An integrated intelligent approach to enhance the security control of it systems : a proactive approach to security control using artificial fuzzy logic to strengthen the authentication process and reduce the risk of phishing

Salem, Omran S. A.

January 2012

Hacking information systems is continuously on the increase. Social engineering attacks is performed by manipulating the weakest link in the security chain; people. Consequently, this type of attack has gained a higher rate of success than a technical attack. Based in Expert Systems, this study proposes a proactive and integrated Intelligent Social Engineering Security Model to mitigate the human risk and reduce the impact of social engineering attacks. Many computer users do not have enough security knowledge to be able to select a strong password for their authentication. The author has attempted to implement a novel quantitative approach to achieve strong passwords. A new fuzzy logic tool is being developed to evaluate password strength and measures the password strength based on dictionary attack, time crack and shoulder surfing attack (social engineering). A comparative study of existing tools used by major companies such as Microsoft, Google, CertainKey, Yahoo and Facebook are used to validate the proposed model and tool. A comprehensive literature survey and analytical study performed on phishing emails representing social engineering attacks that are directly related to financial fraud are presented and compared with other security threats. This research proposes a novel approach that successfully addresses social engineering attacks. Another intelligent tool is developed to discover phishing messages and provide educational feedback to the user focusing on the visible part of the incoming emails, considering the email’s source code and providing an in-line awareness security feedback.

Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework

Alkahtani, Hend K.

January 2018

The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabia Universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, they are not fully aware of the importance of the security of information. The purpose of this study is to develop a cultural aware information security framework that does involve all types of employees contributing to the development of information security policy. The framework, consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture in Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisations population to justify its fit into the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and therefore improve the overall level of information security awareness. The developed information security framework is a collection of ISO 27k best practice steps, re-ordered, and with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregation working environments. A before-assessment methodology was applied before the application of the culturally aware information security policy framework between two universities, Imam University which has ISO27K accreditation and PNU, the case study, to measure and compare their users information security awareness level. Then, an after-assessment methodology is used to demonstrate the framework effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of the awareness knowledge gained after the application.

Information Security Awareness amongst students : A study about information security awareness at universities

Lund, Per

January 2018

In the era of information, it has become vital for companies to make sure that their information is properly protected. They are therefore, willing to spend large amounts of resources on protecting their information. This can usually be done in a large variety of ways. The root of information security is first and foremost, having policies that regulate how information security is upheld. And secondly, by teaching employees proper practice of information security. These are however procedures that are not all that common in a university environment, and even more so in relation to students.   In order to explore this phenomenon further, an exploratory study have been carried out to find more information on the subject. This has been done in several ways in order to grasp as much information as possible. Firstly, by doing a literary study to find out what is already known within the field of information security in regard to students. Secondly, by doing a quantitative study that evaluates the student’s information security awareness. And lastly, by conducting an interview with a member of staff at a university to find out their attitude towards the phenomenon.    The thesis concludes by suggesting how universities might want to handle information security in relationship to students.

Information security awareness

information security

students

University

Information Systems

Avaliação de pracinhas infantis em conjuntos habitacionais

Marques, Claudia Adriana Nichetti

January 2016

Esta pesquisa investiga como aspectos locacionais e aspectos físico-espaciais das pracinhas infantis podem influenciar, de forma positiva ou negativa, no estado de conservação destas pracinhas, na percepção de segurança e, consequentemente, na sua frequência e intensidade de uso por crianças e acompanhantes. Dentre os aspectos locacionais estão, o controle de acesso aos conjuntos habitacionais e as pracinhas infantis, os caminhos de acesso às pracinhas infantis a partir das moradias, a localização das pracinhas nos conjuntos habitacionais, as conexões visuais entre as moradias e as pracinhas infantis e o entorno imediato às pracinhas infantis. Em relação aos aspectos físicos das pracinhas são tratados, o dimensionamento físico das pracinhas infantis, a adequação dos equipamentos de brincar e do mobiliário e a adequação da vegetação. Assim, o objetivo é investigar a relação entre os aspectos locacionais das pracinhas infantis e a adequação no uso por criança e acompanhantes, e a relação entre os aspectos físicos das pracinhas infantis e as suas avaliações pelas crianças e acompanhantes. Para tanto, são selecionadas oito pracinhas infantis em seis conjuntos habitacionais localizados em Porto Alegre. Os métodos de coletas de dados fazem parte dos utilizados na área de estudo Ambiente e Comportamento, sistematizados por meio de levantamento de arquivo, levantamento físico, observações de comportamento, questionários e entrevistas. Os dados coletados foram analisados de forma qualitativa e quantitativa, através de testes estatísticos não-paramétricos. Os resultados desta investigação demonstram que, a falta de controle de acesso aos conjuntos afeta negativamente o estado de conservação das pracinhas infantis, bem como a percepção de segurança das crianças e dos acompanhantes. A intensidade de uso tende a ser pior nas pracinhas mal localizadas e com menor controle visual. A conservação dos equipamentos tendem a ser pior nas pracinhas com dimensionamento físico e equipamentos inadequados à intensidade de uso. Por fim, espera-se que os dados obtidos possam contribuir para qualificar projetos de pracinhas infantis em conjuntos habitacionais, a fim de responder melhor às necessidades das crianças e dos acompanhantes. / This research investigates how locational and physical aspects of playground can influence, positively or negatively, in the state of conservation of these small squares, the perception of safety and consequently the intensity of use by children and companions. Among the locational aspects are, the control of access to housing and children's small squares, access roads to playground from the villas, the location of playground in the projects, the visual connections between housing and children's small squares and immediate surroundings to playground. Regarding the physical aspects of playground are treated, the physical design of children's small squares, the adequacy of equipment to play and the furniture and the adequacy of vegetation. The objective is to investigate the relationship between the locational aspects of children's grunts and adapt them to the children and their companions, and the relationship between the physical aspects of playground and their assessments by the children and their companions. Therefore, eight playground are selected in six housing estates located in Porto Alegre. The methods of data collection are part of the area used in environment studies and behavior, systematized through archival survey, physical survey, behavioral observations, questionnaires and interviews. The collected data were analyzed qualitatively and quantitatively, using non-parametric statistical tests. The results of this research show that the lack of control of access to sets negatively affect the conservation status of playground and the perception of safety of children and companions. The intensity of use tends to be worse in poorly located playground and less visual control. The conservation tend to be worse in small squares with physical design and equipment unsuited to the intensity of use. Finally, it is expected that the data obtained can help to qualify playground projects in housing, in order to better meet the needs of children and their carers.

Conservação (Arquitetura)

Percepção ambiental

Praças

Crianças

Conservation playground

Security awareness

Use of playground

Adequacy of playground

Avaliação de pracinhas infantis em conjuntos habitacionais

Marques, Claudia Adriana Nichetti

January 2016

Esta pesquisa investiga como aspectos locacionais e aspectos físico-espaciais das pracinhas infantis podem influenciar, de forma positiva ou negativa, no estado de conservação destas pracinhas, na percepção de segurança e, consequentemente, na sua frequência e intensidade de uso por crianças e acompanhantes. Dentre os aspectos locacionais estão, o controle de acesso aos conjuntos habitacionais e as pracinhas infantis, os caminhos de acesso às pracinhas infantis a partir das moradias, a localização das pracinhas nos conjuntos habitacionais, as conexões visuais entre as moradias e as pracinhas infantis e o entorno imediato às pracinhas infantis. Em relação aos aspectos físicos das pracinhas são tratados, o dimensionamento físico das pracinhas infantis, a adequação dos equipamentos de brincar e do mobiliário e a adequação da vegetação. Assim, o objetivo é investigar a relação entre os aspectos locacionais das pracinhas infantis e a adequação no uso por criança e acompanhantes, e a relação entre os aspectos físicos das pracinhas infantis e as suas avaliações pelas crianças e acompanhantes. Para tanto, são selecionadas oito pracinhas infantis em seis conjuntos habitacionais localizados em Porto Alegre. Os métodos de coletas de dados fazem parte dos utilizados na área de estudo Ambiente e Comportamento, sistematizados por meio de levantamento de arquivo, levantamento físico, observações de comportamento, questionários e entrevistas. Os dados coletados foram analisados de forma qualitativa e quantitativa, através de testes estatísticos não-paramétricos. Os resultados desta investigação demonstram que, a falta de controle de acesso aos conjuntos afeta negativamente o estado de conservação das pracinhas infantis, bem como a percepção de segurança das crianças e dos acompanhantes. A intensidade de uso tende a ser pior nas pracinhas mal localizadas e com menor controle visual. A conservação dos equipamentos tendem a ser pior nas pracinhas com dimensionamento físico e equipamentos inadequados à intensidade de uso. Por fim, espera-se que os dados obtidos possam contribuir para qualificar projetos de pracinhas infantis em conjuntos habitacionais, a fim de responder melhor às necessidades das crianças e dos acompanhantes. / This research investigates how locational and physical aspects of playground can influence, positively or negatively, in the state of conservation of these small squares, the perception of safety and consequently the intensity of use by children and companions. Among the locational aspects are, the control of access to housing and children's small squares, access roads to playground from the villas, the location of playground in the projects, the visual connections between housing and children's small squares and immediate surroundings to playground. Regarding the physical aspects of playground are treated, the physical design of children's small squares, the adequacy of equipment to play and the furniture and the adequacy of vegetation. The objective is to investigate the relationship between the locational aspects of children's grunts and adapt them to the children and their companions, and the relationship between the physical aspects of playground and their assessments by the children and their companions. Therefore, eight playground are selected in six housing estates located in Porto Alegre. The methods of data collection are part of the area used in environment studies and behavior, systematized through archival survey, physical survey, behavioral observations, questionnaires and interviews. The collected data were analyzed qualitatively and quantitatively, using non-parametric statistical tests. The results of this research show that the lack of control of access to sets negatively affect the conservation status of playground and the perception of safety of children and companions. The intensity of use tends to be worse in poorly located playground and less visual control. The conservation tend to be worse in small squares with physical design and equipment unsuited to the intensity of use. Finally, it is expected that the data obtained can help to qualify playground projects in housing, in order to better meet the needs of children and their carers.

Conservação (Arquitetura)

Percepção ambiental

Praças

Crianças

Conservation playground

Security awareness

Use of playground

Adequacy of playground

Mikroträning som utbildningsmetod inom informationssäkerhet / Micro training as a education approach in information security

Skärgård, Marie

January 2017

Cyberbrott har idag blivit en multimiljard-industri och det utövas mer och mer sofistikerade attacker där människan är måltavlan. Det är därför dags att ta utbildning och träning inom informationssäkerhet till en ny nivå. Detta för att skapa högre grad av medvetenhet gällande säkerhetsrisker. Det finns redan fungerande metoder, men bara för de som är motiverade att lära sig. Detta arbete har undersökt hur mikroträning uppfattas som utbildningsmetod inom informationssäkerhet. En studie som utförts med hjälp av både kvalitativa och kvantitativa metoder. Mikroträningsmaterial har tagits fram i form av videoklipp som på ett kort, koncist och konkret sätt presenterar olika områden inom informationssäkerhet på 60 sekunder. Dessa har sedan utvärderats av 198 subjekt i en enkätundersökning där subjektens attityd både till materialet och till mikroträning som koncept har analyserats. Studiens resultat visar att mikroträning är en uppskattad metod för att träna och lära ut specifika områden inom informationssäkerhet. Denna studie ska bidra till ett framtida forskningsprojekt som vill undersöka om mikroträning i den stund som användaren behöver den kommer bidra till högre grad av informationssäkerhetsmedvetenhet. Detta för att se om medvetenhetsträningen ger den eftersträvade effekt som önskas, att klokare och säkrare beslut fattas i en riskfylld situation. / Cybercrime has become a multimillion industry and it is practicing more and more sophisticated attacks where the human is the main target. Thus it is time to take education and training in information security to a new level, to create a higher degree of awareness about security risks. There are already working methods, but only for those who are motivated to learn. This work has investigated how micro training is perceived as an education method of information security, a study conducted using both qualitative and quantitative methods. Micro training material has been developed in the form of video clips that briefly, concisely and concretely present various areas of information security in 60 seconds. These have been evaluated by 198 subjects in a questionnaire survey where the subject's attitude to the material and micro training as concept has been analysed. The study's findings show that micro training is an appreciated method for training and learning specific areas of information security. This study will contribute to a future research project that wants to investigate whether micro training in the moment the user needs it will contribute a greater degree of information security awareness. This to see whether awareness training will provide the desired effect, that a wiser and safer decision is made in a risky situation.

information security

information security awareness

micro training

informationssäkerhet

informationssäkerhetsmedvetenhet

mikroträning

Information Systems

Informationssäkerhetspolicy och Säkerhetsmedvetenhet : En undersökning av kommunala förvaltningars praktiska arbete med att uppnå informationsäkerhet

Malis, Johanna, Falck, Josette

January 2016

No description available.

Information

security

Information security policy

Security awareness

Informationssäkerhet

Informationssäkerhetspolicy

Säkerhetsmedvetenhet

Information Systems

Det trådlösa samhället : En utredning av rättsläget, säkerhetsläget och säkerhetsmedvetandet vid användning av trådlöst hemmanätverk.

Engström, Mattias, Arneng, Karl

January 2006

Användningen av trådlöst nätverk blev under början av 2000-talet mycket populärt bland privatpersoner, genom dess mobila fördelar, Tekniken medförde många fördelar, men också många nackdelar och frågan var hur många som verkligen hade blivit uppmärksammade på eller kände till dessa och därefter valt att skydda sina trådlösa nätverk. Det främsta syftet med denna uppsats var därmed att undersöka på vilken nivå säkerhetsmedvetandet låg i samhället vid användning av trådlöst nätverk vid gällande tidpunkt. Vidare handlade det också om att reda ut gällande rättsläge , vid handlingar mot eller via ett trådlöst nätverk, och mäta hur utbredd säkerhetsanvändningen var bland trådlösa hemmanätverk. För att besvara detta utgick vi från ett positivistiskt och deduktivt synsätt, med kvalitativa intervjuer för att reda ut gällande rättsläge, pejling av trådlöst nätverk för att mäta säkerhetsläget och kvantitativa enkätintervjuer, för att få fram typer av säkerhetsmedvetande, bland användare av trådlöst hemmanätverk. Innehållet i alla intervjuer baserades på fastställd fakta kring trådlöst nätverk, risker med tekniken, riskförebyggande säkerhetsrutiner och Svensk lag. Vi konstaterade slutligen att gällande rättsläge för närvarande var föråldrat och inte anpassat att hantera de risker som trådlöst nätverk hade medfört. Vidare visade resultatet på ökad säkerhetsanvändning bland trådlösa nätverk i samhället, och att det överlag var yngre användare som stod för denna ökning. Yngre användare visade sig även överlag ha ett högre säkerhetsmedvetande, än äldre, och då särskilt hög teknisk kunskap / The usage of Wireless local area networks (WLAN) became very popular amongst private citizens, during the beginning of the 21 century, because of its mobile advantages. The technology brought many advantages, but also many disadvantages and the question was how many had noticed or knew that these existed and afterwards had chosen to secure their WLAN. The main purpose of this thesis was to examine the current level of security awareness, in the community, when using WLAN. Other goals were to investigate the current general legal context, about actions against or through a WLAN, and measure the widespread usage of security within WLAN. To answer this we used a positivistic and deductive approach, with qualitative interviews to sort out the current general legal context, Wardriving to find and measure the current state of security within WLAN's and quantitative questionnaires to find out the most common types of security awareness amongst users of WLAN. The content of all this was based on facts about the WLAN technology, the risks that comes with it, risk preventing security routines and the Swedish law. Finally we established that the current general legal context was out-of-date and not adapted to handle the new risks that WLAN had brought. Further on the result also showed a increased usage of security amongst WLAN in the community and that the main reason for this was the younger WLAN owners. Younger users also turned out to have higher security awareness, than older users, and particularly very high technical knowledge.

Wireless local area network

security awareness

WLAN

trådlöst nätverk

säkerhetsmedvetande

Wardriving

Information Systems

A design theory for information security awareness

Puhakainen, P. (Petri)

01 August 2006

Abstract When implementing their information security solutions organizations have typically focused on technical and procedural security measures. However, from the information systems (IS) point of view, this is not enough: effective IS security requires that users are aware of and use the available security measures as described in their organizations' information security policies and instructions. Otherwise, the usefulness of the security measures is lost. The research question of this thesis is to explore how IS users' compliance with IS security policies and instructions can be improved. Solving this research question is divided into two steps. Since there is a lack of a comprehensive review of existing IS security awareness approaches, the first step aims at reviewing the existing IS security awareness approaches. This kind of analysis is useful for practitioners as they do not necessarily have the time to go through a large body of literature. For scholars, such an analysis shows what areas of IS security awareness have been studied, and to where the need for future research is of greatest importance. The second step in this dissertation is to address the shortcomings detected by the analysis by developing three novel design theories for improving IS users' security behavior: (1) IS security awareness training, (2) IS security awareness campaigns, and (3) punishment and reward. These design theories aim to help practitioners to develop their own IS security awareness approaches. Finally, testing of the design theory for IS security awareness training (1) in two action research interventions is described. The results of the interventions suggest that this design theory provides a useful and applicable means for developing a training program in organizations. In addition, the results provide empirically evaluated information regarding the obstacles to user compliance with IS security policies and instructions. In the action research studies described, the goal was to solve practical problems experienced by the host organizations and to understand them and the results achieved from the viewpoint of theory. Consequently, the results as such can not be generalized, but they are of use in the host organizations in planning and delivering subsequent IS security awareness training programs. In addition, the results are utilizable in similar organizations as a point of departure in planning IS security awareness training programs.

information systems security

information systems security - awareness

information systems security - training

Establishing an information security awareness and culture

Korovessis, Peter

January 2015

In today’s business environment all business operations are enabled by technology. Its always on and connected nature has brought new business possibilities but at the same time has increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized to have an important role in information security since the only way to reduce security risks is through making employees more information security aware. This also means that employees take responsibility of their actions when dealing with information in their everyday activities. The research is concentrated mainly on information security concepts alongside their relation to the human factor with evidence that users remain susceptible to information security threats, thus illustrating the need for more effective user training in order to raise the level of security awareness. Two surveys were undertaken in order to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their study and their preparation towards entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that the awareness level of students concerning information security concepts is not at a sufficient level for students entering university education and does not significantly change as they progress their academic life towards entering the workforce. In respect to this, the research proposes and develops the information security toolkit as a prototype awareness raising initiative. The research goes one step further by piloting and evaluating toolkit effectiveness. As an awareness raising method, the toolkit will be the basis for the general technology user to understand the challenges associated with secure use of information technology and help him assess its current knowledge, identify lacks and weaknesses and acquire the required knowledge in order to be competent and confident users of technology.

005.8