Information Security on the Web and App Platforms : An Economic and Socio-Behavioral Perspective

Chia, Pern Hui

January 2012

Various security measures are ineffective having been designed without adequate usability and economic considerations. The primary objective of this thesis is to add an economic and socio-behavioral perspective to the traditional computer science research in information security. The resulting research is interdisciplinary, and the papers combine different approaches, ranging from analytic modeling to empirical measurements and user studies. Contributing to the fields of usable security and security economics, this thesis fulfills three motivations. First, it provides a realistic game theoretical model for analyzing the dynamics of attack and defense on the Web. Adapted from the classical Colonel Blotto games, our Colonel Blotto Phishing model captures the asymmetric conflict (resource, information, action) between a resource-constrained attacker and a defender. It also factors in the practical scenario where the attacker creates large numbers of phishing websites (endogenous dimensionality), while the defender reactively detects and strives to take them down promptly. Second, the thesis challenges the conventional view that users are always the weakest link or liability in security. It explores the feasibility of leveraging inputs from expert and ordinary users for improving information security. While several potential challenges are identified, we find that community inputs are more comprehensive and relevant than automated assessments. This does not imply that users should be made liable to protect themselves; it demonstrates the potentials of community efforts in complementing conventional security measures. We further analyze the contribution characteristics of serious and casual security volunteers, and suggest ways for improvement. Third, following the rise of third party applications (apps), the thesis explores the security and privacy risks and challenges with both centralized and decentralized app control models. Centralized app control can lead to the risk of central judgment and the risk of habituation, while the increasingly widespread decentralized user-consent permission model also suffers from the lack of effective risk signaling. We find the tendency of popular apps requesting more permissions than average. Compound with the absence of alternative risk signals, users will habitually click through the permission request dialogs. In addition, we find the free apps, apps with mature content, and apps with names mimicking the popular ones, request more permissions than typical. These indicate possible attempts to trick the users into compromising their privacy.

Information Security

Security Economics

Usable Security

Informationssäkerhet : en undersökning om säkerhetsarbetet bland företag i Dals-Ed

Bengtsson, Jenny, Olsson, Jenny

January 2003

No description available.

Informationssäkerhet

Datasäkerhet

Säkerhetspolicy

Information security management

Säkerhetslösningar

Secret sharing using artificial neural network

Alkharobi, Talal M.

15 November 2004

Secret sharing is a fundamental notion for secure cryptographic design. In a secret sharing scheme, a set of participants shares a secret among them such that only pre-specified subsets of these shares can get together to recover the secret. This dissertation introduces a neural network approach to solve the problem of secret sharing for any given access structure. Other approaches have been used to solve this problem. However, the yet known approaches result in exponential increase in the amount of data that every participant need to keep. This amount is measured by the secret sharing scheme information rate. This work is intended to solve the problem with better information rate.

Secret sharing

artificial neural network

information security

Linking Information Security Awareness to Information Security Management Strategy.A Study in an IT Company

Spandonidis, Bladimiros

January 2015

There is a great concern when it comes to the investigation of the parameters that affect the formulation of an information security management strategy in an organization. Amongst others, information security awareness is of great interest, mainly because it links the implementation of the information security policies to the consciousness and the psychology of the employees of an organization. State it otherwise, the information security awareness positively beholds the role of a bridge so as to help the IS managers to evaluate the level that the critical information of the organization are secured, and it offers to IS managers opportunities to develop suitable training programs and information security policies for all the employees of an organization. In the current thesis, we focused on the investigation of the factors that influence the behavior of the employees in order to accept any information security policy of the organization and to adopt information security awareness.The psychology of security and technology (POST™) framework (Layton, 2005) together with a PEST (Political, Economic, Social, Technology) analysis guide the investigation and offer the theoretical background for the conduction of a study in an IT Company. A qualitative research has been conducted and semi-structured interviews helped for the collection of the desired data. Also a thematic analysis and the use of a generic approach (Lichtman, 2013) helped for the analysis of the data. The final results gave the ability to identify in practice the employees’ information security awareness adoption level, to link the measurement findings to the development of an information security management strategy and to refine the POST™ framework for its greater advance.

Information security awareness

information security policies

compliance

psychology

security

measurement

information security training programs

POST™ framework

PEST analysis.

Factors determining e-government security

Razzaqi, Hasan Ali

January 2013

E-Government security is a major area of concern that has the potential to affect the success of e-Government services across the world. Much of the literature has addressed this phenomenon by applying principles of computer science or engineering which tend to be objective. User concern of e-Government service security has not been addressed applying social science principles or management that tend to be subjective and have not been addressed in the literature. Objective research outcomes are unfortunately not suitable to address subjective factors. Further, user centric approach has not been adopted in most of the empirical studies that have dealt with e-Government security leading to lack of an understanding of how users perceive or feel or comprehend about e-Government services, particularly e-Government service security. Most of the research efforts addressing e-Government security have focused on either technological issues or engineering issues neglecting user perceptions and behavioural aspects. This disadvantage has led to possible reduction in the up-take of e-Government services. There was a need to have an in-depth understanding of user centric e-Government security and user centric factors that affect it as its antecedents addressing which it is possible to enhance user confidence in e-Government and hence its success. This research has addressed this partially. While addressing the concerns raised above, this research has defined and identified certain user centric factors that are required to examine the user centric nature of e-Government service security from the management and social sciences perspective. E-Government literature was critically reviewed to determine the user centric factors and their relationship to user centric e-Government security with the help of theories, models, concepts and frameworks that have not been applied so far. Contextual factors have been identified as important user centric ones that affect user centric e-Government security with e-Government technology chosen as the main contextual determinant of user centric e-Government security. User trust and user felt risk in using e-Government services were brought in as mediators of this relationship due to the prime importance these two user centric factors carry with regard to affecting the relationship between technology and user centric e-Government security. In addition demographic factors and culture (nationality) as a factor were applied to test their influence on the relationship between user trust and user centric e-Government security mediated by user felt risk to find whether they have any impact. Moderators (Human Computer Interaction (HCI), user privacy and web design quality) of this relationship were added to the investigation as literature showed that e-Government technology could not operate in isolation. Finally empirical outcomes of testing the above relationships were practically tested by examining the influence of perceived ease of use and usefulness on the relationship between user trust and user centric e-Government security mediated by user felt risk to find whether technology impacted users in reality. Theoretical framework was drawn from the literature review leading to a conceptual model that was used to answer the research question. 12 hypotheses were tested in all. The research was conducted in the Kingdom of Bahrain which ranks high in the implementation of e-Government (e.g. 14th ranked in the world in implementing e-participation in 2014 ranked by UN). The country offered a fertile ground for conducting research as the e-Government service provided were updated technologically constantly with the latest technological advancement cloud computing introduced in e-Government service provision. Most government services were offered now through e-Government services. The population was cosmopolitan and education levels of the users of e-Government were reasonably high providing a strong basis for conducting this research. Quantitative research method and survey questionnaire strategy were used. Users of e-Government services were the target population. Sampling procedure yielded 309 valid responses. Rigourous statistical analysis provided the findings. Except for 2 hypotheses the remaining were verified and established. Technology was found to determine user centric e-Government security with the mediation by trust being stronger than risk. HCI and web design quality moderated the relationship between technology and user centric e-Government security significantly. User education and experience were found to influence user trust and user centric e-Government security. User privacy and nationality were not found to be statistically significant. Perceived ease of use and usefulness of the technology were found to influence e-Government security mediated by trust and risk. This research was perhaps one of the first to have been conducted in a context where e-Government technology used cloud computing. The research contributed to the growing body of knowledge in the field of e-Government security that has viewed this phenomenon from the lens of social sciences and management. Theoretical contribution showed how the operationalization and relationship amongst the factors could be explained by expanding the application of theories including socio-technical, behavioural, managerial, technology adoption, organiational and HCI. Practical implications showed the usefulness of this research to users, service providers and policy makers involved with e-Government services. Methodologically this research has introduced a verification stage by which it has verified the theoretical results using practical outcomes.

352.3

Řízení a kontrola bezpečnosti serverů a koncových zařízení v kontextu informační bezpečnosti (DEVSEC) / Management and Control of Servers and User Devices in the Context of Information Security

Jech, Vladimír

January 2011

Securing user devices and servers requires a complex approach which includes not only the configuration of the device itself but also many other factors. The goal of this thesis is to present principles of a new guideline aimed at security and management of user devices and servers in the context of information security. The first part of this paper is devoted to the analysis of existing industry standards, frameworks, guidelines, and other collections of best practice commonly used in the management of informatics and information and IT security. The analysis is complemented with a field research conducted among forefront specialists. Based on the analysis and research, a new methodic concept for the management and control of user devices and servers security called DEVSEC is described in the next part. The concept is constructed with emphasis on security requirements, security measures, processes, resources and the overall security assurance process. The last part of the paper provides results of the final research aimed at testing the concept in the envitonment of one financial firm and also results of another field research among security specialists. The DEVSEC contributes to the theory of management of informatics as well as to its practice. The concept represents a complex approach to the management and control of security of servers and user devices as well as a new guideline ready for practical utilization.

DEFY: A Deniable File System for Flash Memory

Peters, Timothy M

01 June 2014

While solutions for file system encryption can prevent an adversary from determining the contents of files, in situations where a user wishes to hide even the existence of data, encryption alone is not enough. Indeed, encryption may draw attention to those files, as they most likely contain information the user wishes to keep secret, and coercion can be a very strong motivator for the owner of an encrypted file system to surrender their secret key. Herein we present DEFY, a deniable file system designed to work exclusively with solid-state drives, particularly those found in mobile devices. Solid-state drives have unique properties that render previous deniable file system designs impractical or insecure. Further, DEFY provides features not offered by any single prior work, including: support for multiple layers of deniability, authenticated encryption, and an ability to quickly and securely delete data from the device. We have implemented a prototype based on the YAFFS and WhisperYaffs file systems. An evaluation shows DEFY performs comparatively with WhisperYaffs.

YAFFS

Cryptography

Databases and Information Systems

Information Security

Detecting The Intensity of Denial-of-Service Cyber Attacks using Supervised Machine Learning

Hubbard, Abigail

01 May 2022

Denial-of-Service (DoS) attacks are aimed at shutting a machine or network down to block users from accessing it. These attacks can be difficult to detect and can cost millions in damages or lost earnings. Since the first DoS attack occurred in 1999, the way DoS attacks have been launched has become more complicated, making them more elusive and harder to detect. The first step to detect and mitigate a DoS attack is for a system to identify the malicious traffic. In this experiment, we aim to identify the malicious traffic within ten seconds. To do this the project was divided into 3 phases: data collection, feature extraction and construction of classification. The first phase was to collect malicious and legitimate data using Wireshark. The second phase of the project was to convert the PCAP files into features that are meaningful and easy to read. The third phase of the project is the construction of classification models. We used the Naïve Bayes and decision tree classification models to identify malicious traffic data and differentiate it from legitimate traffic data. This approach yielded an 𝐹1 score average of 92% in detecting DoS attacks and an 𝐹1 𝑠𝑐𝑜𝑟𝑒 accuracy range of 37% to 71% to accurately determine the intensity of the DoS attack, a reasonable accuracy for this problem. These results show that it is possible to not only detect DoS attacks, but also, to determine the intensity of such attacks with a reasonable accuracy.

Computer Sciences

Information Security

Other Computer Sciences

Enhancing the governance of information security in developing countries : the case of Zanzibar

Shaaban, Hussein Khamis

January 2014

Organisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area.

005.8

Strategic framework to minimise information security risks in the UAE

Alkaabi, Ahmed

January 2014

The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to security measure undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information including passwords of online accounts can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study on 3 main Gulf Cooperation Council (GCC) countries, namely, Saudi Arabia (KSA), United Arab Emirates (UAE) and Oman, showing that there is similar a significant level of sensitive information sharing among employees in the region. This is proven to highly contribute to compromising user digital authentication, eventually, putting users’ accounts at risk. The research continued by carrying out a comparison between the United Kingdom (UK) and the Gulf Cooperation Council (GCC) countries in terms of attitudes and behaviour towards information sharing. It was evident that there is a significant difference between GCC Arab culture and the UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts, which may lead potential threats to the authentication mechanism and consequently to other digital accounts that require a credential pass. It was shown that the lack of awareness and the cultural impact are the main issues for sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures of reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. The found out that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best defence to cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies of the United Kingdom (UK), the United States (U.S.) and Australia (AUS) in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness to reduce information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends. Rather, computer users should be educated about the risks of such behaviour in order to realise and change. As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed a basis for the information security education framework also proposed in this work.

005.8