A model for security incident response in the South African National Research and Education network

Mooi, Roderick David

January 2014

This dissertation addresses the problem of a lack of a formal incident response capability in the South African National Research and Education Network (SA NREN). While investigating alternatives it was found that no clear method exists to solve this problem. Therefore, a second problem is identified: the lack of a definitive method for establishing a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) in general. Solving the second problem is important as we then have a means of knowing how to start when building a CSIRT. This will set the basis for addressing the initial problem, resulting in a prepared, improved and coordinated response to IT security incidents affecting the SANREN. To commence, the requirements for establishing a CSIRT are identified via a comprehensive literature review. These requirements are categorized into five areas, namely, the basic business requirements followed by the four Ps of the IT Infrastructure Library (ITIL). That is, People, Processes, Product and Partners, adapted to suit the CSIRT context. Through the use of argumentation, the relationships between the areas are uncovered and explored. Thereafter, a Design Science Research-based process is utilised to develop a generic model for establishing a CSIRT. The model is based on the interactions uncovered between the business requirements and the adapted four Ps. These are summarised through two views -- strategic and tactical -- together forming an holistic model for establishing a CSIRT. The model highlights the decisions required for the business requirements, services, team model and staff, policies and processes, tools and technologies, and partners of a CSIRT respectively. Finally, to address the primary objective, the generic model is applied to the SANREN environment. Thus, the second artefact is an instantiation, a specific model, which can be implemented to create a CSIRT for the SA NREN. To produce the specific model, insight into the nature of the SANREN environment was required. The status quo was revealed through the use of a survey and argumentative analysis of the results. The specific decisions in each area required to establish an SA NREN CSIRT are explored throughout the development of the model. The result is a comprehensive framework for implementing a CSIRT in the SA NREN, detailing the decisions required in each of the areas. This model additionally acts as a demonstration of the utility of the generic model. The implications of this research are twofold. Firstly, the generic model is useful as a basis for anyone wanting to establish a CSIRT. It helps to ensure that all factors are considered and that no important decisions are neglected, thereby enabling an holistic view. Secondly, the specific model for the SA NREN CSIRT serves as a foundation for implementing the CSIRT going forward. It accelerates the process by addressing the important considerations and highlighting the concerns that must be addressed while establishing the CSIRT.

Information networks -- South Africa

Internet -- Security measures

Digital forensic model for computer networks

Sanyamahwe, Tendai

January 2011

The Internet has become important since information is now stored in digital form and is transported both within and between organisations in large amounts through computer networks. Nevertheless, there are those individuals or groups of people who utilise the Internet to harm other businesses because they can remain relatively anonymous. To prosecute such criminals, forensic practitioners have to follow a well-defined procedure to convict responsible cyber-criminals in a court of law. Log files provide significant digital evidence in computer networks when tracing cyber-criminals. Network log mining is an evolution of typical digital forensics utilising evidence from network devices such as firewalls, switches and routers. Network log mining is a process supported by presiding South African laws such as the Computer Evidence Act, 57 of 1983; the Electronic Communications and Transactions (ECT) Act, 25 of 2002; and the Electronic Communications Act, 36 of 2005. Nevertheless, international laws and regulations supporting network log mining include the Sarbanes-Oxley Act; the Foreign Corrupt Practices Act (FCPA) and the Bribery Act of the USA. A digital forensic model for computer networks focusing on network log mining has been developed based on the literature reviewed and critical thought. The development of the model followed the Design Science methodology. However, this research project argues that there are some important aspects which are not fully addressed by South African presiding legislation supporting digital forensic investigations. With that in mind, this research project proposes some Forensic Investigation Precautions. These precautions were developed as part of the proposed model. The Diffusion of Innovations (DOI) Theory is the framework underpinning the development of the model and how it can be assimilated into the community. The model was sent to IT experts for validation and this provided the qualitative element and the primary data of this research project. From these experts, this study found out that the proposed model is very unique, very comprehensive and has added new knowledge into the field of Information Technology. Also, a paper was written out of this research project.

Computer crimes -- Investigation

Computer crimes -- Investigation

Evidence, Criminal

Computer networks -- Security measures

Electronic evidence

Forensic sciences

Internet -- Security measures

Protecting Sensitive Credential Content during Trust Negotiation

Jarvis, Ryan D.

21 April 2003

Keeping sensitive information private in a public world is a common concern to users of digital credentials. A digital credential may contain sensitive attributes certifying characteristics about its owner. X.509v3, the most widely used certificate standard, includes support for certificate extensions that make it possible to bind multiple attributes to a public key contained in the certificate. This feature, although convenient, potentially exploits the certificate holder's private information contained in the certificate. There are currently no privacy considerations in place to protect the disclosure of attributes in a certificate. This thesis focuses on protecting sensitive credential content during trust negotiation and demonstrates, through design and implementation, the privacy benefits achieved through selective disclosure. Selective disclosure of credential content can be achieved using private attributes, a well-known technique that incorporates bit commitment within digital credentials. This technique has not been thoroughly explored or implemented in any prior work. In this thesis, a protocol for issuing and showing credentials containing private attributes is discussed and suggested as a method for concealing and selectively revealing sensitive attributes bound to credentials during trust negotiation. To demonstrate greater privacy control within a credential-based system, private attributes are incorporated into TrustBuilder, an implementation of trust negotiation. With access control at the attribute level, TrustBuilder gives users greater control over their private information and can improve the success rate of negotiations. TrustBuilder also demonstrates how credentials with private attributes can eliminate risks normally associated with exchanging credentials, such as excessive gathering of information that is not germane to the transaction and inadvertently disclosing the value of a sensitive credential attribute.

trust negotiation

privacy

bit commitment

security

ISRL

Internet Security Research Lab

TrustBuilder

selective disclosure

digital credential

X.509v3

Computer Sciences

6G wireless communication systems: applications, opportunities and challenges

Anoh, K., See, C.H., Dama, Y., Abd-Alhameed, Raed, Keates, S.

26 December 2022

Yes / As the technical specifications of the 5th Generation (5G) wireless communication standard are being wrapped up, there are growing efforts amongst researchers, industrialists, and standardisation bodies on the enabling technologies of a 6G standard or the so-called Beyond 5G (B5G) one. Although the 5G standard has presented several benefits, there are still some limitations within it. Such limitations have motivated the setting up of study groups to determine suitable technologies that should operate in the year 2030 and beyond, i.e., after 5G. Consequently, this Special Issue of Future Internet concerning what possibilities lie ahead for a 6G wireless network includes four high-quality research papers (three of which are review papers with over 412 referred sources and one regular research). This editorial piece summarises the major contributions of the articles and the Special Issue, outlining future directions for new research.

Future internet technologies

Beyond 5G

6G

COVID-19

Pandemic resilient

6G internet security

Enabling technologies

Applications

Challenges

Opportunities

The role of risk perception in Internet purchasing behaviour and intention

De Villiers, R. R. (Raoul Reenen)

12 1900

Thesis (MComm.)--Stellenbosch University, 2001. / ENGLISH ABSTRACT: In recent years the importance and number of users of electronic commerce and its medium, the Internet, have grown substantially. Despite this, the Business-to- Consumer sector has shown slow expansion and limited growth, with the majority of consumers slow to adopt the Internet as a medium for purchase. A probable factor affecting the purchasing behaviour of individuals is the perception of risk of a breach in (credit card) security and/or a violation of privacy. The research discussed here indicates that two closely related constructs, namely perceived privacy risk and perceived security risk exerts an influence on the Internet purchasing behaviour of Internet users, and more importantly, the intention to purchase. In addition, the role of social pressures regarding the provision of personal and credit card information is indicated to be of considerable importance. / AFRIKAANSE OPSOMMING: Die afgelope aantal jare het die belangrikheid en gebruik van eletroniese handel en die Internet aansienlik toegeneem. Ongeag hierdie groei het die sektor gemoeid met die handel tussen besighede en verbruikers egter beperkte groei getoon. 'n Waarskynlike rede vir die tendens in Internet aankoop gedrag is die persepsie dat daar 'n risiko is van misbruik van 'n krediet kaart sowel as misbruik en skending van privaatheid. Die studie wat hier bespreek word toon aan dat twee nou verwante kostrukte, naamlik persepsie van sekuriteits- en persepsie van privaatheidsrisiko 'n rol speel in die bepaling van Internet aankoop gedrag, sowel as die intensie om te koop. Verder is die rol van sosiale druk rakende die verskaffing van persoonlike en krediet kaart inligting uitgelig as 'n faktor van uiterste belang.

Consumer behavior

Electronic commerce -- Security measures

Consumer protection

Risk

Internet -- Security measures

Dissertations -- Business management

Theses -- Business management

A framework for correlation and aggregation of security alerts in communication networks : a reasoning correlation and aggregation approach to detect multi-stage attack scenarios using elementary alerts generated by Network Intrusion Detection Systems (NIDS) for a global security perspective

Alserhani, Faeiz

January 2011

The tremendous increase in usage and complexity of modern communication and network systems connected to the Internet, places demands upon security management to protect organisations' sensitive data and resources from malicious intrusion. Malicious attacks by intruders and hackers exploit flaws and weakness points in deployed systems through several sophisticated techniques that cannot be prevented by traditional measures, such as user authentication, access controls and firewalls. Consequently, automated detection and timely response systems are urgently needed to detect abnormal activities by monitoring network traffic and system events. Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are technologies that inspect traffic and diagnose system behaviour to provide improved attack protection. The current implementation of intrusion detection systems (commercial and open-source) lacks the scalability to support the massive increase in network speed, the emergence of new protocols and services. Multi-giga networks have become a standard installation posing the NIDS to be susceptible to resource exhaustion attacks. The research focuses on two distinct problems for the NIDS: missing alerts due to packet loss as a result of NIDS performance limitations; and the huge volumes of generated alerts by the NIDS overwhelming the security analyst which makes event observation tedious. A methodology for analysing alerts using a proposed framework for alert correlation has been presented to provide the security operator with a global view of the security perspective. Missed alerts are recovered implicitly using a contextual technique to detect multi-stage attack scenarios. This is based on the assumption that the most serious intrusions consist of relevant steps that temporally ordered. The pre- and post- condition approach is used to identify the logical relations among low level alerts. The alerts are aggregated, verified using vulnerability modelling, and correlated to construct multi-stage attacks. A number of algorithms have been proposed in this research to support the functionality of our framework including: alert correlation, alert aggregation and graph reduction. These algorithms have been implemented in a tool called Multi-stage Attack Recognition System (MARS) consisting of a collection of integrated components. The system has been evaluated using a series of experiments and using different data sets i.e. publicly available datasets and data sets collected using real-life experiments. The results show that our approach can effectively detect multi-stage attacks. The false positive rates are reduced due to implementation of the vulnerability and target host information.

621.382

Analyse du DNS et analyse sémantique pour la détection de l'hameçonnage / DNS and semantic analysis for phishing detection

Marchal, Samuel

22 June 2015

L’hameçonnage est une escroquerie moderne qui cible les utilisateurs de communications électroniques et vise à les convaincre de réaliser des actions pour le bénéfice d’un individu nommé hameçonneur. Les attaques d’hameçonnage s’appuient essentiellement sur de l’ingénierie sociale et la plupart de ces attaques utilisent des liens représentés par des noms de domaine et des URLs. Nous proposons donc dans cette thèse de nouvelles solutions, reposant sur une analyse lexicale et sémantique de la composition des noms de domaine et des URLs, pour combattre l’hameçonnage. Ces deux types de pointeurs sont créés et offusqués par les hameçonneurs pour piéger leurs victimes. Ainsi, nous démontrons que les noms de domaine et les URLs utilisés dans des attaques d’hameçonnage présentent des similitudes dans leur composition lexicale et sémantique, et que celles-ci sont différentes des caractéristiques présentées par les noms de domaine et les URL légitimes. Nous utilisons ces caractéristiques pour construire des modèles représentant la composition des URLs et des noms de domaine d’hameçonnage en utilisant des techniques d’apprentissage automatique et des méthodes de traitement du langage naturel. Les modèles construits sont utilisés pour des applications telles que l’identification de noms de domaine et des URLs d’hameçonnage, la notation des URLs et la prédiction des noms de domaine utilisés dans les attaques d’hameçonnage. Les techniques proposées sont évaluées sur des données réelles et elles montrent leur efficacité en répondant aux exigences de vitesse, d’universalité et de fiabilité / Phishing is a kind of modern swindles that targets electronic communications users and aims to persuade them to perform actions for a another’s benefit. Phishing attacks rely mostly on social engineering and that most phishing vectors leverage directing links represented by domain names and URLs, we introduce new solutions to cope with phishing. These solutions rely on the lexical and semantic analysis of the composition of domain names and URLs. Both of these resource pointers are created and obfuscated by phishers to trap their victims. Hence, we demonstrate in this document that phishing domain names and URLs present similarities in their lexical and semantic composition that are different form legitimate domain names and URLs composition. We use this characteristic to build models representing the composition of phishing URLs and domain names using machine learning techniques and natural language processing models. The built models are used for several applications such as the identification of phishing domain names and phishing URLs, the rating of phishing URLs and the prediction of domain names used in phishing attacks. All the introduced techniques are assessed on ground truth data and show their efficiency by meeting speed, coverage and reliability requirements. This document shows that the use of lexical and semantic analysis can be applied to domain names and URLs and that this application is relevant to detect phishing attacks

Détection de l’hameçonnage

Surveillance du DNS

Analyse sémantique

Prédiction de l’hameçonnage

Sécurité de l’Internet

Machine learning

Phishing detection

DNS monitoring

Semantic analysis

URL lexical analysis

Internet security

Machine learning

005.8

Internet payment system--: mechanism, applications & experimentation.

January 2000

Ka-Lung Chong. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2000. / Includes bibliographical references (leaves 80-83). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgments --- p.iii / Chapter 1 --- Introduction & Motivation --- p.1 / Chapter 1.1 --- Introduction --- p.1 / Chapter 1.2 --- Internet Commerce --- p.3 / Chapter 1.3 --- Motivation --- p.6 / Chapter 1.4 --- Related Work --- p.7 / Chapter 1.4.1 --- Cryptographic Techniques --- p.7 / Chapter 1.4.2 --- Internet Payment Systems --- p.9 / Chapter 1.5 --- Contribution --- p.16 / Chapter 1.6 --- Outline of the Thesis --- p.17 / Chapter 2 --- A New Payment Model --- p.19 / Chapter 2.1 --- Model Description --- p.19 / Chapter 2.2 --- Characteristics of Our Model --- p.22 / Chapter 2.3 --- Model Architecture --- p.24 / Chapter 2.4 --- Comparison --- p.30 / Chapter 2.5 --- System Implementation --- p.30 / Chapter 2.5.1 --- Acquirer Interface --- p.31 / Chapter 2.5.2 --- Issuer Interface --- p.32 / Chapter 2.5.3 --- Merchant Interface --- p.32 / Chapter 2.5.4 --- Payment Gateway Interface --- p.33 / Chapter 2.5.5 --- Payment Cancellation Interface --- p.33 / Chapter 3 --- A E-Commerce Application - TravelNet --- p.35 / Chapter 3.1 --- System Architecture --- p.35 / Chapter 3.2 --- System Features --- p.38 / Chapter 3.3 --- System Snapshots --- p.39 / Chapter 4 --- Simulation --- p.44 / Chapter 4.1 --- Objective --- p.44 / Chapter 4.2 --- Simulation Flow --- p.45 / Chapter 4.3 --- Assumptions --- p.49 / Chapter 4.4 --- Simulation of Payment Systems --- p.50 / Chapter 5 --- Discussion of Security Concerns --- p.54 / Chapter 5.1 --- Threats to Internet Payment --- p.54 / Chapter 5.1.1 --- Eavesdropping --- p.55 / Chapter 5.1.2 --- Masquerading --- p.55 / Chapter 5.1.3 --- Message Tampering --- p.56 / Chapter 5.1.4 --- Replaying --- p.56 / Chapter 5.2 --- Aspects of A Secure Internet Payment System --- p.57 / Chapter 5.2.1 --- Authentication --- p.57 / Chapter 5.2.2 --- Confidentiality --- p.57 / Chapter 5.2.3 --- Integrity --- p.58 / Chapter 5.2.4 --- Non-Repudiation --- p.58 / Chapter 5.3 --- Our System Security --- p.58 / Chapter 5.4 --- TravelNet Application Security --- p.61 / Chapter 6 --- Discussion of Performance Evaluation --- p.64 / Chapter 6.1 --- Performance Concerns --- p.64 / Chapter 6.2 --- Experiments Conducted --- p.65 / Chapter 6.2.1 --- Description --- p.65 / Chapter 6.2.2 --- Analysis on the Results --- p.65 / Chapter 6.3 --- Simulation Analysis --- p.69 / Chapter 7 --- Conclusion & Future Work --- p.72 / Chapter A --- Experiment Specification --- p.74 / Chapter A.1 --- Configuration --- p.74 / Chapter A.2 --- Experiment Results --- p.74 / Chapter B --- Simulation Specification --- p.77 / Chapter B.1 --- Parameter Listing --- p.77 / Chapter B.2 --- Simulation Results --- p.77 / Bibliography --- p.80

Electronic commerce--Security measures

Electronic funds transfers

Internet--Security measures

World Wide Web--Security measures

Computer security

Användarnas förtroende för mobila tjänsters säkerhet : Vilka säkerhetskrav uppfyller mobila betalningstjänster och vilket förtroende finns för sådana tjänster? / User trust in the security surrounding mobile services : Trust and performance regarding mobile security?

Johansson, Mattias, Andersson, Linus

January 2006

<p>Tekniken kring mobiltelefoni är under ständig utveckling och mobiltelefonen har idag fått nya funktioner utöver dess grundfunktion röstsamtal. Efterfrågan efter nya mobila tjänster drivs hela tiden framåt då mobilen får allt större kapacitet och prestanda. Bland de tjänster som växts fram märks möjligheten att utföra monetära transaktioner. Detta innebär helt enkelt att använda sin mobiltelefon för att betala och utföra allehanda tjänster kopplade till användarens monetära tillgångar. Överföringen av pengar kräver dock hög säkerhet. Vad vet egentligen konsumenterna om säkerheten kring dessa tjänster? Många betalningar och transaktioner sker idag över Internet och bankerna förmedlar budskapet om att säkerheten runt deras Internettjänster är mycket hög, men vad säger de om säkerheten för deras mobila alternativ? Finns den höga säkerheten även för de mobila tjänsterna och har användarna förtroende fullt ut för dessa? Finns inte användarnas förtroende för säkerheten hos de nya mobila tjänsterna kommer de troligtvis inte heller användas. Vi ämnar därför i denna uppsats utreda om säkerheten i en mobil betalningstjänst motsvarar den som finns när den utförs på en dator i hemmet och har detta i slutändan användarnas förtroende? </p><p>Syftet med detta arbete är att undersöka vilket förtroende användarna har för säkerheten hos mobila betalningstjänster samt om dessa tjänster uppfyller samma säkerhetskrav som när de används via normal datoranvändning. Studien påbörjades med en genomgång av befintlig litteratur inom säkerheten för mobilt Internet samt Internetanvändande vid hemdatorn. Sedan genomfördes intervjuer av personer med stor kunskap kring säkerheten hos mobilt Internet. För att få reda på användarnas förtroende kring mobila betaltjänster genomförde vi sedan en webbaserad surveyundersökning varvid en fokusgrupps-undersökning användes till hjälp gällande framtagningen av frågorna. Utfallen från intervjuerna samt surveyundersökningen analyserades sedan tillsammans med utvald teori.</p><p>Våra resultat visar att majoriteten av respondenterna inte känner förtroende för säkerheten hos mobila betalningstjänster. De flesta anser att det inte är lika säkert att surfa via mobilen som via datorn i hemmet. Däremot kan hälften av individerna i populationen tänka sig att betala över Internet med mobiltelefonen och en betydande del kan även tänka sig att utföra finansiella affärer med hjälp av mobiltelefonen. Vi anser också att en mobiltelefon inte når upp till samma säkerhetsnivå som hos en stationär dator med fast Internet.</p> / <p>The mobile technology is under constant development and the mobile phone today has many other functions besides just talking. The demand for new mobile services is constantly getting stronger since the mobile phone becomes more and more powerful. Among these services is the possibility to perform transactions of money. With this we mean using the mobile phone to pay bills and other services that is connected to a user’s assets. The transaction of money of course requires high security. What do the consumers know about the security surrounding these kinds of services? Today many payments and transactions that involve money takes place over the Internet from the home computer and the banks that offers these services claims that this is safe. But what do they say about the security surrounding their mobile alternatives? Does the necessary security exist for these mobile services and does it have the consumers trust? If the users do not trust the security surrounding the mobile service, they will probably not use them. We will therefore with this thesis try to investigate if the security that surrounds the mobile payment services is equivalent to when the services is used on a home computer and if the services has the users trust?</p><p>The purpose with this thesis is to investigate the users trust regarding mobile payment services and if these services fulfil the same security demands as when they are used normally at the home computer. The study began with a review of existing theories regarding the security for mobile Internet and Internet usage on the home computer. Thereafter interviews took place with experts having great knowledge regarding mobile Internet security. We then performed a web-based survey to get information about the users trust for the security surrounding mobile payment services. We used a focus group with the aim of helping us selecting relevant questions for the survey. The results from the interviews and the survey study were then analyzed with the chosen theory.</p><p>On the basis of our survey we can draw the conclusion that the majority of respondents do not trust the security that surrounds mobile payment services. The majority is of the opinion that it is not as safe to use mobile Internet services as to use the corresponding service from the computer at home. However half of the population could very well consider paying bills with the mobile phone and a large part of the respondents would also like to use financial transactions with this kind of media. We also conclude that a mobile phone does not reach the security standard of a home computer.</p>

Mobile security

mobile transactions

user trust for mobile security

Internet security

Mobil säkerhet

mobila transaktioner

Internetsäkerhet

Informatics

Informatik

Användarnas förtroende för mobila tjänsters säkerhet : Vilka säkerhetskrav uppfyller mobila betalningstjänster och vilket förtroende finns för sådana tjänster? / User trust in the security surrounding mobile services : Trust and performance regarding mobile security?

Johansson, Mattias, Andersson, Linus

January 2006

Tekniken kring mobiltelefoni är under ständig utveckling och mobiltelefonen har idag fått nya funktioner utöver dess grundfunktion röstsamtal. Efterfrågan efter nya mobila tjänster drivs hela tiden framåt då mobilen får allt större kapacitet och prestanda. Bland de tjänster som växts fram märks möjligheten att utföra monetära transaktioner. Detta innebär helt enkelt att använda sin mobiltelefon för att betala och utföra allehanda tjänster kopplade till användarens monetära tillgångar. Överföringen av pengar kräver dock hög säkerhet. Vad vet egentligen konsumenterna om säkerheten kring dessa tjänster? Många betalningar och transaktioner sker idag över Internet och bankerna förmedlar budskapet om att säkerheten runt deras Internettjänster är mycket hög, men vad säger de om säkerheten för deras mobila alternativ? Finns den höga säkerheten även för de mobila tjänsterna och har användarna förtroende fullt ut för dessa? Finns inte användarnas förtroende för säkerheten hos de nya mobila tjänsterna kommer de troligtvis inte heller användas. Vi ämnar därför i denna uppsats utreda om säkerheten i en mobil betalningstjänst motsvarar den som finns när den utförs på en dator i hemmet och har detta i slutändan användarnas förtroende? Syftet med detta arbete är att undersöka vilket förtroende användarna har för säkerheten hos mobila betalningstjänster samt om dessa tjänster uppfyller samma säkerhetskrav som när de används via normal datoranvändning. Studien påbörjades med en genomgång av befintlig litteratur inom säkerheten för mobilt Internet samt Internetanvändande vid hemdatorn. Sedan genomfördes intervjuer av personer med stor kunskap kring säkerheten hos mobilt Internet. För att få reda på användarnas förtroende kring mobila betaltjänster genomförde vi sedan en webbaserad surveyundersökning varvid en fokusgrupps-undersökning användes till hjälp gällande framtagningen av frågorna. Utfallen från intervjuerna samt surveyundersökningen analyserades sedan tillsammans med utvald teori. Våra resultat visar att majoriteten av respondenterna inte känner förtroende för säkerheten hos mobila betalningstjänster. De flesta anser att det inte är lika säkert att surfa via mobilen som via datorn i hemmet. Däremot kan hälften av individerna i populationen tänka sig att betala över Internet med mobiltelefonen och en betydande del kan även tänka sig att utföra finansiella affärer med hjälp av mobiltelefonen. Vi anser också att en mobiltelefon inte når upp till samma säkerhetsnivå som hos en stationär dator med fast Internet. / The mobile technology is under constant development and the mobile phone today has many other functions besides just talking. The demand for new mobile services is constantly getting stronger since the mobile phone becomes more and more powerful. Among these services is the possibility to perform transactions of money. With this we mean using the mobile phone to pay bills and other services that is connected to a user’s assets. The transaction of money of course requires high security. What do the consumers know about the security surrounding these kinds of services? Today many payments and transactions that involve money takes place over the Internet from the home computer and the banks that offers these services claims that this is safe. But what do they say about the security surrounding their mobile alternatives? Does the necessary security exist for these mobile services and does it have the consumers trust? If the users do not trust the security surrounding the mobile service, they will probably not use them. We will therefore with this thesis try to investigate if the security that surrounds the mobile payment services is equivalent to when the services is used on a home computer and if the services has the users trust? The purpose with this thesis is to investigate the users trust regarding mobile payment services and if these services fulfil the same security demands as when they are used normally at the home computer. The study began with a review of existing theories regarding the security for mobile Internet and Internet usage on the home computer. Thereafter interviews took place with experts having great knowledge regarding mobile Internet security. We then performed a web-based survey to get information about the users trust for the security surrounding mobile payment services. We used a focus group with the aim of helping us selecting relevant questions for the survey. The results from the interviews and the survey study were then analyzed with the chosen theory. On the basis of our survey we can draw the conclusion that the majority of respondents do not trust the security that surrounds mobile payment services. The majority is of the opinion that it is not as safe to use mobile Internet services as to use the corresponding service from the computer at home. However half of the population could very well consider paying bills with the mobile phone and a large part of the respondents would also like to use financial transactions with this kind of media. We also conclude that a mobile phone does not reach the security standard of a home computer.

Mobile security

mobile transactions

user trust for mobile security

Internet security

Mobil säkerhet

mobila transaktioner

Internetsäkerhet

Information Systems