A review of behavioural research on data security

Protection of confidential information or data from being leaked to the public is a growing concern among organisations and individuals. This paper presents the results of the search for literature on behavioural and security aspects of data protection. The topics covered by this review include a summary of the changes brought about by the EU GDPR (General Data Protection Regulation). It covers human and behavioural aspects of data protection, security and data breach or loss (threats), IT architectures to protect data (prevention), managing data breaches (mitigation), risk assessment and data protection audits. A distinction is made between threats and prevention from within an organisation and from the outside

Security Audit Compliance for Cloud Computing

Cloud computing has grown largely over the past three years and is widely popular amongst today's IT landscape. In a comparative study between 250 IT decision makers of UK companies they said, that they already use cloud services for 61% of their systems. Cloud vendors promise "infinite scalability and resources" combined with on-demand access from everywhere. This lets cloud users quickly forget, that there is still a real IT infrastructure behind a cloud. Due to virtualization and multi-tenancy the complexity of these infrastructures is even increased compared to traditional data centers, while it is hidden from the user and outside of his control. This makes management of service provisioning, monitoring, backup, disaster recovery and especially security more complicated. Due to this, and a number of severe security incidents at commercial providers in recent years there is a growing lack of trust in cloud infrastructures. This thesis presents research on cloud security challenges and how they can be addressed by cloud security audits. Security requirements of an Infrastructure as a Service (IaaS) cloud are identified and it is shown how they differ from traditional data centres. To address cloud specific security challenges, a new cloud audit criteria catalogue is developed. Subsequently, a novel cloud security audit system gets developed, which provides a flexible audit architecture for frequently changing cloud infrastructures. It is based on lightweight software agents, which monitor key events in a cloud and trigger specific targeted security audits on demand - on a customer and a cloud provider perspective. To enable these concurrent cloud audits, a Cloud Audit Policy Language is developed and integrated into the audit architecture. Furthermore, to address advanced cloud specific security challenges, an anomaly detection system based on machine learning technology is developed. By creating cloud usage profiles, a continuous evaluation of events - customer specific as well as customer overspanning - helps to detect anomalies within an IaaS cloud. The feasibility of the research is presented as a prototype and its functionality is presented in three demonstrations. Results prove, that the developed cloud audit architecture is able to mitigate cloud specific security challenges

The prevention of internal identity theft-related crimes: a case study research of the UK online retail companies.

Ranked the third biggest cyber security threats of 2013 by Forbes, Internal Identity Theft-Related Crimes (IIDTRC) leave countless victims in their wake, including online retail companies and consumers. With the rapid growth in the use of credit and debit cards in e-commerce, the online retail has been a key target for the IIDTRC perpetrators. IIDTRC involve the misuse of information systems (IS) by the dishonest employees to steal victims’ personal identifiable data. The crimes pose significant socio-economic impact and data security risks. In the context of online retail, relatively little research has been done to prevent IIDTRC. A few studies focus on situational-based IIDTRC prevention approach built on an independent use of software security. Others develop IIDTRC prevention frameworks in the context of generic e-businesses. The majority of the frameworks have little or no grounded empirical research. This research entitled the ‘The Prevention of Internal Identity Theft-Related Crimes: A Case Study Research of the UK Online Retail Companies’, attempts to bridge this research gap. It provides answers to two questions – what is the nature of IIDTRC in online retail companies and what framework can be used for IIDTRC prevention. This research set out three aims to answer the two questions. First, it provides understanding of causes, methods of carrying out and prevention of IIDTRC. Second, it extends a role-based framework (RBF) for the prevention of IIDTRC. Third, it evaluates the extent the RBF can be applied in the prevention of IIDTRC in online retail companies. A qualitative case study was used to achieve these aims. The empirical data were collected in the northwest of UK from 2011 to 2013. The field study was carried through archival analysis, semi-structured interview and participant observation. Organisational role theory (ORT) was used to guide the concept of a role-based framework (RBF) – a collaborative approach where the key components of management work in unison is required to prevent IIDTRC. The attributes of RBF were synthesised from the recommended IIDTRC prevention practices. The empirical evidence suggests that IIDTRC perpetrators in online retail companies are likely to be the top management and call centre employees. The findings suggest that online retail consumers’ credits/debits cards details are as much vulnerable to IIDTRC as the companies’ identities such as trade secrets and trademarks. Furthermore, the common methods used by the IIDTRC perpetrators include collaboration, collusion, infiltration and social engineering. Some of the IIDTRC prevention practices, of which the majority is software security, are implemented without considering the contribution of human-centred security based on management roles. In examining the contribution of the management roles in implementing Information Systems security practices, major challenges that are faced by online retail companies were identified. They include lack of resources, lack of management support and lack of IIDTRC prevention awareness training. This research concludes that an application of RBF can reduce the impact of the identified challenges. This was suggested by applying RBF in conducting IS security auditing in three online retail companies. The finding from the selected companies suggests that the RBF approach can maximise management performance in providing effective IIDTRC prevention practices. It provides better returns on cost, quality and time in the IS security auditing. It has an impact on management attitudes on preventing IIDTRC by clarifying and aligning their roles in implementing effective IS security auditing. There is heterogeneity of this effect across the companies suggesting that some are utilising the RBF approach while others are not. The finding confirms the plausibility of the RBF attributes. It suggests that the human-centred security play an integral role for effective internal data security in preventing IIDTRC. It suggests that it pays to use the collaborative management roles approach for implementing IIDTRC prevention practices. Furthermore, the use of the RBF approach can improve the effectiveness of the online retail companies in preventing IIDTRC. The findings suggest that benefits may accrue from the RBF approach when supplemented with a collaborative IS auditing. The benefits depend on the level of management IT skills, their perception of their roles, top management support and the organisational operations. This research contributes to the literature in identity theft prevention in online retail. To IS security practitioners, it identifies the data security challenges and IIDTRC prevention practices. To theory, it extends a role-based framework for IIDTRC prevention. To the emerging research in the digital economy, it puts forward as a robust starting point for further related works in cyber security, cybercrimes prevention and criminology

Campus Communications Systems: Converging Technologies

This book is a rewrite of Campus Telecommunications Systems: Managing Change, a book that was written by ACUTA in 1995. In the past decade, our industry has experienced a thousand-fold increase in data rates as we migrated from 10 megabit links (10 million bits per second) to 10 gigabit links (10 billion bits per second), we have seen the National Telecommunications Policy completely revamped; we have seen the combination of voice, data, and video onto one network; and we have seen many of our service providers merge into larger corporations able to offer more diverse services. When this book was last written, A CUT A meant telecommunications, convergence was a mathematical term, triple play was a baseball term, and terms such as iPod, DoS, and QoS did not exist. This book is designed to be a communications primer to be used by new entrants into the field of communications in higher education and by veteran communications professionals who want additional information in areas other than their field of expertise. There are reference books and text books available on every topic discussed in this book if a more in-depth explanation is desired. Individual chapters were authored by communications professionals from various member campuses. This allowed the authors to share their years of experience (more years than many of us would care to admit to) with the community at large. Foreword Walt Magnussen, Ph.D. Preface Ron Kovac, Ph.D. 1 The Technology Landscape: Historical Overview . Walt Magnussen, Ph.D. 2 Emerging Trends and Technologies . Joanne Kossuth 3 Network Security . Beth Chancellor 4 Security and Disaster Planning and Management Marjorie Windelberg, Ph.D. 5 Student Services in a University Setting . Walt Magnussen, Ph.D. 6 Administrative Services David E. O\u27Neill 7 The Business Side of Information Technology George Denbow 8 The Role of Consultants . David C. Metz Glossary Michelle Narcavag

Fighting Cybercrime After \u3cem\u3eUnited States v. Jones\u3c/em\u3e

In a landmark non-decision last term, five Justices of the United States Supreme Court would have held that citizens possess a Fourth Amendment right to expect that certain quantities of information about them will remain private, even if they have no such expectations with respect to any of the information or data constituting that whole. This quantitative approach to evaluating and protecting Fourth Amendment rights is certainly novel and raises serious conceptual, doctrinal, and practical challenges. In other works, we have met these challenges by engaging in a careful analysis of this “mosaic theory” and by proposing that courts focus on the technologies that make collecting and aggregating large quantities of information possible. In those efforts, we focused on reasonable expectations held by “the people” that they will not be subjected to broad and indiscriminate surveillance. These expectations are anchored in Founding-era concerns about the capacity for unfettered search powers to promote an authoritarian surveillance state. Although we also readily acknowledged that there are legitimate and competing governmental and law enforcement interests at stake in the deployment and use of surveillance technologies that implicate reasonable interests in quantitative privacy, we did little more. In this Article, we begin to address that omission by focusing on the legitimate governmental and law enforcement interests at stake in preventing, detecting, and prosecuting cyber-harassment and healthcare fraud

The Technologization of Insurance: An Empirical Analysis of Big Data and Artificial Intelligence’s Impact on Cybersecurity and Privacy

This Article engages one of the biggest issues debated among privacy and technology scholars by offering an empirical examination of how big data and emerging technologies influence society. Although scholars explore the ways that code, technology, and information regulate society, existing research primarily focuses on the theoretical and normative challenges of big data and emerging technologies. To our knowledge, there has been very little empirical analysis of precisely how big data and technology influence society. This is not due to a lack of interest but rather a lack of disclosure by data providers and corporations that collect and use these technologies. Specifically, we focus on one of the biggest problems for businesses and individuals in society: cybersecurity risks and data breach events. Due to the lack of stringent legal regulations and preparation by organizations, insurance companies are stepping in and offering not only cyber insurance but also risk management services aimed at trying to improve organizations’ cybersecurity profile and reduce their risk. Drawing from sixty interviews of the cyber insurance field, a quantitative analysis of a “big data” set we obtained from a data provider, and observations at cyber insurance conferences, we explore the effects of what we refer to as the “technologization of insurance,” the process whereby technology influences and shapes the delivery of insurance. Our study makes two primary findings. First, we show how big data, artificial intelligence, and emerging technologies are transforming the way insurers underwrite, price insurance, and engage in risk management. Second, we show how the impact of these technological interventions is largely symbolic. Insurtech innovations are ineffective at enhancing organizations’ cybersecurity, promoting the role of insurers as regulators, and helping insurers manage uncertainty. We conclude by offering recommendations on how society can help technology to assure algorithmic justice and greater security of consumer information as opposed to greater efficiency and profit

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions

The Applications of the Internet of things in the Medical Field

The Internet of Things (IoT) paradigm promises to make “things” include a more generic set of entities such as smart devices, sensors, human beings, and any other IoT objects to be accessible at anytime and anywhere. IoT varies widely in its applications, and one of its most beneficial uses is in the medical field. However, the large attack surface and vulnerabilities of IoT systems needs to be secured and protected. Security is a requirement for IoT systems in the medical field where the Health Insurance Portability and Accountability Act (HIPAA) applies. This work investigates various applications of IoT in healthcare and focuses on the security aspects of the two internet of medical things (IoMT) devices: the LifeWatch Mobile Cardiac Telemetry 3 Lead (MCT3L), and the remote patient monitoring system of the telehealth provider Vivify Health, as well as their implementations

But is it exploitable? Exploring how Router Vendors Manage and Patch Security Vulnerabilities in Consumer-Grade Routers

Millions of consumer-grade routers are vulnerable to security attacks. Router network attacks are dangerous and infections, presenting a serious security threat. They account for 80% of infected devices in the market, posing a greater threat than infected IoT devices and desktop computers. Routers offer an attractive target of attacks due to their gateway function to home networks, internet accessibility, and higher likelihood of having vulnerabilities. A major problem with these routers is their unpatched and unaddressed security vulnerabilities. Reports show that 30% of critical router vulnerabilities discovered in 2021 have not received any response from vendors. Why? To better understand how router vendors manage and patch vulnerabilities in consumer-grade routers, and the accompanying challenges, we conducted 30 semi-structured interviews with professionals in router vendor companies selling broadband and retail routers in the UK. We found that router professionals prioritize vulnerability patching based on customer impact rather than vulnerability severity score. However, they experienced obstacles in patching vulnerabilities due to outsourcing development to third parties and the inability to support outdated models. To address these challenges, they developed workarounds such as offering replacement routers and releasing security advisories. However, they received pushback from customers who were not technically capable or concerned about security. Based on our results, we concluded with recommendations to improve security practice in routers

The Importance and Implications of Forensic Accounting in the Financial World

This thesis thoroughly explores fraud and the forensic accounting profession. It details the education, training, and careers of forensic accountants; and why demand for this profession has suddenly spiked. The necessary skills of forensic accountants and why these skills are valuable is explored; a need for better education and training is also proposed. It also details popular forensic accounting methods and how these may be used to detect fraud. This thesis explains several fraud schemes and famous frauds that were contributors to the growing demand of forensic accountants. The fraud triangle and other contributing factors are explored. This thesis also emphasizes the importance of strong internal controls and explains the COSO internal control framework; several important internal controls are listed and explained. Cybersecurity is also explained; including why it has become an absolute necessity and how businesses can better enforce cybersecurity measures. This thesis also explains the changes that were made following the Enron and WorldCom scandals and details the Sarbanes-Oxley Act of 2002. Explanations for the relevant changes and why they were necessary are included. The purpose of this thesis is to demonstrate the importance of forensic accounting and to thoroughly explain the facets of fraud and forensic accounting