Management informační bezpečnosti v podniku / The Information Security Management in Company

Kalabis, Petr

January 2016

This master thesis is focused on the design of implementation the information security management system in the company according to standards ISO/IEC 27000. First of all, it was described the theory of information security management system and it was explained the relevant terms and other requirements in the context of this issue. This assignment involves analysis of the current situation of the company and suggestions that lead to reducing discovered risks and bring improvement of the general information security.

Den praktiska hanteringen av informationsrisker : En kvalitativ fallstudie av hur ett svenskt tillverkningsföretag hanterar informationsrisker. / Information Security Risk Management in Practice : A qualitative case study of how a Swedish manufacturing firm manages information risks.

Renning, Jacob, Gustafsson, Alexander

January 2020

Bakgrund: Informationssäkerhet är någonting som företag inom alla branscher bör ägna sig åt eftersom samtliga organisationer är utsatta för informationsrisker. Avsikten med informationssäkerhet är att skydda information så att den finns tillgänglig vid behov, är tillförlitlig och för att säkerställa att endast behöriga har åtkomst (Informationssäkerhet, 2015). Bristande informationshantering kan exempelvis resultera i dataförluster och läckt kunddata vilket i sin tur kan leda till försämrat kundförtroende och stora intäktsförluster. Företags utsatthet för informationsrisker påverkas både av interna och externa faktorer. Utbrottet av Covid-19 är ett exempel på en extern faktor (Humla, 2020). Enligt en rapport är svensk tillverkningsindustris hantering av informationsrisker kraftigt eftersatt i förhållande till övriga sektorers hantering av informationsrisker (Radar Ecosystems Specialists, 2017). Syfte: Denna uppsats undersöker hur ett företag inom svensk tillverkningsindustri arbetar med informationssäkerhet (eng. information security risk management, ISRM). Vidare applicerar vi en teoretisk lins i form av prospektteorin för att förklara informationssäkerhetsarbetet. Vi undersöker även om beslutfattare inom IT-säkerhet uppvisar tendens till övermod och huruvida detta kan påverka företagets arbete med informationssäkerhet. Metod: Uppsatsen är en kvalitativ fallstudie och det empiriska materialet har inhämtats genom semistrukturerade intervjuer med beslutfattare och utvecklare som arbetar medinformationssäkerhet. Fallföretaget är ett anonymiserat svenskt tillverkningsföretag som tillhandahåller produkter och tjänster inom säkerhetsbranschen. Resultat: Enligt vår studie utgår beslutfattare från tidigare erfarenheter av informationssäkerhet när hanteringsstrategier utformas. Det framkommer även att beslutfattarens resonemang och riskhantering förändras i takt med personens erfarenhet. Vi kan även konstatera att beslutfattarens agerande kan förklaras utifrån prospektteorin och att hanteringen påverkas av kognitiva aspekter såsom övermod. / Background: Every organization needs to manage its information security risks (ISRM) as all industries are exposed to information risks. The purpose of ISRM is to protect information so that it is accessible when needed, reliable and to ensure only authorized access (Informationssäkerhet, 2015). Lack of ISRM may result in data loss or personal data leaks, which in turn may lead to a decrease of consumer confidence and reduced revenue streams. Enterprises exposure to information risks are affected by both internal and external factors. The outbreak of Covid-19 is an example of an external factor (Humla, 2020). According to a report, the Swedish manufacturing industry's management of information risks is severely neglected in relation to other sectors ́ handling of information risks (Radar Ecosystems Specialists, 2017). Purpose: This thesis explores how a Swedish manufacturing company manages its information security risks. This is explored by applying a theoretical framework of Prospect Theory to explain decision makers ́ reasoning behind its current ISRM practices. We are also exploring whether decision makers within IT-security have a tendency towards Overconfidence bias and whether it may affect the company's ISRM. Method: The thesis is a qualitative case study and the empirical data has been obtained through semi structured interviews with decision-makers and developers working with information security. The case company is an anonymous Swedish manufacturing company that provides products and services in the security industry. Results: According to our thesis, decision makers rely on previous information security experiences when designing management strategies. It also appears that the decision maker's reasoning and risk management change as the person's experience. We can also note that the decision maker's behavior can be explained on the basis of Prospect Theory and that the ISRM is influenced by cognitive aspects such as overconfidence.

Information Security Risk Management

ISRM

Manufacturing industry

Prospect Theory

Overconfidence Bias

Informationssäkerhet

ISRM

Tillverkningsindustri

Prospektteori

Övermod bias

Information Systems, Social aspects

Analysis of Information Security Risks and Protection Management Requirements for Enterprise Networks.

Saleh, Mohamed S.M.

January 2011

With widespread of harmful attacks against enterprises¿ electronic services, information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches are proposed to manage enterprise information security risks and to assess its information security readiness. These approaches are, however, not adequate to manage information security risks, as all required information security components of its structural and procedural dimensions have not considered. In addition, current assessment approaches lack numerical indicators in assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to the knowledge by developing comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates main components of key risk management methodologies. In addition, for supporting phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model has been performed depending on a developed investigation form that used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as single point of reference for assessing and cost effectively improving their information security readiness.

Information security

Risk management

Analytical models

Protection measures

ISO/IEC 27002 Standard

Cost-Benefit Analysis

Six-Sigma

Compliance

Security Requirements and Practices for Smart Grids

Gopalakrishnan, Pavithra

January 2021

The electricity sector has a huge role in decarbonization of the energy system in order to meet climate targets and achieve net zero emission goals in different countries across the world. Present day electric power systems are increasingly dependent on less carbon intensive renewable energy sources for power generation. Rapid penetration of renewables leads to an increase in distributed generation and active consumer participation resulting in complex interactions within the power system. Therefore, traditional electric power grids are evolving to smart grids with the help of information and communication advancements. As a result, there is greater integration of Information Technology (IT) and Operational Technology (OT) actors, inclusion of clean energy sources, improved connectivity, sustainable supply and demand balance management of power etc. However, this sustainable transition gives rise to new attack points for malicious actors, who intend to disrupt the functioning of these smart grids. Therefore, this study aims to identify and analyse the most significant risks to smart grids in the next 10 years. The methodology for this research is two-fold: reviewing state-of-the-art research publications on smart grid security and conducting a semi-qualitative power grid security assessment through interviews with experts across countries. False Data Injection (FDI), Denial of Service (DoS) and supply chain attacks are some of the most important threats according to these methods. Finally, findings from the two research methods are compared to provide a comprehensive overview of the most significant risks to smart grids. / Elsektorn har en enorm roll att spela när det gäller att minska koldioxidutsläppen från energisystemet för att uppfylla klimatmålen och uppnå nettonollutsläpp i länder runt om i världen. Dagens elsystem är alltmer beroende av mindre koldioxidintensiva förnybara energikällor för elproduktion. Den snabba utbyggnaden av förnybara energikällor leder till en ökning av distribuerad produktion och aktivt konsumentdeltagande, vilket leder till komplexa interaktioner inom elsystemet. Traditionella elnät håller därför på att utvecklas till smarta nät med hjälp av informations- och kommunikationsframsteg. Som ett resultat av detta sker en större integration av aktörer inom informationsteknik (IT) och driftsteknik (OT), införande av förnyelsebara energikällor, förbättrad konnektivitet, hållbar hantering av balans mellan konsumtion och produktion av el. Denna hållbara övergång ger dock upphov till nya ingångar för illasinnade aktörer som vill störa de smarta nätmens funktion. Syftet med denna studie är därför att identifiera och analysera de viktigaste riskerna för smarta nät under de kommande tio åren. Metoden för denna forskning är tvåfaldig: genomgång av de senaste forskningspublikationerna om säkerhet i smarta nät och en semikvalitativ bedömning av säkerheten i smarta nät genom intervjuer med experter från olika länder. FDI (False Data Injection), DoS (Denial of Service) och attacker mot leveranskedjan är några av de största hoten enligt dessa metoder. Slutligen jämförs resultaten från de två forskningsmetoderna för att ge en heltäckande översikt över de viktigaste riskerna för smarta nät.

smart grids

security risk assessment

risk identification

risk analysis.

smarta nät

säkerhetsriskbedömning

riskidentifiering

riskanalys.

Elektroteknik och elektronik

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh

30 November 2005

With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)

Adherence to established standards

Information security framework

Information security policy

Information security practices

Security standards

Compliance

Information security risk

Procedures

005.8096982

Information policy -- Mauritius

Safety as a priority at shopping centres in Gauteng: an assessment of existing security measures

Lutchminarain, Natasha

02 1900

Text in English / Violent crime and more specifically armed robberies constitute a growing threat to shopping centres in terms of their vulnerability to such criminal acts. These violent crimes are becoming ever more organised and sophisticated. Shopping centres across South Africa have become the latest targets for these syndicates. Due to the increasing number of armed robberies and violent crimes at shopping centres and the nature of violence used in these attacks, it points to a need for improvements to be made to the security measures that are in place at shopping centres. This study explored the risks and vulnerabilities at shopping centres that have led to the phenomenon of armed robberies at shopping centres in Gauteng; evaluated the current physical protection systems that are in place at shopping centres in Gauteng in order to assist with the reduction of shopping centre armed robberies; and recommendations were made for the implementation of effective security risk control measures at shopping centre’s across South Africa and specifically the province of Gauteng. Self-administered questionnaire surveys were used to explore the phenomenon from the perspectives of both retail employees and customers. The data collected from the questionnaires, utilising the non-experimental research design, were quantitatively analysed. Based on the findings from the study recommendations for the improvement of shopping centre security were formulated along with recommendations for future research. / Security Risk Management / M.Tech. (Security Management)

Shopping centre

Shopping mall

Mall

Armed robbery

Violent crimes

Security measures

Security risk control measures

Retail employee

Customer

Retail

363.289096822

The risk of humanitarianism : industry-specific political-security risk analysis for international agencies in conflict zones

Pringle, Catherine Mary

12 1900

Bibliography / Thesis (MA (Political Science. International Studies))--University of Stellenbosch, 2010. / ENGLISH ABSTRACT: International agencies are facing heightened levels of security risk in conflict zones. The nature of contemporary conflicts and the post-9/11 global political-security environment have contributed to a situation whereby the threat of attack as well as recurring criminal violence are a constant reality for their employees, hindering their work and obstructing their access to people in need. Moreover, the ability of international agencies to conduct strategic risk assessment has been called into question. The central research question of this study concerns whether an industry-specific political-security risk model can be applied successfully in order to assist international agencies with strategic political-security risk analysis in conflict zones. In order to develop a political-security risk model for international agencies a number of supplementary research questions are asked. The first of these is what limitations the security risk models currently used by international agencies exhibit. The second question asks what factors and indicators should be included in an industry-specific political-security risk model for international agencies in conflict zones. So as to test the applicability of the model developed in this research study, the last question asks what the level of risk is for international agencies operating in the conflict zone in eastern Chad. Using political risk theory, and drawing upon political risk models specific to the energy industry, this research study proposes an industry-specific political-security risk model for international agencies in conflict zones, in which the limitations of the current models used by international agencies to analyse security risks are overcome. The application of this model to eastern Chad returns an overall risk rating of extreme, which is the highest overall risk rating obtainable. By regularly utilising this model, international agencies are able to monitor the changing levels of security risk in a conflict zone and are therefore better placed to make informed strategic decisions when it comes to risk management and risk mitigation. / AFRIKAANSE OPSOMMING: Internasionale agentskappe trotseer tans verhoogde vlakke van sekuriteitsrisiko in konfliksones. Die aard van hedendaagse konflikte en die post-9/11 globale politieke sekuriteitsomgewing het bygedra tot ’n situasie waar die bedreiging van aanvalle sowel as die herhalende aard van kriminele geweld vir hul werkers ’n voortdurende realiteit is. As gevolg hiervan word werkers verhinder om hul verpligtinge uit te voer en na mense in nood uit te reik. Boonop word internasionale agentskappe se vermoë om strategiese risiko-asessering uit te voer nou bevraagteken. Die hoofnavorsingsvraag van hierdie studie is: kan ’n industrie-spesifieke politieke sekuriteitsrisikomodel suksesvol toegepas word om internasionale agentskappe by te staan met strategiese politieke sekuriteitsrisiko-analise in konfliksones, al dan nie. Ten einde ’n politieke sekuriteitsrisikomodel vir internasionale agentskappe te ontwikkel, word daar ook ’n aantal aanvullende navorsingsvrae gevra. Die eerste hiervan stel ondersoek in na die beperkings van die sekuriteitsrisikomodelle wat teenswoordig deur internasionale agentskappe gebruik word. Die tweede vraag vra watter faktore en indikators by ’n industriespesifieke politieke sekuriteitsrisikomodel vir internasionale agentskappe in konfliksones ingesluit behoort te word. Ten einde die toepaslikheid te toets van die model wat in hierdie studie ontwikkel is, stel die laaste vraag ondersoek in na die risikovlak vir internasionale agentskappe wat in die konfliksone van oostelike Tsjad werksaam is. Met behulp van politieke risikoteorie en met gebruik van politieke risikomodelle wat spesifiek betrekking het tot die energie-industrie, propageer hierdie navorsingstudie ’n industrie-spesifieke politieke sekuriteitsrisikomodel vir internasionale agentskappe in konfliksones wat die beperkings van die modelle wat huidig deur internasionale agentskappe gebruik word, sal oorwin. Hierdie model se toepassing op oostelike Tsjad toon in die geheel ’n risikowaarde van ekstreem, die hoogste algehele risikowaarde moontlik. Deur hierdie model gereeld te gebruik sal dit internasionale agentskappe in staat stel om die veranderende vlakke van sekuriteitsrisiko in ’n konfliksone te monitor; dus sal hulle meer ingeligte strategiese besluite kan neem wat betref risikobestuur en – verligting.

Political-security risk

International agencies

Humanitarian

Conflict zones

Dissertations -- Political science

Theses -- Political science

Country risk -- Chad -- Case study

Investments, Foreign -- Chad

Political Science

Chad -- Politics and government --1990-

Addressing the incremental risks associated with adopting a Bring Your Own Device program by using the COBIT 5 framework to identify keycontrols

Weber, Lyle

04 1900

Thesis (MComm)--Stellenbosch University, 2014. / ENGLISH ABSTRACT: Bring Your Own Device (BYOD) is a technological trend which individuals of all ages are embracing. BYOD involves an employee of an organisation using their own mobile devices to access their organisations network. Several incremental risks will arise as a result of adoption of a BYOD program by an organisation. The research aims to assist organisations to identify what incremental risks they could potentially encounter if they adopt a BYOD program and how they can use a framework like COBIT 5 in order to reduce the incremental risks to an acceptable level. By means of an extensive literature review the study revealed 50 incremental risks which arise as a result of the adoption of a BYOD program. COBIT 5 was identified as the most appropriate framework which could be used to map the incremental risks against. Possible safeguards were identified from the mapping process which would reduce the incremental risks to an acceptable level. It was identified that 13 of the 37 COBIT 5 processes were applicable for the study.

Theses -- Accountancy

Dissertations -- Accountancy

Computer networks -- Security measures

Computer security -- Risk assessment

Dissertations -- Computer auditing

Theses -- Computer auditing

UCTD

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh

30 November 2005

With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)

Adherence to established standards

Information security framework

Information security policy

Information security practices

Security standards

Compliance

Information security risk

Procedures

005.8096982

Information policy -- Mauritius

Safety as a priority at shopping centres in Gauteng: an assessment of existing security measures

Lutchminarain, Natasha

02 1900

Text in English / Violent crime and more specifically armed robberies constitute a growing threat to shopping centres in terms of their vulnerability to such criminal acts. These violent crimes are becoming ever more organised and sophisticated. Shopping centres across South Africa have become the latest targets for these syndicates. Due to the increasing number of armed robberies and violent crimes at shopping centres and the nature of violence used in these attacks, it points to a need for improvements to be made to the security measures that are in place at shopping centres. This study explored the risks and vulnerabilities at shopping centres that have led to the phenomenon of armed robberies at shopping centres in Gauteng; evaluated the current physical protection systems that are in place at shopping centres in Gauteng in order to assist with the reduction of shopping centre armed robberies; and recommendations were made for the implementation of effective security risk control measures at shopping centre’s across South Africa and specifically the province of Gauteng. Self-administered questionnaire surveys were used to explore the phenomenon from the perspectives of both retail employees and customers. The data collected from the questionnaires, utilising the non-experimental research design, were quantitatively analysed. Based on the findings from the study recommendations for the improvement of shopping centre security were formulated along with recommendations for future research. / Security Risk Management / M.Tech. (Security Management)

Shopping centre

Shopping mall

Mall

Armed robbery

Violent crimes

Security measures

Security risk control measures

Retail employee

Customer

Retail

363.289096822