    An anti-malvertising model for university students to increase security awareness

    Accessing websites through the Internet has introduced a new way of advertising information to users. The term “malvertising” comes from the words malware and advertising. It is a type of attack that injects malware or scareware into online advertisements. The purpose of this study is to investigate security awareness of malvertising attacks among university students, to propose an anti-malvertising model to improve security awareness, and to evaluate the security awareness of the proposed model. The data collection starts with a preliminary study to understand the malvertising issue. Then, a survey questionnaire is distributed to university students from two different local universities (UTM, Kuala Lumpur and UMP, Pahang) and from two different backgrounds (IT-related and non-IT-related courses) to investigate current security awareness of malvertising attacks. The study proposes a theoretical model of anti-malvertising, and security awareness is analyzed through the survey. The proposed model consists of protection, behavior and monitoring components, identified as independent variables, and security awareness of anti-malvertising is identified as the dependent variable. The study found that more than half of the students are aware of the malvertising attack, practicing protection measures, security behavior, and security monitoring that have a positive impact on the students’ security awareness. The proposed theoretical model may be beneficial for students as a basis of reference for anti-malvertising exercises, while promoting security awareness among university students. In addition, the theoretical model can be used as a reference by researchers in this field, as well as by other security practitioners, in practicing the suitable components that constitute security awareness for malvertising.

    A framework to integrate information and communication technology security awareness into the South African education system

    There is general consensus about the importance of Information and Communication Technology (ICT) security in South Africa. This consensus is evident from initiatives related to the formulation of legislation and policies like the Electronic Communications and Transactions (ECT) Act and the National Cyber Security Policy. A number of South African academic institutions have also come on board with initiatives aimed at enhancing ICT security awareness all over the country. In fact, ICT security awareness has been classified as an important component of South Africa’s national security. Many countries use ICT to improve and enhance the standard of their education systems. A number of scholars in South Africa have conducted studies with the aim of proving that ICT can play a major role in improving the quality of education in the country. The research in hand investigates the lack of integration of ICT security awareness into the South African education system. The literature review that was conducted reveals that there is a huge problem, especially when it comes to the integration of ICT security awareness into the South African schooling system. The advancement of technology has come with a number of advantages and disadvantages. The easy access to information via the internet, coupled with unsupervised access to instant messaging applications (Skype, MXiT) and social media platforms (Facebook, Twitter and many more), hugely increases the vulnerability of school learners to ICT security attacks and ICT-related crime. The current research therefore investigates the vulnerability caused by the lack of ICT security awareness among school learners as one of the main disadvantages of the advancement of information technology. An analysis of existing models and frameworks in the two spheres of ICT, namely education and ICT security, was conducted. 
The aim was to determine any similarities or overlap between these spheres and to determine whether the existing ICT models and frameworks are relevant to South Africa. The analysis showed a significant disparity and inconsistency between the two spheres and proved that there is a definite need for a framework (relevant to South Africa) that can be used for the integration of ICT security awareness into South African education. Hence, the researcher proposed a more integrated approach in the form of a framework that is directed at South African school learners, based on an in-depth literature review of past scholarly work, models and frameworks. Having reviewed a number of existing models and frameworks, and identifying the potential gaps, the researcher proposed a framework to address the lack of integration of ICT security awareness into the South African education system. The proposed framework, called the South African ICT Security Awareness Framework for Education (SAISAFE), was reviewed for its potential applicability in the South African context, and the results of the literature review analysis are reported to support the analysis of models and frameworks. School of Computing. M. A. (Computing

    A model on evaluating information security awareness in Majmaah University in Saudi Arabia

    Evaluating information security awareness (ISA) is considered one of the key and crucial elements of securing information systems in organizations. It has been used widely in many fields, such as business, education, marketing, transportation, medicine and many others. It plays a vital role and has thus become a challenging issue. Security managers should therefore be prepared for, and resistant to, a variety of potential attacks. The main reason that many assessments of information security awareness fail is the complexity and inflexibility of the existing models. Domain modellers usually spend a lot of time understanding the nature of the domain that they wish to model. Even though many methods exist to evaluate ISA levels, the ways best suited to providing a straightforward guideline to ISA users based on their own problems are limited. To address this limitation, this project follows several steps to create a generic model that can determine the level of ISA and its solutions through a unified model. This project addresses the issues of information security awareness among employees and students at Majmaah University by implementing a conceptual model to support information security awareness for employees and students. The proposed model includes factors such as information security awareness, education, bad experience, guidelines, roles and responsibility, behaviour, knowledge and attitude. The model is measured by conducting an online survey to collect data in support of the proposed project; the results, from 263 employees and students, show that these factors affect information security awareness. The research has contributed to a better understanding of evaluating information security awareness in support of Majmaah University, using Cronbach’s alpha and regression in the analysis phase. The findings show that students and staff of Majmaah University are moderately aware of information security.

    Awareness of Information Security

    Information security is today a major concern for organizations around the world. As technical development advances, more and more ways arise in which sensitive information is exposed to external threats. There are now many studies on information security that examine the human factor, which is an important component in this area. The human factor also means that internal threats arise, an area where companies today often fall short. Because of the agile way of working that many organizations have today, externally hired labour is becoming increasingly common. This in turn compounds the problem of how companies should act when it comes to informing their employees about how information security should be handled. This thesis carries out a comparative study that examines the difference between external consultants' and permanent employees' awareness of information security. The result shows a difference, with the consultants' awareness being generally poorer. Finally, examples are presented of what companies should consider in order to reduce this difference.

    Enhancing Key Digital Literacy Skills: Information Privacy, Information Security, and Copyright/Intellectual Property

    Key Messages. Background: Knowledge and skills in the areas of information security, information privacy, and copyright/intellectual property rights and protection are of key importance for organizational and individual success in an evolving society and labour market in which information is a core resource. Organizations require skilled and knowledgeable professionals who understand risks and responsibilities related to the management of information privacy, information security, and copyright/intellectual property. Professionals with this expertise can assist organizations to ensure that they and their employees meet requirements for the privacy and security of information in their care and control, and in order to ensure that neither the organization nor its employees contravene copyright provisions in their use of information. Failure to meet any of these responsibilities can expose the organization to reputational harm, legal action and/or financial loss. Context: Inadequate or inappropriate information management practices of individual employees are at the root of organizational vulnerabilities with respect to information privacy, information security, and information ownership issues. Users demonstrate inadequate skills and knowledge coupled with inappropriate practices in these areas, and similar gaps at the organizational level are also widely documented. National and international regulatory frameworks governing information privacy, information security, and copyright/intellectual property are complex and in constant flux, placing additional burden on organizations to keep abreast of relevant regulatory and legal responsibilities. Governance and risk management related to information privacy, security, and ownership are critical to many job categories, including the emerging areas of information and knowledge management. 
There is an increasing need for skilled and knowledgeable individuals to fill organizational roles related to information management, with particular growth in these areas within the past 10 years. Our analysis of current job postings in Ontario supports the demand for skills and knowledge in these areas. Key Competencies: We have developed a set of key competencies across a range of areas that responds to these needs by providing a blueprint for the training of information managers prepared for leadership and strategic positions. These competencies are identified in the full report. Competency areas include: conceptual foundations; risk assessment; tools and techniques for threat responses; communications; contract negotiation and compliance; evaluation and assessment; human resources management; organizational knowledge management; planning; policy awareness and compliance; policy development; project managemen

    User behaviour in the security of information systems in organizations: a risk or a protection?

    In an ever-changing and increasingly globalized society, in which organizations need to always have the necessary and useful information available in order to carry out their daily activities quickly and effectively, ensuring the security of information is a factor on which their continuity and success depend. The goal of the present work is to determine to what extent users’ behaviours and attitudes are a risk or a protection for the security of Information Systems inside organizations. In order to reach this goal, a literature review based on secondary sources will be carried out. In a second phase, a questionnaire will be drawn up based on the security procedures identified in the literature review and applied to the Information Systems’ users. 
The results will then be analysed and conclusions drawn. The results of this study show that, in general, users are a protection for the security of the Information Systems inside the organizations. However, there are some procedures that the users have to improve, to avoid what may be considered risky behaviour.

    The impact of information security awareness training on information security behaviour

    Information Security awareness initiatives are seen as critical to any information security programme. But how do we determine the effectiveness of these awareness initiatives? We could get our employees to write a test after the awareness training to determine how well they understand the policies, but this does not show how the initiatives affect the employees’ on-the-job behaviour. Does awareness training have a direct influence on the security behaviour of individuals, and what is the direct benefit of awareness training? This research report aims to answer the question: To what extent does information security awareness training influence information security behaviour? Technologies meant to provide security ultimately depend on the effective implementation and operation of these technologies by people. Thus awareness of policies is needed by all individuals in an organisation to ensure that policies are well understood and not misinterpreted. Some researchers have maintained that educating users is futile, mainly because it is believed that it is difficult to teach users complex security issues and, secondly, because if security is seen as secondary by the user they will not pay enough attention to it. This research found that, firstly, there is a shortage of in-depth information security awareness research and that behavioural concepts are not properly taken into account for security awareness programmes. There is a shortage of theoretical models explaining how awareness training affects behaviour. Secondly, this research tested a proposed model empirically using system-generated data as indicators of behaviour in a pretest-posttest experimental design. It was found that security awareness training was effective in terms of end-users retaining security knowledge. However, there was no evidence to suggest that security awareness by itself is sufficient to ensure compliant behaviour by end-users. 
Security awareness training is a necessary, integral component that could influence compliant behaviour, but is not adequate to do so fully. Practitioners must insist that their security awareness programmes are measured in terms of effectiveness and focus on behavioural aspects to complement traditional security awareness initiatives.

    A framework for cyber security awareness in small, medium and micro enterprises (SMMEs) in South Africa

    In South Africa, there is a rapid increase in cyber attacks aimed at organisations regardless of size and industry. Cyber attacks are directed at businesses of all sizes; however, small, medium and micro enterprises (SMMEs) are impacted most because of limited information technology (IT) skills and financial support to prevent cyber threats. There is a significant increase in SMMEs in South Africa, which are important because of their contribution to the country’s economy. Organisations, including SMMEs, are gradually coming to depend on IT to sustain their competitive advantage and boost services. In South Africa, many organisations, including SMMEs, are still not effectively prepared to prevent cybercrimes. Therefore, there is a need to create cyber security awareness for SMMEs because they have a direct impact on the cyber security infrastructure of the country. Based on systematic literature review findings, a research gap has been identified whereby a cyber security awareness study has not been conducted for South African SMMEs in which a suitable model and framework for raising cyber security awareness for SMMEs in South Africa have been developed. The main aim of the research study is to develop a framework for cyber security awareness for South African SMMEs (Csa4Smmes {RSA} framework). This research study follows the design science research methodology (DSRM) approach. This approach is most suitable and was carefully selected to address the purpose of the study. Models and frameworks have been evaluated to develop components of the conceptual Csa4Smmes {RSA} framework, which are used as building blocks to develop the intermediate Csa4Smmes {RSA} framework. Semi-structured interviews with experts in cyber security, science and technology awareness as well as SMMEs management and operation were conducted to demonstrate and evaluate the intermediate Csa4Smmes {RSA} framework. 
Consequently, this framework was produced as an artefact to enhance cyber security awareness levels within SMMEs in South Africa. Cyber security awareness has been demonstrated to be an effective approach to enhance cyber security awareness level. Therefore, the Csa4Smmes {RSA} framework can assist government in reducing cyber attacks associated with internet users. School of Computing. M. Sc. (Computing