Security and usability of authentication by challenge questions in online examination

Ullah, Abrar

January 2017

Online examinations are an integral component of many online learning environments and a high-stake process for students, teachers and educational institutions. They are the target of many security threats, including intrusion by hackers and collusion. Collu-sion happens when a student invites a third party to impersonate him/her in an online test, or to abet with the exam questions. This research proposed a profile-based chal-lenge question approach to create and consolidate a student's profile during the learning process, to be used for authentication in the examination process. The pro-posed method was investigated in six research studies using a usability test method and a risk-based security assessment method, in order to investigate usability attributes and security threats. The findings of the studies revealed that text-based questions are prone to usability issues such as ambiguity, syntactic variation, and spelling mistakes. The results of a usability analysis suggested that image-based questions are more usable than text-based questions (p < 0.01). The findings identified that dynamic profile questions are more efficient and effective than text-based and image-based questions (p < 0.01). Since text-based questions are associated with an individual's personal information, they are prone to being shared with impersonators. An increase in the numbers of chal-lenge questions being shared showed a significant linear trend (p < 0.01) and increased the success of an impersonation attack. An increase in the database size decreased the success of an impersonation attack with a significant linear trend (p < 0.01). The security analysis of dynamic profile questions revealed that an impersonation attack was not successful when a student shared credentials using email asynchronously. However, a similar attack was successful when a student and impersonator shared information in real time using mobile phones. The response time in this attack was significantly different when a genuine student responded to his challenge questions (p < 0.01). The security analysis revealed that the use of dynamic profile questions in a proctored exam can influence impersonation and abetting. This view was supported by online programme tutors in a focus group study.

371.33

Rámec pro řízení bezpečnostních rizik on-line služeb / Framework for on-line service security risk management

Mészáros, Jan

January 2010

This dissertation thesis is dedicated to on-line services security management from service provider's and service consumer's viewpoints. The main goal is to propose a framework for on-line services security risk management, to develop a supporting software tool prototype and to validate them through a case study performed in a real-world environment. The key components of the proposed framework are a threat model and a risk model. These models are designed to fit specific features of on-line services and the surrounding environment. A risk management process is an integral part of the framework. The process is suitable for frequent and recurrent risk assessments. The process comprises of eight steps, related roles and responsibilities are defined for each step. The process execution results in identification and execution of proper tasks which contribute to treatment of identified security risks and deficiencies. Documentation and reporting of an overall level of on-line services security over time is possible if the process is executed on a regular basis. The proposed framework was validated through a case study performed in a large enterprise environment.

Informační bezpečnost jako jeden z ukazatelů hodnocení výkonnosti v energetické společnosti / Information security as one of the performance indicators in energy company

Kubík, Lukáš

January 2017

Master thesis is concerned with assessing the state of information security and its use as an indicator of corporate performance in energy company. Chapter analysis of the problem and current situation presents findings on the state of information security and implementation stage of ISMS. The practical part is focused on risk analysis and assessment the maturity level of processes, which are submitted as the basis for the proposed security measures and recommendations. There are also designed metrics to measure level of information security.

GAP analýza systému řízení bezpečnosti informací / GAP analysis of information security management system

Konečný, Martin

January 2019

The master’s thesis focuses on GAP analysis of information security management system. The thesis consists of theoretical, analytical and practical part. The first part discusses the theoretical background of the issue of information and cyber security. The analytical part describes the current condition of the researched company. The thesis’s output is the draft of risk register and draft of security countermeasures implementation. The draft targets on countermeasures leading to increase information security in company.

Zavedení managementu informační bezpečnosti v malém podniku / The Implementation of Information Security Management System in the Small Company

Radvanský, Martin

January 2011

This diploma thesis deals with methods of management of information security in the small company. The thesis is divided into two main parts. The first part of this thesis is focused on theoretical aspects of information security and contains description of standards ČSN ISO/IEC 27000:2006. The practical part of this work is about the project of implementation of the information security management system in the small company. The implementation is divided into three separate parts with the first part of implementation being described in detail.

Management informační bezpečnosti ve zdravotnickém zařízení / Information Security Management in Healthcare Organization

Mikulová, Aneta

January 2011

The topic of my thesis is "Information security management in healthcare organization." Medical facilities are generally the ones who should put emphasis on information security. For my thesis I chose aesthetic private clinic called Visage, I underwent safety analysis. The analysis showed that only a small part of the security process is documented in the clinic. This is particularly deficient in terms of business. There may be a leak of sensitive information on the health status of individual patients. It is necessary to better treat the handling of these data. The aim of this thesis is a security manual that will describe the personal, physical and IT security.

Fog Computing based traffic Safety for Connected Vulnerable Road Users / Assurer la sécurité des usagers vulnérables de la route connectés grâce à leur Smartphones et au concept de Fog Computing

Jalew, Esubalew Alemneh

25 October 2019

Chaque année, des millions de personnes meurent et beaucoup d'autres subissent des séquelles graves à la suite d'accidents de la route. Malgré une multitude d’initiatives, le nombre de cas mortels et d'accidents graves augmente chaque année en engendrant des problèmes préoccupants à la fois sociaux, économiques et sanitaires. En raison de leur nombre élevé et de l'absence de protection personnelle, plus de la moitié de ces décès concerne les usagers vulnérables (en anglais, vulnerable road users - VRU) regroupant les piétons, cyclistes et motocyclistes. Les appareils mobiles, combinés à la technologie de Fog Computing (ou informatique géodistribuée, ou même informatique en brouillard), représentent une solution réaliste à court terme pour les protéger en les avertissant de l’imminence d'un accident de circulation. L’omniprésence des appareils mobiles et leurs capacités de calcul élevées font de ces appareils un élément important à considérer dans les solutions de sécurité routière. Le Fog Computing offre des fonctionnalités adaptées aux applications de sécurité routière, puisqu’il s’agit d’une extension du Cloud Computing permettant de rapprocher les services informatiques, le stockage et le réseau au plus près des utilisateurs finaux. Par conséquent, dans cette thèse, nous proposons une architecture réseau sans infrastructure supplémentaire (PV-Alert) pour des fins de sécurité routière et reposant uniquement sur les appareils mobiles des VRU et des conducteurs sur la route avec l’aide du concept de Fog Computing. Les données géographiques et cinématiques de ces appareils sont collectées et envoyées périodiquement au serveur fog situé à proximité. Le serveur fog traite ces données en exécutant un algorithme de calcul de risque d’accident de circulation et renvoie des notifications en cas d'accident imminent. L’évaluation de cette architecture montre qu’elle est capable de générer des alertes en temps réel et qu’elle est plus performante que d’autres architectures en termes de fiabilité, d’évolutivité et de latence. / Annually, millions of people die and many more sustain non-fatal injuries because of road traffic crashes. Despite multitude of countermeasures, the number of causalities and disabilities owing to traffic accidents are increasing each year causing grinding social, economic, and health problems. Due to their high volume and lack of protective-shells, more than half of road traffic deaths are imputed to vulnerable road users (VRUs): pedestrians, cyclists and motorcyclists. Mobile devices combined with fog computing can provide feasible solutions to protect VRUs by predicting collusions and warning users of an imminent traffic accident. Mobile devices’ ubiquity and high computational capabilities make the devices an important components of traffic safety solutions. Fog computing has features that suits to traffic safety applications as it is an extension of cloud computing that brings down computing, storage, and network services to the proximity of end user. Therefore, in this thesis, we have proposed an infrastructure-less traffic safety architecture that depends on fog computing and mobile devices possessed by VRUs and drivers. The main duties of mobile devices are extracting their positions and other related data and sending cooperative awareness message to a nearby fog server using wireless connection. The fog server estimates collision using a collision prediction algorithm and sends an alert message, if an about-to-occur collision is predicted. Evaluation results shows that the proposed architecture is able to render alerts in real time. Moreover, analytical and performance evaluations depict that the architecture outperforms other related road safety architectures in terms of reliability, scalability and latency. However, before deploying the architecture, challenges pertaining to weaknesses of important ingredients of the architecture should be treated prudently. Position read by mobile devices are not accurate and do not meet maximum position sampling rates traffic safety applications demand. Moreover, continuous and high rate position sampling drains mobile devices battery quickly. From fog computing’s point of view, it confronts new privacy and security challenges in addition to those assumed from cloud computing. For aforementioned challenges, we have proposed new solutions: (i) In order to improve GPS accuracy, we have proposed an efficient and effective two-stage map matching algorithm. In the first stage, GPS readings obtained from smartphones are passed through Kalman filter to smooth outlier readings. In the second stage, the smoothed positions are mapped to road segments using online time warping algorithm. (ii) position sampling frequency requirement is fulfilled by an energy efficient location prediction system that fuses GPS and inertial sensors’ data. (iii) For energy efficiency, we proposed an energy efficient fuzzy logic-based adaptive beaconing rate management that ensures safety of VRUs. (iv) finally, privacy and security issues are addressed indirectly using trust management system. The two-way subjective logic-based trust management system enables fog clients to evaluate the trust level of fog servers before awarding the service and allows the servers to check out the trustworthiness of the service demanders. Engaging omnipresent mobile device and QoS-aware fog computing paradigm in active traffic safety applications has the potential to reduce overwhelming number of traffic accidents on VRUs.

Sécurité routière

Usagers vulnérables de la route

Fog Computing

Efficacité énergétique

Gestion de confiance et sécurité

Traffic Safety

Vulnerable road users

Fog Computing

Position accuracy and prediction

Energy Efficiency

Trust Management and Security

0005.1

Aplikace zákona a vyhlášky o kybernetické bezpečnosti na úřadech státní správy / Application of the act and subsequent regulation on cyber security at state administration´s offices

Pech, Jan

January 2016

The thesis is focused on the Czech act no. 181/2014 Sb., on cyber security and subsequent regulations, introduces origin and importance of act, defines the state administration´s office which identifies important information systems according to regulations, and subsequently thesis detailed analyses act and regulation on cyber security in relation to the defined state administration´s office. Keynote of this thesis is show the real application of identified obligations of the act and regulation to the defined state administration´s office, especially a design, implementation and management of organizational and technical security measures, including the evaluation of real impact on information security. To achieve the set goals author of this thesis uses the analysis of legislation, and draws own conclusions from author´s position of a security technologist who actively participated in the design security policy, and implementation and management of security tools. The benefit of this thesis is complex overview of the security employees work at defined state administration´s office, overview of the real fulfilment obligations of the act and regulation of cybernetic security, and ultimately this thesis brings ideas for further development of technical security tools. This thesis can brings benefit to other important information systems administrators as a set of processes, proposals and recommendation for their own information security management system. This thesis is structurally divided into four main parts. The first theoretical part introduces origin, importance and impact of the act on state and private organizations. The second analytical part analyses act and subsequent regulations in relation to the defined state administration´s office. The third practical part shows the real application of organizational and technical security measures. The fourth last part evaluates the real impact of measures on information security.

Modul pro sledování politiky sítě v datech o tocích / Module for Network Policy Monitoring in Flow Data

Piecek, Adam

January 2019

The aim of this master's thesis is to design a language through which it would be possible to monitor a stream of network flows in order to detect network policy violations in the local network. An analysis of the languages used in the data stream management systems and an analysis of tasks submitted by the potential administrator were both carried out. The analysis specified resulted in the language design which represents pipelining consisting of filtering and aggregation. These operations can be clearly defined and managed within security rules. The result of this thesis also results in the Policer modul being integrated in the NEMEA system, which is able to apply the main commands of the proposed language. Finally, the module meets the requirements of the specified tasks and may be used for further development in the area of monitoring network policies.