Správa uživatelů jako zdroje rizik / Managing Users as a Source of Risk

Pospíšil, Petr

January 2017

This diploma thesis focuses on human resources mainly in Critical information infrastructure and Important information systems. Thesis focuses on the most frequent threats for users and design possible model of threat reduction. Integral part of results is designing of effective security awareness education program according to the Law on Cyber Security.

Návrh metodiky budování bezpečnostního povědomí na střední škole / Design Methodology of Security Awareness at the Secondary School

Sobotková, Hana

January 2017

The diploma thesis addresses the topic of security awareness education at secondary schools. The goal is to develop a standardized methodology for building security awareness, which can be used by secondary schools to ensure the protection of their perimeter, their users and others from the user’s actions. The introductory part deals with the basic terminology, existing and forthcoming Czech and international legal acts, norms, regulations and certification in the area of information and cyber security. The practical part includes the methodology chapters describing the building of security awareness at secondary schools.

Simulace správy informační bezpečnosti ve fakultním prostředí / Simulating information security management within a university environment

Hložanka, Filip

January 2020

This diploma thesis is concerned with simulating information security management within a university environment. It is divided into three parts. The theoretical part focuses on describing the assets which could be part of a faculty network, attacks that could target it, security processes which could protect it and users that are active within it. The analytical part then applies these segments on a real faculty network. Based on this analysis, a set of specific assets, attacks, security processes and other tasks is created in order to simulate a simplified version of the analyzed network using a sophisticated cybernetic polygon. The security of the network is then assessed after several iterations of the simulations. Its parameters are adjusted in the effort to increase its security and the module is tested on an academic employee in order to assess its effectiveness. The conclusion evaluates the possibilities of increasing the security of the simulated network as well as the usability of the cybernetic polygon in practice.

Factors Influencing the Implementation of Information Security Risk Management : A case study of Nigerian Commercial Banks

Aghaunor, Gabriel, Okojie, Bukky E

January 2022

The banking industry is one of the critical infrastructures in any economy. The services rendered by banks are systematically based on innovation, products, and technology to leverage their services. Several associated risks come along with the rendering of these banking services. The protection of critical information assets of any banking organization should be a top priority of the management. They must ensure that adequate provision is made to develop a strong strategy to control, reduce, and mitigate tasks, such as fraud, cyber-attacks, and other forms of cybersecurity exploitations.  Risk management is a series of actions to identify, assess and control threats and vulnerabilities in an organization's capital investment and revenue. These potential risks arise from diverse sources like credit risk, liquidity risk, financial uncertainties, legal actions, technology failures, business strategic management errors, accidental occurrences, and natural disasters.  This research study aimed to investigate the factors influencing the implementation of information security risk management in Nigerian Commercial Banks, using a social-technical system framework to address a fundamental human risk factor, which contributes predominately to the failure in information security risk management. These research was motivated by the fact that Nigerian banking sector is facing serious threats' threat emanate from cyber-attacks. Evidenced by the ever-increasing cyber-attacks, as demonstrated by a total of 1,612 complaints from consumers of financial services over banking fraud and aggressive charges received between July and December 2018 of which 99.38% of these incidences were against the commercial banks. The banks are faced with a lot of vulnerabilities and cybersecurity threats, and most of the attacks that happened within the banking sector are focused on the customers, and employees through phishing and social engineering. These showed weaknesses in information security management within the Nigerian banking industry.  However, the study was guided by the social-technical theory that advocates for overall training to the stakeholders that helps in changing their beliefs and norms about organization of IS security. In order to find out the factors influencing the implementation of information security risks management in respect of Nigerian Commercial Banks, this study evaluated the influence of management support, technical experts support, funding and users’ security awareness to curb the cyber-attacks in Nigerian financial sector. The contribution of this research is expected to lead to the improvement in the financial system, and organizations, where cybersecurity and information security risk management processes are taken seriously, to reduce the high level of information security risk, threats, and vulnerabilities. Nigeria is a developing country, and at the same time fighting to develop a more conducive business investment environment to attract both national and international investors.  A mixed approach research (qualitative and quantitative) method was used to validate this research study. Data collection tools used included interviews and questionnaires. Data analysis was done using the SPSS and logistic regression model.

Information Security Risk Assessment

Qualitative

Quantitative

Management Support

Funding

Technical Experts’ Support

Cyber Security

Banking

ATM

Information Systems

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama

January 2023

The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.

Communication

compliance

development

effectiveness

government agencies

human factor

information security

information security awareness

information security culture

information security management system

information security policy

insider threat

Information Systems, Social aspects

Informationssäkerhet i kommunala förvaltningar : kultur, medvetenhet och ansvar

Holmström, Anton, Barsk, Anton

January 2019

Information hanteras, lagras och används av alla typer av verksamheter i sambandmed digitaliseringens framfart. Information är en drivande resurs för verksamhetersom en viktig biståndsdel i affärsprocesser och därför finns ett behov att skydda den.Informationssäkerhet är inte bara en teknisk fråga utan påverkas av organisationskultur,anställdas säkerhetsmedvetenhet samt ledning och individ. Studien användersig av en abduktiv forskningsansats med en kvalitativ datainsamling. I studien intervjuadesnio anställda från olika kommunala förvaltningar för att undersöka hurarbetet med informationssäkerhet bedrivs. I analysen undersöker vi hur den nuvarandesituationen ställer sig mot teorier om hur ett effektivt säkerhetsarbete skabedrivas. I diskussionen belyser vi vikten av ledningens delaktighet i verksamhetensinformationssäkerhet och hur det påverkar det systematiska säkerhetsarbetet.Vi diskuterar även hur individens roll påverkar säkerhetsarbetets effektivitet. Studienvisar hur informationssäkerheten i kommunala förvaltningar inte ligger i fas medbehovet och pekar på vikten av individen samt ledningens ansvar i säkerhetsarbetet. / Information is handled, stored and used by all types of organisations in conjunctionwith the digitization. Information is an important business driver in the businessprocesses of most organisations therefore the protection of the information is crucial.Information security is not solely a technical question and therfore is affectedby the organisational culture, employees security awareness and the role of managementand individuals. The study uses a qualitative method for data collectionwith an abductive approach. In the study, we perform interviews with 9 differentemployees within different municipal administrations to examine how they workwith information security. In the analysis we investigate the correlation betweentheory and the existing situation. In the discussion we highlight the importance ofmanagement participation and the effects they have on information security, securityawareness and organisational culture. We also discuss the importance of theinvolvement of individuals in information security and how it affects its effectivness.The study shows the municiapals shortcomings within information security and theimportance of individuals and managements responsibility for an effective and secureorganisation.

informations security

security awareness

organisational culture

municipal administrations

security policy

social learning theory

informationssäkerhet

säkerhetsmedvetenhet

organisationskultur

kommunala förvaltningar

säkerhetspolicys

socialinlärningsteori

Information Systems, Social aspects

Informationssäkerhetsmedvetenhet inom mikro- och småbolag : Medvetenhetsåtgärder hos svenska mikro- och småbolag inom IT-branschen / Information security awareness in micro and small companies.

Vukovic, Alexander, Samet, Özcelik

January 2022

All organizations, regardless of size, are affected by information security awareness. Information security awareness is an important component, especially for organizations in the IT industry, to be able to respond to new cyber threats but also comply with requirements and regulations for handling customer data. The purpose of the study is to improve awareness-raising measures used by Swedish micro and small companies in the IT industry to increase information security awareness among employees. The study is performed through semi-structured interviews and then analyzed using the Grounded theory-method. The study highlights the awareness measures used in the IT industry and how they are used among companies to make employees aware of information security. In addition, the companies' underlying motives for their choice of awareness measure and their perspective on adapting the measure are examined. The study's conclusions present recommendations that can be used by micro and small companies in the IT industry to improve their awareness-raising measures. The study highlights the importance of adapting training measures, but also that companies should present reality-based scenarios to employees. In addition, it is also emphasized that incentives should be used by information security officers for employees to ensure compliance. / Alla organisationer, oavsett storlek påverkas av informationssäkerhetsmedvetenhet. Medvetenhet om informationssäkerhet är en viktig komponent i synnerhet för organisationer inom IT-branschen för att kunna bemöta nya cyberhot men också efterleva krav och regleringar för hantering av kunddata. Syftet med studien är att förbättra medvetenhetshöjande åtgärder som används av svenska mikro- och småbolag inom IT-branschen för att öka informationssäkerhetsmedvetenheten bland anställda. Studien utförs genom semistrukturerade intervjuer och analyseras sedan med hjälp av Grundad teori-metoden. Studien synliggör vilka medvetenhetsåtgärder som används inom IT-branschen och hur de används bland bolagen för att göra anställda medvetna gällande informationssäkerhet. Dessutom framgår bolagens bakomliggande motiv för deras val av medvetenhetsåtgärd samt deras perspektiv på anpassning av åtgärd. Studiens slutsatser presenterar rekommendationer som kan användas av mikro- och småbolag inom IT-branschen för att förbättra deras medvetenhetshöjande åtgärder. Studien lyfter fram betydelsen av anpassning av utbildningsåtgärder, men även att bolagen bör presentera verklighetsförankrade scenarier till de anställda. Därtill framhävs även att incitament bör användas av informationssäkerhetsansvariga till anställda för att säkerställa efterlevnad.

Information security

information security awareness

awareness measures

training measures

compliance

IT industry

micro and small companies

Informationssäkerhet

informationssäkerhetsmedvetenhet

medvetenhetsåtgärder

utbildningsåtgärder

efterlevnad

IT-branschen

mikro- och småbolag

Information Systems

Cyberpandemin: Att vaccinera sjukvården mot digitala hot / The cyber pandemic:Vaccinating healthcare against digital threats

Hermansson, Sandra, Jönsson, Wilma

January 2024

Digitaliseringens framväxt har utvecklat digitala arbetsmiljöer inom verksamheter där informationsteknologi tillämpas för att förbättra medarbetarnas produktivitet. Användningen av digital teknologi har ökat säkerhetsbehovet, med ett större fokus på cyber- och informationssäkerhet för att skydda mot digitala hot. Syftet med studien är att undersöka hur en offentlig verksamhet främjar IT-säkerhetsmedvetenhet i en digital arbetsmiljö, med fokus på hur en region inom hälso- och sjukvården arbetar med cyber- och informationssäkerhet. Forskningen grundar sig på en kvalitativ fallstudie där intervjuer har genomförts med medarbetare på säkerhetsavdelningen samt från sjukvården i den utvalda regionen. Resultatet visar att regionens arbete med att främja säkerhetsmedvetenhet i den digitala arbetsmiljön i flera avseenden anses vara bristfällig. Således belyser studien att en säkerhetsmedvetenhet kan främjas genom olika perspektiv såsom en tydlig kommunikation från verksamhetsledningen ut i organisationen samt att medarbetaren beaktar cyber- och informationssäkerhet som en del av det givna ansvarsområdet, oavsett arbetsuppgifter. Det är även väsentligt att anpassa den digitala arbetsmiljön där tekniken samspelar med människan. Ett förslag har utvecklats till regionen för att främja säkerhetsmedvetenhet och upprätthålla funktionsförmågan i en tidspressad arbetsmiljö, samtidigt som säkerheten prioriteras. / The rise of digitalization has developed digital work environments within organizations where information technology is applied to enhance employee productivity. The use of digital technology has increased security needs, with a greater focus on cyber and information security to protect against digital threats. This study aims to investigate how a public organization promotes IT security awareness in a digital work environment, focusing on a healthcare sector region's cyber and information security practices. The research, based on a qualitative case study where interviews have been conducted with employees of the security department and healthcare workers, indicates that the region's efforts to promote security awareness in the digital work environment are deficient in several respects. Thus, the study highlights that security awareness can be enhanced through various perspectives, such as clear communication from management throughout the organization and employees considering cyber and information security as part of their responsibilities, regardless of their work tasks. It is also essential to adapt the digital work environment where technology interacts with human elements. A proposal has been developed for the region to foster security awareness and maintain functionality in a time-sensitive work environment while prioritizing security.

Cyber and Information Security

IT Security Awareness

Digital work environment

Public Sector

Healthcare

Socio-technical perspective.

Cyber- och informationssäkerhet

IT-säkerhetsmedvetenhet

Digital arbetsmiljö

Offentlig verksamhet

Hälso- och sjukvården

Sociotekniskt perspektiv.

Information Systems