551
Dark patterns - obemärkta hot mot dataskyddet? : En undersökning av övertalande design som avser att samla personuppgifter / Dark patterns - unnoticed threats to data protection : An analysis of pervasive design intended to collect personal data. Willamo, Kristin. January 2022.
The thesis describes what dark patterns are and how they affect individuals' data protection. It finds that the methods are in fact an old phenomenon that now also occurs in the relatively new data-driven market of the digital world. There are several different variants of dark patterns, and they may appear to overlap one another. What they have in common is that dark patterns in the data protection context influence individuals' privacy choices by nudging them into sharing personal data. The methods interfere with individuals' right to control their personal data, and therefore dark patterns should in most cases constitute infringements of data protection law in the EU. No legislation expressly covers dark patterns, but the thesis shows that there should be few dark patterns that are not caught by the data protection rules in force. It is not weaknesses in the current data protection regulation that the thesis draws attention to, but rather weaknesses in compliance with and supervision of those rules. The deficiencies in supervision affect not only the occurrence of dark patterns; they apply to all data protection infringements. The thesis proposes that further guidelines and clarifications from the EDPB are needed to make compliance with and supervision of the current rules more effective. In addition, further funding for data protection authorities is advocated, as well as education of individuals, in their capacity as consumers, about what dark patterns are. The thesis also analyses the connection between the consumer protection field and data protection, as well as possible supervisory responsibility for dark patterns, which is then discussed as a further alternative for counteracting dark patterns. Express prohibitions in EU legislative acts are also considered desirable to increase compliance. An outlook on future regulation is given, partly in the US, where regulation that expressly covers dark patterns is being introduced in 2023, and partly in the EU, where an express ban on dark patterns is under negotiation for inclusion in the DSA. At the same time, cookie walls, which are a type of dark pattern, may become partly permitted through the ePrivacy Regulation.
552
Implementering av Zero Trust i ett händelsestyrt meddelandesystem / Implementation of Zero Trust in an Event-Driven Messaging System. Wilson, Paul-Stefan Luay; Bahadi, Georges. January 2024.
This report addresses the central issue of security in event-driven messaging systems by examining and implementing Zero Trust architecture. The problem is highly relevant due to the increasing use of such systems and the growing need for robust security solutions to manage challenges related to asynchronous communication and data handling. The Zero Trust model offers an innovative approach to enhancing security by eliminating implicit trust and instead continuously verifying users and devices, making it particularly suitable for dynamic and distributed systems. By exploring and analyzing the characteristics of event-driven messaging systems and identifying the challenges they present for security architecture, the report investigates various methods for implementing the Zero Trust principle. Through careful integration of these methods, the report highlights an effective and scalable solution for securing and protecting sensitive resources and data in event-driven messaging systems. The presented solution underscores the value of Zero Trust as a reliable model for addressing security risks and ensuring a sustainable and robust architecture for asynchronous communication in modern IT systems.
553
Mapping out the Key Security Components in Relational Databases (MK-SCoRe) : Enhancing the Security of Relational Database Technology / Kartläggning av Nyckelkomponenter för Säkerhet i Relationsdatabaser (MK-SCoRe) : Förbättring av Säkerheten i Relationsdatabasteknik. Alobaidi, Murtadha; Trabulsiah, Abdullah. January 2024.
Relational database security has become an increasingly important issue for organizations worldwide in the current era of data-driven operations. This thesis addresses the urgent need for extensive knowledge of the key security components of relational databases. Database security is constantly improving, but there is still a lack of research that analyzes these important factors. Because of this gap, databases are not sufficiently secured against new cyber threats, which endangers their availability, confidentiality, and integrity. The problem that the thesis addresses is the lack of comprehensive research covering all key security components in relational databases, which presents a challenge for organizations seeking to comprehensively secure their database systems. The purpose of this thesis is to systematically map the key security components essential to relational databases. The goal is to assist organizations and database professionals in securing their relational databases against diverse cyber threats. Using a qualitative and exploratory methodology, the research analyzes a wide range of literature on database security. The research offers a balanced and comprehensive perspective on the current security landscape in relational databases by integrating theoretical study with structured interviews. This method ensures that all essential security components are fully investigated. The results of this thesis comprise a detailed mapping of the key security components within relational databases, uniquely informed by a combination of academic research and empirical findings from structured interviews with database security experts. This thesis analyzes these security components based on how well they address current security threats, how well they secure databases, and how well they can adapt to different organizational needs.
554
Data Subject Rights in Mental Health Applications : Assessing the Exercise of Data Subject Rights under the GDPR / Rättigheter för Registrerade Personer i Mentala Hälsoappar : En Bedömning Enligt GDPR. Gustafsson, Oliver. January 2024.
The rapid growth of Mobile Health (mHealth) applications, particularly those focused on mental health, has provided accessible and affordable support for users' well-being. However, this growth has raised substantial privacy concerns, especially regarding the handling of sensitive personal health data. This thesis evaluates the extent to which mental health apps allow users to exercise their Data Subject Rights (DSRs) under the European General Data Protection Regulation (GDPR) and provides recommendations for enhancing data protection and user privacy. The primary objectives are to identify the relevant DSRs for mental health apps, empirically assess the extent to which such rights are respected in existing apps, and propose actionable recommendations for improvement. The study's methodology involved a comprehensive review of privacy policies, the use of automated tools for privacy assessment, and the submission of Data Subject Access Requests (DSARs) to app providers. Findings indicate that while some apps demonstrate high conformity with DSRs, the majority still fall short in various aspects. Common issues include inadequate transparency in privacy policies, incomplete responses to DSARs, and non-compliance with the right to data portability. Specifically, only 45.5% of apps responded to the DSARs with a partial or complete answer, and only 40% of the responses contained data in machine-readable formats meeting the requirements for data portability. The study emphasizes the need for mental health app developers to enhance privacy practices, ensuring users are fully informed about data collection and usage, can easily access and delete their personal data, and receive their data in portable formats. Recommendations include improving the clarity and accessibility of privacy policies, adopting best practices for data security, and implementing user-friendly mechanisms for data access and deletion. In conclusion, while progress has been made in GDPR compliance among mental health apps, significant improvement is still needed. Addressing these challenges will better protect user privacy, build trust, and support the responsible development of digital health technologies.
555
Three Essays on Information Security Risk Management. Ogbanufe, Obiageli. 05 1900.
Today's environment is filled with the proliferation of cyber-attacks that result in losses for organizations and individuals. Hackers often use compromised websites to distribute malware, making it difficult for individuals to detect. Clicking through a malware-infected link on the Internet can result in consequences such as private information theft and identity theft. Hackers are also known to perpetrate cyber-attacks that result in organizational security breaches that adversely affect organizations' finances, reputation, and market value. Risk management approaches for minimizing and recovering from cyber-attack losses and preventing further cyber-attacks are gaining more importance. Many studies have increased our understanding of how individuals and organizations are motivated to reduce or avoid the risks of security breaches and cyber-attacks using safeguard mechanisms. The safeguards are sometimes technical in nature, such as intrusion detection software and anti-virus software. Other times, the safeguards are procedural in nature, such as security policy adherence and security awareness and training. Many of these safeguards fall under the risk mitigation and risk avoidance aspects of risk management, and do not address other aspects of risk management, such as risk transfer. Researchers have argued that technological approaches to security risks are rarely sufficient for providing overall protection of information system assets. Moreover, others argue that overall protection must include a risk transfer strategy. Hence, there is a need to understand the risk transfer approach for managing information security risks. Further, in order to effectively address the information security puzzle, there also needs to be an understanding of the nature of the perpetrators of the problem, the hackers. Though hacker incidents proliferate in the news, there are few theory-based hacker studies. Even though the very nature of their actions makes them difficult to access for research, a glimpse of how hackers perpetrate attacks can be obtained through the examination of their knowledge sharing behavior. Gaining some understanding of hackers through their knowledge sharing behavior may help researchers fine-tune future information security research. The insights could also help practitioners design more effective defensive security strategies and risk management efforts aimed at protecting information systems. Hence, this dissertation is interested in understanding the hackers that perpetrate cyber-attacks on individuals and organizations through their knowledge sharing behavior. Also of interest is how individuals form their URL click-through intention in the face of proliferated cyber risks. Finally, we explore how and why organizations that are faced with the risk of security breaches commit to cyberinsurance as a risk management strategy. Thus, the fundamental research question of this dissertation is: how do individuals and organizations manage information security risks?
556
Privacy protection in query processing in database systems (Der Schutz der Privatsphäre bei der Anfragebearbeitung in Datenbanksystemen). Dölle, Lukas. 13 June 2016.
Over the last ten years many techniques for privacy-preserving data publishing have been proposed. Most of them anonymize a complete data table such that sensitive values cannot clearly be assigned to individuals. Their privacy is considered to be adequately protected if an adversary cannot discover the actual value from a given set of at least k values. For this thesis we assume that users interact with a database by issuing a sequence of queries against one table. The system returns a sequence of results that contains sensitive values. The goal of this thesis is to check whether adversaries are able to uniquely link sensitive values to individuals despite anonymized result sets. So far, algorithms to prevent deanonymization exist only for aggregate queries such as sums or averages. Our novel approach prevents deanonymization for arbitrary queries. We show that our approach can be transformed into matching problems in special graphs. However, finding maximum matchings in these graphs is NP-complete. Therefore, we develop several approximation algorithms which compute specific matchings in polynomial time while still maintaining privacy.
557
Development of a diagnostic instrument and privacy model for student personal information privacy perceptions at a Zimbabwean university. Maguraushe, Kudakwashe. 05 1900.
Orientation: The safety of any natural person with respect to the processing of their personal information is an essential human right as specified in the Zimbabwe Data Protection Act (ZDPA) bill. Once enacted, the ZDPA bill will affect universities as public entities. It will directly impact how personal information is collected and processed. The bill will be fundamental in understanding the privacy perceptions of students in relation to privacy awareness, privacy expectations and confidence within the university. These need to be understood to give guidelines to universities on the implementation of the ZDPA.
Problem statement: The current constitution and the ZDPA are not sufficient to give organisations guidelines on ensuring personal information privacy. There is a need for guidelines to help organisations and institutions implement and comply with the provisions of the ZDPA in the context of Zimbabwe. The privacy regulations, regarded as the three concepts (awareness, expectations and confidence), were used to determine the student perceptions. These three concepts have not been researched before in the privacy context, and the relationship between the three concepts has not as yet been established.
Research purpose: The main aim of the study was to develop and validate an Information Privacy Perception Survey (IPPS) diagnostic tool and a Student Personal Information Privacy Perception (SPIPP) model to give guidelines to universities on how they can implement the ZDPA and aid universities in comprehending student privacy perceptions to safeguard personal information and assist in giving effect to their privacy constitutional right.
Research methodology: A quantitative research method was used in a deductive research approach, where a survey research strategy was applied using the IPPS instrument for data collection. The IPPS instrument was designed with 54 items that were developed from the literature. The preliminary instrument was taken through both an expert review and a pilot study. Using the non-probability convenience sampling method, 287 students participated in the final survey. SPSS version 25 was used for data analysis. Both descriptive and inferential statistics were produced. Exploratory factor analysis (EFA) was used to validate the instrument, while confirmatory factor analysis (CFA) and structural equation modelling (SEM) were used to validate the model.
Main findings: The diagnostic instrument was validated and resulted in seven new factors, namely university confidence (UC), privacy expectations (PE), individual awareness (IA), external awareness (EA), privacy awareness (PA), practice confidence (PC) and correctness expectations (CE). Students indicated that they had high expectations of the university on privacy. The new factors showed a high level of awareness of privacy and low confidence in the university safeguarding their personal information privacy. A SPIPP empirical model was also validated using structural equation modelling (SEM), and it indicated an average overall good fit between the proposed SPIPP conceptual model and the empirically derived SPIPP model.
Contribution: A diagnostic instrument that measures the perceptions (privacy awareness, expectations and confidence) of students was developed and validated. This study further contributed a model for information privacy perceptions that illustrates the relationship between the three concepts (awareness, expectations and confidence). Other universities can use the model to ascertain the perceptions of students on privacy. This research also contributes to improvement in the protection of students' personal information processed by universities. The results will aid university management and information regulators to implement measures to create a culture of privacy and to protect student data in line with regulatory requirements and best practice. / School of Computing / Ph. D. (Information Systems)
558
Protection of Personal Data, a Power Struggle between the EU and the US: What implications might be facing the transfer of personal data from the EU to the US after the CJEU's Safe Harbour ruling? Strindberg, Mona. January 2016.
Since the US National Security Agency's former contractor Edward Snowden exposed the Agency's mass surveillance, the EU has been making a series of attempts toward a more safeguarded and stricter path concerning its data privacy protection. On 8 April 2014, the Court of Justice of the European Union (the CJEU) invalidated the EU Data Retention Directive 2006/24/EC on the basis of incompatibility with the Charter of Fundamental Rights of the European Union (the Charter). After this judgment, the CJEU examined the legality of the Safe Harbour Agreement, which had been the main legal basis for transfers of personal data from the EU to the US under Decision 2000/520/EC. Subsequently, on 6 October 2015, in the case of Schrems v Data Protection Commissioner, the CJEU declared the Safe Harbour Decision invalid. The ground for the Court's judgment was the fact that the Decision enabled interference, by US public authorities, with the fundamental rights to privacy and personal data protection under Articles 7 and 8 of the Charter, when processing the personal data of EU citizens. According to the judgment, this interference went beyond what is strictly necessary and proportionate to the protection of national security, and the persons concerned were not offered any administrative or judicial means of redress enabling the data relating to them to be accessed, rectified or erased. The Court's analysis of the Safe Harbour was borne out of the EU Commission's own previous assessments. Consequently, since transfers of personal data between the EU and the US can no longer be carried out through the Safe Harbour, the EU legislature is left with the task of creating a safer option, which will guarantee that the fundamental rights to privacy and protection of personal data of EU citizens will be respected. However, although the EU is the party dictating the terms for these transatlantic transfers of personal data, the current provisions of US law are able to provide for derogations from every possible renewed agreement unless they become compatible with EU data privacy law. Moreover, as much business is at stake and prominent US companies are involved in this battle, the pressure on the US is not only coming from the EU; some American companies are also taking up the fight for EU citizens' right to privacy and protection of their personal data.
559
Criminal-law protection of information (Strafregtelike beskerming van inligting). Nienaber, Catharina Wilhelmina. 11 1900.
This thesis examines the important and growing role that information currently plays in society, in order to emphasise how necessary it now is to enact an offence that makes the unlawful and intentional acquisition of information punishable. The role that industrial espionage plays in this regard is highlighted. Because of the particular incorporeal nature of information, a person cannot be deprived of information in the way they can be deprived of corporeal property. Information is usually simply copied, and the original holder of the information retains it even though the perpetrator also obtains it. The common-law crime of theft therefore does not provide for the theft of information where the information has merely been copied or duplicated.
To determine how this particular problem is addressed in the legal systems of other countries, and to gain knowledge of how it ought to be addressed in South African law, the criminal-law provisions and even the non-criminal-law provisions of countries such as England, the United States, Canada and the Netherlands were examined.
In order to establish which information ought to be protected by the criminal law, certain non-criminal-law provisions of the said countries and of South African law were also reviewed. Insights were gained into which elements such information must satisfy, and a definition of information worthy of protection is recommended. For this purpose a new concept of information worthy of protection was created.
The reasons why theft of information is not recognised in the South African legal system and in those of the other countries are discussed. The way in which the common-law crime of theft was extended to the theft of incorporeal money is examined, after which a recommendation is made on how the definition of theft can be extended to include other incorporeal objects as well. Because of the particular nature of information, the common-law definition of theft cannot be extended to include information as an object, and a statutory offence of theft of information is therefore proposed. / Jurisprudence / LL. D.
560
Legal and policy aspects to consider when providing information security in the corporate environment. Dagada, Rabelani. 11 1900.
E-commerce is growing rapidly due to the massive usage of the Internet to conduct commercial transactions. This growth has presented both customers and merchants with many advantages. However, one of the challenges in E-commerce is information security. In order to mitigate e-crime, the South African government promulgated laws that contain information security legal aspects that should be integrated into the establishment of information security. Although several authors have written about legal and policy aspects regarding information security in the South African context, it has not yet been explained how these aspects are used in the provision of information security in the South African corporate environment.
This is the premise upon which the study was undertaken. Forty-five South African organisations participated in this research. Data gathering methods included individual interviews, website analysis, and document analysis.
The findings of this study indicate that most organisations in South Africa are not integrating legal aspects into their information security policies. One of the most important outcomes of this study is the proposed Concept Model of Legal Compliance in the Corporate Environment. This Concept Model embodies the contribution of this study and demonstrates how legal requirements can be incorporated into information security endeavours. The fact that the proposed Concept Model is technology-independent and that it can be implemented in a real corporate environment, regardless of the organisation’s governance and management structure, holds great promise for the future of information security in South Africa and abroad.
Furthermore, this thesis has generated a topology for linking legislation to the provision of information security which can be used by any academic or practitioner who intends to implement information security measures in line with the provisions of the law. It is on the basis of this premise that practitioners can, to some extent, construe that the integration of legislation into information security policies can be done in other South African organisations that did not participate in this study. Although this study has yielded theoretical, methodological and practical contributions, there is, in reality, more research work to be done in this area. / School of Computing / D. Phil. (Information Systems)