Perception of employees concerning information security policy compliance : case studies of a European and South African university

Lububu, Steven

January 2018

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to the lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for its sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services are secured, which they do through enforcement and compliance of policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case study approach to understand the meaningful characteristics of the actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews, with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university’s policies, and both departments manage and keep confidential university information (Human Resources transects and keeps employees’ information, whilst the Administrative office manages students’ records). This study used structuration theory as a lens to view and interpret the data. The qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case study’s universities. The documentation was then further used to support the data from the interviews. The findings revealed some factors that influence non-compliance with regards to information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficiency of infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences on an institution, such as the loss of the institution’s credibility or the institution’s closure. Recommendations for further study are also made available.

Computer security

Computer networks -- Security measures

Data protection

A data protection methodology to preserve critical information from the possible threat of information loss

Schwartzel, Taryn

03 October 2011

M.Tech. / Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums, in different locations and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenges that businesses face is trying to distinguish between mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to: · Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data. · Define the data protection strategy to meet the organisation’s business requirements. · Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data. · Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly. iii · Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.

Data protection

Computer security management

Electronic commerce - Security measures

A methodology for measuring and monitoring IT risk

Tansley, Natalie Vanessa

January 2007

The primary objective of the research is to develop a methodology for monitoring and measuring IT risks, strictly focusing on internal controls. The research delivers a methodology whereby an organization can measure its system of internal controls, providing assurance that the risks are at an acceptable level. To achieve the primary objective a number of secondary objectives were addressed: What are the drivers forcing organizations to better corporate governance in managing risk? What is IT risk management, specifically focusing on operational risk. What is internal control and specifically focusing on COSO’s internal control process. Investigation of measurement methods, such as, Balance Scorecards, Critical Success Factors, Maturity Models, Key Performance Indicators and Key Goal Indicators. Investigation of various frameworks such as CobiT, COSO and ISO 17799, ITIL and BS 7799 as to how they manage IT risk relating to internal control.

Information resources management

Security in university residence halls: effects of physical design and management policies

Boal, John K.

January 1978

Call number: LD2668 .T4 1978 B62 / Master of Architecture

Masters theses

Design of Anonymity scheme for communication systems

Zhang, Cong, 張聰

January 2002

published_or_final_version / Computer Science and Information Systems / Master / Master of Philosophy

Data protection.

Cryptography.

Computer networks - Security measures.

Risk assessment of the Naval Postgraduate School gigabit network

Shumaker, Todd, Rowlands, Dennis

09 1900

Approved for public release; distribution is unlimited / This research thoroughly examines the current Naval Postgraduate School Gigabit Network security posture, identifies any possible threats or vulnerabilities, and recommends any appropriate safeguards that may be necessary to counter the found threats and vulnerabilities. The research includes any portion of computer security, physical security, personnel security, and communication security that may be applicable to the overall security of both the .mil and .edu domains. The goal of the research was to ensure that the campus network is operating with the proper amount of security safeguards to protect the confidentiality, integrity, availability, and authenticity adequately from both insider and outsider threats. Risk analysis was performed by assessing all of the possible threat and vulnerability combinations to determine the likelihood of exploitation and the potential impact the exploitation could have on the system, the information, and the mission of the Naval Postgraduate School. The results of the risk assessment performed on the network are to be used by the Designated Approving Authority of the Naval Postgraduate School Gigabit network when deciding whether to accredit the system. / Civilian, Research Associate

Computer networks

Security measures

Technology

Risk assessment

A prototype to improve the security and integrity of mobile banking

26 June 2015

M.Sc. (Computer Science) / In the rapidly evolving world that we live in, the methods by which items are purchased are starting to be revolutionized. In a developing country such as South Africa, financial institutions within the banking sector are starting to implement their own systems or processes to process bank transactions. These processes include the identification and authentication of bank transactions, as well as the validation of the integrity of bank transactions between buyer and merchant. The changing of these processes by the banking sector could be viewed as a result of the increase in mobile device users. The purpose of the research presented within this dissertation is to explore an alternative method for identifying and authenticating a user in order to authorize a purchase made from a mobile device. The research will include evidence for the necessity of an alternative process as well as investigate the current technology by examining a few mobile banking solutions provided by the banking sector. The alternative process will be based upon a prototype design, which will employ Near Field Communication (NFC) technology to forward the purchase information from a point-of-sale (POS) device to the client’s mobile device, as well as employ fingerprint recognition technology to improve the identification and authentication of a user in order to authorize the purchase. The prototype will be known as BankAuth. The researcher hopes that this dissertation encourages other academics to discover new approaches in further researching mobile banking solutions.

Mobile computing

Redefining attack: taking the offensive against networks

Michael, Robert J., Staples, Zachary H.

03 1900

Approved for public release; distribution is unlimited / This thesis done in cooperation with the MOVES Institute / The Information Age empowers individuals, and affords small groups an opportunity to attack states' interests with an increasing variety of tactics and great anonymity. Current strategies to prevail against these emerging threats are inherently defensive, relying on potential adversaries to commit mistakes and engage in detectable behavior. While defensive strategies are a critical component of a complete solution set, they cede initiative to the adversary. Moreover, reactive measures are not suited to quickly suppress adversary networks through force. To address this shortfall in strategic planning, the science of networks is rapidly making clear that natural systems built over time with preferential attachment form scale-free networks. These networks are naturally resilient to failure and random attack, but carry inherent vulnerabilities in their highly connected hubs. Taking the offensive against networks is therefore an exercise in discovering and attacking such hubs. To find these hub vulnerabilities in network adversaries, this thesis proposes a strategy called Stimulus Based Discovery, which leads to rapid network mapping and then systematically improves the accuracy and validity of this map while simultaneously degrading an adversary's network cohesion. Additionally, this thesis provides a model for experimenting with Stimulus Based Discovery in a Multi-Agent System. / Lieutenant, United States Navy

Information warfare

Computer networks

Security measures

Implementing security in an IP Multimedia Subsystem (IMS) next generation network - a case study

Unknown Date

The IP Multimedia Subsystem (IMS) has gone from just a step in the evolution of the GSM cellular architecture control core, to being the de-facto framework for Next Generation Network (NGN) implementations and deployments by operators world-wide, not only cellular mobile communications operators, but also fixed line, cable television, and alternative operators. With this transition from standards documents to the real world, engineers in these new multimedia communications companies need to face the task of making these new networks secure against threats and real attacks that were not a part of the previous generation of networks. We present the IMS and other competing frameworks, we analyze the security issues, we present the topic of Security Patterns, we introduce several new patterns, including the basis for a Generic Network pattern, and we apply these concepts to designing a security architecture for a fictitious 3G operator using IMS for the control core. / by Jose M. Ortiz-Villajos. / Thesis (M.S.C.S.)--Florida Atlantic University, 2009. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 2009. Mode of access: World Wide Web.

Computer networks--Security measures

Electronic money and the derived applications: anonymous micropayment, receipt-free electronic voting and anonymous internet access.

January 2000

by Chan Yuen Yan. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2000. / Includes bibliographical references (leaves 91-[97]). / Abstracts in English and Chinese. / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Transition to a New Monetary System --- p.3 / Chapter 1.2 --- Security and Cryptography --- p.3 / Chapter 1.3 --- Electronic Cash: More than an Electronic Medium of Transaction --- p.4 / Chapter 1.4 --- Organisation of the Thesis --- p.5 / Chapter 2 --- Cryptographic Primitives --- p.7 / Chapter 2.1 --- One-way Hash Functions --- p.7 / Chapter 2.2 --- The Bit Commitment Protocol --- p.8 / Chapter 2.3 --- Secret Splitting --- p.8 / Chapter 2.4 --- Encryption / Decryption --- p.9 / Chapter 2.4.1 --- Symmetric Encryption --- p.10 / Chapter 2.4.2 --- Asymmetric Encryption --- p.10 / Chapter 2.5 --- The RSA Public Key Cryptosystem --- p.11 / Chapter 2.6 --- Blind Signature --- p.12 / Chapter 2.7 --- Cut-and-choose procotol --- p.13 / Chapter 2.8 --- The Elliptic Curve Cryptosystem (ECC) --- p.14 / Chapter 2.8.1 --- The Elliptic Curve Discrete Logarithm Problem --- p.15 / Chapter 2.8.2 --- Cryptographic Applications Implemented by ECC --- p.15 / Chapter 2.8.3 --- Analog of Diffie-Hellman Key Exchange --- p.15 / Chapter 2.8.4 --- Data Encryption [11] --- p.16 / Chapter 2.8.5 --- The ECC Digital Signature --- p.17 / Chapter 3 --- What is Money? --- p.18 / Chapter 3.1 --- Money --- p.18 / Chapter 3.1.1 --- The History of Money [17] --- p.19 / Chapter 3.1.2 --- Functions of Money --- p.20 / Chapter 3.2 --- Existing Payment Systems --- p.22 / Chapter 3.2.1 --- Cash Payments --- p.22 / Chapter 3.2.2 --- Payment through Banks --- p.22 / Chapter 3.2.3 --- Using Payment Cards --- p.23 / Chapter 4 --- Electronic Cash --- p.24 / Chapter 4.1 --- The Basic Requirements --- p.24 / Chapter 4.2 --- Basic Model of Electronic Cash --- p.25 / Chapter 4.2.1 --- Basic Protocol --- p.26 / Chapter 4.2.2 --- Modified Protocol --- p.27 / Chapter 4.2.3 --- Double Spending Prevention --- p.30 / Chapter 4.3 --- Examples of Electronic Cash --- p.31 / Chapter 4.3.1 --- eCash --- p.31 / Chapter 4.3.2 --- CAFE --- p.31 / Chapter 4.3.3 --- NetCash --- p.32 / Chapter 4.3.4 --- CyberCash --- p.32 / Chapter 4.3.5 --- Mondex --- p.33 / Chapter 4.4 --- Limitations of Electronic Cash --- p.33 / Chapter 5 --- Micropayments --- p.35 / Chapter 5.1 --- Basic Model of Micropayments --- p.36 / Chapter 5.1.1 --- Micropayments generation --- p.37 / Chapter 5.1.2 --- Spending --- p.37 / Chapter 5.1.3 --- Redemption --- p.38 / Chapter 5.2 --- Examples of Micropayments --- p.39 / Chapter 5.2.1 --- Pay Word --- p.39 / Chapter 5.2.2 --- MicroMint --- p.40 / Chapter 5.2.3 --- Millicent --- p.41 / Chapter 5.3 --- Limitations of Micropayments --- p.41 / Chapter 5.4 --- Digital Money - More then a Medium of Transaction --- p.42 / Chapter 6 --- Anonymous Micropayment Tickets --- p.45 / Chapter 6.1 --- Introduction --- p.45 / Chapter 6.2 --- Overview of the Systems --- p.46 / Chapter 6.3 --- Elliptic Curve Digital Signature --- p.48 / Chapter 6.4 --- The Micropayment Ticket Protocol --- p.49 / Chapter 6.4.1 --- The Micropayment Ticket --- p.50 / Chapter 6.4.2 --- Payment --- p.51 / Chapter 6.4.3 --- Redemption --- p.52 / Chapter 6.4.4 --- Double Spending --- p.52 / Chapter 6.5 --- Security Analysis --- p.52 / Chapter 6.5.1 --- Conditional Anonymity --- p.53 / Chapter 6.5.2 --- Lost Tickets --- p.53 / Chapter 6.5.3 --- Double Spending --- p.53 / Chapter 6.5.4 --- Collusion with Vendors --- p.53 / Chapter 6.6 --- Efficiency Analysis --- p.55 / Chapter 6.7 --- Conclusion --- p.56 / Chapter 7 --- Anonymous Electronic Voting Systems --- p.57 / Chapter 7.1 --- Introduction --- p.57 / Chapter 7.2 --- The Proposed Electronic Voting System --- p.58 / Chapter 7.2.1 --- The Proposed Election Model --- p.58 / Chapter 7.3 --- Two Cryptographic Protocols --- p.60 / Chapter 7.3.1 --- Protocol One - The Anonymous Authentication Protocol --- p.61 / Chapter 7.3.2 --- Protocol Two - Anonymous Commitment --- p.64 / Chapter 7.4 --- The Electronic Voting Protocol --- p.65 / Chapter 7.4.1 --- The Registration Phase --- p.66 / Chapter 7.4.2 --- The Polling Phase --- p.66 / Chapter 7.4.3 --- Vote-Opening Phase --- p.67 / Chapter 7.5 --- Security Analysis --- p.68 / Chapter 7.5.1 --- Basic Security Requirements --- p.68 / Chapter 7.5.2 --- Receipt-freeness --- p.71 / Chapter 7.5.3 --- Non-transferability of Voting Right --- p.72 / Chapter 7.6 --- Conclusion --- p.72 / Chapter 8 --- Anonymous Internet Access --- p.74 / Chapter 8.1 --- Introduction --- p.74 / Chapter 8.2 --- Privacy Issues of Internet Access Services --- p.75 / Chapter 8.2.1 --- Present Privacy Laws and Policies --- p.75 / Chapter 8.2.2 --- Present Anonymous Internet Services Solutions --- p.76 / Chapter 8.2.3 --- Conditional Anonymous Internet Access Services --- p.76 / Chapter 8.3 --- The Protocol --- p.77 / Chapter 8.3.1 --- ISP issues a new pass to Alice using blind signature [1] scheme --- p.77 / Chapter 8.3.2 --- Account Operations --- p.78 / Chapter 8.4 --- Modified Version with Key Escrow on User Identity --- p.79 / Chapter 8.4.1 --- Getting a new pass --- p.79 / Chapter 8.4.2 --- Account operations --- p.82 / Chapter 8.4.3 --- Identity revocation --- p.83 / Chapter 8.5 --- Security Analysis --- p.83 / Chapter 8.5.1 --- Anonymity --- p.83 / Chapter 8.5.2 --- Masquerade --- p.84 / Chapter 8.5.3 --- Alice cheats --- p.84 / Chapter 8.5.4 --- Stolen pass --- p.84 / Chapter 8.6 --- Efficiency --- p.85 / Chapter 8.6.1 --- Random number generation --- p.85 / Chapter 8.6.2 --- Signing on the pass --- p.86 / Chapter 8.6.3 --- Pass validation --- p.86 / Chapter 8.6.4 --- Identity recovery --- p.87 / Chapter 8.7 --- Conclusion --- p.87 / Chapter 9 --- Conclusion --- p.88 / Bibliography --- p.91

Cryptography