Personalising information security education

Talib, Shuhaili

January 2014

Whilst technological solutions go a long way in providing protection for users online, it has been long understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection the control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one’s electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focussed primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focussed upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training – both in their workplace and also at home – with a positive relationship between learning at the workplace and practise at home. The survey highlighted one key aspect for both the training provided and the respondents’ preference for learning styles. It varies. It is also clear, that it was difficult to establish the effectiveness of such training and the impact upon practice. The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework “Personalising Information Security Education (PISE)” is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather, puts into place the processes to enable an individual to develop their own information security personalised learning plan and to measure their progress through the learning experience.

005.8

A generalized trust model using network reliability

Mahoney, Glenn R.

10 April 2008

Economic and social activity is increasingly reflected in operations on digital objects and network-mediated interactions between digital entities. Trust is a prerequisite for many of these interactions, particularly if items of value are to be exchanged. The problem is that automated handling of trust-related concerns between distributed entities is a relatively new concept and many existing capabilities are limited or application-specific, particularly in the context of informal or ad-hoc relationships. This thesis contributes a new family of probabilistic trust metrics based on Network Reliability called the Generic Reliability Trust Model (GRTM). This approach to trust modelling is demonstrated with a new, flexible trust metric called Hop-count Limited Transitive Trust (HLTT), and is also applied to an implementation of the existing Maurer Confidence Valuation (MCV) trust metric. All metrics in the GRTM framework utilize a common probabilistic trust model which is the solution of a general reliability problem. Two generalized algorithms are presented for computing GRTM based on inclusion-exclusion and factoring. A conservative approximation heuristic is defined which leads to more practical algorithm performance. A JAVA-based implementation of these algorithms for HLTT and MCV trust metrics is used to demonstrate the impact of the approximation. An XML-based trust-graph representation and a random power-law trust graph generator is used to simulate large informal trust networks.

Computer networks -- Security measures

Internet -- Security measures

What is the situation in Finland’s and Sweden’s security policy and what are their choices with it? : Analyses of the security policy from the past years in Finland and Sweden and about their current challenges.

Uino, Siiri

January 2016

The current situation in the world has forced many states to have a look at their security policy in a more demanding way. The instability around the world has become harder to prevent and for the states to protect their citizens, which requires efficient work from the states. Therefore, this paper is going to have a look at the security policy that Finland and Sweden are performing currently, to give us understanding of their current situation. To do that, it is necessary to have a look at their backgrounds as well. The aim of this paper is to understand security policies of these countries, and how that have effected to their choices that are done today. After that, new future possible choices will be analysed based on the given information. Since the instability has also reached these two countries, we shall have look what could be their choices in improving their current policies.   Theories that will be used in this paper, are playing important role in achieving the selected aim of this paper. Throughout this paper, theories are tools for us, guiding us to focus on the arguments that are supported by these theories. These different points of views will be collected from arguments that are presented about the security policy of these countries and are supporting theories Liberalism and/or Realism. Theories are also allowing us to use our method, argument analyse, by working as a great instrument in finding arguments that are relevant for the paper. Since this paper will not aim to give any specific idea of good security policy, the focus is to look the things where Finland and Sweden could improve their policies, and/or to have a look into new possibilities. Since the world is changing rapidly, also the security policies of countries have to keep up with the new challenges.

Finland

Sweden

Security Policy

NATO

Security

Future of the U.S.-Japan security alliance [electronic resource] : foundation for a multilateral security regime in Asia? / Future of the United States-Japan security alliance

Allen, Keith W.

06 1900

The U.S.-Japan Security Alliance was the foundation of the United States' bilateral alliance system during the Cold War. The alliance suffered severe strains in the immediate aftermath of the Cold War primarily due to the loss of its primary mission, containment of Soviet expansion. The terrorist attacks of September 11, 2001 breathed new life into the alliance. Japan quickly joined in the anti-terrorism coalition, providing logistical support to U.S. forces involved in the War on Terrorism. North Korea's October 2002 admission of a covert nuclear weapons program also changed the strategic dynamic for Japan, pushing it towards "normal" nation status. Multilateralism in Asia developed a life of its own during the 1990's. Numerous multilateral organizations were created to help resolve regional security issues. China is attempting to use multilateral security forums as a means to balance against U.S. regional power. Japan also proposed developing a new multilateral security regime in the Asia-Pacific. This thesis examines issues related to the future of the U.S.-Japan Security Alliance and the possible emergence of a new multilateral security regime in the Asia-Pacific. The United States should enhance the U.S.- Japan Security and lead the way on developing a new multilateral security regime for the Asia-Pacific. / US Navy (USN) author.

Security, International

National security

Asia

Pacific Area

Supporting Password-Security Decisions with Data

Ur, Blase Eric

01 September 2016

Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers or make other decisions (e.g., reusing the same password across accounts) that harm their security. In this thesis, I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user’s candidate password. I first quantify the impact on password security and usability of showing users different passwordstrength meters that score passwords using basic heuristics. I find in a 2,931-participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords. I also examine the relationship between users’ perceptions of password security and passwords’ actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong. Finally, I integrate these insights into an open-source password-strength meter that gives users data-driven feedback about their specific password. I evaluate this meter through a ten-participant laboratory study and 4,509-participant online study.

Usable security

computer security

passwords

authentication

A new approach to dynamic internet risk analysis

18 August 2009

D.Econ.

Internet security measures

Computer network security measures

An analysis of the impact of emerging technology on organisations’ internal controls

11 September 2013

M.Comm. (Computer Auditing) / This study presents an evaluation of emerging information communication technology (ICT) solutions to the security internal control systems in South African organisations. Information systems have enabled companies to communicate more efficiently, gain competitive advantage and get a larger market share. These information systems therefore need to be protected securely as they are the vehicles and containers for critical information assets in decision-making processes. Therefore, this research study seeks to provide an overview of the emerging ICT solutions used to conduct business transactions, and share and communicate information. It identifies and analyses the new security risk associated with the emerging technology, and, finally, outlines the ICT security frameworks that can be used to identify, assess and evaluate organisations‟ security internal controls.

Computer auditing

Information security

Computer security

A Lightweight Secure Development Process for Developers / En resurseffektiv säkerhetsprocess för utvecklare

Hellström, Jesper, Moberg, Anton

January 2019

Following a secure development process when developing software can greatly increase the security of the software. Several secure development processes have been developed and are available for companies and organizations to adopt. However, the processes can be expensive and complex to adopt in terms of expertise, education, time, and other resources.In this thesis, a software service, developed by a small IT-consulting company, was tested with security tools and manual code review to find security vulnerabilities. These vulnerabilities showed that there was room for security improvement in the software development life cycle. Therefore, a lightweight secure development process that can be used by developers, is proposed. The secure development process called Lightweight Developer-Oriented Security Process (LDOSP) is based on activities from other secure development processes and the choice of these activities were based on interviews with representatives of the IT-consulting company. The interviews showed that the process would need to be lightweight, time- and cost-efficient, and possible to be performed by a developer without extensive security experience. LDOSP contains 11 activities spread across different phases of the software development life cycle and an exemplification of the process was made to simplify the adoption of LDOSP.

computer security

security

Computer Sciences

Datavetenskap (datalogi)

改革時期中國政府的社會治安管理控制手段: 公安機關重要性的提高與地方基層公安機關力量的構建. / 公安機關重要性的提高與地方基層公安機關力量的構建 / Gai ge shi qi Zhongguo zheng fu de she hui zhi an guan li kong zhi shou duan: gong an ji guan zhong yao xing de ti gao yu di fang ji ceng gong an ji guan li liang de gou jian. / Gong an ji guan zhong yao xing de ti gao yu di fang ji ceng gong an ji guan li liang de gou jian

January 2000

李家翹. / "2000年8月" / 論文 (哲學碩士)--香港中文大學, 2000. / 參考文獻 (leaves 1-12) / 附中英文摘要. / "2000 nian 8 yue" / Li Jiaqiao. / Lun wen (zhe xue shuo shi)--Xianggang Zhong wen da xue, 2000. / Can kao wen xian (leaves 1-12) / Fu Zhong Ying wen zhai yao. / Chapter 第一章 --- 引論 如何認識改革時期中國政府的社會治安管理控制手段 / Chapter 一 --- 緒論 --- p.1 / Chapter 二 --- 硏究方法 --- p.5 / Chapter 三 --- 文章的組織 --- p.6 / Chapter 第二章 --- 文獻回顧 「延續」還是「倉新」的政府社會治安管控手段？ / Chapter 一 --- 改革時期的「群眾路線」 「延續」而來的手段！ --- p.8 / Chapter 二 --- 改革時期的「群眾路線」 「延續」而來的手段？ --- p.11 / Chapter 三 --- 如何認識傳統的「群眾路線」？ 西方理論模型的適用性 --- p.14 / Chapter 四 --- 政府、非政府、「或多或少」政府社會控制的三分理論模型 --- p.18 / Chapter 五 --- 三分理論模型的不足 --- p.20 / Chapter 六 --- 小結 --- p.29 / Chapter 第三章 --- 改革前中國政府社會治安管控手段的根本 一般性社會集體中的社會治安管控 / Chapter 一 --- 前言 --- p.33 / Chapter 二 --- 社會資源、組織與社會控制 --- p.35 / Chapter 三 --- 共產中國的一般性社會集體 --- p.38 / Chapter 四 --- 一般性社會集體 政府社會治安管控手段的根本 --- p.44 / Chapter 五 --- 一般性社會集體與政府「群眾路線」式社會治安控制手段 --- p.53 / Chapter 六 --- 公安機關與政府整體性社會秩序的維持 --- p.55 / Chapter 七 --- 改革以前的中國政府社會治安管理控制手段 社會集體中的社會治安管理控制 --- p.57 / Chapter 八 --- 小結 一般性社會集體中社會控制的特質 --- p.62 / Chapter 第四章 --- 改革時期中國舊有社會治安管控手段根本的動搖 / Chapter 一 --- 前言 --- p.65 / Chapter 二 --- 改革時期政府舊有社會治安管控手段根本的動搖 --- p.66 / Chapter 三 --- 改革時期的「群眾路線」式社會治安管控手段 表面的「延續」、實質的「創新」 --- p.70 / Chapter 四 --- 改革時期的公安派出所警務改革 政府「創新」其社會治安管控手段的基礎 --- p.74 / Chapter 五 --- 「獻身式」基層民警隊伍的建立 派出所警務改革的目標 --- p.78 / Chapter 六 --- 小結 --- p.81 / Chapter 第五章 --- 改革時期中國政府的社會治安管控手段 / Chapter 一 --- 前言 --- p.83 / Chapter 二 --- 改革時期的「群眾路線」 新意義的群眾網絡的構建 --- p.83 / Chapter 三 --- 民警深入轄區做群眾工作 以民警爲中心的一般群眾網絡的構建 --- p.86 / Chapter 四 --- 加強對「業餘」社會治安管控機制的「指導」 以派出所爲中心的群眾工作網絡的構建 --- p.95 / Chapter 五 --- 小結 --- p.103 / Chapter 第六章 --- 結論 / Chapter 一 --- 論點摘要 --- p.106 / Chapter 二 --- 中國政府社會治安管控手段的「創新」 中國國家與社會關係重構的一面 --- p.110

Internal security

Internal security--China

Social conditions

On LTE Security: Closing the Gap Between Standards and Implementation

DeMarinis, Nicholas AF

08 May 2015

Modern cellular networks including LTE (Long Term Evolution) and the evolving LTE- Advanced provide high-speed and high-capacity data services for mobile users. As we become more reliant on wireless connectivity, the security of voice and data transmissions on the network becomes increasingly important. While the LTE network standards provide strict security guidelines, these requirements may not be completely followed when LTE networks are deployed in practice. This project provides a method for improving the security of LTE networks by 1) characterizing a gap between security requirements defined in the standards and practical implementations, 2) designing a language to express the encoding formats of one of LTE’s network-layer protocols, 3) developing a compiler to translate a protocol description in our language into an implementation, and 4) providing recommendations on lessons learned during development of the language and compiler to support development of future protocols that employ formal representations. In this way, our work demonstrates how a formal language can be utilized to represent a cellular network protocol and serves as an example for further research on how adding formalism to network standards can help ensure that the security goals defined in the standards can be upheld in an implementation.

cellular networks

network security

cellular network security