The economics of information security

Dlamini, Moses Thandokuhle

20 September 2010

In the year 2008, world markets suffered a huge economic crisis. The extent of the economic crisis has been so severe and has had a global impact. As a contingency strategy, governments of wealthy nations have resorted to extensive bailouts and rescue packages to stop organisations from going bankrupt. A skyrocketing amount of money has been spent on rescue packages and bailouts for the tumbling organisations. However, this could not stop some of the world’s wealthiest financial institutions e.g. Lehman Brothers, Northern Rock, etc from collapsing. Most of the surviving organisations froze their expenditure, implemented cost-cutting measures and in the process, numerous employees lost their jobs. Executives were compelled to ‘achieve more with less’ in order to save their organisations from going bankrupt. It is on this premise that this research proposed the BC3I (Broad Control Category Cost Indicators) model, which is a step towards ‘achieving more with less’ within information security budgeting. The tumbling world markets and increased requirements for legal and regulatory compliance have made this a timely and relevant research that addressed a current, spot-on and global problem. The BC3I model as the main outcome of this research has indeed come at the right time. The BC3I model as proposed in this research makes a real contribution towards assisting information security managers as they make informed decisions regarding the optimal and cost-effective allocation of financial resources to information security activities. The proposed model can be argued to be a good start towards the selection of appropriate controls to optimally and cost-effectively protect organisations’ information assets and simultaneously achieve compliance with legal and regulatory mandates. As a proof of concept, the practicality of the BC3I model has been demonstrated in three different scenarios. The model has been illustrated for an organisation chosen from the financial sector; being the hardest hit by the economic crisis. Furthermore, the financial sector is chosen because of its high reliance on information security for the most obvious reasons that of dealing with money and confidential customer information. Finally and for acceptance purposes, the model has been discussed and reviewed by industry experts from the financial sector. Copyright / Dissertation (MSc)--University of Pretoria, 2010. / Computer Science / unrestricted

Broad control categories

Information security standards

Budget constraints

Information security

Information security investment

Information security budget

Information security controls

UCTD

Bezpečnost firemních telefonních sítí využívajících VoIP / Security of Enterprise VoIP Telephony Networks

Šolc, Jiří

January 2008

This thesis focuses on enterprise VoIP telephony network security. Introduces brief comparison of old analog and digital voice networks and IP telephone networks with special focus on VoIP system security. The goal of the thesis is to identify the risks of implementation and operation of VoIP technologies in enterprise environment and so thesis brings some conclusion how to minimalize or avoid these risks. First two chapters briefly introduce the development of telephony technologies with differentiation of enterprise telephone network from public telephone networks. Further it describes individual technologies, digitalization of voice, processing the signal and VoIP protocols and components. Third chapter focuses on infrastructure of telephony networks with special interest for architecture of IP telephony and ways of establishing call processing. It describes data flows for further security risk analysis, which this technology came with. Fifth chapter is about enterprise security standards in common and is trying to describe information security management system (ISMS) adopting VoIP technology. Individual security threats and risks are described in sixth chapter, along with known methods how to avoid them. Final parts of thesis concludes of two real situation studies of threats and risks of VoIP technologies implemented in environment of small commercial enterprise and medium size enterprise, in this example represented by University of economics. These chapters conclude theoretical problems shown on practical examples.

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh

30 November 2005

With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)

Adherence to established standards

Information security framework

Information security policy

Information security practices

Security standards

Compliance

Information security risk

Procedures

005.8096982

Information policy -- Mauritius

An investigation of information security policies and practices in Mauritius

Sookdawoor, Oumeshsingh

30 November 2005

With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems)

Adherence to established standards

Information security framework

Information security policy

Information security practices

Security standards

Compliance

Information security risk

Procedures

005.8096982

Information policy -- Mauritius

Kyberbezpečnost v průmyslu / Cybersecurity in the engineering industry

Jemelíková, Kristýna

January 2021

The master’s thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains concepts and knowledge of cyber security and discusses the current requirements of legislation and standards of the ISO/IEC 27000 series. In practical part are proposed measures to increase cyber security and information security based on the theoretical background and analysis of current state in the selected company.

Zavedení ISMS v obchodní společnosti / Implementation of ISMS in the Commercial Company

Dejmek, Martin

January 2013

This master thesis deals with the implementation of information security management system in the company. It summarizes the theoretical background in this field and uses it to analyze the current state of information security, as well as analysis and risk management and not least the actual implementation of ISMS in the particular company. This work also contains three groups of measures that reduce the impact of identified risks and which also implements an essential parts of ISMS.

A risk based approach for managing information technology security risk within a dynamic environment

Mahopo, Ntombizodwa Bessy

11 1900

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves. / Computing / M. Sc. (Computing)

IT

IT security

Risk

Risk management

IT security threat modelling

IT security management

OCTAVE

COBIT

ITIL

ISO 27001/2

ISF Standard of Good Practice

005.82

Computer security -- Standards

Cyberterrorism

Anomaly Detection in RFID Networks

Alkadi, Alaa

01 January 2017

Available security standards for RFID networks (e.g. ISO/IEC 29167) are designed to secure individual tag-reader sessions and do not protect against active attacks that could also compromise the system as a whole (e.g. tag cloning or replay attacks). Proper traffic characterization models of the communication within an RFID network can lead to better understanding of operation under “normal” system state conditions and can consequently help identify security breaches not addressed by current standards. This study of RFID traffic characterization considers two piecewise-constant data smoothing techniques, namely Bayesian blocks and Knuth’s algorithms, over time-tagged events and compares them in the context of rate-based anomaly detection. This was accomplished using data from experimental RFID readings and comparing (1) the event counts versus time if using the smoothed curves versus empirical histograms of the raw data and (2) the threshold-dependent alert-rates based on inter-arrival times obtained if using the smoothed curves versus that of the raw data itself. Results indicate that both algorithms adequately model RFID traffic in which inter-event time statistics are stationary but that Bayesian blocks become superior for traffic in which such statistics experience abrupt changes.

Thesis

University of North Florida

UNF

RFID

RFID security

NFC

anomaly detection

security

Bayesian blocks

Bayesian statistics

Knuth

Knuth's rule

RFID traffic

piecewise constant models

security standards

RFID networks

ISO standards

IEC 29167 standards

tag-reader sessions

active attacks

tag cloning

replay attacks

piecewise linear models

RFID command arrivals

traffic characterization

intrusion detection

Radiofrequency identification

Bayes methods

Data models

mathematical model

telecommunication traffic

telecommunication security

Computational Engineering

Information Security

Theory and Algorithms