28 research outputs found

    Guidelines for designing IT security management tools

    An important factor that impacts the effectiveness of security systems within an organization is the usability of security management tools. In this paper, we present a survey of design guidelines for such tools. We gathered guidelines and recommendations related to IT security management tools from the literature as well as from our own prior studies of IT security management. We categorized and combined these into a set of high-level guidelines and identified the relationships between the guidelines and challenges in IT security management. We also illustrated the need for the guidelines, where possible, with quotes from additional interviews with five security practitioners. Our framework of guidelines can be used by those developing IT security tools, as well as by practitioners and managers evaluating tools.

    Culture and Information Security Awareness: Examining the Role of Organisational and Security Culture

    The relationship between security culture and information security awareness (ISA) has received preliminary support; however, its interplay with organisational culture is yet to be empirically explored. Therefore, this study examined the relationship between ISA, organisational culture, and security culture. A total of 508 working Australians completed an online questionnaire. ISA was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q); organisational culture was measured using the Denison Organisational Culture Survey (DOCS); and security culture was assessed through the Organisational Security Culture Measure. Our results showed that while organisational culture and security culture were both correlated with ISA, security culture mediated the relationship between organisational culture and ISA. This finding has important applied implications: organisations can improve ISA by focussing on security culture rather than organisational culture, saving them time and resources. Future research could further extend current findings by also considering national culture.
    Thesis (M.Psych(Organisational & Human Factors)) -- University of Adelaide, School of Psychology, 201

    The Professionalisation of Information Security: Perspectives of UK Practitioners

    In response to the increased "cyber" threats to business, the UK and US Governments are taking steps to develop the training and professional identity of information security practitioners. The ambition of the UK Government is to drive the creation of a recognised profession, in order to attract technology graduates and others into the practice of cybersecurity. Although much has been written by state bodies and industry commentators alike on this topic, we believe this qualitative study is the first empirical academic work investigating attitudes to that professionalisation amongst information security workers. The results are contextualised using concepts from the literature in the fields of professionalisation and social topics in information security. Despite the movement to establish professional status for their industry, these practitioners showed mixed levels of support for further professionalisation, with a distinctly wary attitude towards full regulation and licensing and an explicit rejection of elitist and exclusive models of profession. Whereas the UK Government looks to establish "professional" status in order to attract entrants, such status in itself was seen to be of little import to those already working in the area. In addition, there are significant tensions between managers embracing business- and human-centred security and those more interested in the technical practice of executing policy. While these tensions continue, the results suggest that state attempts to artificially catalyse the professionalisation process for this group would be precipitate. Historically such projects have risen from the front line; ambitions to move the industry in that direction might see more success by identifying and delegating control to a single regulatory body, founded and respected by the people it aims eventually to regulate.

    Guidelines for cybersecurity education campaigns

    In our technology- and information-infused world, cyberspace is an integral part of modern-day society. As the number of active cyberspace users increases, so too does the chance of a cyber threat finding a vulnerable target. All cyber users who are exposed to cyber risks need to be educated about cyber security. Human beings play a key role in the implementation and governing of an entire cybersecurity and cybersafety solution. The effectiveness of any cybersecurity and cybersafety solution in a societal or individual context is dependent on the human beings involved in the process. If these human beings are either unaware or not knowledgeable about their roles in the security solution, they become the weak link in it. It is essential that all users be educated to combat any threats. Children are a particularly vulnerable subgroup within society. They are digital natives and make use of ICT and online services with increasing frequency, but this does not mean they are knowledgeable about, or behaving securely in, their cyber activities. Children will be exposed to cyberspace throughout their lifetimes. Therefore, cybersecurity and cybersafety should be taught to children as a life skill. There is a lack of well-known, comprehensive cybersecurity and cybersafety educational campaigns which target school children. Most existing information security and cybersecurity education campaigns limit their scope: the literature reports mainly on education campaigns focused on businesses, government agencies and tertiary education institutions. Additionally, most guidance for the design and implementation of security and safety campaigns is for an organisational context, only targets organisational users, and mostly provides high-level design recommendations. This thesis addressed the lack of guidance for designing and implementing cybersecurity and cybersafety educational campaigns suited to school learners as a target audience.
The thesis aimed to offer guidance for designing and implementing education campaigns that educate school learners about cybersecurity and cybersafety. This was done through an action research process carried out over a five-year period, involving cybersecurity and cybersafety educational interventions at multiple schools. A total of 18 actionable guidelines were derived from this research to guide the design and implementation of cybersecurity and cybersafety education campaigns which aim to educate school children.

    Opportunities and Risks in Online Gaming Environments

    Massively Multiplayer Online Role Playing Games (MMORPGs) have evolved from traditional video games in that they embrace both the technology of the Internet and video games. The massive "exodus" from the physical offline world to online gaming communities brings with it not only a number of unique and exciting opportunities, but also a number of emerging and serious risks. This research set out to examine the unique opportunities and risks to vulnerable individuals, namely young adults, teenagers and young children, all of whom are considered by many to be priority groups for protection from harm. The purpose was to examine the reality of vulnerable individuals encountering these opportunities and risks. This research combined a number of methodologies supported by underpinning qualitative and quantitative theories. Questionnaires, semi-structured interviews and focus groups gathered information from teenagers, adults and children in order to critically examine the unique opportunities and risks encountered in MMORPGs. The findings from these interactions identified specific examples of opportunities and risks posed to vulnerable individuals, and demonstrated a need for a support and protection mechanism that promoted the identification and awareness of potential risk among vulnerable individuals. Emerging from these findings was a set of concepts that provided the evidence base for a Novel Taxonomy of Opportunities and Risks in MMORPG environments, designed to assist in the assessment of risk. Validation of the proposed taxonomy was achieved by means of an ethnographic study of World of Warcraft gamers' behaviour and social interactions through unobtrusive video capture of gaming sessions.
The Novel Taxonomy of Opportunities and Risks provided a basis for the development of a proof-of-concept Decision Support System, the purpose of which was to assist both social work practitioners and individuals to identify and reduce risks. Representatives from both user groups were consulted to evaluate the acceptability of such an approach, and their favourable responses demonstrated its acceptability. The evaluation process also demonstrated how the prototype would serve as a useful tool to make individual users aware of potential dangers. This research presents three novel facets: (1) it advances understanding of the unique opportunities and risks within MMORPG environments; (2) it provides a framework for the assessment of risks in MMORPGs through the Novel Taxonomy; and (3) it demonstrates a novel Decision Support System to assist in the identification and reduction of risk through a proof-of-concept prototype.

    A stealth approach to usable security: Helping IT security managers to identify workable security solutions

    Recent advances in usable security research have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk reduction and the business impact of information security controls, but not the impact that controls have on users. Rather than trying to remind security managers of usability, we present a new paradigm: a stealth approach which incorporates the impact of security controls on users' productivity and willingness to comply into the existing notions of business impact and risk reduction. During two 2-hour sessions, 3 IT security managers discussed with us mock-up tool prototypes that embody these principles, alongside a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and "hot-desking" initiatives). Our tool design process elicits findings to help develop mechanisms to visualise these trade-offs.

    I Don't Need an Expert! Making URL Phishing Features Human Comprehensible


    GRAPHICAL ONE-TIME PASSWORD AUTHENTICATION

    Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds cost but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients' accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers, and beyond the inconvenience, a token that is unavailable for any reason prevents customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing).
The participants' task was to act as attackers and try to break into the system. The GOTPass scheme showed high resistance against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.
    King Abdulaziz City for Science and Technology
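The abstract above names the three attack classes GOTPass was tested against but does not describe the protocol, so the following is an added illustration of the general recognition-based challenge-response idea and of why a per-session response is one-time, written for this page rather than taken from the thesis. It is not the GOTPass scheme: the image pool, grid size, secret length, the clear-text storage of the secret and all sample data are assumptions, and the draw-based second level is not modelled. It shows the replay of a captured response failing on a fresh grid, a single shoulder-surfed session revealing the secret, and the intersection attack that recovers the secret from observed challenge screens alone.

```python
"""Recognition-based graphical challenge-response and three attacks on it.

Added illustration, not the GOTPass protocol.  Assumptions: a pool of 30
images, a 16-cell login grid, a 4-image secret stored in clear on the server.
"""
import hmac
import random

POOL = [f"img{i:02d}" for i in range(30)]   # constructed portfolio of 30 images
GRID_CELLS = 16                               # hypothetical 4x4 login grid
SECRET_LEN = 4                                # hypothetical number of secret images


def enrol(seed: int) -> list[str]:
    """User picks SECRET_LEN distinct images from the pool; order matters."""
    return random.Random(seed).sample(POOL, SECRET_LEN)


def make_challenge(rng: random.Random, secret: list[str]) -> list[str]:
    """Server builds a fresh grid: every secret image plus random decoys, shuffled."""
    decoys = rng.sample([img for img in POOL if img not in secret], GRID_CELLS - len(secret))
    grid = secret + decoys
    rng.shuffle(grid)
    return grid


def session_grids(secret: list[str], n: int, seed: int) -> list[list[str]]:
    """n successive login screens for the same user (what an observer could record)."""
    rng = random.Random(seed)
    return [make_challenge(rng, secret) for _ in range(n)]


def respond(grid: list[str], secret: list[str]) -> list[int]:
    """Honest client: the positions of the secret images in this session's grid."""
    return [grid.index(img) for img in secret]


def verify(grid: list[str], response: list[int], secret: list[str]) -> bool:
    """Server maps positions back to image IDs and compares in constant time."""
    if len(response) != len(secret) or any(not 0 <= p < len(grid) for p in response):
        return False
    entered = ",".join(grid[p] for p in response)
    return hmac.compare_digest(entered.encode(), ",".join(secret).encode())


def replay_attack(secret: list[str], seed: int) -> tuple[bool, bool]:
    """Attacker captures session 1's positions and submits them again in session 2.
    Returns (accepted in session 1, accepted in session 2)."""
    rng = random.Random(seed)
    grid1 = make_challenge(rng, secret)
    captured = respond(grid1, secret)
    grid2 = make_challenge(rng, secret)
    return verify(grid1, captured, secret), verify(grid2, captured, secret)


def shoulder_surf(grid: list[str], response: list[int]) -> list[str]:
    """Observing one full session (screen plus taps) reveals the secret outright."""
    return [grid[p] for p in response]


def intersection_attack(grids: list[list[str]]) -> set[str]:
    """Attacker sees only the challenge screens: the secret images are present in
    every grid while decoys come and go, so the candidate set shrinks per session."""
    candidates = set(grids[0])
    for grid in grids[1:]:
        candidates &= set(grid)
    return candidates


if __name__ == "__main__":
    secret = enrol(2024)
    print("secret:", secret)
    print("replay accepted (session 1, session 2):", replay_attack(secret, 1))
    grids = session_grids(secret, 12, 5)
    print("shoulder-surfed from one session:", shoulder_surf(grids[0], respond(grids[0], secret)))
    print("intersection candidates after 12 screens:", sorted(intersection_attack(grids)))
```

The replay result is what makes the response "one-time": the same positions map to different images on the next grid. The other two functions show the limit of that property. A full observation of one session gives the secret directly, and an observer who only ever sees the screens still recovers it once enough sessions have been watched, because the secret images are the constant element. That is why the thesis evaluates intersection and shoulder-surfing separately from guessing, and why a real scheme needs a second factor that does not sit in the observed screen.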

    A Privacy-Enhancing Framework for Mobile Devices

    The use of mobile devices in daily life has increased exponentially, and they now occupy many essential aspects of people's lives, such as replacing credit cards to make payments and supporting various forms of entertainment and social activity. Consequently, users have installed an enormous number of apps. These apps can collect and share a large amount of data, such as location data, images, videos, health data, and call logs, which are highly valuable and sensitive for users. The use of apps therefore raises a variety of privacy concerns regarding which apps are allowed to access and share data, at what degree of granularity, and how to manage and limit its disclosure. Accordingly, it is imperative to design a holistic solution for enhancing privacy in mobile apps that meets users' privacy preferences. The research design in this study addressed the problem in a coherent and logical way, in several phases: identifying potential user requirements from the literature, then designing a participatory study to explore whether the initial requirements and design met users' preferences, which in turn led to the design of a final artefact. Design science requires the creation of a viable artefact for the current problem in the field. Thus, this study reviews the current use of privacy technologies and critically analyses the available solutions in order to investigate whether they have the capability to meet personal privacy preferences and maximise users' satisfaction. It is evident that most prior studies assume the homogeneity of privacy preferences across users, yet users' privacy preferences differ from one user to another in how they control and manage their data, how they prioritise information, which notifications they want personalised, and their levels of knowledge.
Moreover, solutions with a user interface designed according to users' perceptions and based on HCI principles are not readily available. Therefore, it is paramount to meet users' needs and requirements when enhancing privacy technology for mobile apps. A survey of 407 mobile users was undertaken to discover users' privacy preferences. The outcome of the survey shows that it is possible to prioritise information into 10 unique profiles, each of which represents a cluster of like-minded users and captures their privacy-related information preferences. The analysis also revealed that users differ not only in how they prioritise their information, but also regarding design, protection settings, responses, and level of knowledge. This, in turn, emphasises the need to design a holistic solution for users that considers all these dimensions. As such, the thesis proposes a novel framework for enhancing privacy technology in a modular and robust manner that would support such a system in practice. The system provides a comprehensive solution developed along these dimensions: a personalised response, prioritisation of privacy-related information, multilevel privacy controls, and consideration of users' varying levels of knowledge. As a result, this approach should enhance users' privacy awareness and meet their needs to protect their privacy. Additionally, the proposed system's user interfaces are designed according to users' perceptions and based on HCI principles, to overcome usability issues without compromising users' convenience. Ultimately, the evaluation of the effectiveness of the proposed approach shows that it is feasible and would enhance privacy technology as well as user convenience. This, in turn, would increase trust in the system and reduce privacy concerns.
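The abstract describes multilevel privacy controls keyed to a user's profile but not how a level is enforced on the data an app actually receives. The following is an added example, written for this page and not the thesis's framework, of the enforcement step: a profile fixes a disclosure level per data type, and every value an app requests is coarsened, counted, hashed or withheld accordingly before the app sees it. The profile names, data types, levels and sample records are all assumptions; the security-relevant choice is that an unknown profile or data type denies by default rather than passing data through.

```python
"""Per-profile disclosure levels applied to app data requests.

Added example, not the thesis's system.  Profiles, data types, levels and
the sample records below are constructed for illustration.
"""
import hashlib
from typing import Any, Optional

# Hypothetical disclosure level per data type for three illustrative profiles.
PROFILES: dict[str, dict[str, str]] = {
    "open":       {"location": "exact",  "contacts": "full",  "call_log": "full"},
    "cautious":   {"location": "coarse", "contacts": "count", "call_log": "hashed"},
    "restricted": {"location": "none",   "contacts": "none",  "call_log": "none"},
}

DENY = "none"   # level used for anything the profile does not explicitly allow


def level_for(profile: str, data_type: str) -> str:
    """Default-deny lookup: unknown profile or data type yields DENY, never "full"."""
    return PROFILES.get(profile, {}).get(data_type, DENY)


def _pseudonym(value: str) -> str:
    """Stable, non-reversible stand-in so an app can count distinct callers
    without learning the numbers (unsalted here for brevity; salt per user in practice)."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def _disclose_location(loc: tuple[float, float], level: str) -> Optional[tuple[float, float]]:
    lat, lon = loc
    if level == "exact":
        return (lat, lon)
    if level == "coarse":
        return (round(lat, 1), round(lon, 1))   # roughly a 10 km cell
    return None


def _disclose_contacts(contacts: list[str], level: str) -> Any:
    if level == "full":
        return list(contacts)
    if level == "count":
        return len(contacts)
    return None


def _disclose_call_log(calls: list[dict[str, Any]], level: str) -> Optional[list[dict[str, Any]]]:
    if level == "full":
        return [dict(c) for c in calls]
    if level == "hashed":
        return [{"number": _pseudonym(c["number"]), "secs": c["secs"]} for c in calls]
    return None


_HANDLERS = {
    "location": _disclose_location,
    "contacts": _disclose_contacts,
    "call_log": _disclose_call_log,
}


def disclose(profile: str, data_type: str, value: Any) -> Any:
    """What an app in `profile` receives when it asks for `data_type`; None means withheld."""
    handler = _HANDLERS.get(data_type)
    if handler is None:
        return None            # data type the framework does not know how to reduce
    return handler(value, level_for(profile, data_type))


if __name__ == "__main__":
    # Constructed sample records.
    loc = (51.50735, -0.12776)
    contacts = ["Alice", "Bob", "Carol"]
    calls = [{"number": "+441234567890", "secs": 30}, {"number": "+441234567891", "secs": 5}]
    for profile in PROFILES:
        print(profile, disclose(profile, "location", loc),
              disclose(profile, "contacts", contacts),
              disclose(profile, "call_log", calls))
```

The table is the only place a profile's policy lives, so changing a user's cluster or letting the user override one level is a data change rather than a code change, which is what a modular framework needs. The hashed call log is deliberately weaker than withholding: it still leaks call counts and timing, which is why it sits in the middle profile and not the restricted one.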

    Improving Intrusion Prevention, Detection and Response

    In the face of a wide range of attacks, Intrusion Detection Systems (IDS) and other Internet security tools represent potentially valuable safeguards to identify and combat the problems facing online systems. However, despite the fact that a variety of commercial and open source solutions are available across a range of operating systems and network platforms, it is notable that the deployment of IDS is often markedly lower than that of other well-known network security countermeasures, and that other tools are often used in an ineffective manner. This thesis considers the challenges that users may face while using IDS, by conducting a web-based questionnaire to assess these challenges. The challenges used in the questionnaire were gathered from the well-established literature. Participants varied in whether they agreed that each item was a challenge, but every listed challenge was confirmed as a problem in the IDS field. The aim of the research is to propose a novel set of Human Computer Interaction-Security (HCI-S) usability criteria based on the findings of the web-based questionnaire. These criteria were also inspired by previous literature in the field of HCI; their novelty is that they focus on the security aspects. The new criteria were promising when applied to Norton 360, a well-known Internet security suite. Testing the alerts issued by security software was the initial step before testing other security software. Hence, a set of security products was selected and alerts were triggered by performing a penetration test within a test-bed environment using the network scanner Nmap. The findings reveal that four of the HCI-S usability criteria were not fully addressed by any of these products.
Another aim of this thesis is the development of a prototype to address the HCI-S usability criteria that seem to be overlooked in existing security solutions. The thesis conducts a practical user trial; the findings are promising and point towards a proper solution to this problem. For instance, to take advantage of previous security decisions, it would be desirable for a system to consider the user's previous decisions on similar alerts, and modify alerts accordingly to account for the user's previous behaviour. Moreover, in order to give users a level of flexibility, it is important to enable them to make informed decisions, and to be able to recover from them if needed. It is important to address the proposed criteria that enable users to confirm or recover from the impact of their decision, maintain an awareness of system status at all times, and receive responses that match their expectations. The outcome of the current study is a proposed set of 16 HCI-S usability criteria that can be used to design and to assess security alerts issued by any Internet security suite. These criteria are not equally important and are weighted high, medium or low.
    The Embassy of the Arab Republic of Egypt (Cultural Centre & Educational Bureau) in London
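The three criteria singled out above (reuse the user's previous decisions on similar alerts, let the user recover from a decision, keep system status visible) are concrete enough to show in code. The following is an added example written for this page, not the thesis's prototype: a small alert-handling component that keys decisions on a similarity tuple, auto-applies a remembered decision to later alerts with the same key, keeps an undo stack that restores the decision memory exactly, and reports status. The alert fields, the choice of (signature, source) as the similarity key, the allow/block vocabulary and the sample alerts are assumptions.

```python
"""Alert handling with decision memory, recovery and status reporting.

Added example illustrating three HCI-S criteria; not the thesis's prototype.
Alert fields, similarity key and sample alerts are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DECISIONS = ("allow", "block")   # hypothetical decision vocabulary


@dataclass(frozen=True)
class Alert:
    signature: str   # detection rule that fired, e.g. "port-scan" (hypothetical)
    src: str         # source address the rule matched
    dst_port: int


class AlertTriage:
    """Remembers the user's decision per (signature, src) and applies it to similar alerts."""

    def __init__(self) -> None:
        self._memory: dict[tuple[str, str], str] = {}
        # Undo stack: (alert, decision applied, memory value for its key before it was applied)
        self._history: list[tuple[Alert, str, Optional[str]]] = []
        self._prompted = 0

    @staticmethod
    def similarity_key(alert: Alert) -> tuple[str, str]:
        """Two alerts are 'similar' when the same rule fired for the same source."""
        return (alert.signature, alert.src)

    def handle(self, alert: Alert, user_decision: Optional[str] = None) -> tuple[str, Optional[str]]:
        """Returns ("auto", d) if a remembered decision was applied, ("manual", d) if the
        user's decision was applied and remembered, or ("prompt", None) if input is needed."""
        key = self.similarity_key(alert)
        previous = self._memory.get(key)
        if user_decision is None:
            if previous is None:
                self._prompted += 1
                return ("prompt", None)
            self._history.append((alert, previous, previous))
            return ("auto", previous)
        if user_decision not in DECISIONS:
            raise ValueError(f"unknown decision {user_decision!r}")
        self._history.append((alert, user_decision, previous))
        self._memory[key] = user_decision      # newer decision overrides an older one
        return ("manual", user_decision)

    def recover(self) -> Optional[tuple[Alert, str]]:
        """Undo the most recent applied decision and put the memory back as it was."""
        if not self._history:
            return None
        alert, decision, before = self._history.pop()
        key = self.similarity_key(alert)
        if before is None:
            self._memory.pop(key, None)
        else:
            self._memory[key] = before
        return (alert, decision)

    def status(self) -> dict[str, int]:
        """What the user should be able to see at any time."""
        return {"rules": len(self._memory), "applied": len(self._history), "prompted": self._prompted}


if __name__ == "__main__":
    # Constructed sample alerts.
    triage = AlertTriage()
    scan_ssh = Alert("port-scan", "10.0.0.5", 22)
    scan_https = Alert("port-scan", "10.0.0.5", 443)
    print(triage.handle(scan_ssh))              # ("prompt", None): nothing remembered yet
    print(triage.handle(scan_ssh, "block"))     # user decides; remembered for this key
    print(triage.handle(scan_https))            # ("auto", "block"): same rule, same source
    print(triage.recover(), triage.recover())   # undo both, memory is empty again
    print(triage.status())
```

The caveat a detection engineer would add: auto-applying a remembered "allow" is exactly what an attacker reusing the same source would exploit, so in a real suite remembered allows should carry an expiry or a count limit while remembered blocks can be longer-lived. The similarity key determines both false auto-applies and how much the user is prompted; (signature, src) is a deliberately narrow choice here.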