Theses on the topic "Information security"

See the top 50 works (theses or dissertations) for research on the topic "Information security".

1

Tyukala, Mkhululi. "Governing information security using organisational information security profiles". Thesis, Nelson Mandela Metropolitan University, 2007. http://hdl.handle.net/10948/626.

Abstract:
The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, the OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness.
This dissertation also presents how the effectiveness or ineffectiveness of information security can be presented at board level using well known visualisation methods. Finally the contribution, limits and areas that need more investigation are provided.
2

Åhlfeldt, Rose-Mharie. "Information Security in Home Healthcare". Thesis, Högskolan i Skövde, Institutionen för datavetenskap, 2001. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-618.

Abstract:
Healthcare is very information-intensive. Hence, it has become necessary to use the support of computers in order to efficiently improve such an information-intensive organisation. This thesis points out deficiencies in the area of information security in home healthcare regarding personal integrity and secrecy. Home healthcare is, in Sweden, performed by the municipalities. The work is based on the recommendations and common advice for processing of personal data compiled by the Data Inspection Board. Two municipalities in the Västra Götaland Region have been investigated. One of the municipalities has a manual system and the other has a computerized system for personal data management. The work includes a field study where persons from both municipalities have been observed. It also includes interviews based on the comprehensive questions from the Data Inspection Board and questions arisen from the observations. The work shows a very clear need of training among personnel involved in home healthcare. It also shows the need for elaborate security measures including levels on access profiles. A weak point concerning security is also the heavy use of facsimile transmission for information distribution.
3

Yucel, Okan. "Information System Security". Master's thesis, METU, 2003. http://etd.lib.metu.edu.tr/upload/4/1260303/index.pdf.

Abstract:
This thesis analyzes the physical, communicational, and organizational dimensions of information system security process by taking the four-layer approach, which is composed of the policy, model, architecture, and mechanisms into account. Within this scope, according to the results of the security analysis of information systems in METU Informatics Institute, the policy, model, architecture, and mechanisms necessary to prepare a new security process were proposed. As a subcomponent of this proposed security process, the network security of the IS100 course was partially established, and the generated results were evaluated.
4

Saltysh, S. "Information security: passwords". Thesis, Sumy State University, 2014. http://essuir.sumdu.edu.ua/handle/123456789/45430.

Abstract:
Many people have accounts in different sites, and the problem is that hundreds of millions of passwords are being compromised by cybercriminals every year. People finally need to understand that the Internet is a very hostile place, while online service providers need to finally start taking network security seriously. One of the world’s leading password crackers just got better and is now able to crack passwords of up to 55 characters in length and algorithms such as TrueCrypt 5.0+, LastPass and Samsung Android Password/PIN.
5

Burkhead, Randy L. "A phenomenological study of information security incidents experienced by information security professionals providing corporate information security incident management". Thesis, Capella University, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=3682325.

Abstract:

The security of digital information is paramount to the success of private organizations. Violating that security is a multi-billion-dollar criminal business and exploiting these vulnerabilities creates a single point of failure for operations. Thus, understanding the detection, identification, and response to information security incidents is critical to protecting all levels of infrastructure. The lived experiences of current professionals indicate 10 unique themes in regards to how information security incidents are addressed in private organizations. These unique themes led the researcher to offer several conclusions related to the importance of planning, communication, offensive capabilities, and integration with third-party organizations. Information security incident management is accomplished as an escalation process with multiple decision points leading to a restoration of services or security. The source of the incident is not often sought beyond the first external IP address but their purpose and intent are essential to information security incident management. The key lessons learned from professionals include the importance of having a plan, training the plan, and incorporating the human elements of security into information security incident response. Penetration testing as well as knowledge about threat and attack patterns are important to information security incident management for detection, containment, and remediation. External organizations play a major role in the management of information security incidents as fear, incompetence, and jurisdictional issues keep the private sector from working with government, military, and law enforcement organizations. These themes have wide reaching implications for practical application and future research projects.

6

Alfawaz, Salahuddin M. "Information security management : a case study of an information security culture". Thesis, Queensland University of Technology, 2011. https://eprints.qut.edu.au/41777/1/Salahuddin_Alfawaz_Thesis.pdf.

Abstract:
This thesis argues that in order to establish a sound information security culture it is necessary to look at organisation's information security systems in a socio-technical context. The motivation for this research stems from the continuing concern of ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and non-technical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals' behaviour and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabia context. The theoretical foundation for the study is based on organisational and national culture theories. A conceptual framework for this study was constructed based on Peterson and Smith's (1997) model of national culture. This framework guides the study of national, organisational and technological values and their relationships to the development of information security culture. Further, the study seeks to better understand how these values might affect the development and deployment of an organisation's information security culture. Drawing on evidence from three exploratory case studies, an emergent conceptual framework was developed from the traditional human behaviour and the social environment perspectives used in social work. This framework contributes to information security management by identifying behaviours related to four modes of information security practice. These modes provide a sound basis that can be used to evaluate individual organisational members' behaviour and the adequacy of existing security measures. The results confirm the plausibility of the four modes of practice. Furthermore, a final framework was developed by integrating the four modes framework into the research framework.
The outcomes of the three case studies demonstrate that some of the national, organisational and technological values have clear impacts on the development and deployment of organisations' information security culture. This research, by providing an understanding of the influence of national, organisational and technological values on individuals' information security behaviour, contributes to building a theory of information security culture development within an organisational context. The research reports on the development of an integrated information security culture model that highlights recommendations for developing an information security culture. The research framework, introduced by this research, is put forward as a robust starting point for further related work in this area.
7

Lund, Per. "Information Security Awareness amongst students : A study about information security awareness at universities". Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-70873.

Abstract:
In the era of information, it has become vital for companies to make sure that their information is properly protected. They are therefore, willing to spend large amounts of resources on protecting their information. This can usually be done in a large variety of ways. The root of information security is first and foremost, having policies that regulate how information security is upheld. And secondly, by teaching employees proper practice of information security. These are however procedures that are not all that common in a university environment, and even more so in relation to students. In order to explore this phenomenon further, an exploratory study has been carried out to find more information on the subject. This has been done in several ways in order to grasp as much information as possible. Firstly, by doing a literary study to find out what is already known within the field of information security in regard to students. Secondly, by doing a quantitative study that evaluates the student’s information security awareness. And lastly, by conducting an interview with a member of staff at a university to find out their attitude towards the phenomenon. The thesis concludes by suggesting how universities might want to handle information security in relationship to students.
8

Rastogi, Rahul. "Information security service management : a service management approach to information security management". Thesis, Nelson Mandela Metropolitan University, 2011. http://hdl.handle.net/10948/1389.

Abstract:
In today’s world, information and the associated Information Technology are critical assets for many organizations. Any information security breach, or compromise of these assets, can lead to serious implications for organizations that are heavily dependent on these assets. For such organizations, information security becomes vital. Organizations deploy an information security infrastructure for protecting their information assets. This infrastructure consists of policies and controls. Organizations also create an information security management system for managing information security in the organization. While some of the policies and controls are of a purely technical nature, many depend upon the actions of end-users. However, end-users are known to exhibit both compliant and noncompliant behaviours in respect of these information security policies and controls in the organization. Non-compliant information security behaviours of end-users have the potential to lead to information security breaches. Non-compliance thus needs to be controlled. The discipline of information security and its management have evolved over the years. However, the discipline has retained the technology-driven nature of its origin. In this context, the discipline has failed to adequately appreciate the role played by the end-users and the complexities of their behaviour, as it relates to information security policies and controls. The pervasive information security management philosophy is that of treating end-users as the enemy. Compliance is sought to be achieved through awareness programs, rewards, punishments and evermore strict policies and controls. This has led to a bureaucratic information security management approach. The philosophy of treating end-users as the enemy has had an adverse impact on information security in the organization. 
It can be said that rather than curbing non-compliance by end-users, the present-day bureaucratic approach to information security management has contributed to non-compliance. This thesis calls this the end-user crisis. This research aims at resolving this crisis by identifying an improved approach to information security management in the organization. This research has applied the service management approach to information security management. The resultant Information Security Service Management (ISSM) views end-users as assets and resources, and not as enemies. The central idea of ISSM is that the end-user is to be treated as a customer, whose needs are to be satisfied. This research presents ISSM. This research also presents the various components of ISSM to aid in its implementation in an organization.
9

Björck, Fredrik. "Discovering information security management /". Stockholm : Department of Computer and Systems Sciences, Stockholm University, 2005. http://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-718.

10

Talib, Shuhaili. "Personalising information security education". Thesis, University of Plymouth, 2014. http://hdl.handle.net/10026.1/2896.

Abstract:
Whilst technological solutions go a long way in providing protection for users online, it has been long understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection the control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one’s electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focussed primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focussed upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training – both in their workplace and also at home – with a positive relationship between learning at the workplace and practise at home. The survey highlighted one key aspect for both the training provided and the respondents’ preference for learning styles. It varies. It is also clear, that it was difficult to establish the effectiveness of such training and the impact upon practice. 
The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework “Personalising Information Security Education (PISE)” is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather, puts into place the processes to enable an individual to develop their own information security personalised learning plan and to measure their progress through the learning experience.
11

Wells, William Ward. "Information security program development". CSUSB ScholarWorks, 2004. https://scholarworks.lib.csusb.edu/etd-project/2585.

12

Крапивний, Іван Васильович, Иван Васильевич Крапивный, Ivan Vasylovych Krapyvnyi, Віталій Анатолійович Омельяненко, Виталий Анатольевич Омельяненко, Vitalii Anatoliiovych Omelianenko and V. O. Varakin. "Information security economic systems in national security country". Thesis, Sumy State University, 2015. http://essuir.sumdu.edu.ua/handle/123456789/43592.

Abstract:
In today's world, information security becomes vital for ensuring the interests of man, society and the state and the most important part of the whole system of national security. Doctrine considers all the work in the field of information based on the Concept of National Security of Ukraine. The doctrine identifies four main components of Ukraine's national interests in the information sphere.
13

Spandonidis, Bladimiros. "Linking Information Security Awareness to Information Security Management Strategy. A Study in an IT Company". Thesis, Linnéuniversitetet, Institutionen för informatik (IK), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-45894.

Abstract:
There is a great concern when it comes to the investigation of the parameters that affect the formulation of an information security management strategy in an organization. Amongst others, information security awareness is of great interest, mainly because it links the implementation of the information security policies to the consciousness and the psychology of the employees of an organization. State it otherwise, the information security awareness positively beholds the role of a bridge so as to help the IS managers to evaluate the level that the critical information of the organization are secured, and it offers to IS managers opportunities to develop suitable training programs and information security policies for all the employees of an organization. In the current thesis, we focused on the investigation of the factors that influence the behavior of the employees in order to accept any information security policy of the organization and to adopt information security awareness. The psychology of security and technology (POST™) framework (Layton, 2005) together with a PEST (Political, Economic, Social, Technology) analysis guide the investigation and offer the theoretical background for the conduction of a study in an IT Company. A qualitative research has been conducted and semi-structured interviews helped for the collection of the desired data. Also a thematic analysis and the use of a generic approach (Lichtman, 2013) helped for the analysis of the data. The final results gave the ability to identify in practice the employees’ information security awareness adoption level, to link the measurement findings to the development of an information security management strategy and to refine the POST™ framework for its greater advance.
14

Posthumus, Shaun Murray. "Corporate information risk : an information security governance framework". Thesis, Nelson Mandela Metropolitan University, 2006. http://hdl.handle.net/10948/814.

Abstract:
Information Security is currently viewed from a technical point of view only. Some authors believe that Information Security is a process that involves more than merely Risk Management at the department level, as it is also a strategic and potentially legal issue. Hence, there is a need to elevate the importance of Information Security to a governance level through Information Security Governance and propose a framework to help guide the Board of Directors in their Information Security Governance efforts. IT is a major facilitator of organizational business processes and these processes manipulate and transmit sensitive customer and financial information. IT, which involves major risks, may threaten the security of corporate information assets. Therefore, IT requires attention at board level to ensure that technology-related information risks are within an organization’s accepted risk appetite. However, IT issues are a neglected topic at board level and this could bring about enronesque disasters. Therefore, there is a need for the Board of Directors to direct and control IT-related risks effectively to reduce the potential for Information Security breaches and bring about a stronger system of internal control. The IT Oversight Committee is a proven means of achieving this, and this study further motivates the necessity for such a committee to solidify an organization’s Information Security posture among other IT-related issues.
15

Åhlfeldt, Rose-mharie. "Information Security in Home Healthcare". Thesis, University of Skövde, Department of Computer Science, 2001. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-618.

Abstract:

Healthcare is very information-intensive. Hence, it has become necessary to use the support of computers in order to efficiently improve such an information-intensive organisation.

This thesis points out deficiencies in the area of information security in home healthcare regarding personal integrity and secrecy. Home healthcare is, in Sweden, performed by the municipalities. The work is based on the recommendations and common advice for processing of personal data compiled by the Data Inspection Board. Two municipalities in the Västra Götaland Region have been investigated. One of the municipalities has a manual system and the other has a computerized system for personal data management.

The work includes a field study where persons from both municipalities have been observed. It also includes interviews based on the comprehensive questions from the Data Inspection Board and questions arisen from the observations.

The work shows a very clear need of training among personnel involved in home healthcare. It also shows the need for elaborate security measures including levels on access profiles. A weak point concerning security is also the heavy use of facsimile transmission for information distribution.

16

Petrakakos, Nikolaos Harilaos. "Port security and information technology". Thesis, Massachusetts Institute of Technology, 2005. http://hdl.handle.net/1721.1/33573.

Abstract:
Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Ocean Engineering, 2005.
Includes bibliographical references (p. 92).
The terrorist attacks of September 11th 2001 on New York and Washington DC shed light on the many security shortcomings that sea ports and the entire import and export process face. A primary source of these problems is the information sharing process which makes it hard to track the source of a problem in the import and export process due to lack of information and coordination. This thesis attempts to examine these data sharing problems by looking at what federal agencies, ports, and other private firms have been doing to solve the problems. The document exchange between various stakeholders and the process behind that was also examined to find potential problems. The reason behind doing this is because it is essential to understand the process and its problems before any meaningful results can be extracted from examining the efforts being done to solve the problems. The findings were similar for all cases showing that the primary reason preventing any of these problems to be solved is the unwillingness of commercial stakeholders to share information due to lack of incentives and privacy concerns.
by Nikolaos Harilaos Petrakakos.
S.M.
17

Beautement, A. "Optimising information security decision making". Thesis, University College London (University of London), 2013. http://discovery.ucl.ac.uk/1395123/.

Abstract:
The aim of the thesis is to investigate the relationship between human behaviour and effective security in order to develop tools and methods for supporting decision makers in the field of information security. A review of the literature of information security, Human Computer Interaction (HCI), and the economics of security reveals that the role of users in delivering effective security has largely been neglected. Security designers working without an understanding of the limitations of human cognition implement systems that, by their nature, offer perverse incentives to the user. The result is the adoption of insecure behaviour by the users in order to cope with the burdens placed upon them. Despite HCI identifying the need for increased usability in security, much of the research in the field of HCI Security (HCISec) still focuses on improving the usability of the interface to security systems, rather than the underlying system itself. In addition, while the impact of user non-compliance on the effectiveness of security has been demonstrated, most security design methods still rely on technical measures and controls to achieve their security aims. In recent years the need to incorporate human factors into security decision making has been recognised but this process is not supported by appropriate tools or methodologies. The traditional CIA framework used to express security goals lacks the flexibility and granularity to support the analysis of the trade-offs that are taking place. The research gap is therefore not so much one of knowledge (for much of the required information does exist in the fields of security and HCI) but rather how to combine this knowledge to form an effective decision making framework. This gap is addressed by combining the fields of security and HCI with economics in order to provide a utility-based approach that allows the effective balancing and management of human factors alongside more technical measures and controls.
The need to consider human effort as a limited resource is shown by highlighting the negative consequences of neglecting this axis of resource measurement. This need is expressed through the Compliance Budget model which treats users as perceptive actors conducting a cost/benefit analysis when faced with compliance decisions. Through the use of the qualitative data analysis methodology Grounded Theory, a set of semi-structured interviews were analysed to provide the basis for this model. Passwords form a running example throughout the thesis. The need to provide decision makers with empirical data grounded in the real world is recognised and addressed through a combination of data gathering techniques. A laboratory study and a field trial were conducted to gather performance data with two password policies. In order to make optimal use of this data, a unified approach to decision making is necessary. Alongside this, the usefulness of systems models as tools for simulation and analysis is recognised. An economically motivated framework is therefore presented that organises and expresses security goals with the methods required to fulfil them. The role of the user is fully represented in this framework which is structured in such a way as to allow a smooth transition from data gathering to systems modelling. This unified approach to optimising security decision making provides key insights into the requirements for making more effective real-world decisions in the field of information security and is a useful foundation for improving current practices in this area.
18

Flaaen, Stephen. "Information Security and the Cloud". Thesis, The University of Arizona, 2012. http://hdl.handle.net/10150/243939.

Abstract:
In today’s business environment companies are looking for ways to differentiate their services as well as maintain low costs to provide these services. Leveraging information technology has proved to be one of the most successful ways to accomplish this. One of the rapidly growing technologies that both small and large companies can utilize is cloud computing. A ubiquitous term for many IT managers and C-level executives, cloud computing is in fact a poorly understood term to many outside the realm of information technology. This paper develops a clear definition of cloud computing and also discusses information security in cloud computing. Information security has become a large concern for businesses because consumers are putting their trust into these companies’ hands and want to keep sensitive information, such as credit card numbers and medical records, protected. In addition, this paper introduces privacy laws that every company using cloud computing should be familiar with. Specifically, laws dealing with patient healthcare information and credit card safety are discussed in detail. I conclude with security guidelines for businesses that use CC services.
19

Turesson, Michael, Vadim Koroliov and Ola Brolin. "What is your password? : Assessing information security awareness among employees in an organisation". Thesis, Jönköping University, JIBS, Business Informatics, 2009. http://urn.kb.se/resolve?urn=urn:nbn:se:hj:diva-9655.

Abstract:

The development of Information and Communication Technologies has opened up a large pool of possibilities for any and every business actor. These possibilities have brought up new vulnerabilities as well. Information security has become an inherent part of any organization. Companies and organizations invest significant amount of resources in IT security solutions, usually omitting the weakest link of the defense - the people.

The research intended to study and evaluate the information security awareness level of employees in a public organization which preferred to remain anonymous. This study is based on a mixed-methods approach. A survey was built up and performed, basing on the interview of the employees and the IT Security Chief. The interview intended to give a general picture of the attitude, knowledge and behavior of the employees towards information security and its constituent aspects.

The results of the survey show that the information security awareness at this particular organization has an average performance based on the grading scale determined by the management of the company. Generally speaking, half of the information security focus areas show underdeveloped sense of awareness among employees, whereas the other focus areas are close to perfect. In terms of information security, the research indicates that there is a gap between the employees' theoretical condition and their day to day behavior. In other words, the theoretical and practical preparation of the employees does not provide an appropriate information security awareness behavior. Some of the reasons for unsecure behavior were complex and sophisticated security designs including passwords; another problem was inherent in the work design which imposed the use of multiple systems and applications in the daily work.

In the end, the research suggests some recommendations for improvement, as well as practices to sustain a desirable level of information security awareness level. The overall information security awareness program required immediate improvements in order to boost the positive attitude and behavior of employees towards information security, as well as enrich the knowledge of information security in general.

20

Hellqvist, Fredrik. "Design of business information security policy : A case study on Orebro County Council´s work with information security". Thesis, Örebro universitet, Handelshögskolan vid Örebro Universitet, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:oru:diva-35527.

21

Hanus, Bartlomiej T. "The Impact of Information Security Awareness on Compliance with Information Security Policies: a Phishing Perspective". Thesis, University of North Texas, 2014. https://digital.library.unt.edu/ark:/67531/metadc699974/.

Abstract:
This research seeks to derive and examine a multidimensional definition of information security awareness, investigate its antecedents, and analyze its effects on compliance with organizational information security policies. The above research goals are tested through the theoretical lens of technology threat avoidance theory and protection motivation theory. Information security awareness is defined as a second-order construct composed of the elements of threat and coping appraisals supplemented by the responsibilities construct to account for organizational environment. The study is executed in two stages. First, the participants (employees of a municipality) are exposed to a series of phishing and spear-phishing messages to assess if there are any common characteristics shared by the phishing victims. The differences between the phished and the not phished group are assessed through multiple discriminant analysis. Second, the same individuals are asked to participate in a survey designed to examine their security awareness. The research model is tested using PLS-SEM approach. The results indicate that security awareness is in fact a second-order formative construct composed of six components. There are significant differences in security awareness levels between the victims of the phishing experiment and the employees who maintain compliance with security policies. The study extends the theory by proposing and validating a universal definition of security awareness. It provides practitioners with an instrument to examine awareness in a plethora of settings and design customized security training activities.
22

Toussaint, Gregory W. "Executive security awareness primer". Thesis, Utica College, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1586318.

Abstract:

The purpose of this paper was to create a primer for a security awareness program to educate senior level executives on the key aspects of cyber security. This is due to the gap area that was discovered in the lack of both executive security awareness programs, and the lack of executives that fully abide by their company's security policies. This, coupled with research showing that executives are highly targeted by attackers, was the impetus behind this project. It was determined that the content of an executive security awareness program should be similar to that of a security awareness program for all other employees, with the differences being in the delivery and time frame of each segment. Due to this, literature was reviewed on the various topics of security awareness. Research revealed the importance of capturing an executive's attention, in order to keep their interest in the program. It was recommended that individuals charged with creating an executive security awareness program begin by having one on one meetings with the executives in their company. These meetings will help assess the time constraints of their company executives as well as their current knowledge of the various security awareness topics. This will help with tailoring the program specifically to their company executives. This primer may be used by any company or organization in the beginning stages of creating their own security awareness program for executives. Keywords: Cybersecurity, Professor Albert Orbinati, Executive Security Awareness, Internet Safety.

23

Gutta, Ramamohan. "Managing Security Objectives for Effective Organizational Performance Information Security Management". ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/7147.

Abstract:
Information is a significant asset to organizations, and a data breach from a cyberattack harms reputations and may result in a massive financial loss. Many senior managers lack the competencies to implement an enterprise risk management system and align organizational resources such as people, processes, and technology to prevent cyberattacks on enterprise assets. The purpose of this Delphi study was to explore how the managerial competencies for information security and risk management senior managers help in managing security objectives and practices to mitigate security risks. The National Institute of Standards and Technology framework served as the foundation for this study. The sample was made up of 12 information security practitioners, information security experts, and managers responsible for the enterprise information security management. Participants were from Fortune 500 companies in the United States. Selection was based on their level of experience and knowledge of the topic being studied. Data were collected using a 3 round Delphi study of 12 experts in information security and risk management. Statistical analysis was performed on the collected data during a 3 round Delphi study. The mean, standard deviation, majority agreement, and ranges were used to determine the final consensus for this research study. Findings of this study included the need for managerial support, risk management strategies, and developing the managerial and technical talent to mitigate and respond to cyberattacks. Findings may result in a positive social change by providing information that helps managers to reduce the number of data breaches from cyberattacks, which benefits companies, employees, and customers.
24

He, Ying. "Generic security templates for information system security arguments : mapping security arguments within healthcare systems". Thesis, University of Glasgow, 2014. http://theses.gla.ac.uk/5773/.

Abstract:
Industry reports indicate that the number of security incidents happened in healthcare organisation is increasing. Lessons learned (i.e. the causes of a security incident and the recommendations intended to avoid any recurrence) from those security incidents should ideally inform information security management systems (ISMS). The sharing of the lessons learned is an essential activity in the “follow-up” phase of security incident response lifecycle, which has long been addressed but not given enough attention in academic and industry. This dissertation proposes a novel approach, the Generic Security Template (GST), aiming to feed back the lessons learned from real world security incidents to the ISMS. It adapts graphical Goal Structuring Notations (GSN), to present the lessons learned in a structured manner through mapping them to the security requirements of the ISMS. The suitability of the GST has been confirmed by demonstrating that instances of the GST can be produced from real world security incidents of different countries based on in-depth analysis of case studies. The usability of the GST has been evaluated using a series of empirical studies. The GST is empirically evaluated in terms of its given effectiveness in assisting the communication of the lessons learned from security incidents as compared to the traditional text based approach alone. The results show that the GST can help to improve the accuracy and reduce the mental efforts in assisting the identification of the lessons learned from security incidents and the results are statistically significant. The GST is further evaluated to determine whether users can apply the GST to structure insights derived from a specific security incident. The results show that students with a computer science background can create an instance of the GST. The acceptability of the GST is assessed in a healthcare organisation. 
Strengths and weaknesses are identified and the GST has been adjusted to fit into organisational needs. The GST is then further tested to examine its capability to feed back the security lessons to the ISMS. The results show that, by using the GST, lessons identified from security incidents from one healthcare organisation in a specific country can be transferred to another and can indeed inform the improvements of the ISMS. In summary, the GST provides a unified way to feed back the lessons learned to the ISMS. It fosters an environment where different stakeholders can speak the same language while exchanging the lessons learned from the security incidents around the world.
25

Aliti, Admirim, and Deniz Akkaya. "Employees' Role in Improving Information Systems Security". Thesis, Linnéuniversitetet, Institutionen för datavetenskap, fysik och matematik, DFM, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-13769.

Abstract:
Information security is one of the most essential concerns in today’s organizations. IT departments in larger organizations are tasked to implement security, by both ensuring to have pertinent hardware and software, and likewise enlighten, teach and educate organization’s employees about security issues. The aim of this research is to focus on the human factor of the organization, which impacts the security of the information, since technological solutions of technical problems become incomprehensible without human recognition about security. If the security is not addressed in firms, this might lead to essential data of the organization to be compromised. This study explores ways to enhance information security and improve the human factor by integrating the crucial information security elements in organizations. Social constructivist worldview is adopted throughout the study, and an inductive based - qualitative approach, a single case study design and hermeneutical analysis for analyzing the observations and interviews are utilized. The research setting for this study is Växjö Municipality in Sweden. The empirical investigation suggests that human factor plays an essential role in maintaining information security, and organizations can improve employees’ role by keeping their security policies up to date and find the best ways to disseminate that information. As a result, this research comes up with “information security human management model” for organizations.
26

Thomson, Kerry-Lynn. "Integrating information security into corporate culture". Thesis, Port Elizabeth Technikon, 2003. http://hdl.handle.net/10948/132.

Abstract:
Introduction: There are many components that are required for an organisation to be successful in its chosen field. These components vary from corporate culture, to corporate leadership, to effective protection of important assets. These and many more contribute to the success of an organisation. One component that should be a definitive part in the strategy of any organisation is information security. Information security is one of the fastest growing sub-disciplines in the Information Technology industry, indicating the importance of this field (Zylt, 2001, online). Information security is concerned with the implementation and support of control measures to protect the confidentiality, integrity and availability of electronically stored information (BS 7799-1, 1999, p 1). Information security is achieved by applying control measures that will lessen the threat, reduce the vulnerability or diminish the impact of losing an information asset. However, as a result of the fact that an increasing number of employees have access to information, the protection of information is no longer only dependent on physical and technical controls, but also, to a large extent, on the actions of employees utilising information resources. All employees have a role to play in safeguarding information and they need guidance in fulfilling these roles (Barnard, 1998, p 12). This guidance should originate from senior management, using good corporate governance practices. The effective leadership resulting from good corporate governance practices is another component in an organisation that contributes to its success (King Report, 2001, p 11). Corporate governance is defined as the exercise of power over and responsibility for corporate entities (Blackwell Publishers, 2000, online). Senior management, as part of its corporate governance duties, should encourage employees to adhere to the behaviour specified by senior management to contribute towards a successful organisation. 
Senior management should not dictate this behaviour, but encourage it as naturally as possible, resulting in the correct behaviour becoming part of the corporate culture. If the inner workings of organisations are explored it would be found that there are many hidden forces at work that determine how senior management and the employees relate to one another and to customers. These hidden forces are collectively called the culture of the organisation (Hagberg Consulting Group, 2002, online). Cultural assumptions in organisations grow around how people in the organisation relate to each other, but that is only a small part of what corporate culture actually covers (Schein, 1999, p 28). Corporate culture is the outcome of all the collective, taken-for-granted assumptions that a group has learned throughout history. Corporate culture is the residue of success. In other words, it is the set of procedures that senior management and employees of an organisation follow in order to be successful (Schein, 1999, p 29). Cultivating an effective corporate culture, managing an organisation using efficient corporate governance practices and protecting the valuable information assets of an organisation through an effective information security program are, individually, all important components in the success of an organisation. One of the biggest questions with regard to these three fields is the relationship that should exist between information security, corporate governance and corporate culture. In other words, what can the senior management of an organisation, using effective corporate governance practices, do to ensure that information security practices become a subconscious response in the corporate culture?.
27

Mahmood, Ashrafullah Khalid. "Information Security Management of Healthcare System". Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-4353.

Abstract:
Information security has significant role in Healthcare organizations. The Electronic Health Record (EHR) with patient’s information is considered as very sensitive in Healthcare organization. Sensitive information of patients in healthcare has to be managed such that it is safe and secure from unauthorized access. The high-level quality care to patients is possible if healthcare management system is able to provide right information in right time to right place. Availability and accessibility are significant aspects of information security, where applicable information needs to be available and accessible for user within the healthcare organization as well as across organizational borders. At the same time, it is essentials to protect the patient security from unauthorized access and maintain the appropriate level in health care regarding information security. The aim of this thesis is to explore current management of information security in terms of Electronic Health Records (EHR) and how these are protected from possible security threats and risks in healthcare, when the sensitive information has to be communicated among different actors in healthcare as well as across borders. The Blekinge health care system was investigated through case study with conduction of several interviews to discover possible issues, concerning security threats to management of healthcare. The theoretical work was the framework and support for possible solutions of identified security risks and threats in Blekinge healthcare. At the end after mapping, the whole process possible guidelines and suggestions were recommended for healthcare in order to prevent the sensitive information from unauthorized access and maintain information security. The management of technical and administrative bodies was explored for security problems. It has main role to healthcare and in general, whole business is the responsibility of this management to manage the sensitive information of patients. 
Consequently, Blekinge healthcare was investigated for possible issues and some possible guidelines and suggestions in order to improve the current information security with prevention of necessary risks to healthcare sensitive information.
28

Jones, Malachi G. "Asymmetric information games and cyber security". Diss., Georgia Institute of Technology, 2013. http://hdl.handle.net/1853/50284.

Abstract:
A cyber-security problem is a conflict-resolution scenario that typically consists of a security system and at least two decision makers (e.g. attacker and defender) that can each have competing objectives. In this thesis, we are interested in cyber-security problems where one decision maker has superior or better information. Game theory is a well-established mathematical tool that can be used to analyze such problems and will be our tool of choice. In particular, we will formulate cyber-security problems as stochastic games with asymmetric information, where game-theoretic methods can then be applied to the problems to derive optimal policies for each decision maker. A severe limitation of considering optimal policies is that these policies are computationally prohibitive. We address the complexity issues by introducing methods, based on the ideas of model predictive control, to compute suboptimal policies. Specifically, we first prove that the methods generate suboptimal policies that have tight performance bounds. We then show that the suboptimal policies can be computed by solving a linear program online, and the complexity of the linear program remains constant with respect to the game length. Finally, we demonstrate how the suboptimal policy methods can be applied to cyber-security problems to reduce the computational complexity of forecasting cyber-attacks.
29

Sharma, Dhirendra S. M. Massachusetts Institute of Technology. "Enterprise Information Security Management Framework [EISMF]". Thesis, Massachusetts Institute of Technology, 2011. http://hdl.handle.net/1721.1/67568.

Abstract:
Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011.
Cataloged from PDF version of thesis.
Includes bibliographical references (p. 124-130).
There are several technological solutions available in the market to help organizations with information security breach detection and prevention such as intrusion detection and prevention systems, antivirus software, firewalls, and spam filters. There is no doubt in the fact that significant progress has been made in the technological side of information security. However, when we study causes of information security breaches, we find that a significant number are caused by non-technical reasons such as social engineering, theft of computing device or portable hard drive, human behavior, and human error. This leads us to conclude that information security should not be viewed through technology perspective only. Instead, a more holistic approach is required. This thesis provides a systems approach towards information security management and include technological, management and social aspects. This thesis starts with introduction especially background and motivation of the author, followed by literature research. Next, Enterprise Information Security Management Framework is presented leading to estimation of an organization's information security management maturity-level. Finally, conclusion and potential future work are presented.
by Dhirendra Sharma.
S.M. in Engineering and Management
30

Brown-Moorer, Charlotte A. "Traceable Enterprise Information Security Architecture Methodology". International Foundation for Telemetering, 2009. http://hdl.handle.net/10150/605972.

Abstract:
ITC/USA 2009 Conference Proceedings / The Forty-Fifth Annual International Telemetering Conference and Technical Exhibition / October 26-29, 2009 / Riviera Hotel & Convention Center, Las Vegas, Nevada
With the introduction of networking into telemetry applications, these systems have become increasingly complex. This imposes significant strain on information security for architecture designs. It has been recognized that an organized or structured approach to developing security architectures is needed. Several enterprise architecture frameworks are available today that address system complexity. However they fall short of addressing security at a high enough level in the enterprise and address security too late in the design process. In this paper a methodology is proposed that bridges the gap between security requirements and architecture design development at the enterprise level. This approach is consistent with and traceable to the original needs of the customer. This paper introduces a systems engineering approach to develop an enterprise level methodology, and presents a worked example of this approach for the integrated Network Enhanced Telemetry system.
31

Seeholzer, Roger V. "Investigating Roles of Information Security Strategy". NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/49.

Abstract:
A fundamental understanding of the complexities comprising an information security strategy (ISS) in an organization is lacking. Most ISS implementations in government organizations equate anti-virus or installing a firewall to that of an ISS. While use of hardware and software forms a good defense; neither comprises the essence of an ISS. The ISS best integrates with business and information system strategies from the start, forming and shaping the direction of overall strategy synergistically within large government organizations. The researcher used grounded theory and investigated what a large government organization’s choices were with the differing roles an information security professional (ISP) chooses to operate with and to develop an information security program. Analysis of the data collected from interviewing 32 chief information security officers (CISOs) revealed how CISOs viewed their programs, aligned their goals in the organization, and selected role(s) to execute strategy. Use of grounded theory coding practices of the interviews showed a deficit in complexities of an ISS and a lack of an ISS in the majority of organizations. The participants came from multiple organizations in the National Capital Region on the east coast of the United States. This study advances the body of knowledge in a qualitative understanding of actions taken by CISOs to select a direction towards ISS implementation, role selection, and development of information security programs. It provides a theory for further testing of strategy development and role maturity.
32

Crémilleux, Damien. "Visualization for information system security monitoring". Thesis, CentraleSupélec, 2019. http://www.theses.fr/2019CSUP0013.

Abstract:
A security operations center, SOC, is a key element for the security of information systems. In this thesis, we exhibited the limitations of SOCs and proposed a process associated with two tools to answer them. Our contributions enable a better collaboration between the security analysts working in SOCs and facilitate security events triage thanks to visualization.
33

Babiuk and Besnosyuk. "GOALS AND MEANS OF INFORMATION SECURITY". Thesis, Київ 2018, 2018. http://er.nau.edu.ua/handle/NAU/33663.

34

Agrianidis, Anastasios. "Information Security Training and Serious Games". Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-85460.

Abstract:
The digital transformation of the 21st century has led to a series of new possibilities and challenges, where one major concern of many major organizations and enterprises is promoting Information Security Awareness and Training (ISAT) for their employees. This aspect of Information Security (IS) can promote cybersecurity in the work environment against threats related to the human factor. Apart from traditional methods as workshops and seminars, researchers study the effect of gamification on ISAT, by proposing customized digital games to train employees regardless their IT skills. This thesis is trying to propose what techniques and approaches can be considered to train people throughout a full threat progression by studying the features of previous efforts. For this purpose, a literature study based on the principles of a systematic literature review (SLR) is essential to gather the available data and review their characteristics. More specifically, the solutions of the researchers are analyzed against the seven steps of the Lockheed Martin Cyber Kill Chain (LM CKC), where each game is classified to one or more phases, according to the training they offer. Thus, some tools can provide a wide range of training, covering many aspects of the CKC, while others are targeting a specific IS topic. The results also suggest that popular attacks involving social engineering, phishing, password and anti-malware software are addressed by many games, mainly in the early stages of the CKC and are focus on trainees without professional IT background. On the other hand, in the last two phases of the CKC, the majority of categorized games involves countermeasures that IS specialists must launch to prevent the security breach. Therefore, this study offers insight on the characteristics of serious games, which can influence an ISAT program, tailored to the enterprise’s distinct IS issue(s) and the IT background of the trainees.
35

Oscarson, Per. "Actual and Perceived Information Systems Security". Doctoral thesis, Linköping : Department of Management and Engineering, Linköping University, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-10215.

36

Da, Veiga Adéle. "Cultivating and assessing information security culture". Pretoria : [s.n.], 2009. http://upetd.up.ac.za/thesis/available/etd-04242009-165716/.

37

Helms, J. (Janne). "Information systems security management:a literature review". Master's thesis, University of Oulu, 2019. http://jultika.oulu.fi/Record/nbnfioulu-201906212604.

Abstract:
Information security has begun to receive an increasing amount of intention. The importance of information security has started to be recognized among organizations and the work to comply with the increased requirements has been started. One essential method of managing information security is an information security policy, that is created and managed to suit the needs of each organization. Managing information security policies can be viewed a tedious task and thus easily dismissed or done quickly. There are several aspects to cover and components to manage, including technical aspects and the human factors. The purpose of this thesis is to provide an insight to the managerial aspect of information security and the policies through a literary review. This thesis is not intended to be a guide on how to create an information security policy. It rather is providing a view of the studies concerning information security management and, in some instances, how information security is managed in some organizations. The results of this thesis can be used in creating a list of aspects that are valuable in managing information security and policy creation.
38

Faizi, Ana. "Information Security Risk Assessment in Cloud". Thesis, Luleå tekniska universitet, Datavetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-76120.

Abstract:
This research addresses the issue of information security risk assessment (ISRA) on cloud solutions implemented for large companies. Four companies were studied, of which three used cloud services and conducted ISRA, while one provided cloud services and consultancy to customers on ISRA. Data were gathered qualitatively to (1) analyze the cloud using companies’ practices and (2) to identify regularities observed by the cloud providing company. The COAT-hanger model, which focuses on theorizing the practices, was used to study the practices. The results showed that the companies aimed to follow the guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the companies’ needs. The results further indicated that one of the main concerns with the cloud ISRA was the absence of a culture that integrates risk management. In addition, the companies’ boards lacked interest in and/or awareness of risks associated with the cloud solutions. Finally, the finding also stressed the importance of a good understanding and a well written legal contract between the cloud providers and the companies utilizing the cloud services.
39

Harris, Mark. "THE SHAPING OF MANAGERS’ SECURITY OBJECTIVES THROUGH INFORMATION SECURITY AWARENESS TRAINING". VCU Scholars Compass, 2010. http://scholarscompass.vcu.edu/etd/2208.

Abstract:
Information security research states that corporate security policy and information security training should be socio-technical in nature and that corporations should consider training as a primary method of protecting their information systems. However, information security policies and training are predominately technical in nature. In addition, managers creating security policies rely heavily on security guidelines, which are also technically oriented. This study created a series of information security training videos that were viewed by four groups of managers. One video discussed the socio-technical aspects of security, another discussed only the social aspects of security, the third detailed only the technical aspects of security, and the fourth was a control video unrelated to information security. Each group was shown the video, and after this viewing, each group’s values toward information security were ascertained and converted into security objectives following Keeney (1992)’s value-focused thinking approach. Each group’s list of security objectives was used as the input to Schmidt (1997)’s ranking Delphi methodology, which yielded a more concise and ranked list of security objectives. The results thus obtained indicate that managers’ objectives towards information security are affected by the nature and scope of the information security training they receive. Information security policy based on each group’s value-based security objectives indicates that managers receiving socio-technical training would produce the strongest information security policy when analyzing the value-focused thinking list of security objectives. However, the quality of security policy decreases when analyzing the ranked Delphi list of security objectives, thus providing mixed results.
The theoretical contribution of this research states that technically oriented information security training found in corporations today affects managers’ values and security objectives in a way that leads them to create and support technically oriented security policies, thus ignoring the social aspects of security. The practical contribution of this research states that managers should receive socio-technical information security training as a part of their regular job training, which would affect their values and lead to socio-technical information security policy based on the managers’ socio-technical security objectives. The methodological contribution of this research demonstrates the successful use of the value-focused thinking approach as the input to the ranking of the Delphi methodology.
40

Farnian, Adnan. "Assessing The Relative Importance of Information Security Governance Processes on Reducing Negative Impacts From Information Security Incidents". Thesis, KTH, Industriella informations- och styrsystem, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-81417.

Abstract:
Today the extent and value of electronic data is constantly growing. Dealing across the internet depends on how secure consumers believe their personal data are. And therefore, information security becomes essential to any business with any form of web strategy, from simple business-to-consumer, or business-to-business to the use of extranets, e-mail and instant messaging. It matters to any organization that depends on computers for its daily existence. This master thesis has its focus on Information Security Governance. The goal of this thesis was to study different Information Security processes within the five objectives for Information Security Governance in order to identify which processes that organizations should prioritize in order to reduce negative consequences on the data, information and software of a business from security incidents. By surveying IT experts, it was possible to gather their relative opinion regarding the relationship between Information Security Governance processes and security incidents. By studying the five desired objectives for Information Security Governance, Strategic Alignment, Risk Management, Resource Management, Performance Measurement and Value Delivery the result indicated that some processes within Performance Measurements have a difference in relation to other processes. For those processes a conclusion can be made that they are not as important as the processes which they were compared to. A reason for this can be that the processes within performance measurement are different in such a way that they measure an incident after it has actually happened. While other processes within the objectives for ISG are processes which need to be fulfilled in order to prevent that an incident happens. This could obviously explain why the experts choose to value the processes within performance measurement less important compared to other processes.
However, this conclusion cannot be generalized, since the total amount of completed responses were less than expected. More respondents would have made the result more reliable. The majority of the respondents were academics and their opinion and experience may be different from the IT experts within the industry, which have a better understanding of how it actually works in reality within an organization.
41

Waddell, Stanie Adolphus. "A Study of the Effect of Information Security Policies on Information Security Breaches in Higher Education Institutions". NSUWorks, 2013. http://nsuworks.nova.edu/gscis_etd/331.

Abstract:
Many articles within the literature point to the information security policy as one of the most important elements of an effective information security program. Even though this belief is continually referred to in many information security scholarly articles, very few research studies have been performed to corroborate this sentiment. Doherty and Fulford undertook two studies in 2003 and in 2005 respectively that sought to catalogue the impact of the information security policy on breaches at businesses in the United Kingdom. The pair went on to call for additional studies in differing industry segments. This dissertation built upon Doherty and Fulford (2005). It sought to add to the body of knowledge by determining the statistical significance of the information security policy on breaches within Higher education. This research was able to corroborate the findings from Doherty and Fulford's original research. There were no observed statistically significant relationships between information security policies and the frequency and severity of information security breaches. This study also made novel contributions to the body of knowledge that included the analysis of the statistical relationships between information security awareness programs and information security breaches. This effort also analyzed the statistical relationships between information security policy enforcement and breaches. The results of the analysis indicated no statistically significant relationships. Additionally, this research observed that while information security policies are heavily utilized by colleges and universities, security awareness training is not heavily employed by institutions of higher education. This research noted that many institutions reported not having consistent enforcement of information security policies. 
The data observed during this research implies there is room for additional coverage of formal information security awareness programs and potentially a call to attempt alternative training methods to achieve a reduction of the occurrences and impact of security breaches. There is room for greater adoption of consistent enforcement of policy at higher education organizations. The results of this dissertation suggest that the existence of policy, training, and enforcement activities in and of themselves are not enough to sufficiently curtail breaches. Additional studies should be performed to better understand how breaches can be reduced.
42

Soyref, Maxim. "The holistic management of information security processes". Thesis, The University of Sydney, 2014. http://hdl.handle.net/2123/13373.

Abstract:
Title: The holistic management of information security processes
Keywords: cybersecurity, information security, strategy, security process, security governance, security management
This research examines information security management and associated processes within a large Australian financial institution by providing a rich, in-depth view of organisational information security management within the specifics of its dynamic context. Using a single in-depth qualitative case study, this research examines the role of internal and external actors in relation to the information security management processes. Relational process and stakeholder theoretical lenses are applied to derive the findings of this research. The three key outcomes of the research are: The information security management process is a product of a multitude of interactions between internal and external actors within organisations. These actors pursue individual agendas and objectives, therefore requiring those who ensure organisational information security to utilise a combination of cognitive, political and social processes to ensure cooperation. The use of such processes can contribute to the effectiveness of formal security governance, assist in embedding a security culture and help position information security as a business enabler. External and internal actors vary in their impact upon the information security process within organisations. This variation is a result of difference in power, legitimacy and urgency of these stakeholder claims. Internal and external stakeholders are continuously interacting with each other through a network of dynamic and multi-directional relationships. Identifying, prioritising and engaging with the variety of stakeholders impacting on the information management process can contribute to the achievement of organisational information security management objectives.
A classification framework is provided that can guide the prioritisation process and seek appropriate modes of engagement with the
43

Tuyisenge, Marie Jeanne. "BLOCKCHAIN TECHNOLOGY SECURITY CONCERNS: LITERATURE REVIEW". Thesis, Uppsala universitet, Informationssystem, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-446799.

Abstract:
Blockchain is a technology that allows the decentralization of data stored in a way that there is no single central actor to control or modify the data. Bitcoin is the first successful blockchain application implemented with the concept known as cryptocurrency that allows a transaction flow without any bank or government to control it. Blockchain is associated with benefits including high level of transparency, integrity, trust and confidence for the participants. Blockchain is still at an early stage but it is a promising technology that has the potential to impact many more areas in the future. However, its security area is still the weakest part of it which still needs improvement. Therefore, this thesis aims to make a review of the blockchain security issues using the past published literature between 2010 and 2021. This thesis conducts a review on 20 articles to provide a scientific input that gives an overall view of existing security threats and their respective impacts on blockchain system. This thesis starts with an overview of how blockchain system works and briefly discusses the information security of blockchain. The collection of security attacks from the literature has been carried out by using concept centric matrix approach. This process resulted in security attacks that were classified based on four layers of blockchain system architecture. Then, the security attacks are mapped to common security impacts including double spending, unauthorized code execution, denial of service, unfair income and privacy key leakage. These security impacts were analyzed which led to the conclusion that the major security issues on blockchain result from its P2P network architecture and its consensus mechanism. Besides, some possible solutions to mitigate the security threats were discussed, though more effort in developing new security measures and protocol framework is still required.
44

Korovessis, Peter. "Establishing an information security awareness and culture". Thesis, University of Plymouth, 2015. http://hdl.handle.net/10026.1/3836.

Abstract:
In today’s business environment all business operations are enabled by technology. Its always-on and connected nature has brought new business possibilities but at the same time has increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized to have an important role in information security since the only way to reduce security risks is through making employees more information security aware. This also means that employees take responsibility for their actions when dealing with information in their everyday activities. The research is concentrated mainly on information security concepts alongside their relation to the human factor with evidence that users remain susceptible to information security threats, thus illustrating the need for more effective user training in order to raise the level of security awareness. Two surveys were undertaken in order to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their study and their preparation towards entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that the awareness level of students concerning information security concepts is not at a sufficient level for students entering university education and does not significantly change as they progress their academic life towards entering the workforce. In respect to this, the research proposes and develops the information security toolkit as a prototype awareness raising initiative.
The research goes one step further by piloting and evaluating toolkit effectiveness. As an awareness raising method, the toolkit will be the basis for the general technology user to understand the challenges associated with secure use of information technology and help them assess their current knowledge, identify lacks and weaknesses and acquire the required knowledge in order to be competent and confident users of technology.
45

Edwards, Keith. "Examining the Security Awareness, Information Privacy, and the Security Behaviors of Home Computer Users". NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/947.

Abstract:
Attacks on computer systems continue to be a problem. The majority of the attacks target home computer users. To help mitigate the attacks some companies provide security awareness training to their employees. However, not all people work for a company that provides security awareness training and typically, home computer users do not have the incentive to take security awareness training on their own. Research in security awareness and security behavior has produced conflicting results. Therefore, it is not clear how security aware home computer users are or to what extent security awareness affects the security behavior of home computer users. The goal of this study was to determine if there is a relationship between security awareness and users practicing good security behavior. This study adapted its research model from the health belief model (HBM), which assesses a patient’s decision to perform health related activities. The research model included the HBM constructs of perceived severity, perceived susceptibility, perceived threat, perceived benefits, perceived barriers, cues to action, and self-efficacy. The research model also contained the security awareness (SA) and concern for information privacy (CFIP) constructs. The model used SA to ascertain the effect of security awareness on a person’s self-efficacy in information security (SEIS), perceived threat, CFIP, and security behavior. The research model included CFIP to ascertain its effect on security behavior. The developed survey measured the participants' security awareness, concern for information privacy, self-efficacy, expectations of security actions, perceived security threats, cues to action, and security behavior. SurveyMonkey administered the survey. SurveyMonkey randomly selected 267 participants from its 30 million-member base. The findings of this study indicate home computer users are security aware.
SA does not have a direct effect on a user’s security behavior, perceived threat, or CFIP. However, it does have influence on SEIS. SEIS has a weak effect on expectations. CFIP has an effect on a user’s security behavior after removing perceived threat from the research model. Perceived susceptibility has a direct effect on a user’s security behavior, but perceived severity or perceived threat does not.
46

Alkahtani, Hend K. "Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework". Thesis, Loughborough University, 2018. https://dspace.lboro.ac.uk/2134/28120.

Abstract:
The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all-female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabian universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, they are not fully aware of the importance of the security of information. The purpose of this study is to develop a culturally aware information security framework that does involve all types of employees contributing to the development of information security policy. The framework consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture in Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisation’s population to justify its fit into the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and therefore improve the overall level of information security awareness.
The developed information security framework is a collection of ISO 27k best practice steps, re-ordered, and with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregation working environments. A before-assessment methodology was applied before the application of the culturally aware information security policy framework between two universities, Imam University which has ISO27K accreditation and PNU, the case study, to measure and compare their users’ information security awareness level. Then, an after-assessment methodology is used to demonstrate the framework effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of the awareness knowledge gained after the application.
47

Hone, Karin. "The information security policy: an important information security management control". Thesis, 2008. http://hdl.handle.net/10210/274.

Abstract:
This study originated from the realisation that the information security industry has identified the information security policy as one of the most important information security management controls. Within the industry there are, however, differing views as to what constitutes an information security policy, what it should contain, how it should be developed and how it should best be disseminated and managed. Numerous organisations claim to have an information security policy, but admit that it is not an effective control. The principal aim of this study is to make a contribution to the information security discipline by defining what an information security policy is, where it fits into the broader information security management framework, what elements an effective policy should contain, how it should be disseminated and how the document is best kept relevant, practical, up-to-date and efficient. The study develops and documents various processes and methodologies needed to ensure the effectiveness of the information security policy, such as the dissemination process and the information security policy management lifecycle. The study consists of five parts, of which Part I serves as introduction to the research topic. It provides background information to the topic and lays the foundation for the rest of the dissertation. Chapter 1 specifically deals with the research topic, the motivation for it and the issues addressed by the dissertation. Chapter 2 looks at the concept of information security management and what it consists of, highlighting the role an information security policy has to play in the discipline. Chapter 3 introduces the various international information security standards and codes of practice that are referred to, examined and analysed in the dissertation. This chapter specifically highlights how and to what extent each of these address the topic of the information security policy. 
Part II introduces the concept of the information security policy. Chapter 4 provides the background to what an information security policy is and where it fits into the broader structure of an organisation’s governance framework. Chapter 5 specifies what an effective information security policy is and what components are needed to ensure its success as an information security control. Part III expands the components of an effective information security policy as introduced in Chapter 5. This part consists of Chapters 6 to 8, with each of these addressing a single component. Chapter 6 further investigated the development of the information security policy. The dissemination of the document is discussed in Chapter 7 and Chapter 8 expands the concept of the information security policy management lifecycle. Part IV consists of Chapter 9, which deals with a case study applying the various processes and methodologies defined in the previous part. The case study deals with a fictitious organisation and provides detailed background information to indicate how the organisation should approach the development and dissemination of the information security policy. Some of the examples constructed from the case study include a sample information security policy and a presentation to be used as introduction to the information security policy. The dissertation is concluded in Chapter 10. This chapter provides a summarised overview of the research and the issues addressed in it.
Prof. J.H.P. Ehlers
48

Martins, Adele. "Information security culture". Thesis, 2008. http://hdl.handle.net/10210/292.

Abstract:
The current study originated from the realisation that information security is no longer solely dependent on technology. Information security breaches are often caused by users, most of the time internal to the organisation, who compromise the technology-driven solutions. This interaction between people and the information systems is seemingly the weakest link in information security. A people-oriented approach is needed to address this problem. Incorporating the human element into information security could be done by creating an information security culture. This culture can then focus on the behaviour of users in the information technology environment. The study is therefore principally aimed at making a contribution to information security by addressing information security culture and, for this reason, culminates in the development of an information security culture model and assessment approach. While developing the model, special care was taken to incorporate the behaviour of people in the working environment and hence organisational behaviour coupled with issues concerning information security culture that need to be addressed. An information security culture assessment approach is developed consisting of a questionnaire to assess whether an organisation has an adequate level of information security culture. The assessment approach is illustrated through a case study. Below is an overview of the framework within which the research was conducted: The dissertation consists of four parts. Chapters 1 and 2 constitute Part 1: Introduction and background. Chapter 1 serves as an introduction to the research study by providing the primary motivation for the study and defining the problems and issues to be addressed. In addition, the chapter is devoted to defining a set of standard terms and concepts used throughout the study. The chapter concludes with an overview of the remaining chapters. 
Chapter 2 gives some background to information security culture and discusses its evolution to date. There is a new trend in information security to incorporate the human element through an information security culture. Information security is divided into two different levels. Level 1 focuses on the human aspects of information security, such as the information security culture, and level 2 incorporates the technical aspects of information security. Part 2: Information security culture model is covered in chapters 3, 4 and 5. In chapter 3, the concept of information security culture is researched. Different perspectives are examined to identify issues that need to be considered when addressing information security culture. A definition of information security culture is constructed based on organisational culture. Chapter 4 is devoted to developing a model that can be used to promote an information security culture. This model incorporates the concept of organisational behaviour as well as the issues identified in chapter 3. Chapter 5 builds upon the information security culture model and aims to identify practical tasks to address in order to implement the model. In Part 3: Assessing information security culture, chapters 6 to 10, attention is given to the assessment of an information security culture, giving management an indication of how adequately the culture is promoted through the model. Chapter 6 considers the use of available approaches such as ISO17799 to aid in promoting and assessing an information security culture. This approach is evaluated against the definition of information security culture and the information security culture model in order to determine whether it could assess information security culture in an acceptable manner. The next four chapters, namely chapters 7 to 10, are devoted to the development of an information security culture assessment approach consisting of four phases. Chapter 7 discusses phase 1. 
In this phase a questionnaire is developed based on the information security culture model. Chapter 8 uses the information security culture questionnaire as part of a survey in a case study. This case study illustrates phase 2 as well as what information can be obtained through the questionnaire. In chapter 9 the data obtained through the survey is analysed statistically and presented (phase 3). The level of information security culture is then discussed in chapter 10, with interpretations and recommendations to improve the culture (phase 4). Chapter 11 in Part 4: Conclusion serves as a concluding chapter in which the usefulness and limitations of the proposed model and assessment approach are highlighted. The research study culminates in a discussion of those aspects of information security culture that could bear further research.
Prof. J.H.P. Eloff
49

Von, Solms Elmarie. "Institutionalizing information security". Thesis, 2008. http://hdl.handle.net/10210/523.

Abstract:
Information security has become a much discussed subject all over the world in the last few years. This is because information security is no longer a luxury, but a necessity in all organisations. The securing of information is not an easy task because information security is flexible and always seems to be in a state of development. This means that information security has undergone different development changes due to new technologies in the past few years. Information security became prominent around 50 years ago and had a very strict technical approach. In this approach, industries mainly worked with mainframes, with little or no concept of management aspects such as security policies or awareness programmes. The technical approach thus included little or no management effort in terms of information security. The need to manage information security began when new technologies such as the Internet and the World Wide Web were introduced to the information security environment. This caused information security to shift from the technical to the more managerial approach. The move of information security from the technical to the managerial approach may be identified through different development trends. These development trends have occurred mainly to improve information security management in any organisation. The primary purpose of this dissertation is therefore to identify and investigate different development trends that have an influence on information security, especially from a managerial point of view.
Prof. J.H.P. Eloff
50

Liou, Jia-Yin, and 劉家吟. "Information Security Policy Compliance: A View from Information Security Climate and Psychology". Thesis, 2014. http://ndltd.ncl.edu.tw/handle/cq2u4h.

Abstract:
Master's
Tamkang University
Master's Program, Department of Information Management
102
With the rapid development of information technology, information security management issues are more and more important. Currently, information security policy compliance research mainly investigates information security behaviors of employees from general deterrence theory and protection motivation theory lens. However, these studies focus on the discussions of security specifications of organization and the motivations of individual’s behavior but omit the influences of psychological factors on employee’s information security policy compliance. To fill this gap, based on the field theory, we considered information security climate as background factors and psychological ownership as personal factors, this study investigated employees in the service industry in Taiwan to explore the impacts of information security climate and psychological ownership on organizational commitment and information security policy compliance intentions. The survey employed web questionnaires and hard copied questionnaires to increase response rate. The results showed that the information security climate significantly impacted affective commitment, continuance commitment, and normative commitment. It also significantly affected psychological ownership and information security policy compliance intention. Psychological ownership significantly impacted affective commitment, continuance commitment, normative commitment, and information security policy compliance intention. The normative commitment significantly impacted information security policy compliance intention. Affective commitment and continuance commitment had no significant effects on information security policy compliance intention. In sum, this study suggests that information security climate and psychological ownership can promote organizational commitment of employees, and thereby increase the information security policy compliance intention.