  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
201

An information security policy architecture with special reference to a tertiary institution.

Jordaan, Ansa 02 June 2008
This dissertation will be limited to the compilation of an Information Security Policy Architecture for a Tertiary Institution. An Information Security Policy Architecture for a Tertiary Institution is probably the most challenging architecture to develop in an environment where information accessibility is promoted. The Security Policy Architecture is a component of a complete Information Security Architecture, which will not be addressed in this dissertation. To mitigate and manage risks, it is essential to know what the information technology risks are and as a second step, to actively manage these risks to ensure that they stay within acceptable limits. The reporting and the monitoring of these risks open new fields of research and will not be discussed in this dissertation. / von Solms, S.H., Prof.
202

Establishing an information security culture in organizations : an outcomes based education approach

Van Niekerk, Johannes Frederick January 2005
Information security is crucial to the continuous well-being of modern organizations. Humans play a significant role in the processes needed to secure an organization's information resources. Without an adequate level of user co-operation and knowledge, many security techniques are liable to be misused or misinterpreted by users. This may result in an adequate security measure becoming inadequate. It is therefore necessary to educate the organization's employees regarding information security and also to establish a corporate sub-culture of information security in the organization, which will ensure that the employees have the correct attitude towards their security responsibilities. Current information security education programs fail to pay sufficient attention to the behavioral sciences. There also exists a lack of knowledge regarding the principles, and processes, that would be needed for the establishment of a corporate sub-culture, specific to information security. Without both the necessary knowledge, and the desired attitude amongst the employees, it will be impossible to guarantee that the organization's information resources are secure. It would therefore make sense to address both these dimensions to the human factor in information security, using a single integrated, holistic approach. This dissertation presents such an approach, which is based on an integration of sound behavioral theories.
203

A cyber security awareness and education framework for South Africa

Kortjan, Noloxolo January 2013
The Internet is becoming increasingly interwoven in the daily life of many individuals, organisations and nations. It has, to a large extent, had a positive effect on the way people communicate. It has also introduced new avenues for business and has offered nations an opportunity to govern online. Nevertheless, although cyberspace offers an endless list of services and opportunities, it is also accompanied by many risks. One of these risks is cybercrime. The Internet has given criminals a platform on which to grow and proliferate. As a result of the abstract nature of the Internet, it is easy for these criminals to go unpunished. Moreover, many who use the Internet are not aware of such threats; therefore they may themselves be at risk, together with businesses and governmental assets and infrastructure. In view of this, there is a need for cyber security awareness and education initiatives that will promote users who are well versed in the risks associated with the Internet. In this context, it is the role of the government to empower all levels of society by providing the necessary knowledge and expertise to act securely online. However, there is currently a definite lack in South Africa (SA) in this regard, as there are currently no government-led cyber security awareness and education initiatives. The primary research objective of this study, therefore, is to propose a cyber security awareness and education framework for SA that will assist in creating a cyber secure culture in SA among all of its users of the Internet.
204

SoDA : a model for the administration of separation of duty requirements in workflow systems

Perelson, Stephen January 2001
The increasing reliance on information technology to support business processes has emphasised the need for information security mechanisms. This, however, has resulted in an ever-increasing workload in terms of security administration. Security administration encompasses the activity of ensuring the correct enforcement of access control within an organisation. Access rights and their allocation are dictated by the security policies within an organisation. As such, security administration can be seen as a policy-based approach. Policy-based approaches promise to lighten the workload of security administrators. Separation of duties is one of the principles cited as a criterion when setting up these policy-based mechanisms. Different types of separation of duty policies exist. They can be categorised into policies that can be enforced at administration time, viz. static separation of duty requirements and policies that can be enforced only at execution time, viz. dynamic separation of duty requirements. This dissertation deals with the specification of both static separation of duty requirements and dynamic separation of duty requirements in role-based workflow environments. It proposes a model for the specification of separation of duty requirements, the expressions of which are based on set theory. The model focuses, furthermore, on the enforcement of static separation of duty. The enforcement of static separation of duty requirements is modelled in terms of invariant conditions. The invariant conditions specify restrictions upon the elements allowed in the sets representing access control requirements. The sets are themselves expressed as database tables within a relational database management system. Algorithms that stipulate how to verify the additions or deletions of elements within these sets can then be performed within the database management system. A prototype was developed in order to demonstrate the concepts of this model.
This prototype helps demonstrate how the proposed model could function and flaunts its effectiveness.
205

A framework to evaluate usable security in online social networking

Yeratziotis, Alexandros January 2011
It is commonly held in the literature that users find security and privacy difficult to comprehend. It is also acknowledged that most end-user applications and websites have built-in security and privacy features. Users are expected to interact with these in order to protect their personal information. However, security is generally a secondary goal for users. Considering the complexity associated with security in combination with the notion that it is not users’ primary task, it makes sense that users tend to ignore their security responsibilities. As a result, they make poor security-related decisions and, consequently, their personal information is at risk. Usable Security is the field that investigates these types of issue, focusing on the design of security and privacy features that are usable. In order to understand and appreciate the complexities that exist in the field of Usable Security, the research fields of Human-Computer Interaction and Information Security should be examined. Accordingly, the Information Security field is concerned with all aspects pertaining to the security and privacy of information, while the field of Human-Computer Interaction is concerned with the design, evaluation and implementation of interactive computing systems for human use. This research delivers a framework to evaluate Usable Security in online social networks. In this study, online social networks that are particular to the health domain were used as a case study and contributed to the development of a framework consisting of three components: a process, a validation tool and a Usable Security heuristic evaluation. There is no existing qualitative process that describes how one would develop and validate a heuristic evaluation. In this regard a heuristic evaluation is a usability inspection method that is used to evaluate the design of an interface for any usability violations in the field of Human-Computer Interaction. 
Therefore, firstly, a new process and a validation tool were required to be developed. Once this had been achieved, the process could then be followed to develop a new heuristic evaluation that is specific to Usable Security. In order to assess the validity of a new heuristic evaluation a validation tool is used. The development of tools that can improve the design of security and privacy features on end-user applications and websites in terms of their usability is critical, as this will ensure that the intended users experience them as usable and can utilise them effectively. The framework for evaluating Usable Security contributes to this objective in the context of online social networks.
206

Security concerns in implementing service oriented architecture : a game theoretical analysis

01 September 2015
M.Tech. / Threats to information assets have increased significantly since the adoption of Service Oriented Architecture (SOA). Gone are the days when organisations could just secure the perimeter of their applications. The study adopted a threat vulnerability control framework and game theory as a theoretical lens. It investigated the various facets behind decision making under uncertainty in SOA and the perceived industry best practices. Game theory is a way to model complex SOA security interactions under uncertainty. Intelligent attackers require intelligent analysis. Game theory helps us implement strategies that take into account the attackers’ intentions since it can be applied in situations of uncertainty. The data was collected primarily through semi structured interviews at a Top I.T company based in Sandton. Grounded theory techniques were employed as a chief methodology for data analysis...
207

Extensions to the self protecting object model to facilitate integrity in stationary and mobile hosts

Brandi, Wesley 13 March 2014
M.Sc. (Computer Science) / In this dissertation we propose extensions to the Self Protecting Object (SPO) model to facilitate the sharing of information in a more effective manner. We see the sharing of information as the sharing of objects that provide services. Sharing objects effectively is allowing the objects to be used in a secure environment, independent of their location, in a manner usage was intended. The SPO model proposed by Olivier [32] allows for objects in a federated database to be moved from one site to another and ensures that the security policy of the object will always be respected and implemented, regardless of its location. Although the SPO model does indeed allow for objects (information) to be shared effectively, it fails to address issues of maintaining integrity within objects. We therefore define the notion of maintaining integrity within the SPO model and propose a model to achieve it. We argue that ensuring an SPO is only used in a way usage was intended does not suffice to ensure integrity. The model we propose is based on ensuring that modifications to an SPO are only executed if the modification does not violate the constraints defined for the SPO. The model allows for an SPO to maintain its unique identity in addition to maintaining its integrity. The SPO model is designed to be used in a federated database on sites that are stationary. Therefore, having addressed the issue of maintaining integrity within SPOs on stationary sites in the federated database, we then introduce the notion of a mobile site: a site that will eventually disconnect from the federated database and become unreachable for some time. Introducing the mobile site into the federated database allows us to propose the Mobile Self Protecting Object (MSPO) and its associated architecture. Because of the nature of mobile sites, the original model for maintaining integrity can not be applied to the MSPO architecture.
We therefore propose a mechanism (to be implemented in unison with the original model) to ensure the integrity of MSPOs on mobile sites. We then discuss the JASPO prototype. The aim of the prototype was to determine if the Self Protecting Object model was feasible using current development technologies. We examine the requirements identified in order for the prototype to be successful and discuss how these were satisfied. Several modifications were made to the original SPO model, including the addition of a new module and the exclusion of others; we discuss these modifications and examine why they were necessary.
208

The management of networks with specific reference to security management

Kersten, Karin 15 August 2012
M.Comm. / This dissertation is devoted to an investigation into the network-management environment, with special emphasis on the security aspects and the provision of a reference framework when choosing a network-management product. The dissertation is aimed at those responsible for network-management and the selection of the various network-management products by providing a framework for evaluating network management products. The first four chapters provide the background to the reference framework. The following two chapters are devoted to those aspects to be taken into consideration when evaluating a network-management product. The consolidation and the case study in chapters seven and eight provide an abridged version of the framework and illustrate how the framework could be applied to a network-management product. Chapter one provides the background to the reference framework regarding networks and network-management. The concept of network-management is introduced, as well as the three forms of architectures that could be implemented, namely centralised, hierarchical and distributed architectures. A number of network-management functions have to be taken into consideration when evaluating a network-management package, namely configuration, asset, fault, performance, accounting and security management. These functions are also covered in chapter six. Chapter two provides the background to the security aspect of the reference framework. The three main topics covered in this respect are the definition of network-security, computer crime and specific elements of network-security. This chapter also provides a springboard for the evaluation of the network-management environment, as well as an idea of what issues and measures should be addressed and taken in order to prevent, or at least minimise, the effects of network-security breaches. 
Chapter three covers issues relating to network-security responsibilities, with special reference to the management side of network-management, including those issues that management should take into consideration when evaluating the network-management environment. Two methods that could be implemented include network-management policies and strategies. Network-security policies and strategies encompass those issues necessary for effective security within an organisation. This chapter, however, covers the more theoretical or higher-level goals or objectives of network-management. Chapter four relates to more of the day-to-day management issues of the network-security and the network-security management services and functions that should be considered. These include issues such as network-security services, managing network access, monitoring and controlling the network security system and the maintenance and modification of the said system. Network-management product considerations are discussed in chapter five, which chapter can be viewed as the business and practical side of the reference framework. The topics discussed here are more closely related to the business considerations when evaluating a network-management package and the practical issues of network-management. Topics discussed in this chapter include security and network-management products, practical approaches to choosing network-management products, critical success factors of network-management and analysis of the cost component. In contrast to these issues, the reference framework expounded in chapter six concentrates on the technical and network-management functions. Chapter six constitutes the culmination of the present dissertation in the form of a reference framework, which is for the greater part formulated along the lines of the criteria given.
This reference framework is aimed at those experts enlisted to evaluate and select network-management products, specifically as far as their security-management features are concerned. The areas covered include the user framework, the product framework, network-fault management, network-performance management, network-accounting management, network configuration and change management, network-security management and conformance testing. The topics discussed are, however, by no means exclusive and there are a number of other issues that have not been addressed in this dissertation, but which, depending on the network environment, would have to be taken into consideration. Chapter seven is a consolidation of the reference framework given in chapter six, as well as of some of the main points and criteria that could be considered when performing a quick evaluation of a product. This chapter does not, however, make any pretence to being exhaustive, but merely serves to highlight a few crucial criteria. Chapter eight is devoted to a case study in terms of which the reference framework is applied to a network-management product. In conclusion, a summary of the dissertation is given in chapter nine.
209

Information security risk management: a holistic framework.

Bornman, Werner George 22 April 2008
Information security risk management is a business principle that is becoming more important for organisations due to external factors such as governmental regulations. Since due diligence regarding information security risk management (ISRM) is necessitated by law, organisations have to ensure that risk information is adequately communicated to the appropriate parties. Organisations can have numerous managerial levels, each of which has specific functions related to ISRM. The approaches of each level differ and this makes a cohesive ISRM approach throughout the organisation a daunting task. This task is compounded by strategic and tactical level management having specific requirements imposed on them regarding risk management. Tactical level management has to meet these requirements by instituting processes that can deliver on what is required. Processes in turn should be executed by operational level management. However, the available approaches of each managerial level make it impossible to communicate and consolidate information from the lower organisational levels to top level management due to the differing terminology, concepts and scope of each approach. This dissertation addresses the ISRM communication challenge through a systematic and structured solution. ISRM and related concepts are defined to provide a solid foundation for ISRM communication. The need for and institutions that impose risk management requirements are evaluated. These requirements are used to guide the solution for ISRM communication. At strategic level, governmental requirements from various countries are evaluated. These requirements are used as the goals of the communication processes. Different approaches at tactical and operational level are evaluated to determine if they can meet the strategic level requirements. It was found that the requirements are not met by most of the evaluated approaches. The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. 
It allows organisations to evaluate ISRM methodologies at operational level against the requirements of strategic management. This framework caters for the ability of ISRM methodologies to be adapted to organisational requirements. Developed scales allow for a qualitative comparison between different methodologies. The BFME forms the basis of the Bornman Framework for ISRM Information Communication (BFIC). This communication framework communicates the status of each ISRM component. This framework can be applied to any ISRM methodology after it has been evaluated by the BFME. The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The prototype utilises an existing ISRM methodology’s approach and provides decision-enabling risk information to top level management. By implementing the BRC and following the processes of the BFME and BFIC the differences in the approaches at each managerial level in different organisational structures are negated. These frameworks and prototype provide a holistic communication framework that can be implemented in any organisation. / Prof. L. Labuschagne
210

Secure object-oriented databases

Olivier, Martin Stephanus 07 October 2014
D.Phil. (Computer Science) / The need for security in a database is obvious. Object-orientation enables databases to be used in applications where other database models are not adequate. It is thus clear that security of object-oriented databases must be investigated...
