Does Device Matter? Understanding How User, Device, and Usage Characteristics Influence Risky IT Behaviors of Individuals

Negahban, Arash

08 1900

Over the past few years, there has been a skyrocketing growth in the use of mobile devices. Mobile devices are ushering in a new era of multi-platform media and a new paradigm of “being-always-connected”. The proliferation of mobile devices, the dramatic growth of cloud computing services, the availability of high-speed mobile internet, and the increase in the functionalities and network connectivity of mobile devices, have led to creation of a phenomenon called BYOD (Bring Your Own Device), which allows employees to connect their personal devices to corporate networks. BYOD is identified as one of the top ten technology trends in 2014 that can multiply the size of mobile workforce in organizations. However, it can also serve as a vehicle that transfers cyber security threats associated with personal mobile devices to the organizations. As BYOD opens the floodgates of various device types and platforms into organizations, identifying different sources of cyber security threats becomes indispensable. So far, there are no studies that investigated how user, device and usage characteristics affect individuals’ protective and risky IT behaviors. The goal of this dissertation is to expand the current literature in IS security by accounting for the roles of user, device, and usage characteristics in protective and risky IT behaviors of individuals. In this study, we extend the protection motivation theory by conceptualizing and measuring the risky IT behaviors of individuals and investigating how user, device, and usage characteristics along with the traditional protection motivation factors, influence individuals’ protective and risky IT behaviors. We collected data using an online survey. The results of our study show that individuals tend to engage in different levels of protective and risky IT behaviors on different types of devices. We also found that certain individual characteristics as well as the variety of applications that individuals use on their computing devices, influence their protective and risky IT behaviors.

risky IT behavior

IT security

mobile devices

protective IT behavior

information systems security

Mobile computing -- Security measures.

Computer security.

Ontology Based Security Threat Assessment and Mitigation for Cloud Systems

Kamongi, Patrick

12 1900

A malicious actor often relies on security vulnerabilities of IT systems to launch a cyber attack. Most cloud services are supported by an orchestration of large and complex systems which are prone to vulnerabilities, making threat assessment very challenging. In this research, I developed formal and practical ontology-based techniques that enable automated evaluation of a cloud system's security threats. I use an architecture for threat assessment of cloud systems that leverages a dynamically generated ontology knowledge base. I created an ontology model and represented the components of a cloud system. These ontologies are designed for a set of domains that covers some cloud's aspects and information technology products' cyber threat data. The inputs to our architecture are the configurations of cloud assets and components specification (which encompass the desired assessment procedures) and the outputs are actionable threat assessment results. The focus of this work is on ways of enumerating, assessing, and mitigating emerging cyber security threats. A research toolkit system has been developed to evaluate our architecture. We expect our techniques to be leveraged by any cloud provider or consumer in closing the gap of identifying and remediating known or impending security threats facing their cloud's assets.

Ontology

Cybersecurity

Cloud Computing

Vulnerability

Ranking

Threat

Risk

Prediction

Assessment

Mitigation

Systems

Computer networks -- Security measures.

Computer security.

Cloud computing -- Security measures.

Ontologies (Information retrieval)

Seed and Grow: An Attack Against Anonymized Social Networks

Peng, Wei

07 August 2012

Indiana University-Purdue University Indianapolis (IUPUI) / Digital traces left by a user of an on-line social networking service can be abused by a malicious party to compromise the person’s privacy. This is exacerbated by the increasing overlap in user-bases among various services. To demonstrate the feasibility of abuse and raise public awareness of this issue, I propose an algorithm, Seed and Grow, to identify users from an anonymized social graph based solely on graph structure. The algorithm first identifies a seed sub-graph either planted by an attacker or divulged by collusion of a small group of users, and then grows the seed larger based on the attacker’s existing knowledge of the users’ social relations. This work identifies and relaxes implicit assumptions taken by previous works, eliminates arbitrary parameters, and improves identification effectiveness and accuracy. Experiment results on real-world collected datasets further corroborate my expectation and claim.

social networks; anonymization; privacy

Data protection

Computer security

Internet -- Safety measures

Privacy, Right of

Computer networks -- Social aspects

Acceptance of biometric authentication security technology on mobile devices

Malatji, W. R.

January 2022

M. Tech. (Department of Information and Communication Technology, Faculty of Applied and Computer Sciences), Vaal University of Technology. / Mobile devices are rapidly becoming a key computing platform, transforming how people access business and personal information. Accessing business and personal data using mobile devices requires authentication that is secure. The world is rapidly becoming connected and all users of mobile devices need to be clear regarding individual data security. As a result, biometrics for mobile devices has come into existence. Biometric technology can be applied on mobile devices to improve the trustworthiness of wireless services. Furthermore, it is of great importance and necessary to start paying attention to and investing in mobile biometric technologies, as they are quickly turning into tools of choice for productivity. In the literature review, it shows that few studies measured the acceptance of biometric authentication technology on mobile devices. This study seeks to find out the perceptions as to the acceptance of biometric authentication technology on mobile devices. TAM2 was used as the foundation for generating the hypothesis and developing the conceptual framework for this study. This quantitative study used a survey-based questionnaire to collect data from 305 participants. The simple random sampling technique was used to select participants for this study. The response rate was 98% of the expected population, which was a total of 302 valid responses. A descriptive analysis was deployed to provide a description of respondents’ demographic characteristics. SPSS was used to compute the multiple regressions in order to evaluate the research hypotheses. The findings of this study revealed that perceived humanness, perceived interactivity, perceived social presence, perceived ease of use and subjective social norm, and perceived usefulness and trust are important determinants of customers’ intention to accept and use mobile biometric devices. It was found that reliability is a good predictor of trust. On the other hand privacy, identity theft and combining data are also important determinants of trust. This work can be used to strengthen biometric authentication technology in-cooperation with mobile devices for simplicity of use. Since most mobile devices are used for personal and business information, further research on the acceptance of biometric authentication technology on mobile devices is needed.

Technology acceptance

Biometrics

Mobile devices

Mobile biometrics

Intention to use

Dissertations, Academic -- South Africa.

Mobile computing -- Security measures.

Smartphones -- Security measures.

Biometric identification.

Scalable framework for turn-key honeynet deployment

Brzeczko, Albert Walter

22 May 2014

Enterprise networks present very high value targets in the eyes of malicious actors who seek to exfiltrate sensitive proprietary data, disrupt the operations of a particular organization, or leverage considerable computational and network resources to further their own illicit goals. For this reason, enterprise networks typically attract the most determined of attackers. These attackers are prone to using the most novel and difficult-to-detect approaches so that they may have a high probability of success and continue operating undetected. Many existing network security approaches that fall under the category of intrusion detection systems (IDS) and intrusion prevention systems (IPS) are able to detect classes of attacks that are well-known. While these approaches are effective for filtering out routine attacks in automated fashion, they are ill-suited for detecting the types of novel tactics and zero-day exploits that are increasingly used against the enterprise. In this thesis, a solution is presented that augments existing security measures to provide enhanced coverage of novel attacks in conjunction with what is already provided by traditional IDS and IPS. The approach enables honeypots, a class of tech- nique that observes novel attacks by luring an attacker to perform malicious activity on a system having no production value, to be deployed in a turn-key fashion and at large scale on enterprise networks. In spite of the honeypot’s efficacy against tar- geted attacks, organizations can seldom afford to devote capital and IT manpower to integrating them into their security posture. Furthermore, misconfigured honeypots can actually weaken an organization’s security posture by giving the attacker a stag- ing ground on which to perform further attacks. A turn-key approach is needed for organizations to use honeypots to trap, observe, and mitigate novel targeted attacks.

Honeynet

Cloud computing

Information security

Computer networks Security measures

Internet-based electronic payment systems

Kortekaas, Birgit Friederike

01 January 2002

As today, the traditional payment systems of cash, cheques and credit cards are being supplemented by electronic cheques, electronic credit card-based systems, and token-based systems, online security is of utmost importance and one of the biggest criteria used for evaluating electronic payment systems. Electronic payment systems must guarantee the essential security requirements: confidentiality, privacy, integrity, availability. authentication, non-repudiation as well as anonymity and trust. This paper compares the various payment systems (both traditional and electronic) available today mainly according to their security aspects. Secure processing can be accomplished including access controls and detection techniques, such as, encrypted communication channels, user and/or message authentication, symmetric and asymmetric encryption, digital certificates and firewalls. These effective security measures, which are outlined in detail in this paper, will protect the information and payment systems against security risks that currently threaten the Internet / Computing / M.Sc. (Information Systems)

Internet

Electronic commerce

Electronic payment systems

Authentication

Confidentiality

Identification

Integrity

Privacy

Security

Cryptography

Certificates

Encryption

Digital signatures

Anonymity

Threats

Electronic cash

Electronic cheque

Smart cards

Electronic credit cards

658.478

Internet -- Economic aspects

Internet -- Security measures

Payment

Electronic commerce -- Security measures

Computer networks -- Security measures

Data encryption (Computer science)

Smart cards

An analysis of the relationship between security risk management and business continuity management: a case study of the United Nations Funds and Programmes

Van der Merwe, Johannes Jacobus

26 July 2015

Text in English / The goal of this research was to investigate the relationship between security risk management and business continuity management and to determine how these two methodologies are applied within United Nations Funds and Programmes. These United Nations (UN) agencies have been established to deliver humanitarian aid, economic and social development and reconstruction activities. The locations where these services are required are typically where security risks are also most prevalent. The staff of the UN, the International Red Cross and other humanitarian and development organisations have traditionally been treated as neutral parties and have not been targeted by belligerent groups. This study revealed that there has been an annual increase in security incidents against aid workers and employees of UN organisations. The changing security landscape worldwide and the increasing demand for aid and development services in especially fragile and post-conflict environments, require organisations working in these areas to maintain a high level of resilience. Their resilience can be strengthened by applying robust security risk and business continuity management methodologies. The study included an examination of the global risk environment as it pertains to UN agencies, as well as key risk management concepts such as risk management, operational risk management, security risk management, business continuity management and organisational resilience. For the purposes of this study, security risk management is defined as the systematic approach to assessing and acting on security risks, while ensuring the safety and security of the organisation's personnel and facilities and ensuring that organisational objectives are achieved. Business continuity is a management process that identifies potential threats to an organisation, it assesses the impact to business operations − should the threats materialise − and it furthermore assists in the development of strategies to continue operations in the event of a disruption. In addition to looking at these concepts individually, the relationship between security risk management and business continuity management was also reviewed. The specific objectives set out to achieve the goal of the study were the following:  Explore the perceptions of UN agencies about the link between security risk management and business continuity management.  Analyse the extent of integration between security risk management and business continuity management processes and oversight.  Make recommendations as to how security risk management and business continuity management can operate in an integrated manner with the goal of increasing the overall resilience of UN agencies. To answer the research questions a qualitative research approach was adopted. This enabled the researcher to collect data through interviewing participants and analysing their feedback. The research focused on UN Funds and Programmes as a sub-set of agencies within the UN family of organisations. Each one of these agencies has a specific mandate, such as providing assistance to refugees, promoting food security, poverty reduction, improving reproductive health and family planning services. They also operate in fragile states as well as in emergency and humanitarian crises situations where the security risks are often higher than in normal developing countries. Eight out of 12 UN Funds and Programmes agreed to participate in the study, including: United Nations Children's Fund; United Nations Relief and Works Agency for Palestine Refugees in the Near East; Office of the United Nations High Commissioner for Refugees; World Food Programme; United Nations Development Programme; United Nations Office on Drugs and Crime; United Nations Human Settlements Programme; and UN Women. Data were collected through conducting semi-structured telephone interviews with the security manager and/or business continuity manager serving in the headquarters of each participating organisation. Findings from the study indicated that security risk management within the UN system has evolved and that security has matured from a purely protective and defensive posture to following a risk management approach. The strength of the UN Security Management System lies in its Security Risk Management Model, which enables a thorough assessment of security risks and the implementation of commensurate mitigating security measures. In contrast to security risk management, the study revealed that business continuity as a management process is a fairly new initiative and has not yet been comprehensively adopted by all UN agencies. When combined, security risk management and business continuity management ensure the safety of staff, maximise the defence of the agencies’ reputation, minimise the impact of events on the agencies as well as their beneficiaries, protect the organisation’s assets, and very importantly, demonstrate effective governance. This can only be done through establishing an organisational risk management model by positioning security risk management and business continuity management within the UN agency’s organisational structure so that they can effectively work together and at the same time allow access to senior management. Good practices and apparent gaps were identified in how these two methodologies are implemented and five specific recommendations were made. The research confirmed the need for both security risk management and business continuity management and the role each function plays to enhance an organisation’s resilience. It also highlighted that while they are two separate management functions, both need to be implemented within a larger risk management framework and need to be closely aligned in order to be effective. The five recommendations are:  Incorporate security risk management and business continuity management functions and responsibilities into the larger agency-wide risk management governance framework.  Expand the scope of business continuity in those UN agencies where it currently sits in the domain of information technology or has not yet been comprehensively implemented across the organisation.  Establish a comprehensive crisis management framework spanning across the whole organisation from their headquarters to country offices.  Develop the capacity to gather risk data across their agency and aggregate the data to view the full spectrum of risks, including security risks and business continuity risks in a holistic manner.  Integrate security risk management and business continuity management processes to enhance their effectiveness. This study contributes to the existing body of knowledge in the field of risk management by gathering relevant information from participating UN Funds and Programmes, comparing the information with other academic sources and drawing conclusions to answer the research questions. While it is expected that each organisation will have its own view on how to implement security risk management and business continuity management, the findings and recommendations as a result of the study present a series of practical recommendations on how the two functions can operate in an integrated manner in order to increase the overall resilience of these UN agencies. Other non-UN organisations working in similar high risk environments could also benefit from the outcomes of the study, as it would allow them to compare their own approaches to security risk management and business continuity management with the information presented in this study. / Security Risk Management / M. Tech. (Security Management)

658.47

United Nations Development Programme

Business planning

Risk management

Industries -- Security measures

Emergency management

Electronic payment and security on the Internet

Marais, Terrence K.

12 1900

Thesis (MBA)--Stellenbosch University, 2002. / ENGLISH ABSTRACT: The greatest potential worry that an on-line shopper has is what happens to his/her credit card details from the moment "submit" is pressed on the computer. Is it possible for someone on the Internet to intercept the message and use credit card details maliciously? Also, there is a lot of talk about personal details being encrypted, but how sure is one that this was indeed the case once "submit" has been pressed? Is there a way in which one can be sure that a transaction will occur only once? Many of the security issues are new and many experts are only learning how to deal with these now. This thesis offers suggestions and strategies a user can follow to minimize misuse and abuse of payment details. Electronic payment is the backbone of e-commerce, and the biggest threat towards widespread acceptance and usage of e-commerce is security. Many innovative solutions have been developed by vendors to address security issues. For example, the Secure Electronic Transfer (SET) protocol was developed to ensure that credit card transactions could be conducted safely and securely on the Internet. Secure Socket Layer (SSL) ensures that all communications and transactions are conducted in a tightly secure environment. This is critical for online or mobile banking and other financial activities. Others developments include payment systems that ensure that credit card details are never exposed to a merchant (e.g. SET), while some ensure that credit card numbers never enter the Internet. The five corner stones of security are confidentiality, privacy, authentication, integrity and non-repudiation. Authentication, non-repudiation and integrity can be resolved with digital certificates, digital timestamps and digital signatures. Message confidentiality, on the other hand, is ensured through the use of strong encryption. Encryption systems mutilate data or a message to such an extent that it is totally useless to someone who does not have the appropriate algorithm and key to decode it. The most widely used encryption schemes are the secret key and public key encryption systems. The public key cryptosystem generates two keys, called a public and private key. The public key can be made generally known, but the private key must be kept secret. A unique property of the scheme is that once data is encrypted with one key, only the corresponding other key of the pair can decrypt it. This makes it possible to address issues of authentication, integrity and non-repudiation. Traditional payment instruments such as cash, cheques, debit and credit card transactions are being replaced by their electronic equivalents. The driving forces behind these are transactional security, efficiency and speed. Novel payment solutions and strategies have been devised to meet the challenges of this new economy. For example, smart cards can act as an electronic purse that can hold electronic money. Other information, such as personal details, medical records, driver's licence, etc. can also be stored on the card. Whilst many security experts are in agreement that security is not a barrier anymore for wider usage of the Internet for financial transactions, many consumers are still apprehensive about how secure and safe it really is. This work aims to diminish those fears and show that the Internet is safe for business. / AFRIKAANSE OPSOMMING: Een van die grootste bekommernisse wat 'n kliënt met aankope op die Internet kan ondervind, is die onsekerheid wat presies gebeur nadat betalings aangegaan is en "Submit" is gedruk. Is dit moontlik dat iemand die boodskap kan onderskep en betaling besonderhede vir eie gebruik kan herwin? Daar is ook baie publisiteit oor kodifisering, maar hoe kan die klient verseker wees dat betalings besonderhede wel gekodifiseer is wanneer "Submit" gedruk was? Is daar 'n manier waarmee 'n mens verseker kan wees dat betaling slegs eenkeer gaan geskied? Baie van die sekuriteits lokvalle is nuut en sekuritiets kenners is tans besig om te leer hoe om die probleme te hanteer. Die werkstuk offer wenke en strategieë vir die verbruiker om die misbruik van betaling besondehede op die Internet te minimiseer. Elektronies betalings meganisme is die ruggraat van elektroniese besigheid, en die grootste struikelblok tot die grootskaalse gebruik daarvan is sekuriteit. Daar is baie innoverende oplossings om die probleme hok te slaan. By voorbeeld, die Secure Electronic Transfer (SET) protokol was ontwikkel om te verseker dat betalings met kredietkaart met hoë sekuriteit en veiligheid aangegaan kan word. Secure Socket Layers (SSL), verseker dat alle kommunikasies en transaksies in 'n sekuur en veilige omgewing plaasvind. Dit is veral krities wanneer die verbruiker gebruik maak van die Internet of vanaf selfone om transaksies aan te gaan met 'n bank. Ander ontwikkelinge sluit in betalings metodes wat verseker dat die handelaar nooit die kredietkaart besonderhede sien nie (bv. SET). Ander verseker weer dat die betalings besonderhede nooit oor die Internet hoef gestuur te word nie. Die vyf hoekstene van sekuriteit is konfidensialiteit, privaatheid, outentisiteit, integriteit en non-repudiasie. Outentisiteit, integriteit en non-repudiasie word opgelos deur die gebruik maak van digitale sertifikate, digitale tydstempels en digitale handtekeninge. Konfidensialiteit kan verseker word deur die boodskap te kodifiseer. Kodifikasie behels die verandering van data of boodskappe op so 'n wyse dat dit van geen betekenis is vir 'n persoon wat nie die korrekte algoritme en sleutel het om dit te dekodifiseer nie. Die geheime en publieke kodifiserings stelsels word die meeste gebruik om data te kodifiseer. Die publieke kodifiserings stelsel genereer twee sleutels, naamlik 'n privaat en publieke sleutel. Die publieke sleutel kan alom bekend gemaak word, maar die private sleutel moet slegs bekend wees aan sy gebruiker. 'n Unieke eienskap van die stelsel is dat indien 'n boodskap gekodifiseer is met een sleutel, slegs die ander sleutel van die paar dit sal kan dekodifiseer. Dit maak dit moontlik om outentisiteit, integriteit en non-repudiasie toe te pas. Die tradisionele metodes van betaling soos kontant, tjek en debiet of kredietkaart, gaan mettertyd vervang word deur hul elektroniese eweknie. Die dryfkrag agter die verskynsel is die hoë sekuriteit, doeltreffendheid en spoed waarmee transaksies op die manier gehanteer kan word. Vindingryke betaling metodes is ontdek om die besondere uitdagings van die nuwe ekonomie aan te speek. Byvoorbeeld, knap kaarte kan gebruik word as 'n elektroniese beursie wat elektroniese geld bêre. Ander persoonlike inligting, mediese records, bestuurlisensies, ens. kan ook op die kaart geberg word. Terwyl baie sekuriteits kenners glo dat sekuriteit nie meer 'n stuikelblok is om die Internet vir besigheids transaksies te gebruik nie, bly baie van die verbruikers skepties. Die werkstuk se doel is om daardie onsekerhede uit die weg te ruim, deur te verduidelik hoe sekuriteit toe gepas word, en om te bewys dat die Internet interdaad veilig is as a medium vir besigheids transaksies.

Electronic funds transfers

Internet

Dissertations -- Business management

Theses -- Business management

A review of catastrophe planning for management information systems inHong Kong

Chan, Yuk-wah, Eliza., 陳玉華.

January 1989

published_or_final_version / Business Administration / Master / Master of Business Administration

Multi-core design and resource allocation: from big core to ultra-tiny core

Kwok, Tai-on, Tyrone., 郭泰安.

January 2008

published_or_final_version / Electrical and Electronic Engineering / Doctoral / Doctor of Philosophy

Computer networks - Security measures

Systems on a chip.

Computer architecture.