Visualizing Memory Utilization for the Purpose of Vulnerability Analysis

McConnell, William Charles

02 July 2008

The expansion of the internet over recent years has resulted in an increase in digital attacks on computers. Most attacks, including the more dangerous ones, directly target program vulnerabilities. The increase in attacks has prompted a need to develop new ways to classify, detect, and avoid vulnerabilities. The effectiveness of these goals relies on the development of new methods and tools that facilitate the process of detecting vulnerabilities and exploits. This thesis presents the development of a tool that provides a visual representation of main memory for the purpose of security analysis. The tool provides new insight into memory utilization by software; users are able to see memory utilization as execution time progression, visually distinguish between memory behaviors (allocations, writes, etc), and visually observe special relationships between memory locations. The insight enables users to search for visual evidence that software is vulnerable, violated, or utilizing memory incorrectly. The development process for our visual tool has three stages: (1) identifying the memory utilization policies of the Windows 32-bit operating system; (2) identifying the data required for visual representations of memory and then implementing one possible method to capture the data; and (3) enumerating and implementing requirements for a memory tool that generates visual representations of memory for the purpose of vulnerability and exploit analysis. / Master of Science

main memory

memory API

data capturing

function hooks

exploits

security

resource utilization

visualization

software vulnerabilities

Uso de técnicas e ferramentas para detecção de vulnerabilidades: um survey com membros de equipes de desenvolvimento ágil de software / Use of techniques and tools for vulnerability detection: a survey with members of agile software development teams

Santos, Ligia Cassia Moreno de Castro

05 April 2018

Métodos ágeis foram criados para sanar fraquezas reais e perceptíveis dos métodos tradicionais de desenvolvimento de software. Devido à pressão na entrega de produtos de software dentro do prazo, muitas vezes requisitos de segurança são pouco mensurados ou até deixados de lado. Durante o desenvolvimento ágil de software é importante detectar possíveis vulnerabilidades. Esta dissertação descreve um survey aplicado a membros de equipes de desenvolvimento de software que aplicam métodos ágeis. Para tanto, foram identificados por meio da rede de profissionais LinkedIn 110 membros de equipes ágeis que implantaram, estão em processo de implantação ou ainda irão implantar técnicas e ferramentas para detecção de vulnerabilidades. Além disso, foram entrevistados nove gerentes de equipes ágeis. O questionário e o roteiro da entrevista foram baseados em três conhecidos processos de desenvolvimento de software seguro, a saber, Processo de McGraw, OWASP CLASP e as atividades de Howard e Lipner. A coleta de dados se deu por meio de questionários e entrevistas. A análise dos resultados utilizou técnicas de estatística descritiva e análise de conteúdo. Elas indicaram os métodos ágeis mais utilizados, o uso atual das técnicas e ferramentas, as aptidões, os interesses e as necessidades em treinamento em técnicas e ferramenta para detecção de vulnerabilidades. Além disso, os benefícios obtidos com a implantação das técnicas e ferramentas, as motivações, as estratégias, as dificuldades, as limitações e as lições aprendidas foram identificadas. Os resultados indicam que existe motivação para a implantação de segurança, mas ainda não se dá atenção especial à detecção de vulnerabilidades nas equipes ágeis cujos membros participaram do survey / Agile methods were created to address real and perceived weaknesses of traditional software development methods. Due to the pressure to delivery software products on time, security requirements are often poorly addressed or even neglected. During agile software development it is important to detect possible vulnerabilities. This dissertation describes a survey applied to members of software development teams who apply agile methods. Thus, 110 members of agile teams were identified through LinkedIns network of professionals who deployed, are in the process of being deployed or will still implement techniques and tools for vulnerability detection techniques and tools were identified. The questionnaire was based on three known safe software development processes, namely, the McGraw Process, OWASP CLASP, and the activities of Howard and Lipner. Data were collected through questionnaires and interviews. The analysis of the results used techniques of descriptive statistics and content analysis. They indicated the most widely used agile methods, the current use of techniques and tools, the skills, interests and training needs of agile teams in vulnerability detection techniques and tools. In addition, the benefits of implementing the techniques and tools, the motivations, the strategies, the difficulties, the limitations and the lessons learned were identified. The results suggest that special attention is still not given to detection of vulnerabilities in the agile teams whose members participated in the survey

Agile Methods

Desenvolvimento de software

Engenharia de Software

Métodos Ágeis

Segurança de Software

Software Development

Software Engineering

Software Security

Survey

Survey

Vulnerabilidades

Vulnerabilities

Uso de técnicas e ferramentas para detecção de vulnerabilidades: um survey com membros de equipes de desenvolvimento ágil de software / Use of techniques and tools for vulnerability detection: a survey with members of agile software development teams

Ligia Cassia Moreno de Castro Santos

05 April 2018

Métodos ágeis foram criados para sanar fraquezas reais e perceptíveis dos métodos tradicionais de desenvolvimento de software. Devido à pressão na entrega de produtos de software dentro do prazo, muitas vezes requisitos de segurança são pouco mensurados ou até deixados de lado. Durante o desenvolvimento ágil de software é importante detectar possíveis vulnerabilidades. Esta dissertação descreve um survey aplicado a membros de equipes de desenvolvimento de software que aplicam métodos ágeis. Para tanto, foram identificados por meio da rede de profissionais LinkedIn 110 membros de equipes ágeis que implantaram, estão em processo de implantação ou ainda irão implantar técnicas e ferramentas para detecção de vulnerabilidades. Além disso, foram entrevistados nove gerentes de equipes ágeis. O questionário e o roteiro da entrevista foram baseados em três conhecidos processos de desenvolvimento de software seguro, a saber, Processo de McGraw, OWASP CLASP e as atividades de Howard e Lipner. A coleta de dados se deu por meio de questionários e entrevistas. A análise dos resultados utilizou técnicas de estatística descritiva e análise de conteúdo. Elas indicaram os métodos ágeis mais utilizados, o uso atual das técnicas e ferramentas, as aptidões, os interesses e as necessidades em treinamento em técnicas e ferramenta para detecção de vulnerabilidades. Além disso, os benefícios obtidos com a implantação das técnicas e ferramentas, as motivações, as estratégias, as dificuldades, as limitações e as lições aprendidas foram identificadas. Os resultados indicam que existe motivação para a implantação de segurança, mas ainda não se dá atenção especial à detecção de vulnerabilidades nas equipes ágeis cujos membros participaram do survey / Agile methods were created to address real and perceived weaknesses of traditional software development methods. Due to the pressure to delivery software products on time, security requirements are often poorly addressed or even neglected. During agile software development it is important to detect possible vulnerabilities. This dissertation describes a survey applied to members of software development teams who apply agile methods. Thus, 110 members of agile teams were identified through LinkedIns network of professionals who deployed, are in the process of being deployed or will still implement techniques and tools for vulnerability detection techniques and tools were identified. The questionnaire was based on three known safe software development processes, namely, the McGraw Process, OWASP CLASP, and the activities of Howard and Lipner. Data were collected through questionnaires and interviews. The analysis of the results used techniques of descriptive statistics and content analysis. They indicated the most widely used agile methods, the current use of techniques and tools, the skills, interests and training needs of agile teams in vulnerability detection techniques and tools. In addition, the benefits of implementing the techniques and tools, the motivations, the strategies, the difficulties, the limitations and the lessons learned were identified. The results suggest that special attention is still not given to detection of vulnerabilities in the agile teams whose members participated in the survey

Desenvolvimento de software

Engenharia de Software

Métodos Ágeis

Segurança de Software

Survey

Vulnerabilidades

Agile Methods

Software Development

Software Engineering

Software Security

Survey

Vulnerabilities

Culturally aligned security in banking : a system for rural banking in Ghana

Kwaa-Aidoo, Ephrem Kwaku

January 2010

This thesis is an investigation into the unique rural banking system in Ghana and the role of information systems in fraud control. It presents a robust information security and internal control model to deal with fraud for the banking system. The rural banking industry has been noted for poor internal control leading to fraud. This has resulted in poor performance and even the collapse of some banks. The Focus of the study was on the processes used to deliver banking services. To design a protection system, a number of rural banks were visited. This was to understand the environment, regulatory regimes and the structure and banking processes of the industry and banks. Systemic vulnerabilities within the industry which could be exploited for fraud were found. The lack of structures like an address system and unreliable identification documents makes it difficult to use conventional identification processes. Also the lack of adequate controls, small staff numbers and the cross organisational nature of some transactions among other cultural issues reduces the ability to implement transaction controls. Twenty fraud scenarios were derived to illustrate the manifestation of these vulnerabilities. The rural banking integrity model was developed to deal with these observations. This protection model was developed using existing information security models and banking control mechanisms but incorporating the nature of the rural banking industry and culture of its environment. The fraud protection model was tested against the fraud scenarios and was shown to meet the needs of the rural banking industry in dealing with its systemic vulnerabilities. The proposed community-based identification scheme deals with identification weaknesses as an alternative to conventional identity verification mechanisms. The Transaction Authentication Code uses traditional adinkra symbols. Whilst other mechanisms like the Transaction Verification Code design v internal controls into the banking processes. This deals with various process control weaknesses and avoids human discretion in complying with controls. Object based separation of duties is also introduced as a means of controlling conflicting tasks which could lead to fraud.

658.05

Intervenções de prevenção positiva: uma revisão de literatura / Not informed by the author

Rocco, Fernando Viana de Carvalho

22 January 2018

No campo da prevenção ao HIV, a maior parte dos esforços se dedica as pessoas soronegativas que nos programas e pesquisas aparecem como sinônimo de todos. A noção de Prevenção Positiva produzida no âmbito da resposta brasileira , por outro lado, considerou que as PVHA também necessitam de cuidados preventivos únicos. A presente dissertação se propõe a examinar a produção científica que descreve intervenções de prevenção positiva, bem como as suas possíveis contribuições na resposta à epidemia de HIV/AIDS, analisadas na perspectiva informada pelo quadro das vulnerabilidades e dos direitos humanos, que possibilitou a produção de uma noção singular de prevenção positiva ao longo da 3a década de epidemia. Para tanto, utilizamos como método de pesquisa a revisão de escopo (scoping review) que permitiu sintetizar o conhecimento sobre intervenções de prevenção positiva disponibilizadas nas bases de dados escolhidas (CINAHL, ERIC, Lilacs, MedLine, PsycInf, Scopus, Web of Science e Google Acadêmico). Dos 700 artigos recuperados, foram selecionados 15 artigos, a partir dos critérios de busca. Entre outros achados, os estudos confirmaram o entendimento de que, historicamente, a prevenção do HIV se constituiu no campo sócio-comportamental. Não à toa, as intervenções centraram-se quase inteiramente na prevenção da transmissão do HIV e controle da epidemia, não no bem-estar das pessoas vivendo com HIV. Discutimos que as intervenções disponíveis na literatura, apesar da esperada inovação cunhada como prevenção positiva, sustentam a mesma prioridade de proteger as pessoas HIV negativas de serem infectadas por seus parceiros HIV positivos e perdem a oportunidade de inovar programas existentes, a partir do momento que não levam em conta os contextos diferentes de vulnerabilidade social e ação programática, que excluem os marcadores de [8] desigualdade (como classe ou gênero) e os projetos de cada pessoa vivendo com HIV na sua vida cotidiana e sua vulnerabilidade pessoal. Defendemos a maior produtividade de uma concepção que supere esse modelo que leva à culpabilização das PVHA e à sobreposição de estigmas que enfrentam, para fortalecer uma noção de prevenção solidária e compartilhada realizada em intervenções de prevenção positiva balizadas pela atenção integral à saúde e pela defesa e promoção dos direitos humanos das pessoas afetadas pela AIDS / In the HIV prevention field, most part of the emissions are dedicated as seronegative people that appear in programs and researches as synonymous of all. The notion of Positive Prevention produced within the scope of the Brazilian response, conversely, considered that PLWHA also need single preventive care. This thesis proposes to examine the scientific production that describes positive prevention interventions as well as their possible contributions for the response to HIV/AIDS epidemic, analyzed from an informed perspective by the vulnerability and human rights framework, which made possible the production of single notion about the positive prevention throughout the 3rd epidemics decade. For this purpose, was used as a research method, a scoping review that allowed synthesizing knowledge about positive prevention interventions available in the chosen databases (CINAHL, ERIC, Lilacs, MedLine, PsycInf, Scopus, Web of Science and Google Scholar). Of the 700 recovered articles, were selected 15 articles based on the search criteria. Among other discoveries, the studies confirmed the understanding that, historically, HIV prevention has been in the socio-behavorial field. Not by accident, the interventions focused almost entirely on preventing HIV transmissions and controlling the epidemic, not on the well-being of people living with HIV. Was discussed that interventions available in the literature, despite the expected innovation named as positive prevention, support the same priority in protecting HIV negative people from being infected by their HIV positive partners and miss the opportunity to innovate existing programs, from the moment that they dont consider the distinct contexts of social vulnerability and programmatic action that exclude markers of inequality (such as class or gender) and the projects of each person living with HIV in their daily lives and personal vulnerability. We defend the higher productivity of a conception that [10] overcome this model that blames the PLWHA and the overlapping of stigmas they face in order to strengthen the notion of solidarity and shared prevention carried out in interventions of positive prevention defined by integral health care and the defense and promotion of the Human Rights of people affected by AIDS

Direitos humanos

HIV

HIV

Human rights

Positive prevention

Prevenção e controle

Prevenção positiva

Prevention and control

Vulnerabilidades em saúde

Vulnerabilities in health

Does Your TV Spy on You? : The security, privacy and safety issues with IoT

Viding, Emmie

January 2019

The growth of Internet of Things is steadily increasing, both in Sweden and globally. This relative new technology improves the lives of many; but at the price of their security, privacy and safety. This thesis consists of a literature study and an online survey. It investigates what security, privacy and safety risks Internet of Things devices may bring, how aware people are about these risks, how the user can minimize the risk of being hacked or attacked and what manufacturers can do to make safer Internet of Thing devices. The survey was created based on the risks related to Internet of Things devices which was found during the literature study. It was possible to identify security, privacy and safety risks related to Internet of Things. It was also possible to find answers of how both users and manufacturers can protect their devices from being hacked. The survey showed that there was a correlation between how interested people are in technology and how aware they are of the risks with Internet of Things. Internet of Things can be used to do DDoS attacks, espionage and eavesdropping. People who are interested in technology tends to protect themselves more actively (by changing default password and updating the software) compared to those who are not interested.

Internet of Things

Risks with IoT

Smart home vulnerabilities

Övrig annan teknik

Estudo sobre a topologia das redes criminais

Cunha, Bruno Requião da

January 2017

Nesta tese investigam-se três pontos ligados a fragilidades topológicas de grafos e suas aplicações a redes complexas reais e, em especial, a redes de relacionamentos criminais. Na primeira etapa, apresenta-se in abstracto um método inédito e eficiente de fragmentação de redes complexas por módulos. O procedimento identifica em primeiro lugar comunidades topológicas por meio da qual a rede pode ser representada usando algoritmos heurísticos de extração de comunidades. Então, somente os nós que participam de ligaçõees inter-comunitaárias são removidos em ordem decrescente de sua centralidade de intermediação. Ilustra-se o método pela aplicação a uma variedade de redes reais nas áreas social, de infraestrutura, e biológica. Mostra-se que a abordagem por módulos supera ataques direcionados a vértices baseados somente no ordenamento de índices de centralidade, com ganhos de eficiência fortemente relacionados à modularidade da rede.No segundo momento, introduzem-se os conceitos de robustez e fragilidade de redes generalizadas para avaliar o quanto um determinado sistema se comporta frente a ataques incompletos. Ainda, avalia-se o desempenho (relação entre robustez e custo computacional) de diversos ataques sequenciais e simultâneos a redes modulares por meio de uma medida empírica que chamamos de performance. Mostra-se por meio de redes artificiais de referência e de redes reais que para sistemas altamente modulares a estratégia de fragmentação por módulos apresenta um desempenho até 10 vezes superior aos demais ataques. Na última etapa, explora-se com maior profundidade a natureza subjacente de redes reais de relacionamentos criminais. Apresenta-se uma rede única e sem precedentes construída pela Polícia Federal Brasileira consistindo de mais de 35.000 relacionamentos entre 24.000 indivíduos. Os dados foram coletados entre abril e agosto de 2013 e consistem em informações fornecidas diretamente pelos investigadores responsáveis de cada caso. O sistema apresenta características típicas de redes sociais, porém é bem mais “escuro"que o comportamento típico, com baixos níveis tanto de densidade de arestas quanto de eficiência de rede. Além do mais, o sistema é extremamente modular o que implica ser possível desmantelar toda a rede de crimes federais brasileiros com a remoção de aproximadamente 2% dos indivíduos escolhidos conforme a prescrição do método modular. Também, a rede é controlável no sentido da teoria matemática de controle, significando que com acesso a aproximadamente 20% dos nós é possível, em tese, levar qualquer variável dinâmica de um estado inicial a um estado final arbitrário em um tempo finito. Exibi-se tambám uma análise topológica e de fragilidades de uma segunda rede criminal relacionada a investigações da Polícia Federal. Trata-se de um fórum online destinado à prática de crimes cibernéticos na chamada camada profunda da internet (deep web). (Continuação ) Após a coleta dos dados foi possível construir uma rede de relacionamentos com quase 10.000 indivíduos. Comparou-se, entãoo, a estratégia usada de fato pela Polícia Federal durante a Operação Darknet com a previsão teórica de ataques topológicos à rede criminal e mostrou-se que ataques dirigidos por grau teriam fragmentado o sistema de maneira quase 15 vezes mais eficiente. Por outro lado, esta rede não é modular apesar de novamente apresentar uma arquitetura mais “escura" que o usual. Por termo, demonstra-se que os ataques por arestas estão diretamente relacionados ao aprisionamento enquanto que a ressocialização e/ou morte dos indivíduos é melhor interpretada como a remoção por vértices. Destarte, comprovou-se que de um ponto de vista topológico a ressocialização é de fato mais eficiente em reduzir a criminalidade do que o aprisionamento. Contudo, na rede de crimes federais estudada essa diferenca é muito pequena, de tal modo que ambas as políticas poderiam, em tese, ser aplicadas a fim de se combater eficientemente o sistema criminoso. / In this thesis we investigate three points connected to topological fragilities of graphs and their applications to real complex networks and, in particular, to networks of criminal relationships. In the first step, we present an unprecedented and efficient method of fragmentation of complex networks by modules. Firstly, the procedure identifies topological communities through which the network can be represented using heuristic communities extraction algorithms. After that, only the nodes that bridge communities are removed in descending order of their betweenness centrality . We illustrate the method by the applying it to a variety of real networks in the social, infrastructure, and biological fields. We show that the modular approach outperforms attacks traditional attacks based only on the ordering of centrality indexes, with efficiency gains strongly related to the modularity of the network. In the second moment, we introduce the concepts of generalized robustness and fragility of networks to evaluate how much a certain system behaves in the face of incomplete attacks. Also, we evaluate the relation between robustness and computational cost of several sequential and simultaneous attacks to modular networks by means of an empirical measure that we call performance. In this sense, we show through artificial and real networks that for highly modular systems the strategy of fragmentation by modules presents a performance up to 10 times superior to traditional attacks. In the last step, we explore in more depth the underlying nature of real networks of criminal relationships. We present a unique and unprecedented network built by the Brazilian Federal Police consisting of more than 35,000 relationships among 24,000 individuals. The data were collected between April and August 2013 and consist of information provided directly by the investigators responsible for each case. The system has typical characteristics of social networks, but is much "darker"than traditional social networks, with low levels of edge density and network efficiency. Moreover, the network is extremely modular which implies that it is possible to dismantle all the network of Brazilian federal crimes with the removal of approximately 2% of the individuals chosen according to the modular method. Also the network is controllable in the sense of the mathematical control theory, meaning that with access only to 20% of nodes it is possible, In theory, to take any dynamic variable from an initial state to an arbitrary final state in a finite time. We also show a topological analysis of a second criminal network related to Federal Police investigations. This is an online forum for cybercrime in the so-called deep web. After the data collection, it was possible to build a network of relationships with almost 10,000 individuals. We then compared the strategy actually used by the Federal Police during Operation Darknet with the theoretical prediction of topological attacks on the criminal network and showed that degree-based attacks would have fragmented the system almost 15 times more efficiently. On the other hand, this network is not modular despite presenting a "darker"architecture than usual. As a last result, this particular system is not controllable in practical terms. We finish the study by showing that edge attacks are directly related to the imprisonment whereas the resocialization and/or death of the individuals is better interpreted as the removal of vertices. Thus, we prove that from a topological point of view resocialization is in fact more efficient in reducing crime rates than imprisonment. However, in the network of federal crimes studied here this difference is very small, so that both policies could in theory be applied in order to combat effectively the criminal system.

Topologia

Teoria de redes

Crimes federais

Complex networks

Network attack

Modular networks

Criminal networks

Federal police

Topological vulnerabilities

Vulnerabilities in a Wetter World : A study on migration as an adaptation strategy to climate change, with under-five mortality as an intermediating variable.

Kaufmann, Wanja

January 2019

This thesis strives to examine firstly if migration is a significant adaptation strategy to the experience of abundant precipitation, and secondly whether under-five mortality works attenuating or enhancing when being an intermediating factor. With cross-country panel data for precipitation and migration percentage for 169 countries over the world for the time period 1950-2005, a fixed effect model has been created for both parts of the analysis — in the first one to estimate the effects of abundant precipitation on migration flows, and in the second one to examine if and how the mortality rates of children under the age of five works as driver on the effect between abundant precipitation and migration. The results illustrated a positive and significant effect of precipitation on migration when same-year data was used. For the five-year lag data and the ten-year lag data, the null hypothesis which indicates that there is no relationship between the variables could not be rejected, but there were still results that indicated that the migration goes up in a five-year perspective and decreases in a ten-year perspective. The results from the first part of the analysis do not illustrate enormous effects. For the second part of the analysis, results show that the effect of precipitation on under-five mortality does, in contrary to the stated hypothesis, implicate an attenuation as opposed to an enhancement of the effect of precipitation on migration. Due to low precision and non-significant results, it is not possible to determine how exactly the effects are directly affecting each other. This thesis has however helped to prove that one can reject that the effects are strongly enhancing each other.

Climate change

precipitation

under-five-mortality

migration

panel data

climate refugees

vulnerabilities

climate change adaptation

Economics

Nationalekonomi

Att hitta akilleshälen : sårbarhetsanalyser till stöd för militär planering / Finding the Achilles’ heel : vulnerability analyses in support of military planning

Magnét, Erik

January 2018

Enligt gällande västliga militära planeringsdoktriner, inklusive den svenska som den formuleras i Svensk planerings och ledningsmetod (SPL), är tyngdpunktsanalyser av såväl motståndaren som den egna sidan avgörande steg i planeringsprocesserna på både strategisk och operativ nivå. Tyngdpunkten kan anfallas eller påverkas direkt eller indirekt, i det ideala fallet genom att slå mot kritiska sårbarheter. Kritiska sårbarheter kan ofta vara av teknisk karaktär, vilket historiska erfarenheter visar. Bristande teknisk förståelse riskerar därmed leda till att kritiska sårbarheter hos fienden inte exploateras och att våra egna inte skyddas. De nyckelfaktorer som bygger upp tyngdpunkten ska enligt doktrinerna identifieras genom systemanalys. Beskrivningarna av vad en systemanalys är eller hur denna kan genomföras saknar dock både tillräckligt djup och tydlighet för att kunna användas praktiskt och ge önskad kvalitet. Detta riskerar att ge stora konsekvenser för den fortsatta planeringen. I uppsatsen föreslås en utvecklad metod för tyngdpunktsanalys, med fokus på hur de kritiska sårbarheterna identifieras och värderas. Metodens huvudsakliga moment är modellering och klassificering, där klassificeringsmomentet sker med en föreslagen metod som hämtat stöd från såväl verkansprocessen som civil forskning om systemsårbarheter. Metoden operationaliseras i uppsatsen och prövas i en fallstudie med två fall. Slutsatserna från undersökningen indikerar att den föreslagna metoden är användbar och har förklaringskraft i de undersökta fallen. För att analysen av kritiska sårbarheter ska nå tillräcklig kvalitet krävs djupa systemkunskaper och inte minst resurser i form av personal och tid. Den föreslagna metoden behöver prövas i sin helhet för att utvärdera den praktiska användbarheten. / According to contemporary western military doctrines, and Swedish doctrine is no exception, analyses of the centers of gravity of enemy and friendly forces are vital steps in the planning process at the strategic and operational levels of war. Centers of gravity might be attacked or influenced directly or indirectly, ideally by targeting critical vulnerabilities. Critical vulnerabilities are often of a technical nature, as shown by historical experience. A lack of technical understanding might lead to enemy vulnerabilities not being exploited and our own not being adequately protected. According to doctrine, a center of gravity’s key factors should be identified through systems analysis of enemy and friendly forces. However, descriptions of what these analyses are, or how they should be conducted, lack sufficient depth and clarity to be used in practice and provide sufficient quality. This is likely to have negative consequences for continued planning. This thesis proposes a developed method for center of gravity analysis, focusing on the identification and evaluation of critical vulnerabilities. The main elements of the method are modeling and classification, where the classification is conducted using a proposed method, supported by a method within the targeting process, and by civilian research into system vulnerabilities. The full method is operationalized in the thesis and tested in a two-case study. The conclusions from the study indicate that the proposed method is usable and has explanatory value in the cases studied. To achieve sufficient quality in the analysis of critical vulnerabilities, in-depth systems knowledge and, not least, resources in terms of staff and time are required. The proposed method needs to be tested in its entirety to evaluate its practical usability.

Center of Gravity analysis

Critical vulnerabilities

Systems analysis

Operational planning

Tyngdpunktsanalys

kritiska sårbarheter

systemanalys

operativ planering

Other Engineering and Technologies

Annan teknik

An Evaluation of Florida Gulf Coast University's Residence Life Staff Member's Hurricane Preparedness

Floto, Erin

02 July 2014

Florida Gulf Coast University (FGCU) is located along the coast of the Gulf of Mexico in southern Florida, in an area vulnerable to hurricane strikes. At FGCU, The Office of Housing and Residence Life (OHRL) is responsible for three locations on- and off-campus where students reside in apartment or suite-style housing. Due to the large number of students with varying backgrounds, the OHRL staff members have become essential personnel during severe weather events that may cause safety concerns for the residents living in OHRL housing locations. This study's purpose is to assess the Residence Life staff on their level of preparedness in the event of a hurricane strike, including carrying out severe weather procedures and maintaining the safety of residents. After running multiple regression analyses, bivariate correlations, and t-tests, this study indicates that those with a higher hurricane knowledge and experience score were more likely to be females and that one's preparedness confidence was the single independent variable found to have a relationship with, and was considered a predicting variable for, the dependent variable (preparedness as an RA/RD). Further analysis was done to consider specific answers on RA's and RD's knowledge of FGCU procedures in comparison to recent campus emergency management studies to consider the overall effectiveness of their procedures. Findings indicate that improvements can be made in the areas concerning their knowledge of when to evacuate, their duties for evacuation, and how the university communicates information. This study and survey can be adapted further to expand on student vulnerabilities to include a more broad range of students, schools and teacher's vulnerabilities, and expanded to include more natural hazards.

Campus Emergency Management

Disasters

Factor Analysis

Multiple Regression Analysis

Student Vulnerabilities

Environmental Sciences

Higher Education and Teaching

Statistics and Probability