
Dissertations / Theses on the topic 'Information security practice tests'


Consult the top 32 dissertations / theses for your research on the topic 'Information security practice tests.'


1

Ashenden, D. M. "Information security awareness : improving current research and practice." Thesis, University College London (University of London), 2015. http://discovery.ucl.ac.uk/1469598/.

Abstract:
Large-scale data losses experienced across both public and private sector organisations have led to expectations that organisations will develop a culture that supports information security aims and objectives. Despite the fact that many organisations now run awareness, education and training programmes for their employees, however, information security incidents due to employee misuse of information still keep occurring. This suggests that these programmes are not working. The research presented in this thesis examines ways to better understand employees’ attitudes towards information security with a view to improving current organisational practice. The research explores whether Chief Information Security Officers are delivering organisational change for information security, before moving on to better understand employees’ attitudes and how these are translated into behaviours. The research takes a mixed-methods approach that is not often used in information security research and combines both qualitative and quantitative analytical methods, grounded in the theory of social psychology. Case studies are carried out with Chief Information Security Officers as well as at the Office of Fair Trading and Prudential plc. The research delivers a survey tool that can be used in organisations to better understand how to frame information security messages so that they achieve their aims. An expert panel of users evaluated the survey. The research concluded that end users fall into two groups – the ‘I Can Handle It Group’ and the ‘It’s Out of My Control Group’ and these substantive findings have been validated by a field experiment. By mirroring the attributions of the dominant group the field experiment demonstrates that it is possible to influence employees’ behaviour.
2

Williams, Patricia A. "An investigation into information security in general medical practice." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2007. https://ro.ecu.edu.au/theses/274.

Abstract:
Increased demand by governments and patients for better healthcare communication has seen a growth in adoption of electronic medical records, with general practice as the cornerstone of this distributed environment. In this progressively more electronic state, general practice is charged with the responsibility to ensure confidentiality and privacy of patient information. However, evidence suggests that protection of patient information is poorly handled in general practice. The deficiency in awareness of vulnerability and risk, together with the lack of appropriate controls and knowledge, leaves medical practice insecure and potentially vulnerable to information security breaches.
3

Hove, Cathrine, and Marte Tårnes. "Information Security Incident Management : An Empirical Study of Current Practice." Thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2013. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-22651.

Abstract:
An increasing use of digital solutions suggests that organizations today are more exposed to attacks than before. Recent reports show that attacks get more advanced and that attackers choose their targets more wisely. Despite preventive measures being implemented, incidents occur occasionally. This calls for effective and efficient information security incident management. Several standards and guidelines addressing incident management exist. However, few studies of current practices have been conducted. In this thesis an empirical study was conducted where organizations' incident management practices were studied. The research was conducted as a case study of three large Norwegian organizations, where the data collection methods were interviews and document studies. Our findings show that the organizations were relatively compliant with standards and guidelines for incident management, but that there was still room for improvements. We found communication, information dissemination, employee involvement, experience and allocation of responsibilities to be important factors to an effective and efficient incident management process. Finally, we contribute with recommendations for performing successful information security incident management. We recommend organizations to use standards and guidelines as a basis for incident management, conduct regular rehearsals, utilize employees as part of the sensor network in incident detection and to conduct awareness campaigns for employees.
4

Mahncke, Rachel J. "Measuring and applying information security governance within general medical practice." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2016. https://ro.ecu.edu.au/theses/1797.

Abstract:
Australia is in the process of adopting a national approach towards the secure electronic exchange of health information. The health information contributions of general practices as the primary point of patient medical care, will be critical to the success of an interoperable national healthcare system. Sharing information creates vulnerabilities by increasing exposure to information security threats. Consequently, improvement in information security practice within general practice may positively contribute towards improved patient care by providing access to timely and accurate information. There is renewed focus within general practice on information security, inter alia the introduction of: the Royal Australian College of General Practitioners (RACGP, 2014) Computer and Information Security Standards (CISS, 2013); privacy law reform in 2014; an evolving national electronic health record system; litigation relating to information breaches; and continuing Australian public support for mandatory data breach notification legislation. The implementation of reliable information security procedures within general practices will be critical to secure the exchange of confidential patient information. Protecting patient health information requires appropriate security measures in regards to technologies, policies, and procedures as well as ensuring that staff are well trained and aware of these security activities. Adherence to industry standard security activities will enable general practices to take responsibility for their information security thereby minimising the threat of lost or stolen information. To meet the rising number of information security threats, general practices need to adopt a framework of accountability and control to address and demonstrate effective information security management and governance.
The governance component of information security remains insufficiently addressed within Australian general practice at present. This thesis demonstrates an application of international standards at a strategic level, and proposes a functional process improvement framework against which general practices can assess and implement effective information security governance. This interpretation and operationalisation of international governance of information security standard ISO/IEC 27014:2013 (ISO, 2013), had not previously been undertaken. Further, application of information security governance within the Australian general practice environment had not previously been undertaken, and formed the basis for establishing a positive information security culture. A qualitative action research methodology was utilised for the collection of national data. Further, iterative action research cycles were applied to develop the practical information security governance framework for use within general practice. Following a review of the literature, a preliminary framework was developed to include industry best practice standards and information security compliance criteria applicable to general practice. This initial governance framework extends the industry security standards developed by the RACGP CISS (2013), ISACA’s COBIT 5 (2012), NEHTA’s NESAF (2012) governance framework and Williams’ TIGS-CMM model (2007c). Information security experts validated the information security governance framework during focus groups and interview data collections, which included representatives from key Australian healthcare organisations. Following development, the governance framework was applied and tested within general practices during iterative cycles of interviews. General practice participants conducted a self-assessment against the framework, responded to semi-structured interview questions, and policy documentation was analysed.
The governance framework was revised following these iterations and cycles of action research. The objective of this research method was to achieve a ‘theoretical saturation’ of the theory whereby the patterns in the general practice interviews indicated when no new information was being yielded (Mason 2010). A final cycle of a general practice interview was conducted to verify the appropriateness of the information security governance framework within Australian general practice. The contribution of this research was both theoretical and practical. A holistic governance framework and process was synthesised and formulated, which aimed to assist general practices to meet their legal and industry related compliance security responsibilities, by securing information assets in an escalating threat environment. The governance approach was designed to be achievable and sustainable for general practices over time, whilst encouraging incremental improvement in security performance. To address the people aspect of security, the governance process incorporated a risk-based structure for the review of security breaches and performance measures, to assist in making the necessary governance decisions by amending policies and processes, and accessing the required training. This strategic approach extends international and industry best practice of information security governance for use in Australian general practice, with the aim of improving the protection of confidential health information.
5

Mirbaz, Jamshid. "Säkerhetsstyrning inom den Finansiella Sektorn : En Studie på Best Practice hos Tre Svenska Banker." Thesis, KTH, Industriella informations- och styrsystem, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-98863.

Abstract:
For organizations that handle sensitive information, IT governance and information security are necessities in order to maintain credibility and to conduct its business efficiently. There are several known processes to increase security governance – which is a fusion of information security and IT governance. This master thesis examines if organizations use recognized processes and if it in that case would lead to higher security. The study is qualitative and conducted in the financial sector and based on Best Practice frameworks of the security governance in Swedish banks. Data collection was done through interviews and surveys that were triangulated to get a gathered picture of the quality of the security governance activities. The questionnaire surveys were graded according to the Likert scale. This work shows that banks use the processes described in the theory section, Chapter 3, and that they have adapted them to the business. The results from both the interviews and questionnaires show that Bank 3 has a high degree of security governance in the organization. This bank also had good cooperation and communication between the business and the IT side - they worked well aligned. There are clear indications that show that the banks take the methods and processes described in the study into consideration, but that they were adapted to the banks' operations. It is important that business and IT find meeting places - both parties need to contribute with their expertise to achieve the best possible outcome - a safe basis for security governance.
6

Vega, Laurian. "Security in Practice: Examining the Collaborative Management of Sensitive Information in Childcare Centers and Physicians' Offices." Diss., Virginia Tech, 2011. http://hdl.handle.net/10919/37552.

Abstract:
Traditionally, security has been conceptualized as rules, locks, and passwords. More recently, security research has explored how people interact in secure (or insecure) ways in part of a larger socio-technical system. Socio-technical systems are comprised of people, technology, relationships, and interactions that work together to create safe praxis. Because information systems are not just technical, but also social, the scope of privacy and security concerns must include social and technical factors. Clearly, computer security is enhanced by developments in the technical arena, where researchers are building ever more secure and robust systems to guard the privacy and confidentiality of information. However, when the definition of security is broadened to encompass both human and technical mechanisms, how security is managed with and through the day-to-day social work practices becomes increasingly important. In this dissertation I focus on how sensitive information is collaboratively managed in socio-technical systems by examining two domains: childcare centers and physicians' offices. In childcare centers, workers manage the enrolled children and also the enrolled child's personal information. In physicians' offices, workers manage the patients' health along with the patients' health information. My dissertation presents results from interviews and observations of these locations. The data collected consists of observation notes, interview transcriptions, pictures, and forms. The researchers identified breakdowns related to security and privacy. Using Activity Theory to first structure, categorize, and analyze the observed breakdowns, I used phenomenological methods to understand the context and experience of security and privacy. The outcomes from this work are three themes, along with corresponding future scenarios. The themes discussed are security embodiment, communities of security, and zones of ambiguity.
Those themes extend the literature in the areas of usable security, human-computer interaction, and trust. The presentation will use future scenarios to examine the complexity of developing secure systems for the real world.
Ph. D.
7

Shear, Christopher James. "Business counterintelligence : sustainable practice or passing fad?" Thesis, Stellenbosch : University of Stellenbosch, 2009. http://hdl.handle.net/10019.1/1930.

Abstract:
Thesis (MA (Information Science))--University of Stellenbosch, 2009.
Traditional information protection mechanisms are no longer adequately placed to effectively deal with the adversarial threats that have arisen as a result of the rise in importance of knowledge for today’s organisations. Business counterintelligence appears to be a protective entity, which in principle can effectively engage with and mitigate many of these newly manifested threats. Yet, business counterintelligence is also an entity that is accompanied by a great deal of haze and confusion as to its use, implementation and integration within different organisations. This is evident from the literature where there currently exist multiple fragmented definitions of what business counterintelligence is. Organisations may as a result adopt a particular business counterintelligence definition that may not be effective for their context. This can result in the ineffective protection of critical information assets and the misappropriation of organisational resources; something which is not sustainable. This thesis proposes that in order to allay the confusion caused by these differing fragmented definitions, one needs to be able to arrive at a consolidated definition of what constitutes business counterintelligence; this thesis’s primary objective. This has been examined by firstly contextualising business counterintelligence in order to better understand the topic; the information society was used as a backdrop for this purpose. Secondly, an examination of the prevailing views of business counterintelligence and its role within organisations is offered in order to build clarity. Thirdly, a consolidated definition of business counterintelligence is proposed and its implications for different organisations examined. Finally, the implications of this consolidated definition for the sustainability of business counterintelligence are discussed and conclusions based on the evidence presented within the thesis drawn. 
Based on the arguments presented, this thesis postulates that a consolidated definition of business counterintelligence is more effective and is thus more sustainable.
8

Sestorp, Isak, and André Lehto. "CPDLC in Practice : A Dissection of the Controller Pilot Data Link Communication Security." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-159840.

Abstract:
Controller-Pilot Data Link Communication, a technology that has been introduced to help offload the congested, previously used voice communication in larger airports, has in recent years started being questioned on its sufficiency in security. As the traffic load in air traffic communication keeps demanding more reliable and secure systems, we will in this thesis look at how widely CPDLC is actually used in practice in Europe. By using the newly introduced technology in software defined radios, we show that it is possible to capture and decode CPDLC messages to readable plain text. We furthermore discuss which type of attacks that could be possible with information retrieved from CPDLC communication.
9

Sarmonpal, Sandra. "Learning Analytics from Research to Practice| A Content Analysis to Assess Information Quality on Product Websites." Thesis, Pepperdine University, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=13421041.

Abstract:

The purpose of this study was to examine and describe the nature of the research to practice gap in learning analytics applications in K12 educational settings. It was also the purpose of this study to characterize how learning analytics are currently implemented and understood. A secondary objective of this research was to advance a preliminary learning analytics implementation framework for practitioners. To achieve these purposes, this study applied quantitative content analysis using automated text analysis techniques to assess the quality of information provided on analytics-based product websites against learning analytics research. Because learning analytics implementations require adoption of analytical tools, characterizing content on analytics-based product websites provides insight into data practices in K12 schools and how learning analytics are practiced and understood. A major finding of this study was that learning analytics do not appear to be applied in ways that will improve learning outcomes for students as described by the research. A second finding was that policy influence expressed in the study corpus suggests competing interests within the current policy structure for K12 education settings. Keywords: quantitative content analysis, automated text analysis, learning analytics, big data, frameworks, educational technology, website content analysis

10

Nguyen, Ngoc Tan. "A Security Monitoring Plane for Information Centric Networking : application to Named Data Networking." Thesis, Troyes, 2018. http://www.theses.fr/2018TROY0020.

Abstract:
The current architecture of the Internet has been designed to connect remote hosts. But the evolution of its usage, which is now similar to that of a global platform for content distribution undermines its original communication model. In order to bring consistency between the Internet's architecture with its use, new content-oriented network architectures have been proposed, and these are now ready to be implemented. The issues of their management, deployment, and security now arise as locks essential to lift for Internet operators. In this thesis, we propose a security monitoring plan for Named Data Networking (NDN), the most advanced architecture which also benefits from a functional implementation. In this context, we have characterized the most important NDN attacks - Interest Flooding Attack (IFA) and Content Poisoning Attack (CPA) - under real deployment conditions. These results have led to the development of micro-detector-based attack detection solutions leveraging hypothesis testing theory. The approach allows the design of an optimal (AUMP) test capable of providing a desired false alarm probability (PFA) by maximizing the detection power. We have integrated these micro-detectors into a security monitoring plan to detect abnormal changes and correlate them through a Bayesian network, which can identify events impacting security in an NDN node. This proposal has been validated by simulation and experimentation on IFA and CPA attacks.
11

Lukweza, Chishala. "An investigation into the state-of-practice of information security within Zambian copper mines: a case study." Thesis, Rhodes University, 2011. http://hdl.handle.net/10962/d1002776.

Abstract:
Zambian copper mines have embraced the use of information technologies for strategic operations and competitive advantage. This dependence on these technologies has not only been seen in the physical aspects of business operations but also in the use of information systems such as Enterprise Resource Planning Systems (ERPs) for strategic decision making and increased usage of Industrial Control Systems (ICS’) that are meant to enhance operational efficiency in production areas. A survey was conducted to explore leadership perceptions on information security practices in Zambian copper mines and an ISO/IEC 27002 Audit Tool was administered to middle management in a particular mine for an in-depth analysis of their information security practices. Results revealed that although information security controls may have been put in place in these organisations, there are still areas that require attention. Senior management and middle management have different perceptions as to the extent to which information security practices are conducted in these copper mines. This implies that management may not be fully involved in certain aspects of these organisations’ information security practices. The results concluded that management needs to be fully involved and provide support for information security programs. Furthermore, these information security programs should be standardised so as to effectively protect these organisations’ information assets. This should also include the involvement of personnel as key players in the information security process.
12

Tidwell, Craig Leonard. "Testing the impact of training with simulated scenarios for information security awareness on virtual community of practice members." Doctoral diss., University of Central Florida, 2011. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/5058.

Abstract:
Even though the null hypothesis, which stated that there would be no difference between the groups' scores on the information security awareness tests, was not rejected, the groups that received the initial training with the simulated scenarios did perform slightly better from the pre-training test to the post-training test when compared with the control group that did not receive the initial training. More research is suggested to determine how information security awareness training with simulated scenarios and follow-up testing can be used to improve and sustain the security practices of members of virtual communities of practice. Specifically, additional research could include: comparing the effect of training with the simulated scenarios and with training that would not use the simulated security scenarios; the potential benefits of using adaptive and intelligent training to focus on the individual subjects' weaknesses and strengths; the length of the training with simulated scenarios events, the time between each training event, and the overall length of the training; the demographics of the groups used in the training, and how different user characteristics impact the efficacy of the training with simulated scenarios and testing; and lastly examining how increasing the fidelity of the simulated scenarios might impact the results of the follow-up tests. Information security has become a major challenge for all private and public organizations. The protection of proprietary and secret data and the proper awareness of what is entailed in protecting this data are necessary in all organizations. This treatise examines how simulation and training would influence information security awareness over time in virtual communities of practice under a variety of security threats.
The hypothesis of the study was that security-trained members of a virtual community of practice would respond significantly better to routine security processes and attempts to breach security or to violate the security policy of their organization or of their virtual community of practice. Deterrence theory was used as the grounded theory and integrated in the information security awareness training with simulated scenarios. The study provided training with simulated scenarios and then tested the users of a virtual community of practice over an approximately twelve-week period to see if the planned security awareness training with simulated security problem scenarios would be effective in improving their responses to the follow-up tests. The research subjects were divided into four groups, the experimental group and three control groups. The experimental group received all of the training and testing events throughout the twelve-week period. The three control groups received various portions of the training and testing. The data from all of the tests were analyzed using the Kruskal-Wallis ranked order test, and it was determined that there was no significant difference between the groups at the end of the data collection.
ID: 029809175; System requirements: World Wide Web browser and PDF reader.; Mode of access: World Wide Web.; Thesis (Ph.D.)--University of Central Florida, 2011.; Includes bibliographical references (p. 189-196).
Ph.D.
Doctorate
Engineering and Computer Science
Modeling and Simulation
13

Al, Smadi Duha. "Information Sharing and Storage Behavior via Cloud Computing: Security and Privacy in Research and Practice and Users' Trust." Thesis, University of North Texas, 2019. https://digital.library.unt.edu/ark:/67531/metadc1505164/.

Abstract:
This research contributes to the cloud computing (CC) literature and information science research by addressing the reality of information sharing and storage behavior (ISSB) of the users' personal information via CC. Gathering information about usage also allows this research to address the paradox between the research and practice. Additionally, this research explores the concept of trust and its role in the behavioral change relative to CC. The findings help reconcile the paradox between the two realms. Essay 1 develops and tests cloud computing usage model (CCUM) that assesses ISSB. This model considers the main adoption determinants and the main drawbacks of CC. The study measures the main concerns of users found in the literature, perceived security and perceived privacy. The findings prove surprising on these concerns. Using multiple regression to analyze 129 valid survey responses, the results find that CC users are less concerned about the major issues of security and privacy and will use the technology based on peer usage. Essay 2 examines why users ignore the technology issues and elect to replace the traditional mechanisms for handling their personal information. The results of an interview-based study conducted on 11 normal users and 11 IT professionals clarify their perceptions about CC and examine its readiness to handle their information from an end-user perspective. Essay 3 explores the CC literature to identify the major factors associated with the users' trust beliefs. The research conducted in this essay groups these factors into three categories. The posited and tested model examines the effect of perceived trust on ISSB. A structural equation modeling approach is used to analyze 1228 valid responses and tests the developed cloud computing trust model. The results provide multiple implications for CC researchers, managers, and service providers.
14

Garcia-Patron, Sanchez Raul. "Quantum information with optical continuous variables: from Bell tests to key distribution." Doctoral thesis, Universite Libre de Bruxelles, 2007. http://hdl.handle.net/2013/ULB-DIPOT:oai:dipot.ulb.ac.be:2013/210655.

Abstract:
In this thesis we have studied different aspects of the novel field of quantum information with continuous variables. The higher efficiency and bandwidth of homodyne detection, combined with the ease of generation and manipulation of Gaussian states, make continuous-variable quantum information a promising and flourishing field of research. This dissertation is divided into two parts. The first part explores two applications of the “photon subtraction” operation: firstly, a technique to generate highly non-Gaussian single-mode states of light; secondly, an experimental setup capable of realizing a loophole-free Bell test. The second part of this dissertation develops a detailed analysis of an important family of continuous-variable quantum key distribution protocols, namely those based on Gaussian modulation of Gaussian states.
Doctorate in Engineering Sciences
15

Siganto, Jean Josephine. "Transparent, balanced and vigorous: The exercise of the Australian Privacy Commissioner's powers in relation to National Privacy Principle 4." Thesis, Queensland University of Technology, 2015. https://eprints.qut.edu.au/83792/4/Jean_Siganto_Thesis.pdf.

Abstract:
This thesis considers whether the Australian Privacy Commissioner's use of its powers supports compliance with the requirement to 'take reasonable steps' to protect personal information in National Privacy Principle 4 of the Privacy Act 1988 (Cth). Two unique lenses were used. First, the Commissioner's use of powers was assessed against the principles of transparency, balance and vigorousness and secondly against alignment with an industry practice approach to securing information. Following a comprehensive review of publicly available materials, interviews and investigation file records, this thesis found that the Commissioner's use of his powers has not been transparent, balanced or vigorous, nor has it been supportive of an industry practice approach to securing data. Accordingly, it concludes that the Privacy Commissioner's use of its regulatory powers is unlikely to result in any significant improvement to the security of personal information held by organisations in Australia.
16

Wang, Qianxue. "Création et évaluation statistique d'une nouvelle de générateurs pseudo-aléatoires chaotiques." Thesis, Besançon, 2012. http://www.theses.fr/2012BESA2031.

Abstract:
In this thesis, a new way to generate pseudorandom numbers is presented. The proposition is to mix two existing generators with discrete chaotic iterations that satisfy Devaney’s definition of chaos. A rigorous framework is introduced, where topological properties of the resulting generator are given, and two practical designs are presented and evaluated. It is shown that the statistical quality of the inputted generators can be greatly improved in this way, thus fulfilling the up-to-date standards. Comparisons between these two designs and existing generators are investigated in detail. Among other things, it is established that the second designed technique outperforms the first one, both in terms of performance and speed. In the first part of this manuscript, the iteration function embedded into chaotic iterations is the vectorial Boolean negation. In the second part, we propose a method using graphs having strongly connected components as a selection criterion. We are thus able to modify the iteration function without deflating the good properties of the associated generator. Simulation results and basic security analysis are then presented to evaluate the randomness of this new family of pseudorandom generators. Finally, an illustration in the field of information hiding is presented, and the robustness of the obtained data hiding algorithm against attacks is evaluated.
17

Montesdioca, Gustavo Percio Zimmermann. "Satisfação do usuário com as práticas de segurança da informação." reponame:Biblioteca Digital de Teses e Dissertações da UFRGS, 2013. http://hdl.handle.net/10183/72774.

Abstract:
Information security has been a major concern for management in recent decades and is responsible for major losses in organizations. The prevention of these problems can be achieved through user education and awareness on using technology safely, using practices that are consistent with the information security policies of the firm. Managers face difficulties in understanding and deciding what action should be taken to protect information systems. Lack of knowledge and metrics on information security are the main problems reported by managers for decisions on information security investments. Several studies indicate that user involvement and investment in training and awareness are the most effective way to avoid problems related to information security. User satisfaction is one of the proven ways to measure the quality of investment and use intention of information systems. The objective of this research is to develop an instrument to measure user satisfaction with information security practices. To achieve this goal, factors to measure IS user satisfaction were identified in the literature. A research instrument was developed based on these factors to measure user satisfaction with information security practices. A conceptual model was developed and a survey was conducted with enterprise information systems users. A total of 229 responses were obtained, with 173 usable questionnaires. Covariance-based structural equation modeling was used to evaluate the model and research hypotheses. The result indicates satisfaction with the perceived benefits from information security compared with the efforts to achieve them, but user dissatisfaction over the use of information systems with security practices.
18

Norris-Jones, Lynne. "Demonstrate and document : the development of a best practice model for biometric access control management." Thesis, Cardiff Metropolitan University, 2011. http://hdl.handle.net/10369/6411.

Abstract:
This thesis investigates the social, legal and ethical perceptions of participants towards the implementation of biometric access control systems within a sample of United Kingdom work-based environments. It focuses on the application of fingerprint scanning and facial recognition systems, whilst alluding to the development of more advanced (bleeding edge) technologies in the future. The conceptual framework is based on a tripartite model in which Maslow's Hierarchy of Needs is applied to the workforce whilst the principles of Utilitarianism and the Psychological Contract are applied to both management strategies and workforce perceptions. A qualitative paradigm is used in which semi-structured interviews are conducted with management and workforce participants within a sample of United Kingdom-based organisations (represented by Case Studies A-D). Discourse from these interviews is analysed, leading to the development of a series of first-cut findings for suggested "Best Practice" in the social, legal and ethical management of biometric access control systems. This process is subsequently developed with a refined sample of respondents (Case Studies A and C) culminating in the presentation of a suggested "Best Practice Model" for application to all four case studies. The model is based upon elements of a pre-determined Code of Practice (ISO/IEC 27002 Information Technology - Security techniques - Code of Practice for Information Security Management) towards fostering acceptance of biometric technology within the workplace, in answering the question: How should organisations using biometric access control systems address social, legal and ethical concerns in the management of specific working environments in the United Kingdom?
19

Rapp, Axel. "Web site security maturity of the European Union and its member states : A survey study on the compliance with best practices of DNSSEC, HSTS, HTTPS, TLS-version, and certificate validation types." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-20127.

Abstract:
With e-governance steadily growing, citizen-to-state communication via Web sites is as well, placing enormous trust in the protocols designed to handle this communication in a secure manner. Since breaching any of the protocols enabling Web site communication could yield benefits to a malicious attacker and bring harm to end-users, the battle between hackers and information security professionals is ongoing and never-ending. This phenomenon is the main reason why it is of importance to adhere to the latest best practices established by specialized independent organizations. Best practice compliance is important for any organization, but maybe most of all for our governing authorities, which we should hold to the highest standard possible due to the nature of their societal responsibility to protect the public. This report aims to, by conducting a quantitative survey, study the Web sites of the governments and government agencies of the member states of the European Union, as well as Web sites controlled by the European Union to assess to what degree their domains comply with the current best practices of DNSSEC, HSTS, HTTPS, SSL/TLS, and certificate validation types. The findings presented in this paper show that there are significant differences in compliance level between the different parameters measured, where HTTPS best practice deployment was the highest (96%) and HSTS best practice deployment was the lowest (3%). Further, when comparing the average best practice compliance by country, Denmark and the Netherlands performed the best, while Cyprus had the lowest average.
20

Carvalho, Luciano Gonçalves de. "Requisitos e testes de segurança para brinquedos inteligentes." Universidade de São Paulo, 2017. http://www.teses.usp.br/teses/disponiveis/100/100131/tde-15022018-003245/.

Abstract:
Toys are an essential part of our culture, and they have evolved over time. Currently, we can find in the market toys equipped with electronic circuits and sensors able to collect environmental and personal data from users. They are also able to automatically connect to communication networks through wireless network protocols in order to access mobile services aiming at customizing the gaming experience for each user. Known as smart toys, these are part of a so-called toy computing environment, consisting of a physical toy, a mobile device, which can be a tablet or smartphone, and a mobile app, which can control the physical toy and share information with mobile services. This new type of toy, which belongs to a new type of environment and also presents characteristics of the Internet of Things, raises issues regarding information security which did not exist in conventional toys. Such issues, hence, should be treated in a way that avoids losses to the users of this technology. Accordingly, this research project presents twenty-two (22) general security requirements identified following the Microsoft Security Development Lifecycle (SDL) and the threat modeling supported by the threat model STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege). These requirements address security issues that smart toys should meet to avoid the main existing threats. All considered issues were extracted from the Children's Online Privacy Protection Act (COPPA), General Data Protection Regulation (GDPR) and Personal Information Protection and Electronic Documents Act (PIPEDA). Furthermore, we have also identified a general set of security tests based on the SDL process to check whether the identified security requirements have been met. A further analysis of the smart toys currently available in the market and their publicly reported security flaws gives evidence of the importance of meeting the proposed security requirements and executing the proposed security tests to avoid several security problems.
21

Roberts, Anthea Elizabeth. "Is International Law International?" Phd thesis, Canberra, ACT : The Australian National University, 2017. http://hdl.handle.net/1885/124611.

Abstract:
International lawyers are familiar with the question: “Is international law law?” But this thesis instead asks the question: “Is international law international?” Using a variety of methods, this work sheds light on some of the ways in which international law as a transnational legal field is constructed by international law academics, and is conceptualized in international law textbooks, in the five permanent members of the Security Council: the People’s Republic of China, the French Republic, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland, and the United States of America. It explores how different national communities of international lawyers construct and pass on their understandings of “international law” in ways that belie the field’s claim to universality, perpetuating certain forms of difference and dominance. By adopting a comparative approach, it aims to make international lawyers more aware of the frames that shape their own understandings of and approaches to the field, as well as how these might be similar to or different from the frames adopted by those coming from other states, regions or geopolitical groupings. It also examines how some of these patterns might be disrupted as a result of shifts in geopolitical power, such as the movement from unipolar power toward greater multipolarity and the growing confrontations between Western liberal democratic states (like the United States, the United Kingdom, and France) and non-Western authoritarian states (like China and Russia).
22

Lin, Gary, and 林俊銘. "Enterprise Information Security - Backup Systems Planning and Practice." Thesis, 2002. http://ndltd.ncl.edu.tw/handle/47151235587414698218.

Abstract:
Master's
National Sun Yat-sen University
Graduate Institute of International Executive Business Management
90
It is well understood that competitiveness is the foundation of business. Efficient information acquisition, distribution and protection proves not only to improve a business’s competitiveness but also to extend business value to both business partners and customers. Consequently, information security has been a rigorous and sustained challenge to business. Thanks to the booming evolution of information technology, businesses nowadays have adopted it widely for business operations. The September 11 catastrophe in the US brought to business a significant yet unforeseen impact: information security reassessment on both backup systems and disaster recovery planning. This document aims at exploring the status quo of domestic enterprises in this regard as well as possible obstacles to the implementation. Through field research and thorough understanding, we’ve observed the differentiation among the industries we investigated. Meanwhile, we hoped to come up with some solid recommendations and awareness for business by applying a generally acknowledged standard, the BS7799 rules and policies. With that in mind, enterprises would then be able to move faster toward globalization. For a long time, IT professionals have tended to use tape or jukebox as primary data backup media. Today, we can only rely on those tools for alternatives. Drawing on my current working field, I take the opportunity to introduce high-level technological system frameworks, practices and experiences from international key players in this field. Enterprises are also recommended to start the “BIA (Business Impact Analysis)” to outline a proper DR and Contingency Plan for the sake of substantial and continual support to business interests and long-term benefits!
23

Lessing, Martha Maria. "A model for best practice driven information security governance." Thesis, 2008. http://hdl.handle.net/10210/524.

Abstract:
To ensure the likely success of an organisation’s Information Security Governance, discipline leaders recommend that organisations follow the guidelines as set out in Information Security Governance best practice documents. Best practices and related documents from the Information Security Governance discipline, as well as best practices and related documents from the Corporate Governance and Information Technology Governance disciplines, all include sections pertaining to Information Security, Information Security Governance and Information Technology assets. This study puts these sections together, and constructs an Information Security Governance model that combines all aspects of Information Security Governance. In theory, this model should guide an organisation to the ultimate level of Information Security Governance.
Prof. S. H. von Solms
24

Wang, Ji Hsian, and 王繼顯. "Verification and Practice of Enterprise Information Security Pattern and Knowledge within Ontology Method." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/77748723698840124016.

Abstract:
Master's
National Defense Management College
Graduate Institute of National Defense Information
95
With the widespread application of information technology and products, each enterprise achieves its operational goals through information technology and information security policy. However, information security problems emerge in an endless stream, heightening the threats to and loopholes in enterprise information security, so enterprises face ever stricter challenges in formulating, revising and carrying out their information security policies. Likewise, when formulating an information security policy, enterprises consider international information security norms as well as the conditions and limiting factors inside and outside the enterprise. But are the rules consistent with international regulations when the policy is formulated? Will differing knowledge backgrounds and the limiting factors considered produce different understandings? How can enterprises use information security knowledge to formulate an information security policy effectively? This paper therefore constructs a domain knowledge base for information security with the ontology method: through a knowledge tool, knowledge such as the BS7799 information security measures and standard security management is built into the domain knowledge base. It puts forward a concept structure design for the basic grammar and analysis, presents the norm graphically, and combines it with knowledge of the enterprise's current information security situation and threat knowledge. This helps policymakers make or improve enterprise information security policy effectively, which in turn helps increase the enterprise's competitive advantage and strengthen enterprise information security.
25

"Best practice strategy framework for developing countries to secure cyberspace." Thesis, 2015. http://hdl.handle.net/10210/15091.

Abstract:
M.Com. (Informatics)
Cyber issues are global phenomena in a world of inter-related systems, and as such, the discussion on cybersecurity frameworks, policies and strategies inevitably requires reference to, and benchmarking with regional, continental and global trends and solutions. This, in the context of the effects of globalisation on developing countries, with specific reference to areas such as Africa as a developing continent with regard to the protection of its cyberspace. More drastic measures, such as the utilization of cyber warfare techniques and pre-emptive cyber strike-teams in addition to traditional cybersecurity mechanisms as an essential part of a national security effort to protect cyberspace has become more prevalent within the developed worlds. Likewise, developing nations need to gear themselves in a structured, coordinated and responsible way in order to do their part to secure their own environments. Cyberspace is a dynamic global environment with cyber related issues being a global concern. Although countries generally regulate their own cyber environment through policy; cross-border cyber issues are difficult to resolve and the lack of international cyber laws impede cybersecurity efforts. Cybercrime and the management of cross-border cyber incidents are becoming a growing national security concern as the lack of effective controls leave critical infrastructure and the cyber-connected environment vulnerable to attack. Some developing countries are on track with the maturity of their cybersecurity initiatives, but appropriate cybersecurity frameworks for many developing countries require careful consideration, especially due to the lack of resources, infrastructure and local technology development capabilities.
26

Raykova, Mariana Petrova. "Secure Computation in Heterogeneous Environments: How to Bring Multiparty Computation Closer to Practice?" Thesis, 2012. https://doi.org/10.7916/D8GH9R2Z.

Abstract:
Many services that people use daily require computation that depends on the private data of multiple parties. While the utility of the final result of such interactions outweighs the privacy concerns related to output release, the inputs for such computations are much more sensitive and need to be protected. Secure multiparty computation (MPC) considers the question of constructing computation protocols that reveal nothing more about their inputs than what is inherently leaked by the output. There have been strong theoretical results that demonstrate that every functionality can be computed securely. However, these protocols remain unused in practical solutions since they introduce efficiency overhead prohibitive for most applications. Generic multiparty computation techniques address homogeneous setups with respect to the resources available to the participants and the adversarial model. On the other hand, realistic scenarios present a wide diversity of heterogeneous environments where different participants have different available resources and different incentives to misbehave and collude. In this thesis we introduce techniques for multiparty computation that focus on heterogeneous settings. We present solutions tailored to address different types of asymmetric constraints and improve the efficiency of existing approaches in these scenarios. We tackle the question from three main directions: New Computational Models for MPC - We explore different computational models that enable us to overcome inherent inefficiencies of generic MPC solutions using circuit representation for the evaluated functionality. First, we show how we can use random access machines to construct MPC protocols that add only polylogarithmic overhead to the running time of the insecure version of the underlying functionality. 
This allows us to achieve MPC constructions with computational complexity sublinear in the size of their inputs, which is very important for computations that use large databases. We also consider multivariate polynomials which yield more succinct representations for the functionalities they implement than circuits, and at the same time a large collection of problems are naturally and efficiently expressed as multivariate polynomials. We construct an MPC protocol for multivariate polynomials, which improves the communication complexity of corresponding circuit solutions, and provides currently the most efficient solution for multiparty set intersection in the fully malicious case. Outsourcing Computation - The goal in this setting is to utilize the resources of a single powerful service provider for the work that computationally weak clients need to perform on their data. We present a new paradigm for constructing verifiable computation (VC) schemes, which enables a computationally limited client to verify efficiently the result of a large computation. Our construction is based on attribute-based encryption and avoids expensive primitives such as fully homomorphic encryption and probabilistically checkable proofs underlying existing VC schemes. Additionally our solution enjoys two new useful properties: public delegation and verification. We further introduce the model of server-aided computation where we utilize the computational power of an outsourcing party to assist the execution and improve the efficiency of MPC protocols. For this purpose we define a new adversarial model of non-collusion, which provides room for more efficient constructions that rely almost completely only on symmetric key operations, and at the same time captures realistic settings for adversarial behavior. In this model we propose protocols for generic secure computation that offload the work of most of the parties to the computation server. 
We also construct a specialized server-aided two party set intersection protocol that achieves better efficiencies for the two participants than existing solutions. Outsourcing in many cases concerns only data storage and while outsourcing the data of a single party is useful, providing a way for data sharing among different clients of the service is the more interesting and useful setup. However, this scenario brings new challenges for access control since the access control rules and data accesses become private data for the clients with respect to the service provider. We propose an approach that offers trade-offs between the privacy provided for the clients and the communication overhead incurred for each data access. Efficient Private Search in Practice - We consider the question of private search from a different perspective compared to traditional settings for MPC. We start with strict efficiency requirements motivated by speeds of available hardware and what is considered acceptable overhead from a practical point of view. Then we adopt relaxed definitions of privacy, which still provide meaningful security guarantees while allowing us to meet the efficiency requirements. In this setting we design a security architecture and implement a system for data sharing based on encrypted search, which achieves only 30% overhead compared to non-secure solutions on realistic workloads.
27

TU, FANG-SHENG, and 涂芳聖. "A Practice Research of Computer Mediated Communication Software on Team Performance of Outsourcing Project of Information Security." Thesis, 2017. http://ndltd.ncl.edu.tw/handle/57196850656691960646.

Abstract:
Master's
Fu Jen Catholic University
In-service Master's Program, Department of Information Management
105
In recent years, outsourcing has become a trend for enterprises to obtain information security systems. For information security, it is especially necessary to coordinate manpower and timetables through various meetings or communication tools to accomplish the established objectives. With the rapid development of communication tools, various CMC software provides instant communication and interaction between the members of the organization, and the question is whether these can help the team achieve the best team performance. This research uses instant messaging software, email, and social networking as the independent variables to study their influence on the communication process, team interaction, social networks and team performance. Samples were collected from various information security management professions in Taiwan, with 130 valid questionnaires retrieved. This study has 3 results, as follows: 1. Instant messaging software and email both positively influence the communication process, team interaction, social networks and the project team of the information security project. This shows that CMC software can improve the team performance of information security projects. 2. Most of the information security project teams regularly connected through e-mail for regular progress reports, question replies and discussion. 3. The respondents agree that the mobile communication platform and Facebook are good-quality communication tools, but these two tools do not significantly influence the communication process, team interaction, social networks and the project team of the information security project.
28

Botha, Carla-Lee. "A gab analysis to compare best practice recommendations legal requirements when raising information security awareness amongst home users of online banking." Diss., 2011. http://hdl.handle.net/10500/5457.

Abstract:
South African home users of the Internet use the Internet to perform various everyday functions. These functions include, but are not limited to, online shopping, online gaming, social networking and online banking. Home users of online banking face multiple threats, such as phishing and social engineering. These threats come from hackers attempting to obtain confidential information, such as online banking authentication credentials, from home users. It is, thus, essential that home users of online banking be made aware of these threats, how to identify them and what countermeasures to implement to protect themselves from hackers. In this respect, information security awareness (ISA) programmes are an effective way of making the home users of online banking aware of both the threats they face and the countermeasures available to protect themselves from these threats. There are certain legal requirements with which South African banks have to comply when implementing ISA initiatives. Non-compliance or failure to demonstrate due care and due diligence should a security incident occur will result in financial penalties for the bank as well as possible brand damage and loss of customers. Banks implement international best practice recommendations in an effort to comply with legislation. These include recommendations for information security awareness. This research investigated both information security best practice recommendations and information security legal requirements for information security awareness. A selected list of information security best practices was investigated for best practice recommendations while a selected list of information security legislation was investigated for legal requirements imposed on South African banks. A gap analysis was performed on both these recommendations and requirements to determine whether the implementation of best practice recommendations resulted in compliance with legal requirements. 
The gap analysis found that the implementation of best practice recommendations does not result in compliance with legal requirements. Accordingly, the outcome of this research highlighted the importance of understanding the legal requirements and ensuring that adequate controls are in place with which to achieve compliance.
Business Information systems
Msc. (Information systems)
29

Botha, Carla-Lee. "A gap analysis to compare best practice recommendations and legal requirements when raising information security awareness amongst home users of online banking." Diss., 2011. http://hdl.handle.net/10500/5457.

Abstract:
South African home users of the Internet use the Internet to perform various everyday functions. These functions include, but are not limited to, online shopping, online gaming, social networking and online banking. Home users of online banking face multiple threats, such as phishing and social engineering. These threats come from hackers attempting to obtain confidential information, such as online banking authentication credentials, from home users. It is, thus, essential that home users of online banking be made aware of these threats, how to identify them and what countermeasures to implement to protect themselves from hackers. In this respect, information security awareness (ISA) programmes are an effective way of making the home users of online banking aware of both the threats they face and the countermeasures available to protect themselves from these threats. There are certain legal requirements with which South African banks have to comply when implementing ISA initiatives. Non-compliance or failure to demonstrate due care and due diligence should a security incident occur will result in financial penalties for the bank as well as possible brand damage and loss of customers. Banks implement international best practice recommendations in an effort to comply with legislation. These include recommendations for information security awareness. This research investigated both information security best practice recommendations and information security legal requirements for information security awareness. A selected list of information security best practices was investigated for best practice recommendations while a selected list of information security legislation was investigated for legal requirements imposed on South African banks. A gap analysis was performed on both these recommendations and requirements to determine whether the implementation of best practice recommendations resulted in compliance with legal requirements. 
The gap analysis found that the implementation of best practice recommendations does not result in compliance with legal requirements. Accordingly, the outcome of this research highlighted the importance of understanding the legal requirements and ensuring that adequate controls are in place with which to achieve compliance.
Business Information systems
Msc. (Information systems)
30

Mahopo, Ntombizodwa Bessy. "A risk based approach for managing information technology security risk within a dynamic environment." Diss., 2015. http://hdl.handle.net/10500/21925.

Abstract:
Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. 
The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves.
Computing
M. Sc. (Computing)
31

Maguraushe, Kudakwashe. "Development of a diagnostic instrument and privacy model for student personal information privacy perceptions at a Zimbabwean university." Thesis, 2021. http://hdl.handle.net/10500/27557.

Abstract:
Orientation: The safety of any natural being with respect to the processing of their personal information is an essential human right as specified in the Zimbabwe Data Protection Act (ZDPA) bill. Once enacted, the ZDPA bill will affect universities as public entities. It will directly impact how personal information is collected and processed. The bill will be fundamental in understanding the privacy perceptions of students in relation to privacy awareness, privacy expectations and confidence within university. These need to be understood to give guidelines to universities on the implementation of the ZDPA. Problem Statement: The current constitution and the ZDPA are not sufficient to give organisations guidelines on ensuring personal information privacy. There is a need for guidelines to help organisations and institutions to implement and comply with the provisions of the ZDPA in the context of Zimbabwe. The privacy regulations, regarded as the three concepts (awareness, expectations and confidence), were used to determine the student perceptions. These three concepts have not been researched before in the privacy context and the relationship between the three concepts has not as yet been established. Research purpose: The main aim of the study was to develop and validate an Information Privacy Perception Survey (IPPS) diagnostic tool and a Student Personal Information Privacy Perception (SPIPP) model to give guidelines to universities on how they can implement the ZDPA and aid universities in comprehending student privacy perceptions to safeguard personal information and assist in giving effect to their privacy constitutional right. Research Methodology: A quantitative research method was used in a deductive research approach where a survey research strategy was applied using the IPPS instrument for data collection. The IPPS instrument was designed with 54 items that were developed from the literature.
The preliminary instrument was taken through both the expert review and pilot study. Using the non-probability convenience sampling method, 287 students participated in the final survey. SPSS version 25 was used for data analysis. Both descriptive and inferential statistics were done. Exploratory factor analysis (EFA) was used to validate the instrument while confirmatory factor analysis (CFA) and the structural equation modelling (SEM) were used to validate the model. Main findings: The diagnostic instrument was validated and resulted in seven new factors, namely university confidence (UC), privacy expectations (PE), individual awareness (IA), external awareness (EA), privacy awareness (PA), practice confidence (PC) and correctness expectations (CE). Students indicated that they had high expectations of the university on privacy. The new factors showed a high level of awareness of privacy and had low confidence in the university safeguarding their personal information privacy. A SPIPP empirical model was also validated using structural equation modelling (SEM) and it indicated an average overall good fit between the proposed SPIPP conceptual model and the empirically derived SPIPP model. Contribution: A diagnostic instrument that measures the perceptions (privacy awareness, expectations and confidence of students) was developed and validated. This study further contributed a model for information privacy perceptions that illustrates the relationship between the three concepts (awareness, expectations and confidence). Other universities can use the model to ascertain the perceptions of students on privacy. This research also contributes to improvement in the personal information protection of students processed by universities. The results will aid university management and information regulators to implement measures to create a culture of privacy and to protect student data in line with regulatory requirements and best practice.
School of Computing
Ph. D. (Information Systems)
32

Perkins, Catharina Elizabetha. "The management of an information technology infrastructure in schools in the Western Cape Province." Diss., 2012. http://hdl.handle.net/10500/9266.

Abstract:
This research conceptualises IT infrastructure management at secondary schools in the WCED (Western Cape Education Department). This includes whether or not secondary schools in the WCED make use of a full time, on-site network administrator or whether a teacher acts as on-site network administrator. The literature review studied the effectiveness of IT infrastructure management which includes hardware, software, policies, computer network, security, staff management and BYOD (bring your own device). The management of IT infrastructure at secondary schools within the WCED differs widely from school to school, and its functionality depends on many factors. The quantitative study revealed problem areas within IT infrastructure management at secondary schools in the WCED. Furthermore the quantitative study also revealed that there is a need for best practice guidelines with regards to IT infrastructure management in order to improve service delivery. The literature review provided sources for best practice IT infrastructure management.
Computer infrastructure at secondary schools in the WCED (Western Cape Education Department) is described in the research. The study investigates different structures, namely schools that have a full-time network administrator and schools where a teacher takes on the responsibility of a network administrator. The effective control of computer infrastructures is discussed. This includes hardware, software, policy formulation, computer network, security, staff management, and BYOD (bring your own device). The management of computer infrastructure differs from school to school and its effective management is influenced by many factors. The quantitative study identified problem areas for the management of computer infrastructure at secondary schools in the WCED. The quantitative study further identified the need for best practice guidelines in order to ensure better service delivery. The literature study named best practice guidelines for computer infrastructure management.
Educational Leadership and Management