Establishing an information security culture in organizations : an outcomes based education approach

Van Niekerk, Johannes Frederick

January 2005

Information security is crucial to the continuous well-being of modern orga- nizations. Humans play a signfiicant role in the processes needed to secure an organization's information resources. Without an adequate level of user co-operation and knowledge, many security techniques are liable to be misused or misinterpreted by users. This may result in an adequate security measure becoming inadequate. It is therefor necessary to educate the orga- nization's employees regarding information security and also to establish a corporate sub-culture of information security in the organization, which will ensure that the employees have the correct attitude towards their security responsibilities. Current information security education programs fails to pay su±cient attention to the behavioral sciences. There also exist a lack of knowledge regarding the principles, and processes, that would be needed for the establishment of an corporate sub-culture, specific to information security. Without both the necessary knowledge, and the desired attitude amongst the employee, it will be impossible to guarantee that the organi- zation's information resources are secure. It would therefor make sense to address both these dimensions to the human factor in information security, using a single integrated, holistic approach. This dissertation presents such an approach, which is based on an integration of sound behavioral theories.

Computer security

Competency-based education

Hardware-Assisted Dependable Systems

Kuvaiskii, Dmitrii

22 March 2018

Unpredictable hardware faults and software bugs lead to application crashes, incorrect computations, unavailability of internet services, data losses, malfunctioning components, and consequently financial losses or even death of people. In particular, faults in microprocessors (CPUs) and memory corruption bugs are among the major unresolved issues of today. CPU faults may result in benign crashes and, more problematically, in silent data corruptions that can lead to catastrophic consequences, silently propagating from component to component and finally shutting down the whole system. Similarly, memory corruption bugs (memory-safety vulnerabilities) may result in a benign application crash but may also be exploited by a malicious hacker to gain control over the system or leak confidential data. Both these classes of errors are notoriously hard to detect and tolerate. Usual mitigation strategy is to apply ad-hoc local patches: checksums to protect specific computations against hardware faults and bug fixes to protect programs against known vulnerabilities. This strategy is unsatisfactory since it is prone to errors, requires significant manual effort, and protects only against anticipated faults. On the other extreme, Byzantine Fault Tolerance solutions defend against all kinds of hardware and software errors, but are inadequately expensive in terms of resources and performance overhead. In this thesis, we examine and propose five techniques to protect against hardware CPU faults and software memory-corruption bugs. All these techniques are hardware-assisted: they use recent advancements in CPU designs and modern CPU extensions. Three of these techniques target hardware CPU faults and rely on specific CPU features: ∆-encoding efficiently utilizes instruction-level parallelism of modern CPUs, Elzar re-purposes Intel AVX extensions, and HAFT builds on Intel TSX instructions. The rest two target software bugs: SGXBounds detects vulnerabilities inside Intel SGX enclaves, and “MPX Explained” analyzes the recent Intel MPX extension to protect against buffer overflow bugs. Our techniques achieve three goals: transparency, practicality, and efficiency. All our systems are implemented as compiler passes which transparently harden unmodified applications against hardware faults and software bugs. They are practical since they rely on commodity CPUs and require no specialized hardware or operating system support. Finally, they are efficient because they use hardware assistance in the form of CPU extensions to lower performance overhead.

Fehlertoleranz

Informationssicherheit

Fault Tolerance

Systems Security

ddc:004

rvk:ST 277

MISSTEV : model for information security shared tacit espoused values

Thomson, Kerry-Lynn

January 2007

One of the most critical assets in most organisations is information. It is often described as the lifeblood of an organisation. For this reason, it is vital that this asset is protected through sound information security practices. However, the incorrect and indifferent behaviour of employees often leads to information assets becoming vulnerable. Incorrect employee behaviour could have an extremely negative impact on the protection of information. An information security solution should be a fundamental component in most organisations. It is, however, possible for an organisation to have the most comprehensive physical and technical information security controls in place, but the operational controls, and associated employee behaviour, have not received much consideration. Therefore, the issue of employee behaviour must be addressed in an organisation to assist in ensuring the protection of information assets. The corporate culture of an organisation is largely responsible for the actions and behaviour of employees. Therefore, to address operational information security controls, the corporate culture of an organisation should be considered. To ensure the integration of information security into the corporate culture of an organisation, the protection of information should become part of the way the employees conduct their everyday tasks – from senior management, right throughout the entire organisation. Therefore, information security should become an integral component of the corporate culture of the organisation. To address the integration of information security into the corporate culture of an organisation, a model was developed which depicted the learning stages and modes of knowledge creation necessary to transform the corporate culture into one that is information security aware.

Computer security -- Management

Data protection

High Assurance Models for Secure Systems

Almohri, Hussain

08 May 2013

Despite the recent advances in systems and network security, attacks on large enterprise networks consistently impose serious challenges to maintaining data privacy and software service integrity. We identify two main problems that contribute to increasing the security risk in a networked environment: (i) vulnerable servers, workstations, and mobile devices that suffer from vulnerabilities, which allow the execution of various cyber attacks, and, (ii) poor security and system configurations that create loopholes used by attackers to bypass implemented security defenses. Complex attacks on large networks are only possible with the existence of vulnerable intermediate machines, routers, or mobile devices (that we refer to as network components) in the network. Vulnerabilities in highly connected servers and workstations, that compromise the heart of today's networks, are inevitable. Also, modern mobile devices with known vulnerabilities cause an increasing risk on large networks. Thus, weak security mechanisms in vulnerable  network components open the possibilities for effective network attacks On the other hand, lack of systematic methods for an effective static analysis of an overall complex network results in inconsistent and vulnerable configurations at individual network components as well as at the network level. For example, inconsistency and faults in designing firewall rules at a host may result in enabling more attack vector. Further, the dynamic nature of networks with changing network configurations, machine availability and connectivity, make the security analysis a challenging task This work presents a hybrid approach to security by providing two solutions for analyzing the overall security of large organizational networks, and a runtime  framework for protecting individual network components against misuse of system resources by cyber attackers. We  observe that to secure an overall computing environment, a static analysis of a network is not sufficient. Thus, we couple our analysis with a framework to secure individual network components including high performance machines as well as mobile devices that repeatedly enter and leave networks. We also realize the need for advancing the theoretical foundations for analyzing the security of large networks. To analyze the security of large enterprise network, we present the first scientific attempt to compute an optimized distribution of defensive resources with the objective of minimizing the chances of successful attacks. To achieve this minimization, we develop a rigorous probabilistic model that quantitatively measures the chances of a successful attack on any network component. Our model provides a solid theoretical foundation that enables efficient computation of unknown success probabilities on every stage of a network attack. We design an algorithm that uses the computed attack probabilities for optimizing security configurations of a network. Our optimization algorithm  uses state of the art sequential linear programming to approximate the solution to a complex single objective nonlinear minimization problem that formalizes various attack steps and candidate defenses at the granularity of attack stages. To protect individual network components, we develop a new approach under our novel idea of em process authentication. We argue that to provide high assurance security, enforcing authorization is necessary but not sufficient. In fact, existing authorization systems lack a strong and reliable process authentication model for preventing the execution of malicious processes (i.e., processes that intentionally contain malicious goals that violate integrity and confidentiality of legitimate processes and data). Authentication is specially critical when malicious processes may use various system vulnerabilities to install on the system and stealthily execute without the user's consent. We design and implement the Application Authentication (A2) framework that is capable of monitoring application executions and ensuring proper authentication of application processes. A2 has the advantage of strong security guarantees, efficient runtime execution, and compatibility with legacy applications. This authentication framework reduces the risk of infection by powerful malicious applications that may disrupt proper execution of legitimate applications, steal users' private data, and spread across the entire organizational network. Our process authentication model is extended and applied to the Android platform. As Android imposes its unique challenges (e.g., virtualized application execution model), our design and implementation of process authentication is extended to address these challenges. Per our results, process authentication in Android can protect the system against various critical vulnerabilities such as privilege escalation attacks and drive by downloads. To demonstrate process authentication in Android, we implement DroidBarrier. As a runtime system, DroidBarrier includes an authentication component and a lightweight permission system to protect legitimate applications and secret authentication information in the file system. Our implementation of DroidBarrier is compatible with the Android runtime (with no need for modifications) and shows efficient performance with negligible penalties in I/O operations and process creations. / Ph. D.

Systems Security

Authentication

Mathematical Programming

Optimization

Security Risk

Modeling and Analysis of Intentional And Unintentional Security Vulnerabilities in a Mobile Platform

Fazeen, Mohamed, Issadeen, Mohamed

12 1900

Mobile phones are one of the essential parts of modern life. Making a phone call is not the main purpose of a smart phone anymore, but merely one of many other features. Online social networking, chatting, short messaging, web browsing, navigating, and photography are some of the other features users enjoy in modern smartphones, most of which are provided by mobile apps. However, with this advancement, many security vulnerabilities have opened up in these devices. Malicious apps are a major threat for modern smartphones. According to Symantec Corp., by the middle of 2013, about 273,000 Android malware apps were identified. It is a complex issue to protect everyday users of mobile devices from the attacks of technologically competent hackers, illegitimate users, trolls, and eavesdroppers. This dissertation emphasizes the concept of intention identification. Then it looks into ways to utilize this intention identification concept to enforce security in a mobile phone platform. For instance, a battery monitoring app requiring SMS permissions indicates suspicious intention as battery monitoring usually does not need SMS permissions. Intention could be either the user's intention or the intention of an app. These intentions can be identified using their behavior or by using their source code. Regardless of the intention type, identifying it, evaluating it, and taking actions by using it to prevent any malicious intentions are the main goals of this research. The following four different security vulnerabilities are identified in this research: Malicious apps, spammers and lurkers in social networks, eavesdroppers in phone conversations, and compromised authentication. These four vulnerabilities are solved by detecting malware applications, identifying malicious users in a social network, enhancing the encryption system of a phone communication, and identifying user activities using electroencephalogram (EEG) for authentication. Each of these solutions are constructed using the idea of intention identification. Furthermore, many of these approaches have utilized different machine learning models. The malware detection approach performed with an 89% accuracy in detecting the given malware dataset. In addition, the social network user identification model's accuracy was above 90%. The encryption enhancement reduced the mobile CPU usage time by 40%. Finally, the EEG based user activities were identified with an 85% accuracy. Identifying intention and using it to improve mobile phone security are the main contributions of this dissertation.

Intention

mobile security

malware

spammers

encryption

electroencephalogram

General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large versus Small Businesses

Schuessler, Joseph H.

05 1900

This research sought to shed light on information systems security (ISS) by conceptualizing an organization's use of countermeasures using general deterrence theory, positing a non-recursive relationship between threats and countermeasures, and by extending the ISS construct developed in prior research. Industry affiliation and organizational size are considered in terms of differences in threats that firms face, the different countermeasures in use by various firms, and ultimately, how a firm's ISS effectiveness is affected. Six information systems professionals were interviewed in order to develop the appropriate instruments necessary to assess the research model put forth; the final instrument was further refined by pilot testing with the intent of further clarifying the wording and layout of the instrument. Finally, the Association of Information Technology Professionals was surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization's use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have desired effects on both ISS effectiveness and future threats. Additionally, the model put forth in this research can be used by practitioners to both assess their current ISS effectiveness as well as to prescriptively target desired levels of ISS effectiveness.

countermeasures

Information systems security

threats

risk assessment

Computer networks -- Security measures.

Computer security.

The Burner Project: Privacy and Social Control in a Networked World

Shade, Molly

05 1900

As mobile phones become increasingly ubiquitous in today’s world, academic and public audiences alike are curious about the interaction between mobile technologies and social norms. To investigate this phenomenon, I examined how individuals use technology to actively manage their communication behaviors. Through a three-month research project on usage patterns of Burner, a mobile application, this thesis explores the relationships among technology, culture, and privacy. Burner is a service that equips individuals with the means to create, maintain, and/or dissolve social ties by providing temporary, disposable numbers to customers. The application offers a way to communicate without relying on a user’s personal phone number. In other words, Burner acts as a “privacy layer” for mobile phones. It also provides a valuable platform to examine how customers use the application as a strategy for communication management. This thesis represents a marriage of practice and theory: (1) As an applied enterprise, the project was constructed as a customer needs assessment intending to examine how the service was situated in the lives of its users. The findings have successfully been applied to my client’s company strategy and have led to a more informed customer approach. (2) As an academic endeavor, this research contributes to existing scholarship in anthropology, computer-mediated communication, privacy, and design. The results provide rich fodder for discussions about the impact of mobile communication and services.

design anthropology

privacy

technical communication

computer mediated communication

cultural anthropology

Social norms.

Privacy, Right of.

High-performance advanced encryption standard (AES) security co-processor design

Tandon, Prateek

01 December 2003

see PDF

Data encryption (Computer science)

Data encryption (Computer science)

An investigation of high school learners using MXIT, and their attitudes towards mobile security.

Bhoola, Nisha.

10 October 2013

This research encompassed an investigation of high school learners using MXiT, and their attitudes towards mobile security guidelines. The research was conducted across thirteen schools in the Pinetown, ILembe and Umlazi districts of KwaZulu-Natal. The literature review has shown that the majority of security guidelines and their successful use depend on education and awareness of what these security measures are. Secure use of mobile social networking sites such as MXiT are best regulated by parental awareness and monitoring of children‟s online habits. This needs parents to be abreast of technology, its uses and benefits, the associated dangers, as well as how to encourage and monitor usage. The research was conducted by administering questionnaires to grades 8 to 11 inclusive in the three districts of KwaZulu-Natal. Out of the 1300 questionnaires handed out to learners, a total of 856 completed questionnaires (66%) were received and analysed. It was found from the study that 89,5% of under age users that participated in this research are using MXiT. Users are also not fully aware of the security features when using MXiT. It has also been found that African respondents as compared with non- African respondents are less aware of the possible dangers in using MXiT, less aware that criminals can use fake IDs and pretend to be someone they are not, and less aware that people can get addicted to MXiT. Learners are aware of the dangers that can be associated with MXiT; however they are prepared to talk to strangers and meet new people online, thus exposing themselves to these dangers. In conclusion, there is scope to improve the security measures for MXiT users, and there is a need to improve the levels of education around using these security features. / Thesis (M.Com.)-University of KwaZulu-Natal, Westville, 2011.

Does Device Matter? Understanding How User, Device, and Usage Characteristics Influence Risky IT Behaviors of Individuals

Negahban, Arash

08 1900

Over the past few years, there has been a skyrocketing growth in the use of mobile devices. Mobile devices are ushering in a new era of multi-platform media and a new paradigm of “being-always-connected”. The proliferation of mobile devices, the dramatic growth of cloud computing services, the availability of high-speed mobile internet, and the increase in the functionalities and network connectivity of mobile devices, have led to creation of a phenomenon called BYOD (Bring Your Own Device), which allows employees to connect their personal devices to corporate networks. BYOD is identified as one of the top ten technology trends in 2014 that can multiply the size of mobile workforce in organizations. However, it can also serve as a vehicle that transfers cyber security threats associated with personal mobile devices to the organizations. As BYOD opens the floodgates of various device types and platforms into organizations, identifying different sources of cyber security threats becomes indispensable. So far, there are no studies that investigated how user, device and usage characteristics affect individuals’ protective and risky IT behaviors. The goal of this dissertation is to expand the current literature in IS security by accounting for the roles of user, device, and usage characteristics in protective and risky IT behaviors of individuals. In this study, we extend the protection motivation theory by conceptualizing and measuring the risky IT behaviors of individuals and investigating how user, device, and usage characteristics along with the traditional protection motivation factors, influence individuals’ protective and risky IT behaviors. We collected data using an online survey. The results of our study show that individuals tend to engage in different levels of protective and risky IT behaviors on different types of devices. We also found that certain individual characteristics as well as the variety of applications that individuals use on their computing devices, influence their protective and risky IT behaviors.

risky IT behavior

IT security

mobile devices

protective IT behavior

information systems security

Mobile computing -- Security measures.

Computer security.