA), Cronbach's alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected on the factors to obtain an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model, after completing the four phases, reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of the security team, security-conscious employees, and security leadership, together with the most significant factors loading on the three capability domains of security technology trustworthiness, security integration, and security guardianship. All eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancement and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications.
Information security maturity is concluded to be a complex function of multiple maturity programs in an organization, leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and a risk-aware culture among employees.

373. The Current State of DDoS Defense
Nilsson, Sebastian, January 2014
A DDoS attack is an attempt to bring down a machine connected to the Internet. This is done by having multiple computers repeatedly send requests that tie up a server, making it unable to answer legitimate requests. According to security experts, DDoS attacks are currently one of the biggest security threats on the Internet. We used qualitative interviews with IT security experts to gather data for our research. We found that most companies are lacking both in knowledge of and in protection against DDoS attacks. The best way to minimize this threat would be to build a system with redundancy, perform a risk analysis and revise security policies. Most of the technologies reviewed were found ineffective because of the massive amount of data that amplification attacks can generate. Ingress filtering showed promising results in preventing DDoS attacks by blocking packets with spoofed IP addresses, thus preventing amplification attacks.

374. Information Hiding : Steganografic Content in Streaming Media
Bayer, Peter, Widenfors, Henrik, January 2002
For a long time, information hiding has focused on carriers like images and audio files. A problem with these carriers is that they do not support hiding in new types of network-based services. Nowadays, these services often arise as a consequence of the increasing demand for higher connection speeds to the Internet. By introducing streaming media as a carrier of hidden information, hiding in new network-based services is supported. The main purposes of this thesis are to investigate how information can be hidden in streaming media and how it measures up compared to images and audio files. In order to evaluate the approach, we have developed a prototype and used it as a proof of concept. This prototype hides information in some of the TCP/IP header fields and is also used to collect experimental data. As a reference, measurements have been collected from other available carriers of hidden information. In some cases, the results of these experiments show that the TCP/IP header is a good carrier of information. Its performance is outstanding and well suited for hiding information quickly. The tests showed, however, that its capacity is slightly worse.

375. Information Security in Home Healthcare
Åhlfeldt, Rose-Mharie, January 2001
Healthcare is very information-intensive. Hence, it has become necessary to use computer support in order to improve the efficiency of such an information-intensive organisation. This thesis points out deficiencies in the area of information security in home healthcare regarding personal integrity and secrecy. In Sweden, home healthcare is performed by the municipalities. The work is based on the recommendations and common advice for the processing of personal data compiled by the Data Inspection Board. Two municipalities in the Västra Götaland Region have been investigated. One of the municipalities has a manual system and the other has a computerized system for personal data management. The work includes a field study in which persons from both municipalities have been observed. It also includes interviews based on the comprehensive questions from the Data Inspection Board and on questions arising from the observations. The work shows a very clear need for training among personnel involved in home healthcare. It also shows the need for elaborate security measures, including levels of access profiles. A weak point concerning security is also the heavy use of facsimile transmission for information distribution.

376. En undersökning kring informationssäkerhet i datalager : En litteratur- och fältstudie (A study of information security in data warehouses: a literature and field study)
Crnic, Enes, January 2010
Ever harder competition has made it all the more important that decision makers in a company make fast and correct decisions. To improve and streamline decision making, and at the same time gain advantages over market competitors, decision makers can use a data warehouse. Through the enormous amounts of data collected from a large number of different systems, a data warehouse can generate great advantages for a company. This holds, however, only on the condition that the data warehouse is protected in a suitable way. The purpose of this study is to investigate which protective measures are suitable for achieving and maintaining a secure data warehouse. To answer the research question, a literature study and two interviews with companies that use data warehouses were conducted. The result of the theoretical investigation shows that four administrative and five logical protective measures are suitable for achieving and maintaining good information security in a data warehouse. The empirical investigation confirms this, though with some exceptions.

377. A lens towards reality : A comparison between theory and reality regarding employees' IT-risk awareness at B2B-companies
Hörndahl, Magda, Dervisevic, Sebila, January 2015
The development of IT resources has today reached a level at which companies, especially B2B companies, depend on the use of IT resources to a considerable degree. This means that a large amount of important data is used on a daily basis, and this data becomes an important factor that can help a company succeed or lead it the other way. IT-risk planning therefore becomes an important factor in steering the company in the right direction. Nevertheless, the amount of time spent on IT-risk planning today is quite high because of the development of IT resources. Still, some human factors continually get forgotten that could make this IT-risk planning even more sound. The underlying reasons why B2B companies slow down their processes when handling a crisis vary widely, and there is no real consensus on what the main reasons are. For this reason we have set out to study the most important factor within every business, the human factor, i.e. the employees of the business. This study thus treats the subject of B2B employees' information security awareness. The work investigates whether B2B companies follow the information security frameworks that have been developed in the area of information security awareness. The aim is to summarize existing theory, build an understanding of the key elements that are needed for an operative business, and see whether these key elements can be recognized within B2B companies. To investigate this area, an empirical study was designed and conducted with six different B2B companies. The primary data consists of semi-structured interviews with employees at both Swedish and European B2B companies. The theory comes from published materials and previous studies on IT risks and employee awareness. Comparing theory with the empirical findings gives answers about B2B employees' information security awareness and what can be improved.
From the research findings it was concluded that some key elements have been developed on how to improve IT-risk awareness. It was also empirically shown that B2B employees lack knowledge about how to handle IT risks, and that the majority of the key elements in the information security frameworks have not been adopted in the interviewed B2B companies.

378. Analysis of information classification best practices
Mikkelinen, Nicklas, January 2015
Information security, information management systems and, more specifically, information classification are important parts of an organisation's information security. More and more information is being processed each day, and it needs to be secured. Without proper information classification guidelines in place, and with little research within the subject, organisations could be vulnerable to attacks from third parties. This project presents a list of best practices found in information classification guidelines published online by different organisations. Out of 100 reviewed documents, 30 included information classification guidelines, which, when analysed with a thematic analysis, yield best practices within information classification.

379. Kommuner i interorganisatorisk samverkan : Att säkert och effektivt styra informationssäkerhetsarbete / Municipalities in interorganizational cooperation : Effective and efficient information security governance
Donnerin, Oscar, Mouwafi, Adham, January 2015
Cooperation between municipalities has been a topical question for Swedish authorities for a long time. More specifically, a clear increase has been identified since the Local Government Act (kommunallagen) came into force in 1991 and this form of cooperation proved to meet real political needs in a positive way. At the same time, public organizations have over the last 15 years moved from advocating the protection of information to becoming more open and exchanging information across organizational boundaries. This qualitative case study examines information security in an interorganizational cooperation between Swedish municipalities. The theories treated in the thesis are information security, information security governance and cooperation. The aim of the study is to examine the challenges of governing information security work in an interorganizational cooperation between Swedish municipalities. We thus intend to contribute to research partly by refining existing theories on the separate subject areas, but also by developing theory where these subjects meet. We also aim to contribute to practice by generating valuable knowledge for the studied organizations and by generalizing the result to similar organizations. The result shows that we have identified a number of central challenges, some of which are harder to handle than others. One central challenge is that political self-government is clearly articulated, which sets limits on what is possible to realize jointly. We can also conclude that resources and priorities are affected by this. We have presented a number of proposals regarding needs that can be taken into account, both internally in the municipalities and jointly across municipal boundaries. Our recommendation to the municipalities is to take a step back regarding cooperation, since they are at such different levels that they may find it hard to create a common ground. The municipalities should also focus on their internal operations and raise security awareness in order to become more ready to enter into a cooperation.
Once this is fulfilled, they can begin to focus on adopting principles and other joint activities such as training. This moves information security work from being reactive to becoming more proactive. This is something that we believe both public and private organizations should strive for, and that researchers should also take into account.

380. Informationsläckage : Orsaker, hantering och påverkan av informationsläckage enligt enskilda individer på organisationer inom den privata samt offentliga sektorn (Information leakage: causes, handling and impact of information leakage according to individuals at organizations in the private and public sectors)
Gajek, Arneo, Bard Forsberg, Amanda, January 2015
Information is one of the most important resources an organization can have in today's society. Because of the large amount of information that flows within an organization, information has become an increasingly difficult resource to protect. Leakage of classified information has therefore become a common problem and can lead to devastating consequences for organizations. Information leakage can be handled by, and can affect, organizations in different ways, and in this study we examine whether there is any difference in how the organizations we interviewed in the public and the private sectors handle and are affected by information leakage. The study also examines what individuals within the organizations who are in some way connected to information security believe is the reason why someone chooses to breach information security and leak information. A qualitative study has been made of six different organizations in the municipality of Ljungby, where we interviewed 11 people with some connection to information security, with a focus on confidentiality agreements. According to the results, all informants are aware of the problem of information leakage and largely agree on how the organizations they work for would be affected by an information leak and how it would be handled. The informants who could answer how they believed the organizations could be affected said that the organizations' reputation and trust could be damaged over time. According to the informants there are also similarities in how the organizations handle information leakage, where five of six informants at private-sector organizations and three of five informants at public-sector organizations work with some type of contract/action plan. 10 of 11 informants believe that leaking information is an unconscious choice and that it mostly happens as a result of mistakes and carelessness.