Dissertations / Theses on the topic 'Information systems security policy'


Consult the top 50 dissertations / theses for your research on the topic 'Information systems security policy.'


1

Hellqvist, Fredrik. "Design of business information security policy : A case study on Orebro County Council's work with information security." Thesis, Örebro universitet, Handelshögskolan vid Örebro Universitet, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:oru:diva-35527.

2

Lapke, Michael Stephen. "Power Relationships in Information Systems Security Policy Formulation and Implementation." VCU Scholars Compass, 2008. http://scholarscompass.vcu.edu/etd/1239.

Abstract:
This thesis argues that organizational power impacts the development and implementation of Information Systems (IS) Security policy. The motivation for this research stems from the continuing concern of ineffective security in organizations, leading to significant monetary losses. IS researchers have contended that ineffective IS Security policy is a precursor to ineffective IS Security (Loch et al. 1992; Whitman et al. 2001; David 2002; Solms and Solms 2004). Beyond this pragmatic aspect, there is a gap in the literature concerning power relationships and IS Security policy. This research intends to bridge the gap. The dissertation is a two-phased study whereby the first phase seeks to understand the intricacies of IS Security policy formulation and implementation. In the first phase, a conceptual framework utilizes Katz's (1970) semantic theory. The conceptual framework provides the theoretical foundation for a case study that takes place at an educational institution's Information Technology (IT) Department. In the results, it is confirmed that a disconnect exists between IS Security policy formulation and implementation. Furthermore, a significant emergent finding indicates that power relationships have a direct impact on this observed disconnect. The second phase takes place as an in-depth case study at the IT department within a large financial organization. The theoretical foundation for the second phase is based on Clegg's (2002) Circuits of Power. A conceptual framework for this phase utilizes this theory. This framework guides the study of power relationships and how they might affect the formulation and implementation of IS Security policy in this organization. The case study demonstrates that power relationships have a clear impact on the formulation and implementation of IS security policy. Though there is a strong security culture at the organization and a well-defined set of processes, an improvement in the process and ensuing security culture is possible by accounting for the effect of power relationships.
3

Abdul, Talib Yurita Yakimin. "Intrinsic Motivation and Information Systems Security Policy Compliance in Organizations." VCU Scholars Compass, 2015. http://scholarscompass.vcu.edu/etd/3710.

Abstract:
Incidents of computer abuse, proprietary information leaks and other security lapses have been on the increase. Most often, such security lapses are attributed to internal employees in organizations subverting established organizational IS security policy. As employee compliance with IS security policy is the key to escalating IS security breaches, understanding employee motivation for following IS security policy is critical. In addition to several types of extrinsic motives noted in prior studies, including sanctions, rewards, and social pressures, this study adds that an important contributing intrinsic factor is empowerment. Per Thomas and Velthouse’s (1990) intrinsic motivation model, empowerment is the positive feelings derived from IS security task assessments. Through survey data collected from 289 participants, the study assesses how dimensions of psychological empowerment (i.e., competence, meaning, impact, and choice) as derived from IS security task may impact the IS security performance of the participants, measured by their compliance with IS security policy. The study demonstrates that the competence and meaning dimensions of psychological empowerment have a positive impact on participants’ IS security policy compliance intention, while impact has a marginal negative influence on compliance. Furthermore, dimensions of psychological empowerment can be predicted by structural empowerment facets, particularly IS security education, training, and awareness (SETA), access to IS security strategy and goals, and participation in IS security decision-making. In addition, the competence and meaning dimensions of psychological empowerment may act as mediators for the relations between structural empowerment and participants’ IS security policy compliance. Theoretical contributions, managerial implications, and directions for future research of this study will be discussed.
4

Aliti, Admirim, and Deniz Akkaya. "Employees' Role in Improving Information Systems Security." Thesis, Linnéuniversitetet, Institutionen för datavetenskap, fysik och matematik, DFM, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-13769.

Abstract:
Information security is one of the most essential concerns in today's organizations. IT departments in larger organizations are tasked to implement security, both by ensuring that they have pertinent hardware and software, and likewise by enlightening, teaching and educating the organization's employees about security issues. The aim of this research is to focus on the human factor of the organization, which impacts the security of the information, since technological solutions of technical problems become incomprehensible without human recognition about security. If security is not addressed in firms, this might lead to essential data of the organization being compromised. This study explores ways to enhance information security and improve the human factor by integrating the crucial information security elements in organizations. A social constructivist worldview is adopted throughout the study, and an inductive-based qualitative approach, a single case study design and hermeneutical analysis for analyzing the observations and interviews are utilized. The research setting for this study is Växjö Municipality in Sweden. The empirical investigation suggests that the human factor plays an essential role in maintaining information security, and organizations can improve employees' role by keeping their security policies up to date and finding the best ways to disseminate that information. As a result, this research comes up with an "information security human management model" for organizations.
5

Harris, Mark. "THE SHAPING OF MANAGERS’ SECURITY OBJECTIVES THROUGH INFORMATION SECURITY AWARENESS TRAINING." VCU Scholars Compass, 2010. http://scholarscompass.vcu.edu/etd/2208.

Abstract:
Information security research states that corporate security policy and information security training should be socio-technical in nature and that corporations should consider training as a primary method of protecting their information systems. However, information security policies and training are predominately technical in nature. In addition, managers creating security policies rely heavily on security guidelines, which are also technically oriented. This study created a series of information security training videos that were viewed by four groups of managers. One video discussed the socio-technical aspects of security, another discussed only the social aspects of security, the third detailed only the technical aspects of security, and the fourth was a control video unrelated to information security. Each group was shown the video, and after this viewing, each group's values toward information security were ascertained and converted into security objectives following Keeney's (1992) value-focused thinking approach. Each group's list of security objectives was used as the input to Schmidt's (1997) ranking Delphi methodology, which yielded a more concise and ranked list of security objectives. The results thus obtained indicate that managers' objectives towards information security are affected by the nature and scope of the information security training they receive. Information security policy based on each group's value-based security objectives indicates that managers receiving socio-technical training would produce the strongest information security policy when analyzing the value-focused thinking list of security objectives. However, the quality of security policy decreases when analyzing the ranked Delphi list of security objectives, thus providing mixed results. The theoretical contribution of this research states that technically oriented information security training found in corporations today affects managers' values and security objectives in a way that leads them to create and support technically oriented security policies, thus ignoring the social aspects of security. The practical contribution of this research states that managers should receive socio-technical information security training as a part of their regular job training, which would affect their values and lead to socio-technical information security policy based on the managers' socio-technical security objectives. The methodological contribution of this research demonstrates the successful use of the value-focused thinking approach as the input to the ranking of the Delphi methodology.
6

Marin, Luis Franco. "SELinux policy management framework for HIS." Thesis, Queensland University of Technology, 2008. https://eprints.qut.edu.au/26358/1/Luis_Franco_Thesis.pdf.

Abstract:
Health Information Systems (HIS) make extensive use of Information and Communication Technologies (ICT). The use of ICT aids in improving the quality and efficiency of healthcare services by making healthcare information available at the point of care (Goldstein, Groen, Ponkshe, and Wine, 2007). The increasing availability of healthcare data presents security and privacy issues which have not yet been fully addressed (Liu, Caelli, May, and Croll, 2008a). Healthcare organisations have to comply with the security and privacy requirements stated in laws, regulations and ethical standards, while managing healthcare information. Protecting the security and privacy of healthcare information is a very complex task (Liu, May, Caelli and Croll, 2008b). In order to simplify the complexity of providing security and privacy in HIS, appropriate information security services and mechanisms have to be implemented. Solutions at the application layer have already been implemented in HIS such as those existing in healthcare web services (Weaver et al., 2003). In addition, Discretionary Access Control (DAC) is the most commonly implemented access control model to restrict access to resources at the OS layer (Liu, Caelli, May, Croll and Henricksen, 2007a). Nevertheless, the combination of application security mechanisms and DAC at the OS layer has been stated to be insufficient in satisfying security requirements in computer systems (Loscocco et al., 1998). This thesis investigates the feasibility of implementing Security Enhanced Linux (SELinux) to enforce a Role-Based Access Control (RBAC) policy to help protect resources at the Operating System (OS) layer. SELinux provides Mandatory Access Control (MAC) mechanisms at the OS layer. These mechanisms can contain the damage from compromised applications and restrict access to resources according to the security policy implemented. The main contribution of this research is to provide a modern framework to implement and manage SELinux in HIS. The proposed framework introduces SELinux Profiles to restrict access permissions over the system resources to authorised users. The feasibility of using SELinux profiles in HIS was demonstrated through the creation of a prototype, which was submitted to various attack scenarios. The prototype was also subjected to testing during emergency scenarios, where changes to the security policies had to be made on the spot. Attack scenarios were based on vulnerabilities common at the application layer. SELinux demonstrated that it could effectively contain attacks at the application layer and provide adequate flexibility during emergency situations. However, even with the use of current tools, the development of SELinux policies can be very complex. Further research has to be made in order to simplify the management of SELinux policies and access permissions. In addition, SELinux related technologies, such as the Policy Management Server by Tresys Technologies, need to be researched in order to provide solutions at different layers of protection.
7

Marin, Luis Franco. "SELinux policy management framework for HIS." Queensland University of Technology, 2008. http://eprints.qut.edu.au/26358/.

8

Patterson, Joanna. "Cyber-Security Policy Decisions in Small Businesses." ScholarWorks, 2017. https://scholarworks.waldenu.edu/dissertations/4551.

Abstract:
Cyber-attacks against small businesses are on the rise, yet small business owners often lack effective strategies to avoid these attacks. The purpose of this qualitative multiple case study was to explore the strategies small business owners use to make cyber-security decisions. Bertalanffy's general systems theory provided the conceptual framework for this study. A purposive sample of 10 small business owners participated in the interview process and shared their decision-making methodologies and influencers. The small business owners were vetted to ensure their strategies were effective through a series of qualification questions. The intent of the research question and corresponding interview questions was to identify strategies that successful small business owners use to make cyber-security decisions. Data analysis consisted of coding keywords, phrases, and sentences from semi-structured interviews as well as document analysis. The following themes emerged: government requirements, peer influence, budgetary constraints, commercial standards, and lack of employee involvement. According to the participants, budgetary constraints and peer influence were the most influential factors when making decisions regarding cyber-security strategies. Through exposing small business owners to proven strategies, the implications for social change include a reduction of their small business operating costs and assistance with compliance activities.
9

Alkahtani, Hend K. "Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework." Thesis, Loughborough University, 2018. https://dspace.lboro.ac.uk/2134/28120.

Abstract:
The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all-female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabian universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, they are not fully aware of the importance of the security of information. The purpose of this study is to develop a culturally aware information security framework that does involve all types of employees contributing to the development of information security policy. The framework consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture in Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisation's population to justify its fit into the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and therefore improve the overall level of information security awareness. The developed information security framework is a collection of ISO 27k best practice steps, re-ordered, and with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregated working environments. A before-assessment methodology was applied before the application of the culturally aware information security policy framework between two universities, Imam University, which has ISO27K accreditation, and PNU, the case study, to measure and compare their users' information security awareness level. Then, an after-assessment methodology is used to demonstrate the framework's effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of the awareness knowledge gained after the application.
10

Kayahan, Hüseyin. "INTRUSION EXECUTION SYSTEMS : Prototype: IMPETUS." Thesis, Linnéuniversitetet, Institutionen för datavetenskap (DV), 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-29546.

Abstract:
In nature, it is inspiring to observe such an extensive variety of defensive skills distributed among species. The speed of an antelope, and the sting of a scorpion, wasp or a bee are some examples of such defensive tools or mechanisms important to survive against predators. However sophisticated the skills or tools are, the correct, accurate use and on-time triggering of those tools is a matter of life and death for animals. With those defensive measures, animals come with a complementary ability called "vigilance". Vigilance is costly and the human tries to minimize vigilant behaviour in every aspect of life. The absence of vigilance, or negligence in other words, allows humans to spend more time and cognition on matters that he or she wants rather than on problems that need time. The human has an inherent and intricate mechanism that determines the vigilance level required for a particular problem. The consequences of the lack of vigilance in a work environment, more especially in the Information Technologies Security field, are catastrophic and even lethal as humanity becomes an increasingly associated inhabitant of the cyberspace ecosystem. Intrusion Execution Systems (IES), which is one of my conceptual propositions in this research, is my approach to reduce negligent behaviour in IT Security personnel. Impetus is the name of the first prototype for the IES concept, with limitations, which is included in this research. Impetus can successfully achieve the desired behaviour in a test environment; however, the conceptual propositions in this research, along with Impetus, should further be experimented with in the real world in order to be convinced of its effectiveness.
11

Dawson, Alan Robert. "Exploring Strategies for Implementing Information Security Training and Employee Compliance Practices." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/7794.

Abstract:
Humans are the weakest link in any information security (IS) environment. Research has shown that humans account for more than half of all security incidents in organizations. The purpose of this qualitative case study was to explore the strategies IS managers use to provide training and awareness programs that improve compliance with organizational security policies and reduce the number of security incidents. The population for this study was IS security managers from 2 organizations in Western New York. Information theory and institutional isomorphism were the conceptual frameworks for this study. Data collection was performed using face-to-face interviews with IS managers (n = 3) as well as secondary data analysis of documented IS policies and procedures (n = 28). Analysis and coding of the interview data was performed using a qualitative analysis tool called NVivo, which helped identify the primary themes. Developing IS policy, building a strong security culture, and establishing and maintaining a consistent, relevant, and role-based security awareness and training program were a few of the main themes that emerged from analysis. The findings from this study may drive social change by providing IS managers additional information on developing IS policy, building an IS culture and developing role-specific training and awareness programs. Improved IS practices may contribute to social change by reducing IS risk within organizations as well as reducing personal IS risk with improved IS habits.
12

Malis, Johanna, and Josette Falck. "Informationssäkerhetspolicy och Säkerhetsmedvetenhet : En undersökning av kommunala förvaltningars praktiska arbete med att uppnå informationsäkerhet." Thesis, Högskolan i Halmstad, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-31863.

13

Al-Hamar, Aisha. "Enhancing information security in organisations in Qatar." Thesis, Loughborough University, 2018. https://dspace.lboro.ac.uk/2134/33541.

Abstract:
Due to the universal use of technology and its pervasive connection to the world, organisations have become more exposed to frequent and various threats. Therefore, organisations today are giving more attention to information security as it has become a vital and challenging issue. Many researchers have noted that the significance of information security, particularly information security policies and awareness, is growing due to increasing use of IT and computerization. In the last 15 years, the State of Qatar has witnessed remarkable growth and development of its civilization, having embraced information technology as a base for innovation and success. The country has undergone tremendous improvements in the health care, education and transport sectors. Information technology plays a strategic role in building the country's knowledge-based economy. Due to Qatar's increasing use of the internet and connection to the global environment, it needs to adequately address the global threats arising online. As a result, the scope of this research is to investigate information security in Qatar and in particular the National Information Assurance (NIA) policy. There are many solutions for information security, some technical and some non-technical, such as policies and making users aware of the dangers. This research focusses on enhancing information security through non-technical solutions. The aim of this research is to improve Qatari organisations' information security processes by developing a comprehensive Information Security Management framework that is applicable for implementation of the NIA policy, taking into account Qatar's culture and environment. To achieve the aim of this research, different research methodologies, strategies and data collection methods will be used, such as a literature review, surveys, interviews and case studies. The main findings of this research are that there is insufficient information security awareness in organisations in Qatar and a lack of a security culture, and that the current NIA policy has many barriers that need to be addressed. The barriers include a lack of information security awareness, a lack of dedicated information security staff, and a lack of a security culture. These barriers are addressed by the proposed information security management framework, which is based on four strategic goals: empowering Qataris in the field of information security, enhancing information security awareness and culture, activating the Qatar National Information Assurance policy in real life, and enabling Qatar to become a regional leader in information security. The research also provides an information security awareness programme for employees and university students. At the time of writing this thesis, there are already indications that the research will have a positive impact on information security in Qatar. A significant example is that the information security awareness programme for employees has been approved for implementation at the Ministry of Administrative Development, Labour and Social Affairs (ADLSA) in Qatar. In addition, the recommendations proposed have been communicated to the responsible organisations in Qatar, and the author has been informed that each organisation has decided to act upon the recommendations made.
14

Bobade, Kailas B. "Personalized Credential Negotiation Based on Policy Individualization in Federation." Kent State University / OhioLINK, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=kent1259734008.

15

Qureshi, Mustafa Ali, and Farhan Khalid. "How companies manage IT security : A comparative study of Pakistan and Sweden." Thesis, Internationella Handelshögskolan, Högskolan i Jönköping, IHH, Informatik, 2013. http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-21768.

Abstract:
IT security provides comprehensive picture both internally and externally by act of ensuring that data is not lost when critical issues arise. In spite of the world has now been replaced with an imperative approach. The companies are using widely desktop computers, laptops, ipads, smart phones and workstation. The sum of all this has been influence to the IT based information and communication system in companies.   The purpose is to do research by taking a critical look at how different kind of business and non-business companies manage their IT security in Pakistan and Sweden with specific emphasis on the administrative controls. As the IT security has a list of steps but the authors focused on three major functions: IT security policy, IT security plan and IT security risk analysis.   As soon as the topic was selected the emphasis was laid on collecting and reading material related to the IT security. It became clear that the most relevant and interesting task was not merely to investigate how different companies in Pakistan and Sweden manage their IT security but infact try to understand what kind of steps and measures lies behind to achieve them. The method was adopted qualitative because it fulfil the requirements which authors want to achieve in the form of deeper understanding how different companies manage IT security in two different countries.   This study concluded that Pakistani companies in terms of IT security policy should focus on data ware houses by implementing policies for securing of exploiting the data and in case of Swedish company IT managers should implement policies for securing of personal data. Evaluation techniques are missing from the companies of Pakistan and Sweden in IT security plan. Enhancing the performing of IT risk analysis to countermeasure the threat. Pakistani companies should focus on business model of information asset. 
In case of Swedish company higher level and more detailed analysis can apply to core areas of the IT system. These proposed points for improvements could also help in more understanding of IT security in Pakistan and Sweden.
16

Antoniou, George S. "Designing an effective information security policy for exceptional situations in an organization: An experimental study." NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/949.

Abstract:
An increasing number of researchers are recognizing the importance of the role played by employees in maintaining the effectiveness of an information security policy. Currently, little research exists to validate the relationship between the actions (behaviors) taken by employees in response to exceptional situations (antecedents) regarding an organization’s information security policy, the impact (consequences) those actions have on an organization, and the motives that prompt those actions. When these exceptional situations occur, employees may feel compelled to engage in behaviors that violate the terms of an information security policy because strict compliance with the policy could cause the organization to lose revenue, reputability or some other business advantage. To address this issue, this research study investigated how to design an effective information security policy for exceptional situations in an organization. In order to achieve this goal, this study explored how an information security policy should be designed with the critical components of clarity, comprehensiveness, ease of use and flexibility, in addition to including provisions for the work contingencies of employees. The aim of this proposed study was to demonstrate how the application principles of the prima-facie, utilitarian and universalizability design theories can aid in designing an information security policy that includes these essential elements. The research study explored the effectiveness of the policy's design and the effect it had on employee compliance with the policy in exceptional situations. A survey questionnaire was administered to a control group and an experimental group consisting of full-time and part-time employees who worked in various departments of a single organization. The survey employed a five-point Likert-type scale. The data gathered from the questionnaire was analyzed. 
Inferential statistics used the general linear model (GLM), including the t-test, analysis of covariance (ANCOVA), regression analysis, and factor analysis, with the latest version of the SPSS statistical analysis program. This study was built to develop a model for designing an effective information security policy for exceptional situations in an organization. Based on the analysis of fit, the model for designing an effective information security policy for exceptional situations in an organization was determined to be a successful model. This study should provide many opportunities for future research, as well as providing information security practitioners and academics with a solid roadmap for designing effective information security policies within an organization to apply during exceptional situations.
17

Watkins, Trevor U. "Is Microsoft a Threat to National Security? Policy, Products, Penetrations, and Honeypots." Connect to resource online, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=ysu1244659206.

18

Henning, Rhonda R. "Security Policies That Make Sense for Complex Systems: Comprehensible Formalism for the System Consumer." NSUWorks, 2014. http://nsuworks.nova.edu/gscis_etd/9.

Abstract:
Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system's resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. For the system end-user, the functional allocation of security policy to discrete system components, or subsystems, may be too complex for comprehension. In this dissertation, the concept of a metapolicy, or policy that governs execution of subordinate security policies, is introduced. From the user's perspective, the metapolicy provides the rules for system governance that are functionally applied across the system's components for policy enforcement. The metapolicy provides a method to communicate updated higher-level policy information to all components of a system; it minimizes the overhead associated with access control decisions by making access decisions at the highest level possible in the policy hierarchy. Formal definitions of policy often involve mathematical proof, formal logic, or set theoretic notation. Such policy definitions may be beyond the capability of a system user who simply wants to control information sharing. For thousands of years, mankind has used narrative and storytelling as a way to convey knowledge. This dissertation discusses how the concepts of storytelling can be embodied in computational narrative and used as a top-level requirements specification. 
The definition of metapolicy is further discussed, as is the relationship between the metapolicy and various access control mechanisms. The use of storytelling to derive the metapolicy and its applicability to formal requirements definition is discussed. The author's hypothesis on the use of narrative to explain security policy to the system user is validated through the use of a series of survey instruments. The survey instrument applies either a traditional requirements specification language or a brief narrative to describe a security policy and asks the subject to interpret the statements. The results of this research are promising and reflect a synthesis of the disciplines of neuroscience, security, and formal methods to present a potentially more comprehensible knowledge representation of security policy.
19

Almusharraf, Ahlam. "DIVERGENCE IN STAKEHOLDER PERCEPTIONS OF SECURITY POLICIES: A REPGRID ANALYSIS FOR NORM-RULE COMPLIANCE." VCU Scholars Compass, 2016. http://scholarscompass.vcu.edu/etd/4346.

Abstract:
Many organizations have a problem with synchronizing individual values regarding information security with the expectations set by the relevant security policy. Such discordance leads to failure in compliance or simply subversion of existing or imposed controls. The problem of the mismatch in understanding the security policies amongst individuals in an organization has a devastating effect on the security of the organization. Different individuals hold different understanding and knowledge about IS security, which is reflected in IS security policy design and practice (Vaast, 2007). Albrechtsen and Hovden (2009) argue that users and managers practice IS security differently because they have different rationalities. This difference in rationalities may reflect the mismatch between the security policies and individuals' values. In this research, we argue that the occurrence of a security breach can change individuals' values in light of the security policy of the organization. These changes in values can be reflected in the compliance between individuals' norms and security rules and standards. Indeed, organizations need to guarantee compliance between the security policy and the values of their employees. Thus, they can alleviate or prevent violations of the security of the organization. However, it is difficult to find a common method that all organizations can adopt to guarantee the synchronization between security rules and individuals' norms. The main aim of this research is to investigate how people perceive information security policy and how their perceptions change in response to security breaches. Besides, this research aims to investigate the relationship between individuals' values and security policy. Thus, organizations can have the intended level of compliance between individual norms and security rules and standards. With the aid of the Repertory Grid technique, this research examines how a security breach shapes people's values with respect to the security policy of an organization.
To conduct the argument, this research offers an assessment mechanism that aids the organization in evaluating employees' values in regard to security policy. Based on that evaluation, the organization can develop a proper mechanism to guarantee compliance between individuals' norms and security rules. The results of this research show that employees in an organization hold different perceptions regarding the security policy. These perceptions change in response to a security incident. This change in perceptions does not necessarily result in better compliance with the security policy. Factors like the type of breach and people's experience can affect the amount of change in the perceptions. Contributions, implications, and directions for future research of this study will be discussed.
20

Al, Abbasi Hawazin. "Organizational Information Security: Strategies to Minimize Workplace Cyberloafing for Increased Productivity." ScholarWorks, 2018. https://scholarworks.waldenu.edu/dissertations/4773.

Abstract:
Productivity loss occurs in organizations that experience high levels of personal Internet use by employees on company time, which includes employees using smartphones to surf without needing the firm's Internet connection. The purpose of this qualitative phenomenological study was to explore reliable ways for organizational leaders to monitor or limit their employees' use of smartphone technology for personal use (cyberloafing) while on the job, to minimize wasted work time. Social cognitive theory, which includes an emphasis on human behavioral changes based upon the environment, people, and behavior, served as the conceptual framework. The general research question was as follows: How can managers minimize wasted work time by limiting the personal Internet activity of employees who use personal mobile devices while on the job? Data collection involved gathering information from interviews with 20 frontline supervisors, human resource managers, and information technology managers and specialists in 2 U.S. industries: education and telecommunications. Data analysis included examining word frequencies, keyword coding, and identifying themes. Four management themes emerged: create a mobile device usage policy, enforce monitoring technology, create a deterrence strategy, and customize monitoring and tracking technology. This study may be important because the analysis revealed effective ways to prevent or minimize employees' Internet surfing and time-wasting at work. The findings could lead to positive social change through increased employee productivity and responsibility by providing managers with information to control or limit cyberloafing activities and by fostering an increased commitment to comply with an organization's Internet use policy.
21

Rodriguez, Julio C. "Public Servants' Perceptions of the Cybersecurity Posture of the Local Government in Puerto Rico." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/6370.

Abstract:
The absence of legislation, the lack of a standard cybersecurity framework, and the failure to adopt a resilient cybersecurity posture can be detrimental to the availability, confidentiality, and integrity of municipal information systems. The purpose of this phenomenological study was to understand the cybersecurity posture of municipalities from the perception of public servants serving in information technology (IT) leadership roles in highly populated municipalities in the San Juan-Carolina-Caguas Metropolitan Statistical Area of Puerto Rico. The study was also used to address key factors influencing the cybersecurity posture of these municipalities. The theoretical framework was open system theory used in combination with a conceptual framework encompassing key dimensions influencing digital government. Data were collected using semistructured interviews with 10 public servants working in IT leadership positions in a municipal setting in Puerto Rico. Data analysis involved horizontalization, reduction, elimination, clustering, thematizing, validation, and development of individual and composite textural descriptions. Participants reported that the cybersecurity posture of their municipalities was resilient. Participants also reported that technological changes, politics, the economy, management support, and processes were key elements to achieve a resilient posture. Findings may be used to empower elected officials, policymakers, public servants, and practitioners to manage and improve elements affecting cybersecurity with the goal of achieving a resilient posture to deliver cybersecurity as a public good.
22

Gustavsson, Simon, and Fredrik Årman. "Bring your own device - a concern for organizations? : A thesis about tech organizations awareness and management of smartwatches." Thesis, Linnéuniversitetet, Institutionen för informatik (IK), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-96411.

Abstract:
With 5G around the corner and an overall increase in faster and more stable internet connections, the future of the Internet of Things (IoT) looks bright. There is a steady increase in the development of IoT devices, such as the smartwatch, and a high increase in the usage of IoT, both by organizations and private citizens. Organizational management of a smartwatch falls under the "Bring your own device" (BYOD) policy, which allows employees to do work on their private devices. There appears to be a lack of knowledge in organizations on how to manage IoT devices, both regarding policies and technical IT security. There has been an increase in malware attacks against IoT devices, and compromised smartwatches could be used to gain unauthorized access to organizations' networks. The smartwatch is a common and powerful IoT device and will be used as an example in this thesis, whose purpose is to examine how organizations perceive and manage IoT devices, focusing on the smartwatch, in order to gain insight into whether IoT devices such as the smartwatch are an area of concern within organizations. To understand the smartwatch, it is important to understand IoT first. The literature review delves into both IoT and smartwatch functionality and security. It looks at the BYOD policy and technical IT security solutions regarding the smartwatch. The review pointed to there being IT security issues with smartwatches and that implementing a BYOD policy increases productivity but also increases the risk of malware attacks from and against the allowed devices. To fulfill the thesis purpose, qualitative interviews with high-ranking IT security personnel at tech organizations were performed, thematized, and analyzed. The most prominent results are discussed: whether the smartwatch is a threat and possible technical solutions for prevention, the IT security level of the organizations' customer businesses, and BYOD policy.
The results from the thesis showed that the organizations had a high awareness of the smartwatch and the IT security risks it brings. They all had BYOD policies to restrict or limit the smartwatch's access to their internal networks and a set of technical solutions to prevent breaches in the IT infrastructure and to detect whether there had been a breach. The informants claimed that their organizations' awareness regarding the smartwatch and the related IT security was higher than that of many of their customer businesses, which makes for an interesting subject for future research. How can these organizations reach the same level of awareness?
23

Rabie, Osama Bassam J. "Developing a Cyberterrorism Policy: Incorporating Individual Values." VCU Scholars Compass, 2018. https://scholarscompass.vcu.edu/etd/5549.

Abstract:
Preventing cyberterrorism is becoming a necessity for individuals, organizations, and governments. However, current policies focus on technical and managerial aspects without asking for experts' and non-experts' values and preferences for preventing cyberterrorism. This study employs value-focused thinking and a public value forum to lay bare strategic measures and alternatives for complex policy decisions on preventing cyberterrorism. The strategic measures and alternatives follow a socio-technical process.
24

Donnerin, Oscar, and Adham Mouwafi. "Kommuner i interorganisatorisk samverkan : Att säkert och effektivt styra informationssäkerhetsarbete." Thesis, Linköpings universitet, Filosofiska fakulteten, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-119833.

Abstract:
Collaboration between municipalities has been a topical issue for Swedish authorities for a long time. More specifically, a clear increase has been identified since the Local Government Act came into force in 1991 and the collaborative form proved to meet real political needs in a positive way. At the same time, over the last 15 years public organizations have moved from advocating the protection of information to becoming more open and exchanging information across organizational boundaries. This qualitative case study examines information security in an inter-organizational collaboration between Swedish municipalities. The theories treated in the thesis are information security, information security governance and collaboration. The purpose of the study is to examine the challenges of governing information security work in an inter-organizational collaboration between Swedish municipalities. We thus intend to contribute to research by refining existing theories in the separate subject areas and by developing theory where these subjects meet. We also aim to contribute to practice by generating valuable knowledge for the studied organizations and by generalizing the results to similar organizations. The results show that we identified a number of central challenges, some of which are harder to handle than others. One central challenge is that political self-government is clearly pronounced, which sets limits on what can be realized jointly. We can also note that resources and priorities are affected by this. We have presented a number of proposals for needs that can be considered, both internally within the municipalities and jointly across municipal boundaries. Our recommendation to the municipalities is to take a step back regarding collaboration, since they are at such different levels that they may find it hard to create a common foundation. The municipalities should also focus on their internal operations and raise security awareness in order to become more ready to enter into a collaboration.
If this is fulfilled, they can begin to focus on adopting principles and other joint activities such as training. This moves information security work from being reactive to being more proactive. This is something we believe both public and private organizations should strive for, and that researchers should also take into account.
25

Schütte, Julian Hendrik [author], Claudia [academic supervisor] Eckert, and Stefan [academic supervisor] Katzenbeisser. "Security Policies in Pervasive Systems : Design of a Modular Security Policy Framework for Semantic, Multi-Domain, Service-Oriented Pervasive Systems / Julian Hendrik Schütte. Reviewers: Claudia Eckert ; Stefan Katzenbeisser. Supervisor: Claudia Eckert." München : Universitätsbibliothek der TU München, 2013. http://d-nb.info/1041322968/34.

26

Schütte, Julian Hendrik [author], Claudia [academic supervisor] Eckert, and Stefan [academic supervisor] Katzenbeisser. "Security Policies in Pervasive Systems : Design of a Modular Security Policy Framework for Semantic, Multi-Domain, Service-Oriented Pervasive Systems / Julian Hendrik Schütte. Reviewers: Claudia Eckert ; Stefan Katzenbeisser. Supervisor: Claudia Eckert." München : Universitätsbibliothek der TU München, 2013. http://nbn-resolving.de/urn:nbn:de:bvb:91-diss-20130813-1128393-0-4.

27

Anye, Ernest Tamanji. "Factors Affecting Employee Intentions to Comply With Password Policies." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/6965.

Abstract:
Password policy compliance is a vital component of organizational information security. Although many organizations make substantial investments in information security, employee-related security breaches are prevalent, with many breaches being caused by negative password behavior such as password sharing and the use of weak passwords. The purpose of this quantitative correlational study was to examine the relationship between employees’ attitudes towards password policies, information security awareness, password self-efficacy, and employee intentions to comply with password policies. This study was grounded in the theory of planned behavior and social cognitive theory. A cross-sectional survey was administered online to a random sample of 187 employees selected from a pool of qualified Qualtrics panel members. Participants worked for organizations in the United States and were aware of the password policies in their own organizations. The collected data were analyzed using 3 ordinal logistic regression models, each representing a specific measure of employees’ compliance intentions. Attitudes towards policies and password self-efficacy were significant predictors of employees’ intentions to comply with password policies (odds ratios ≥ 1.257, p < .05), while information security awareness did not have a significant impact on compliance intentions. With more knowledge of the controllable predictive factors affecting compliance, information security managers may be able to improve password policy compliance and reduce economic loss due to related security breaches. An implication of this study for positive social change is that a reduction in security breaches may promote more public confidence in organizational information systems.
28

du, Fresne Andrew J. "Can Audits be an Effective Method to Improve Information Governance Compliance Objectives?" University of Findlay / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=findlay1595949409362295.

29

Kuzmenko, Victoria Vladimirovna, and Вікторія Володимирівна Кузьменко. "Information warfare a new face of warfare in international relations." Thesis, National Aviation University, 2021. https://er.nau.edu.ua/handle/NAU/51632.

Abstract:
Information is one of the most important components in the life of modern society. The status of a person, state, or organization in the real world is largely determined by its ability to communicate with people and by its position in the information space. International relations have always been based on the principles of communication. International communication is the exchange of information between participants on the world stage, which has an international character. Information has a global impact; that is, with successful management of people's minds, it is possible to destroy an opponent or even start a war. International communication is thus a path to the beginning of information conflicts between subjects, which can later escalate into information warfare. Today, the causes of information warfare in international relations may be simple communication between participants, but most often they are terrorism and cybercrime. A computer can be used as a tool to commit a crime and can also be the object of a specific crime. These actions are used to disrupt and disable various government databases and management systems.
30

Палагнюк, Д. М., Д. С. Тищук, and О. В. Березюк. "Принципи забезпечення інформаційної безпеки." Thesis, ВНТУ, 2018. http://ir.lib.vntu.edu.ua//handle/123456789/24491.

Abstract:
The article presents the task of ensuring information security as one of the main tasks in today's information society. It reveals the essence of the concept of information security and the basic principles of ensuring it.
31

Huang, Jiawei. "The Road to a Nationwide Electronic Health Record System: Data Interoperability and Regulatory Landscape." Scholarship @ Claremont, 2019. https://scholarship.claremont.edu/cmc_theses/2224.

Abstract:
This paper seeks to break down how a large-scale Electronic Health Records (EHR) system could improve quality of care and reduce monetary waste in the healthcare system. The paper further explores issues regarding regulations on data exchange and data interoperability. Due to the massive size of healthcare data, the exponential increase in the speed of data generation through innovative technologies, and the complexity of healthcare data types, the widespread adoption of a large-scale EHR system has hit barriers. Much of the data available is unstructured or contained within a single healthcare provider's systems. To fully utilize all the data available, methods for making data interoperable and regulations for data exchange that protect and support patients must be developed. Through angles addressing data exchange and interoperability, we seek to break down the constraints and issues that EHR systems still face and gain an understanding of the regulatory landscape.
32

Литовська, А. Є. "Проблеми інформаційних систем та технологій маркетингу на підприємствах." Thesis, Сумський державний університет, 2013. http://essuir.sumdu.edu.ua/handle/123456789/32617.

Abstract:
Nowadays information is a determining factor in the functioning of an enterprise. Without information systems and technologies, information will not reach its target audience, which in turn leads to low awareness among employees and prevents the enterprise from operating at full capacity. The presence of a marketing information system is one of the important aspects for decision-making and for the functioning of the enterprise as a whole.
33

Raheem, Muhammad. "Mitigation of inter-domain Policy Violations at Internet eXchange Points." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-247908.

Abstract:
Economic incentives and the need to efficiently deliver Internet traffic have led to the growth of Internet eXchange Points (IXPs), i.e., the interconnection networks through which a multitude of possibly competing network entities connect to each other with the goal of exchanging traffic. At IXPs, the exchange of traffic between two or more member networks is dictated by the Border Gateway Protocol (BGP), i.e., the inter-domain routing protocol used by network operators to exchange reachability information about IP prefix destinations. There is a common “honest-closed-world” assumption at IXPs that two IXP members exchange data traffic only if they have exchanged the corresponding reachability information via BGP. This state of affairs severely hinders security, as any IXP member can send traffic to another member without having received a route from that member. Filtering traffic according to BGP routes would solve the problem. However, while IXP members can install filters, the number of filtering rules required at a large IXP can easily exceed the capacity of the network devices. In addition, an IXP cannot filter this type of traffic itself, as the BGP routes exchanged between two members are not visible to the IXP. In this thesis, we evaluated the design space between reactive and proactive approaches for guaranteeing consistency between the BGP control plane and the data plane. In a reactive approach, an IXP member operator monitors, collects, and analyzes the incoming traffic to detect whether any illegitimate traffic exists, whereas in a proactive approach an operator configures its network devices to filter any illegitimate traffic without the need to perform any monitoring. We focused on proactive approaches because of the increased security of the IXP network and the inherently simpler network management.
We designed and implemented a solution to this problem by leveraging the emerging Software Defined Networking (SDN) paradigm, which enables the programmability of the forwarding tables by separating the control and data planes. Our approach only installs rules in the data plane that allow legitimate traffic to be forwarded, dropping anything else. As hardware switches have high performance but little memory, we decided to also make use of software switches. A “heavy-hitter” module detects the forwarding rules carrying most of the traffic and installs them into the hardware switch. The remaining forwarding rules are installed into the software switches. We evaluated the prototype in an emulated testbed using the Mininet virtual network environment. We analyzed the security of our system with the help of static verification tests, which confirmed compliance with the security policies. The results reveal that with just 10% of the rules installed in the hardware switch, the hardware switch directly filters 95% of the traffic volume under non-uniform, Internet-like traffic distribution workloads. We also evaluated the latency and throughput overheads of the system, though the results are limited by the accuracy of the emulated environment. The scalability experiments show that, with 10K forwarding rules, the system takes around 40 seconds to install and update the data plane. This is due to the inherent slowness of the emulated environment and limitations of the POX controller, which is written in Python.
APA, Harvard, Vancouver, ISO, and other styles
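As an added illustration of the allow-listing approach the abstract above describes (this is not code from the thesis or its prototype; the member names, BGP session state and traffic sample are all constructed for the example), the following Python model derives data-plane allow rules from BGP announcements, classifies a traffic sample against them with longest-prefix matching, and ranks the rules by carried volume so the heaviest hitters can be placed in the small hardware table and the rest in software switches:

```python
"""Constructed model of BGP-derived allow-listing at an IXP (added illustration, not the thesis prototype)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    src: str     # member that received the route and may therefore send traffic
    dst: str     # member that announced the prefix
    prefix: str  # the announced IP prefix


# Constructed BGP session state: (announcer, receiver) -> prefixes announced over that session.
ANNOUNCEMENTS = {
    ("A", "B"): ["10.0.0.0/24", "10.0.1.0/24"],
    ("A", "C"): ["10.0.0.0/24"],
    ("B", "A"): ["192.168.0.0/16"],
    ("C", "B"): ["172.16.0.0/12"],
}

# Constructed traffic sample: (sender, receiver, destination IP, bytes), skewed like Internet traffic.
FLOWS = [
    ("B", "A", "10.0.0.7", 900_000),
    ("B", "A", "10.0.1.9", 50_000),
    ("C", "A", "10.0.0.1", 30_000),
    ("A", "B", "192.168.4.4", 15_000),
    ("B", "C", "172.20.1.1", 4_000),
    ("C", "A", "10.0.1.1", 1_000),  # A announced 10.0.1.0/24 to B, never to C
    ("A", "C", "8.8.8.8", 500),     # C announced nothing to A
]


def build_allow_rules(announcements):
    """One allow rule per (receiver -> announcer, prefix): the control plane decides what the data plane permits."""
    return [AllowRule(src=receiver, dst=announcer, prefix=p)
            for (announcer, receiver), prefixes in announcements.items() for p in prefixes]


def match_rule(rules, sender, receiver, dst_ip):
    """Longest-prefix match among the rules for this member pair; None means the flow has no BGP justification."""
    addr, best = ip_address(dst_ip), None
    for rule in rules:
        if rule.src != sender or rule.dst != receiver:
            continue
        net = ip_network(rule.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = rule
    return best


def classify(rules, flows):
    """Proactive filtering: forward flows matching an allow rule, drop everything else."""
    legit, dropped = [], []
    for flow in flows:
        sender, receiver, dst_ip, _ = flow
        (legit if match_rule(rules, sender, receiver, dst_ip) else dropped).append(flow)
    return legit, dropped


def split_heavy_hitters(rules, flows, hw_capacity):
    """Rank rules by the bytes they match; the top hw_capacity go to the hardware switch, the rest to software."""
    volume = defaultdict(int)
    for sender, receiver, dst_ip, nbytes in flows:
        rule = match_rule(rules, sender, receiver, dst_ip)
        if rule is not None:
            volume[rule] += nbytes
    ranked = sorted(rules, key=lambda r: volume[r], reverse=True)
    hw, sw = ranked[:hw_capacity], ranked[hw_capacity:]
    total = sum(volume.values())
    return hw, sw, (sum(volume[r] for r in hw) / total if total else 0.0)


if __name__ == "__main__":
    rules = build_allow_rules(ANNOUNCEMENTS)
    legit, dropped = classify(rules, FLOWS)
    hw, sw, share = split_heavy_hitters(rules, FLOWS, hw_capacity=2)
    print(f"{len(rules)} allow rules, {len(legit)} legitimate flows, {len(dropped)} dropped")
    print(f"{len(hw)} rules in hardware handle {share:.1%} of legitimate volume; {len(sw)} rules in software")
```

With two of the five rules in hardware, about 95% of the sample's legitimate volume is matched by the hardware table, the kind of skew the abstract relies on. The two flows with no matching rule are what a proactive filter drops; one of them is the subtle case where a member sends traffic for a prefix that the destination did announce, but to a different member.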
34

Holmström, Anton, and Anton Barsk. "Informationssäkerhet i kommunala förvaltningar : kultur, medvetenhet och ansvar." Thesis, Luleå tekniska universitet, Digitala tjänster och system, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-74413.

Full text
Abstract:
Information is handled, stored and used by all types of organisations in conjunction with digitization. Information is an important business driver in the business processes of most organisations; therefore the protection of information is crucial. Information security is not solely a technical question and is therefore affected by the organisational culture, employees' security awareness and the role of management and individuals. The study uses a qualitative method for data collection with an abductive approach. In the study, we interviewed nine employees within different municipal administrations to examine how they work with information security. In the analysis we investigate the correlation between theory and the existing situation. In the discussion we highlight the importance of management participation and the effect it has on information security, security awareness and organisational culture. We also discuss the importance of the involvement of individuals in information security and how it affects its effectiveness. The study shows the municipalities' shortcomings within information security and the importance of individuals' and management's responsibility for an effective and secure organisation.
APA, Harvard, Vancouver, ISO, and other styles
35

Carlsson, Olivia. "Auktorisering i system för digitalt bevarande." Thesis, Mittuniversitetet, Institutionen för informationssystem och –teknologi, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-37260.

Full text
Abstract:
The purpose is to investigate, analyze and clarify the relationship between authorization and security policy for digital preservation systems. Information security comes into focus when digital preservation systems are discussed. The handling of electronic documents in digital preservation systems is now widespread and a large part of many activities. This means that the business must ensure that it protects against the loss of information stored in the digital preservation system. Authorization and security policy are relevant to archive and information science because digital objects in digital preservation systems are to be protected from unauthorized access. Using a qualitative method, the research goes through security policy, systems and models for access architecture. With an open approach and open questions, the research is summarized with a discussion of the most important conclusions for access management for digital preservation systems, which are mainly built on roles. It is of great importance that the company uses roles and authorization levels to ensure that everyone knows with certainty what they are allowed to do and what they are not.
APA, Harvard, Vancouver, ISO, and other styles
36

Ring, Eggers Gustav Emil, and Petter Olsson. "Informationssäkerhet vs. Affärsmål : Ett arbete om hur svenska startups hanterar sin informationssäkerhet." Thesis, Uppsala universitet, Institutionen för informatik och media, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-341513.

Full text
Abstract:
Running a startup in an information-based society brings many challenges. To succeed, the company's resources must be used properly. At a time when information security plays an increasingly large role, a balance must be struck between achieving a good level of security and prioritizing the business aspects. This thesis examines how Swedish startups manage their information security. It also examines how widespread awareness of information security is within six Swedish startups and how much it is prioritized. The results of the study show that awareness of information security is high, but there are still shortcomings in putting this awareness into practice. The study also shows that business-oriented goals are the highest priority within a Swedish startup.
APA, Harvard, Vancouver, ISO, and other styles
37

Kutnar, Petr. "Informační strategie firmy." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2016. http://www.nusl.cz/ntk/nusl-241608.

Full text
Abstract:
This thesis describes the design of an information strategy for the Faculty Hospital in Brno, which is the largest provider of health services in Moravia. The first part presents the theoretical background used. The following chapter contains analyses that aim to precisely describe the current situation of the organization. The third part contains a draft of a new information strategy from several perspectives. At the end of this chapter there is a detailed time analysis using the PERT methodology. The last part evaluates the costs and benefits of the new information strategy of the Faculty Hospital.
APA, Harvard, Vancouver, ISO, and other styles
38

Andersson, Simon, and Andreas Forsberg. "Användarinvolvering för ökad medvetenhet : En studie om policyutvecklingsprocessen." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-74419.

Full text
Abstract:
Many organisations experience the new General Data Protection Regulation (GDPR) as difficult to understand and are unsure how they should formulate and communicate a policy that the organisation's employees will comply with. ePrivacy is a separate regulation that works as a complement to the GDPR and makes the regulation even more complex. The purpose of this study is to identify recommendations for formulating policies that increase the likelihood that the policy is complied with by the organisation's employees. The study was conducted as a case study with a participating company. In this study a policy was developed within the context of the GDPR and ePrivacy and was then used in interviews with employees of the participating company. This was done in order to research the policy development process and the handling of policies in that company. With this research, knowledge of the factors within policy development that affect the employees' likelihood of complying with and being aware of the organisation's policies will increase. The recommendations formulated as a result of the study may be used by developers to increase the likelihood that the organisation's policies are complied with and that employees are more aware of the policies. The recommendation of the study is that developers should take advantage of user involvement in the policy development process. This gives employees the chance to affect their own work and their processes themselves, which will increase their self-efficacy and awareness of policies.
APA, Harvard, Vancouver, ISO, and other styles
39

Ott, Amon [Verfasser]. "Mandatory Rule Set Based Access Control in Linux : A Multi-Policy Security Framework and Role Model Solution for Access Control in Networked Linux Systems / Amon Ott." Aachen : Shaker, 2007. http://d-nb.info/1166511898/34.

Full text
APA, Harvard, Vancouver, ISO, and other styles
40

Riegl, Tomáš. "Zavedení Managementu Informační Bezpečnosti v IT podniku." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2014. http://www.nusl.cz/ntk/nusl-224623.

Full text
Abstract:
This thesis deals with the introduction of an information security management system in an IT enterprise. It includes the theoretical knowledge necessary for understanding this issue and its application to the analysis of the current state of information security, risk analysis and risk management, and, last but not least, to the actual implementation of the information security management system in the company. The implementation of the ISMS was divided into two phases. This thesis details the first phase.
APA, Harvard, Vancouver, ISO, and other styles
41

Haddad, Mehdi. "Access control and inference problem in data integration systems." Thesis, Lyon, INSA, 2014. http://www.theses.fr/2014ISAL0107/document.

Full text
Abstract:
In this thesis we are interested in controlling access to a data integration system. In a data integration system, a mediator is defined. This mediator aims at providing a unique entry point to several heterogeneous sources. In this kind of architecture, security aspects, and access control in particular, represent a major challenge. Indeed, every source, designed independently of the others, defines its own access control policy. The problem is then: "How to define a representative policy at the mediator level that preserves the policies of the sources involved in building the mediator?" Preserving the sources' policies means that an access prohibited at the source level should also be prohibited at the mediator level. Also, the policy of the mediator needs to protect data against indirect accesses. An indirect access occurs when one could synthesize sensitive information from the combination of non-sensitive information and the semantic constraints linking it. Detecting all indirect accesses in a given system is referred to as the inference problem. In this manuscript, we propose an incremental methodology able to tackle the inference problem in a data integration context. This methodology has three phases. The first phase, the propagation phase, combines the source policies and thereby generates a preliminary policy at the mediator level. The second phase, the detection phase, characterizes the role of semantic constraints in inducing inferences about sensitive information. We also introduce in this phase a graph-based approach able to enumerate all indirect accesses that could lead to accessing sensitive information. In order to deal with the detected indirect accesses, we introduce the reconfiguration phase, which provides two solutions. The first solution is implemented at design time. The second solution is implemented at runtime.
APA, Harvard, Vancouver, ISO, and other styles
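To make the three phases of the abstract above concrete, here is an added Python illustration (not code from the thesis; the source policies, attribute names, semantic constraints and the particular design-time hardening strategy are all assumptions made for this example). Propagation unions the source prohibitions into a mediator policy, detection forward-chains the constraints from the attributes a role may read and reports any prohibited attribute it reaches together with the inference trace, and the reconfiguration phase is shown in both of its forms: a design-time variant that extends the prohibitions until no inference remains, and a runtime variant that evaluates each query's inferential closure instead.

```python
"""Constructed illustration of the inference problem at a data-integration mediator (added example, not thesis code)."""
from collections import defaultdict

# Constructed source policies: source -> {attribute: roles prohibited from reading it}.
SOURCE_POLICIES = {
    "hospital": {"patient.ssn": {"billing", "research"}, "patient.diagnosis": {"billing"}},
    "pharmacy": {"prescription.drug": {"research"}},
}

# Constructed semantic constraints: (premise attributes, attribute they determine, label).
CONSTRAINTS = [
    (frozenset({"patient.id"}), "patient.name", "functional dependency patient.id -> patient.name"),
    (frozenset({"patient.name", "patient.zip"}), "patient.ssn", "name + zip re-identify a person in a public register"),
    (frozenset({"prescription.drug"}), "patient.diagnosis", "the prescribed drug reveals the diagnosis"),
]


def all_attributes(policies, constraints):
    attrs = {attr for policy in policies.values() for attr in policy}
    for premises, conclusion, _ in constraints:
        attrs |= premises | {conclusion}
    return attrs


def propagate(source_policies):
    """Propagation phase: an access prohibited at any source is prohibited at the mediator."""
    mediator = defaultdict(set)
    for policy in source_policies.values():
        for attr, roles in policy.items():
            mediator[attr] |= set(roles)
    return dict(mediator)


def forbidden_for(policy, role):
    return {attr for attr, roles in policy.items() if role in roles}


def closure(known, constraints):
    """Forward-chain the constraints from `known`; return what becomes derivable and the firings (the inference trace)."""
    known, trace = set(known), []
    changed = True
    while changed:
        changed = False
        for premises, conclusion, label in constraints:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                trace.append((sorted(premises), conclusion, label))
                changed = True
    return known, trace


def detect(policy, constraints, role, attrs):
    """Detection phase: prohibited attributes the role reaches by inference from everything it may read."""
    forbidden = forbidden_for(policy, role)
    derived, trace = closure(attrs - forbidden, constraints)
    return sorted(derived & forbidden), trace


def harden_at_design_time(policy, constraints, role, attrs):
    """Design-time reconfiguration (one simple strategy, assumed here): also prohibit the first premise of every
    constraint that fired, and repeat until detection is clean. Conservative: it can over-restrict the role."""
    hardened = {attr: set(roles) for attr, roles in policy.items()}
    while True:
        leaked, trace = detect(hardened, constraints, role, attrs)
        if not leaked:
            return hardened
        for premises, _, _ in trace:
            hardened.setdefault(premises[0], set()).add(role)


def check_query(policy, constraints, role, requested):
    """Runtime reconfiguration: judge a query by what it lets the role infer, not only by what it names."""
    forbidden, requested = forbidden_for(policy, role), set(requested)
    if requested & forbidden:
        return False, f"direct access to {sorted(requested & forbidden)}"
    derived, trace = closure(requested, constraints)
    leaked = derived & forbidden
    if leaked:
        return False, f"indirect access to {sorted(leaked)} via: " + "; ".join(t[2] for t in trace)
    return True, "ok"


MEDIATOR_POLICY = propagate(SOURCE_POLICIES)
ATTRS = all_attributes(SOURCE_POLICIES, CONSTRAINTS)

if __name__ == "__main__":
    for role in ("billing", "research"):
        leaked, trace = detect(MEDIATOR_POLICY, CONSTRAINTS, role, ATTRS)
        print(role, "can infer", leaked, "through", [t[2] for t in trace])
    print(check_query(MEDIATOR_POLICY, CONSTRAINTS, "billing", {"patient.id", "patient.zip"}))
    hardened = harden_at_design_time(MEDIATOR_POLICY, CONSTRAINTS, "billing", ATTRS)
    print("after design-time hardening, billing may read only", sorted(ATTRS - forbidden_for(hardened, "billing")))
```

The two reconfiguration variants trade differently: the design-time closure leaves the billing role able to read only the postal code, because every other attribute sits on some inference chain, whereas the runtime check still answers a query for the patient's name alone and only refuses the combination (name or id, plus zip) that re-identifies the record. That difference is why the abstract keeps both solutions rather than choosing one.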
42

Ryšánek, Vladimír. "Posouzení informačního systému firmy a návrh změn." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-223769.

Full text
Abstract:
This thesis focuses on the analysis of the current state of an information system in order to detect its deficiencies and to propose measures for their elimination. Through the application of selected methods, it reveals a lack in the system security policy, on which the thesis further focuses. It specifies how to implement asset assessment as part of risk management in the company and also contains its own security policy solution using the Safetica software, which helps reduce the likelihood of security incidents in the company.
APA, Harvard, Vancouver, ISO, and other styles
43

Konečný, Martin. "GAP analýza systému řízení bezpečnosti informací." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2019. http://www.nusl.cz/ntk/nusl-399368.

Full text
Abstract:
The master's thesis focuses on a GAP analysis of an information security management system. The thesis consists of theoretical, analytical and practical parts. The first part discusses the theoretical background of information and cyber security. The analytical part describes the current condition of the researched company. The thesis's output is a draft risk register and a draft for the implementation of security countermeasures. The draft focuses on countermeasures that increase information security in the company.
APA, Harvard, Vancouver, ISO, and other styles
44

Pech, Jan. "Aplikace zákona a vyhlášky o kybernetické bezpečnosti na úřadech státní správy." Master's thesis, Vysoká škola ekonomická v Praze, 2016. http://www.nusl.cz/ntk/nusl-203989.

Full text
Abstract:
The thesis is focused on the Czech Act No. 181/2014 Sb., on cyber security, and its subsequent regulations. It introduces the origin and importance of the act, defines the state administration office that identifies important information systems according to the regulations, and subsequently analyses in detail the act and the regulation on cyber security in relation to the defined state administration office. The keynote of this thesis is to show the real application of the obligations identified in the act and regulation to the defined state administration office, especially the design, implementation and management of organizational and technical security measures, including an evaluation of the real impact on information security. To achieve the set goals, the author of this thesis uses an analysis of the legislation and draws the author's own conclusions from the position of a security technologist who actively participated in the design of the security policy and in the implementation and management of security tools. The benefit of this thesis is a complex overview of the work of security employees at the defined state administration office, an overview of the real fulfilment of the obligations of the act and regulation on cyber security, and ultimately ideas for the further development of technical security tools. This thesis can benefit other administrators of important information systems as a set of processes, proposals and recommendations for their own information security management system. The thesis is structurally divided into four main parts. The first, theoretical part introduces the origin, importance and impact of the act on state and private organizations. The second, analytical part analyses the act and subsequent regulations in relation to the defined state administration office. The third, practical part shows the real application of organizational and technical security measures. The fourth and last part evaluates the real impact of the measures on information security.
APA, Harvard, Vancouver, ISO, and other styles
45

Huin, Leslie. "Sécurité d'accès dans les Systèmes d'Information Coopératifs : modélisation et Implémentation à l'aide d'agents." Thesis, Lyon 3, 2012. http://www.theses.fr/2012LYO30028.

Full text
Abstract:
Sharing heterogeneous, distributed and independent data sources can be solved by building a Cooperative Information System (CIS). A CIS is a set of more or less autonomous, often pre-existing components that work synergistically by exchanging information and expertise and coordinating their activities. This must take into account interoperability issues related to differences in data description and in the representation of semantics. Data management is provided without using a comprehensive global schema, in order to respect the autonomy of the local databases. In this context, we chose to treat access security in order to ensure the confidentiality and integrity of the cooperation's data. Security adds new heterogeneity and conflict-resolution problems to those that already exist in data cooperation. We use two canonical models proposed by the MODEME team to represent the local data schemas and security policies in a unified way. We build a system to manage the interoperation of data and security policies and the secure resolution of global queries. We have chosen to implement our system using the multi-agent paradigm, with a schema integration and mediation approach. Two protocols have been defined, one for each feature of the system: a knowledge management protocol that addresses the problem of interoperability between the different modes of data representation and the different security models and generates the matches between these models; and a query resolution protocol that uses the global knowledge built beforehand and aims to present results that are semantically consistent and secure. The agents are described in terms of their goals, their interactions and their knowledge, by defining their role in each protocol, including the key role of security mediator. An experimental scenario illustrates on a concrete case the generation of knowledge from the local schemas and the complex development of the access control protocol.
APA, Harvard, Vancouver, ISO, and other styles
46

Mráčková, Kateřina. "Návrh metodiky bezpečnosti informací v podniku provozující elektronický obchod." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2013. http://www.nusl.cz/ntk/nusl-224218.

Full text
Abstract:
The thesis deals with the analysis of security management in a company selling goods both through a physical shop and through electronic commerce. The assets and the threats affecting them were identified, and a risk analysis and selected measures were evaluated. The work is based on the theoretical background from the ISO/IEC 27000 series of standards given in its first part.
APA, Harvard, Vancouver, ISO, and other styles
47

Veselý, Martin. "Hodnocení zabezpečení obchodních informací." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2009. http://www.nusl.cz/ntk/nusl-222175.

Full text
Abstract:
The thesis ”Rating of security business information” is focused on creating metrics in order to assess the security of the information system of the company Tech4sec, spol. s r.o. Risks of the information system and their impact on the economy of the company are elaborated by applying the created metrics. The thesis also deals with building the part of the company's IS/IT strategy that leads to the elimination of the risks found.
APA, Harvard, Vancouver, ISO, and other styles
48

Mashima, Daisuke. "Safeguarding health data with enhanced accountability and patient awareness." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/45775.

Full text
Abstract:
Several factors are driving the transition from paper-based health records to electronic health record systems. In the United States, the adoption rate of electronic health record systems significantly increased after the "Meaningful Use" incentive program was started in 2009. While increased use of electronic health record systems could improve the efficiency and quality of healthcare services, it can also lead to a number of security and privacy issues, such as identity theft and healthcare fraud. Such incidents could have a negative impact on the trustworthiness of electronic health record technology itself and thereby limit its benefits. In this dissertation, we tackle three challenges that we believe are important to improve security and privacy in electronic health record systems. Our approach is based on an analysis of real-world incidents, namely theft and misuse of patient identity, unauthorized usage and update of electronic health records, and threats from insiders in healthcare organizations. Our contributions include the design and development of a user-centric monitoring agent system that works on behalf of a patient (i.e., an end user) and securely monitors usage of the patient's identity credentials as well as access to her electronic health records. Such a monitoring agent can enhance the patient's awareness and control and improve accountability for health records even in a distributed, multi-domain environment, which is typical in an e-healthcare setting. This will reduce the risk and loss caused by misuse of stolen data. In addition to the solution from a patient's perspective, we also propose a secure system architecture that can be used in healthcare organizations to enable robust auditing and management of client devices. This helps us further enhance patients' confidence in the secure use of their health data.
APA, Harvard, Vancouver, ISO, and other styles
49

Venturini, Yeda Regina. "MOS - Modelo Ontológico de Segurança para negociação de política de controle de acesso em multidomínios." Universidade de São Paulo, 2006. http://www.teses.usp.br/teses/disponiveis/3/3141/tde-19092006-165220/.

Full text
Abstract:
The evolution of network technology and the growing number of fixed and portable devices belonging to a single user, which share resources among themselves, have introduced new concepts and challenges in networking and information security. This new reality motivated a project to enable the formation of personal security domains and the secure association between such domains, forming a multi-domain. Multi-domain formation introduces new challenges for defining the access-control security policy, since a multi-domain is composed of distinct administrative domains that must share their resources for collaborative work. This work presents the main concepts involved in forming personal security domains and multi-domains, and proposes a security model to enable the negotiation and dynamic composition of the access-control security policy in these environments. The proposed model is called the Ontological Security Model (MOS, Modelo Ontológico de Segurança). MOS is a role-based access control model whose elements are defined by an ontology. The ontology defines a common, standardized semantic language, allowing the policy to be interpreted by the different domains. Policy negotiation takes place through the definition of an import policy and an export policy for each domain; these policies reflect each domain's partial contribution to the multi-domain policy. The use of an ontology allows the dynamic composition of the multi-domain policy, as well as the verification and resolution of conflicts of interest, which reflect incompatibilities between import and export policies. MOS was validated by analysing its feasibility for personal multi-domains; the analysis was carried out by defining a concrete model and simulating the negotiation and composition of the access-control policy, using a multi-domain for research projects as the simulation scenario. The results show that MOS allows the definition of an automatable procedure for creating the access-control policy in multi-domains.
APA, Harvard, Vancouver, ISO, and other styles
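The import/export negotiation described in the abstract, as an added example (this is not the MOS implementation; its ontology and rule syntax are not given on this page). The code assumes a tiny hand-built concept hierarchy standing in for the ontology, a per-domain vocabulary that maps local terms onto that hierarchy, and a simple rule: a domain's import request is granted when some partner exports a permission whose role, action and resource each subsume the request; anything else is reported as a conflict between the import and export policies. The two domains and their policies are constructed for the example.

```python
"""Composing a multi-domain RBAC policy from per-domain export/import policies
over a shared vocabulary. Added illustration; not the MOS model itself."""
from dataclasses import dataclass

# Stand-in "ontology": concept -> more specific concepts (assumption: a flat
# subsumption hierarchy is enough to show cross-domain interpretation).
ONTOLOGY = {
    "Document": {"Report", "Dataset"},
    "Report": set(), "Dataset": set(),
    "Read": set(), "Write": set(),
    "Researcher": {"PrincipalInvestigator"},
    "PrincipalInvestigator": set(),
}

def subsumes(general, specific):
    """True if `specific` is `general` or a descendant of it in ONTOLOGY."""
    if general == specific:
        return True
    return any(subsumes(child, specific) for child in ONTOLOGY.get(general, ()))

@dataclass(frozen=True)
class Permission:
    role: str       # ontology concepts, never local terms
    action: str
    resource: str

@dataclass
class Domain:
    name: str
    vocabulary: dict   # local term -> ontology concept
    export: list       # what this domain offers to partners (local terms)
    imports: list      # what this domain's roles need from partners (local terms)

    def _to_ontology(self, local):
        role, action, resource = local
        return Permission(self.vocabulary[role], self.vocabulary[action],
                          self.vocabulary[resource])

    def exported(self):
        return [self._to_ontology(p) for p in self.export]

    def imported(self):
        return [self._to_ontology(p) for p in self.imports]

def compose(domains):
    """Return (granted, conflicts). Each import request is matched against the
    export policies of the other domains; an unmatched request is a conflict."""
    granted, conflicts = [], []
    for a in domains:
        offers = [p for b in domains if b is not a for p in b.exported()]
        for need in a.imported():
            match = next((o for o in offers
                          if subsumes(o.role, need.role)
                          and subsumes(o.action, need.action)
                          and subsumes(o.resource, need.resource)), None)
            if match is not None:
                granted.append((a.name, need, match))
            else:
                conflicts.append((a.name, need))
    return granted, conflicts

def sample_domains():
    """Two constructed research-lab domains with different local vocabularies."""
    lab_a = Domain(
        name="lab_a",
        vocabulary={"pi": "PrincipalInvestigator", "researcher": "Researcher",
                    "view": "Read", "edit": "Write",
                    "paper": "Report", "data": "Dataset", "doc": "Document"},
        export=[("researcher", "view", "doc")],   # any researcher may read any document
        imports=[("pi", "edit", "data")],          # our PI wants to write partner datasets
    )
    lab_b = Domain(
        name="lab_b",
        vocabulary={"scientist": "Researcher", "lead": "PrincipalInvestigator",
                    "read": "Read", "modify": "Write",
                    "report": "Report", "dataset": "Dataset"},
        export=[("scientist", "read", "report")],  # partners may only read reports
        imports=[("lead", "read", "dataset")],     # our lead wants to read partner datasets
    )
    return [lab_a, lab_b]

def run_example():
    return compose(sample_domains())

if __name__ == "__main__":
    granted, conflicts = run_example()
    for who, need, offer in granted:
        print(f"{who}: {need} granted via {offer}")
    for who, need in conflicts:
        print(f"{who}: {need} CONFLICT (no export covers it)")
```

lab_b's request is satisfied because lab_a exports "Researcher Read Document", which subsumes "PrincipalInvestigator Read Dataset" through the hierarchy; lab_a's request to write datasets is a conflict, since lab_b only exports read access to reports. In a negotiation that conflict would go back to lab_b as a request to widen its export policy or to lab_a to narrow its import policy; this example only detects it.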
50

Salim, Farzad. "Detecting and resolving redundancies in EP3P policies." Thesis, Faculty of Computer Science and Software Engineering, University of Wollongong, 2006. https://eprints.qut.edu.au/28175/1/c28175.pdf.

Full text
Abstract:
Current regulatory requirements on data privacy make it increasingly important for enterprises to be able to verify and audit their compliance with their privacy policies. Traditionally, a privacy policy is written in a natural language. Such policies inherit the potential ambiguity, inconsistency and misinterpretation of natural text. Hence, formal languages are emerging to allow a precise specification of enforceable privacy policies that can be verified. The EP3P language is one such formal language. An EP3P privacy policy of an enterprise consists of many rules. Given the semantics of the language, there may exist some rules in the ruleset which can never be used; these rules are referred to as redundant rules. Redundancies adversely affect privacy policies in several ways. Firstly, redundant rules reduce the efficiency of operations on privacy policies. Secondly, they may misdirect the policy auditor when determining the outcome of a policy. Therefore, in order to address these deficiencies it is important to identify and resolve redundancies. This thesis introduces the concept of a minimal privacy policy - a policy that is free of redundancy. The essential component for maintaining the minimality of privacy policies is to determine the effects of the rules on each other. Hence, redundancy detection and resolution frameworks are proposed. Pair-wise redundancy detection is the central concept in these frameworks: it suggests a pair-wise comparison of the rules in order to detect redundancies. In addition, the thesis introduces a policy management tool that assists policy auditors in performing several operations on an EP3P privacy policy while maintaining its minimality. Formal results comparing alternative notions of redundancy, and how these would affect the tool, are also presented.
APA, Harvard, Vancouver, ISO, and other styles
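Redundancy detection and resolution on a small rule-based privacy policy, as an added example (not the thesis's tool, and not EP3P: its syntax and semantics are not given on this page, so the code assumes a simplified model in which rules are evaluated in order and the first matching rule decides, with a default ruling of deny when nothing matches). It contrasts the cheap pair-wise notion from the abstract, a rule shadowed by an earlier rule that covers it, with the exact semantic notion, a rule whose removal changes no decision over the finite attribute domains, and then greedily minimises the policy. The attribute domains and the six-rule policy are constructed for the example.

```python
"""Pair-wise vs. semantic redundancy in an ordered, first-match privacy policy.
Added illustration with a simplified rule model; not EP3P or the thesis tool."""
from dataclasses import dataclass
from itertools import product

# Constructed finite attribute domains; "*" in a rule means "any value".
DOMAINS = {
    "user": {"doctor", "nurse", "billing"},
    "data": {"diagnosis", "address", "invoice"},
    "purpose": {"treatment", "payment", "marketing"},
}
DEFAULT_RULING = "deny"   # assumption: closed policy when no rule matches

@dataclass(frozen=True)
class Rule:
    user: str
    data: str
    purpose: str
    ruling: str

    def covers(self, other):
        """True if every request matched by `other` is also matched by self."""
        return all(getattr(self, a) in ("*", getattr(other, a)) for a in DOMAINS)

    def matches(self, req):
        return all(getattr(self, a) in ("*", req[a]) for a in DOMAINS)

def decide(rules, req):
    """First-match semantics (assumed)."""
    for r in rules:
        if r.matches(req):
            return r.ruling
    return DEFAULT_RULING

def shadowed(rules):
    """Pair-wise detection: index j is redundant if an earlier rule covers it,
    because no request can ever reach rule j. Sufficient, not necessary."""
    return {j for j, rj in enumerate(rules)
            for ri in rules[:j] if ri.covers(rj)}

def all_requests():
    keys = list(DOMAINS)
    return [dict(zip(keys, vals)) for vals in product(*(DOMAINS[k] for k in keys))]

def semantically_redundant(rules):
    """Exact detection over the finite domains: index i is redundant if dropping
    rule i changes no decision for any request."""
    reqs = all_requests()
    base = [decide(rules, q) for q in reqs]
    return {i for i in range(len(rules))
            if [decide(rules[:i] + rules[i + 1:], q) for q in reqs] == base}

def minimise(rules):
    """Resolution: drop one redundant rule at a time and re-check, because two
    rules can each be redundant only while the other is present."""
    rules = list(rules)
    while True:
        redundant = semantically_redundant(rules)
        if not redundant:
            return rules
        del rules[min(redundant)]

# Constructed policy; comments state why each rule is or is not redundant.
POLICY = [
    Rule("doctor", "diagnosis", "treatment", "allow"),   # 0: duplicated by rule 1
    Rule("*", "diagnosis", "treatment", "allow"),        # 1: needed (nurses)
    Rule("billing", "invoice", "payment", "allow"),      # 2: needed
    Rule("billing", "invoice", "payment", "deny"),       # 3: shadowed by rule 2
    Rule("*", "*", "marketing", "deny"),                 # 4: equals the default ruling
    Rule("nurse", "address", "treatment", "allow"),      # 5: needed
]

if __name__ == "__main__":
    print("shadowed (pair-wise):", sorted(shadowed(POLICY)))
    print("redundant (semantic):", sorted(semantically_redundant(POLICY)))
    for r in minimise(POLICY):
        print("keep:", r)
```

The pair-wise check only finds rule 3; the semantic check also flags rule 0 (its effect is already produced by the later, wider rule 1) and rule 4 (it restates the default). Note that rule 4 is redundant only because the default is deny: a policy auditor who relies on the pair-wise notion alone would keep it, which is the kind of difference between notions of redundancy the abstract refers to.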