  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
301

A Reading Preference and Risk Taxonomy for Printed Proprietary Information Compromise in the Aerospace and Defense Industry

Stalker, Joshua D. 01 January 2012
The protection of proprietary information that users print from their information systems is a significant and relevant concern in the field of information security to both researchers and practitioners. Information security researchers have repeatedly indicated that human behaviors and perception are important factors influencing the information security of organizations and have called for more research. The aerospace and defense industry commonly deals with its own proprietary information as well as its customers'. Further, e-training is a growing practice in this industry; it frequently deals with proprietary information and has unique information security challenges, and thus serves as additional context for this study. This study focused on the investigation of two constructs, user reading preference and user perceived risk of compromising printed proprietary information, as well as seven user demographics. These constructs reflect human behavior and risk perceptions associated with compromising printed proprietary information and, thus, provide valuable insights applicable to information security. This study developed a Reading Preference and Risk (RPR) Taxonomy, which allows users to be classified according to the aforementioned two constructs under investigation and provides insightful characterizations of information security risks. A survey based on existing literature, the primary constructs, and several demographics was implemented to assess two research questions and seven associated hypotheses. The survey was sent to 1,728 employees of an aerospace and defense organization. The response rate was 18% with 311 usable records. The results of the study showed that employees were dispersed across the RPR Taxonomy with 15.1% identified as potentially problematic to the protection of printed proprietary information. The overall results showed that the population had a reading preference for print materials and a high perceived risk for compromising printed proprietary information, as well as significantly higher print preference for e-training materials when it was necessary to retain the content in memory. Significant differences in the two constructs were also found across several demographics including age, gender, frequency of user exposure to proprietary information, the confidentiality level of the proprietary information a user is regularly exposed to, and previous user experience with the compromise of proprietary information. Recommendations for practice and research are provided. Moreover, several areas for future research are also presented.
302

Towards an Integrated Framework for Quality and Information Security Management in Small Companies

Große, Christine January 2016
This master thesis elaborates the construction of an integrated framework for the simultaneous initiation of quality management and information security management within micro and small enterprises. Called QISMO, the model collection consists of three parts: (1) a holistic framework as structure dedicated to achieving a shared understanding among key stakeholders concerned about relations and dependencies, (2) a reference process model for visualising the entire process with the activities related, and (3) a lifecycle model for illustrating the process loop and for clarifying specific phases therein. This study offers an analysis of alternative approaches that results in premises and requirements adapted to micro and small enterprises. Furthermore, major barriers to the improvement of quality and information security management of micro and small enterprises are identified in this study. These include miscalculation of risks, lack of competence, and absence of structured processes. Aside from valuable insights for further development of enhanced training programs, the study contributes a comprehensive analysis of standards and good practices within the field of IT governance. Moreover, the study shares a concrete reference process model that is adapted to the preconditions of micro and small enterprises. These preconditions are acquired throughout the study. The proposition is to provide a basis for the further improvement of business processes and the models related to them, both in practice and in research.
303

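Modelo de evaluación de riesgos de seguridad de la información basado en la ISO/IEC 27005 para analizar la viabilidad de adoptar un servicio en la nube / Information security risk assessment model based on ISO/IEC 27005 for analyzing the feasibility of adopting a cloud service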

Quispe Loarte, Javier Esai, Pacheco Pedemonte, Diego Ludwing 01 September 2018
The purpose of the project is to propose an information security risk assessment model based on ISO/IEC 27005 to determine the feasibility of obtaining a service in the cloud, since in every organization it is necessary to know the information security risks that they currently assume with the security controls implemented and those that could be assumed with the acquisition of a new service in the cloud so that they can make the decision to opt for one or the other. The model was made based on 3 phases. First, a relevant investigation of good practices in information security was carried out. In the research, ISO/IEC 27001 was used, which gives us an overview of an information security management system. Likewise, ISO/IEC 27005, which is oriented to the management of information security risks in an organization, was chosen. Second, the model proposal is presented and its phases are described as contextualization of the organization, risk identification, risk assessment and risk treatment. Finally, the model was deployed in the process of partial and final examinations of the area of academic records of the “Universidad Peruana de Ciencias Aplicadas”. / Thesis
304

Modelo de gestión de riesgos de seguridad de la información para pymes en el Perú / Information security risk management model for Peruvian SMEs

García Porras, Johari Chris, Huamani Pastor, Sarita Cecilia 18 June 2019
Nowadays, every company should be aware of the importance of business information and the way it should be treated, since it is one of their most important assets. Unfortunately, not all are sure about its actual value, and so they may be exposed to large losses. According to EY, 41% of companies consider that they have minimum probabilities to detect a sophisticated attack. The main reasons that hinder the effectiveness of information security are budgetary restrictions and the lack of specialized resources. To protect the information, companies must determine their risk exposure, for which it’s advisable to use methodologies, reference frameworks or standards for information security risk analysis. This project consists of implementing an information security risk management model for SMEs, integrating the OCTAVE-S methodology and the ISO/IEC 27005 standard. This covers the analysis of methodologies and risk management standards, the design of the information security risk management model, and the validation of the model in an SME in the sales process. This integration provides a timely and effective identification of the risks of the qualitative approach and makes it possible to take advantage of the values identified for the assets of the quantitative approach. Furthermore, this allows identifying the main information security risks by rating and treating them according to the needs of the company. It’s expected that this model will help in the management of information security risks within SMEs, in order to reduce the impact of risks to which they may be exposed. / Thesis
305

Visuell kontextbaserad mikroträning : En effektivitetsstudie / Visual context based microtraining : An efficiency study

Ljungdahl, Erik January 2019
Information security is a field that becomes more relevant every day in a digitized society, which means that new ways to educate the public in information security matters have to be explored. Previous research has studied the concept of context based micro training, meaning training in the moment in which it’s needed, and along this created videos which are meant to educate people about what a secure password should contain, how the password is designed and methods to remember the password in question. The video material has, however, only been studied in order to establish the general opinion of it; its effectiveness has not previously been examined. This study rests on the participation of 49 study participants who were subjected to micro training, one group who were exposed to visual context based micro training and one that was exposed to the same educational content as the visual micro training medium intended to convey, however this time in written text. The result of the study moment generated 25 passwords with associated demographic data after exposure to video, and 24 passwords after exposure to text, and these two data sets were compared to each other. After the analysis it was clear that the differences that exist between visual context based micro training and a text containing the same educational material in written form were small, and no significant correlation could be established.
306

A security framework for mobile health data collection. / Framework de segurança para coleta de dados em saúde móvel.

Iwaya, Leonardo Horn 11 February 2014
Mobile health (mHealth) can be defined as the practice of medicine and public health supported by mobile computing technologies, such as mobile phones, PDAs, tablets, sensors and other wireless devices. Particularly in the case of mobile phones, there has been a significant increase in the number of lines, equipment, and network infrastructure in Low- and Middle-Income Countries (LMIC), allowing the adoption of mHealth systems efficiently. There are now several cases of systems for data collection focused on primary care, health surveillance and epidemiological research, which were adopted in these countries. Such systems provide health care managers information with higher quality and in a shorter time, which in turn improves their ability to plan actions and respond to emergencies. However, security is not included among the main requirements of such systems. Aiming to address this issue, we developed a survey about mHealth applications and research initiatives in Brazil, which shows that a reasonable number of papers only briefly (13%) or simply do not mention (40%) their security requirements. This survey also provides a discussion about the current state of the art of Brazilian mHealth research, including the main types of applications, target users, devices employed and the research barriers identified. After that, we present SecourHealth, a security framework for mHealth data collection applications. SecourHealth was designed to cope with six main security requirements: support user registration and authentication mechanisms; treat network disconnections and delays; provide a secure data storage - even in case of possible theft or loss of equipment; allow secure data exchange between the device and server; enable device sharing between users (i.e., health workers); and allow trade-offs between security, performance and usability. This thesis also describes in detail the framework modeling and development steps, showing how it was integrated into an application for the Android platform. Finally, we benchmarked the cryptographic algorithms implemented, comparing them to the overhead of using the HTTPS protocol.
307

Comparison of Liberty Alliance and OpenID regarding their ability to protect the confidentiality, integrity and availability of the users’ information : a study based on the analysis of resistance to common attacks

de Souza, Jaqueline January 2010
It is essential to solve the problem of password fatigue in order to increase the security of transactions on the Web and secure the users’ accounts and information. Web Single Sign-On is one of the techniques that have been created to solve these issues. Unfortunately, this method creates new opportunities for hackers. The Liberty Alliance and OpenID are two of the best-known Web Single Sign-On frameworks. This work intends to review the strengths and the weaknesses of both regarding their ability to protect the confidentiality, integrity and availability of the users’ information, by studying their aptitude to prevent some of the most dangerous attacks on the web. The analysis of the results shows that Liberty Alliance has created a strong infrastructure in order to mitigate those attacks. Consequently, this framework protects the confidentiality, integrity and availability of the users’ information more efficiently than OpenID. On the other hand, the latter shows significant weaknesses that compromise the confidentiality, integrity and availability of the users’ information.
308

La protection pénale de la sécurité de l’information en Irak : Etude juridique au niveau national et international / The Criminal protection of information security in Iraq : Legal study at national and international level.

Ghaibi, Dhia Moslem Abd Alameer 20 September 2018
The security of information and communication technologies (ICT) and the issue of cybercrime have been a concern for some time. It is only in the recent past that governments have begun to understand the importance of ICT security. Computer crime, like any form of crime, is hard to quantify, and cybercrime may be the least reported form of criminal behavior since the victim often does not know that an offense has even occurred. In addition, the lack of cybersecurity solutions and the lack of common understanding create legal difficulties both nationally and internationally. It is doubtful that common law standards, including those of the criminal law, are sufficient, on the one hand to cover the needs of an effective criminal policy and, on the other hand, the need to deal with the diversity of crimes and the continual evolution of their means. Iraq, like some countries, has suffered information system breaches. But how can Iraq cope with the issues of cybercrime? Are traditional laws sufficient to frame cybersecurity? Does Iraq need new legal rules? In this respect, the contribution of international law is important for the fight against cybercrime. International cyber security conventions and pioneer legislation in this area can inspire the Iraqi legislator. The purpose of this research topic is, in the light of international law, to provide effective legal protection and to develop Iraq's legal framework for cybersecurity.
309

[en] CRYPTO-COMPRESSION PREFIX CODING / [pt] CODIFICAÇÃO LIVRE DE PREFIXO PARA CRIPTO-COMPRESSÃO

CLAUDIO GOMES DE MELLO 16 May 2007
Data compression and encryption are essential features when digital data is stored or transmitted over insecure channels. Usually, we apply two sequential operations: first, we apply data compression to save disk space and to reduce transmission costs, and second, data encryption to provide confidentiality. This solution works fine for most applications, but we have to execute two expensive operations, and if we want to access data, we must first decipher and then decompress the ciphertext to restore information. In this work we propose algorithms that achieve both compressed and encrypted data. The first contribution of this thesis is the algorithm ADDNULLS - Selective Addition of Nulls. This algorithm uses a steganographic technique to hide the real symbols of the encoded text within fake ones. It is based on selective insertion of a variable number of null symbols after the real ones. It is shown that the loss in coding and decoding rates is small. The disadvantage is ciphertext expansion. The second contribution of this thesis is the algorithm HHC - Homophonic-Canonic Huffman. This algorithm creates a new homophonic tree based upon the original canonical Huffman tree for the input text. The results of the experiments are shown. Adding security has not significantly decreased performance. The third contribution of this thesis is the algorithm RHUFF - Randomized Huffman. This algorithm is a variant of Huffman codes that defines a crypto-compression algorithm that randomizes output. The goal is to generate random ciphertexts as output to obscure the redundancies in the plaintext (confusion). The algorithm uses homophonic substitution, canonical Huffman codes and a secret key for ciphering. The secret key is based on an initial permutation function, which dissipates the redundancy of the plaintext over the ciphertext (diffusion). The fourth contribution of this thesis is the algorithm HSPC2 - Homophonic Substitution Prefix Codes with 2 homophones. A provably secure algorithm is proposed by using a homophonic substitution algorithm and a key. In the encoding process, the HSPC2 function appends a one-bit suffix to some codes. A secret key and a homophonic rate parameter control this appending. It is shown that breaking HSPC2 is an NP-Complete problem.
310

Privacy-preserving queries on encrypted databases

Meng, Xianrui 07 December 2016
In today's Internet, with the advent of cloud computing, there is a natural desire for enterprises, organizations, and end users to outsource increasingly large amounts of data to a cloud provider. Therefore, ensuring security and privacy is becoming a significant challenge for cloud computing, especially for users with sensitive and valuable data. Recently, many efficient and scalable query processing methods over encrypted data have been proposed. Despite that, numerous challenges remain to be addressed due to the high complexity of many important queries on encrypted large-scale datasets. This thesis studies the problem of privacy-preserving database query processing on structured data (e.g., relational and graph databases). In particular, this thesis proposes several practical and provably secure structured encryption schemes that allow the data owner to encrypt data without losing the ability to query and retrieve it efficiently for authorized clients. This thesis includes two parts. The first part investigates graph encryption schemes. This thesis proposes a graph encryption scheme for approximate shortest distance queries. Such a scheme allows the client to query the shortest distance between two nodes in an encrypted graph securely and efficiently. Moreover, this thesis also explores how the techniques can be applied to other graph queries. The second part of this thesis proposes secure top-k query processing schemes on encrypted relational databases. Furthermore, the thesis develops a scheme for the top-k join queries over multiple encrypted relations. Finally, this thesis demonstrates the practicality of the proposed encryption schemes by prototyping the encryption systems to perform queries on real-world encrypted datasets.
