49 research outputs found

    A Quarter Century of International Copyright on Software

    Full text link

    The usage of MIS applications to raise the efficiency and performance of the telecommunications services in the Kingdom of Saudi Arabia

    Get PDF
    PhD ThesisThere are different kinds of requirements on an information system. Of particular concern to this study are non-functional requirements (NFRs). These are aspects of a system. independent of any technical capabilities that it may have, which form a series of constraints on how a system will actually perform, and of which an organisation must take account in order to achieve success. This thesis studies non-functional requirements with particular reference to those that support an organisation in the process of structural change. Particular attention is paid to those non-functional requirements that will be constraints that hinder the performance and efficiency of any organisation if they are not fully understood and incorporated into the new information system. The way in which such non-functional requirements should be handled is illustrated by an extensive case study of the main provider of telecommunications services in Saudi Arabia. The researcher first took an interest in the Saudi telecommunications industry as a result of the recent moves to transform the country's telecommunications service from the traditional structure to a new system by the introduction of privatisation. The new modified system is called the Saudi Telecom Company (STC), though it is at present still under the effective control of the Saudi Ministry of Post, Telephone and Telegraph (MoPTT), the previous telecommunications service provider. The Saudi telecommunications service has been a monopoly managed through traditional public management systems, typically influenced by a dominant bureaucracy. The researcher's concern has been to study and describe the current management, structure, and operations (in particular the information systems) of the MoPTT in order to identifY key issues and potential areas for development which will help the MoPTT, as the STC, to offer a quality telecommunications service in the new competitive market. The researcher sets the telecommunications industry in Saudi Arabia in its national context by providing the political, cultural and economic background to the Kingdom of Saudi Arabia. This is of particular importance in view of the significance discovered by his study of non-technical environmental factors in the performance of the telecommunications service in the country. Using a combination of the qualitative and quantitative research approaches, the researcher examined the literature relevant to his topic and undertook a fieldtrip to Saudi Arabia, when he conferred extensively with MoPTI management and staff, observed MoPTI structures and operations, and consulted other experts in telecommunications. Reflection on the literature along with extensive fieldtrip consultation and observation reveal that a full account of the operations and potential of the Saudi telecommunications system cannot be provided by a consideration of its technical functions and processes alone. Due recognition must be given to the peculiarly Saudi setting of the service, and in particular attention must be paid to non-functional aspects, such requirements and constraints related to the environment in which the system has to operate. Culturally related non-functional requirements are of particular interest, and the case of Internet access in Saudi Arabia is examined, since it provides an especially good example of a non-functional requirement which is undergoing change, while still acting as a constraint on telecommunications usage. The case is related to a new conception of Saudisation, whereby Saudi personnel are no longer simply taking over and imitating western skills, but where they are providing Saudi solutions to Saudi questions. Using information gathered largely during his fieldtrip, the researcher provides a comprehensive description and discussion of the current MoPTT business areas, organisational structures, and information systems. Not only the commercial and technical features of these operations are examined, but also the extent to which they succeed in fulfilling or operating within the non-functional requirements and constraints, especially those of particularly Saudi origin, imposed upon them. Where appropriate, potential new approaches and directions for the MoPTI in relation to handling issues are indicated. Employing techniques developed by Dr. Michael Porter of Harvard University, an analysis has been provided of the of the MoPTI's enterprise strategy, since it is this which ultimately drives all the operations of the MoPTI, and upon which the MoPTI's telecommunications service will depend for commercial success in the new postprivatisation market. Based upon this analysis, the researcher has put forward explicit operational, managerial, and business proposals which should allow the MoPTT to seize the opportunities offered by privatisation, and to achieve success in both the domestic and the international telecommunications market. The researcher has felt able to identifY a number of specific factors within the MoPTr which might receive particular attention for revision and improvement, as they impact on all MoPTT operations and are of critical importance for its commercial success. These areas are strategic planning, marketing, training, customer relations, an integrated information system, and workforce management. As a result of his investigation into the operations of the MoPTT the researcher has been able to identify a new approach to the future of telecommunications in Saudi Arabia. He has designed an information architecture within which the MoPTT information systems might operate, and which takes full account of the role of non-functional aspects in the degree of success of such a complex operation. He offers a comprehensive description of the basis, operational details, and advantages of the implementation of this architecture for the MoPTT's information system operations. The particular benefits of Saudisation are stressed. It became clear during the research that the concept of Saudisation simply as the taking over and imitation of tasks previously carried out by non-Saudis (because they had the training and experience) was now inadequate. Saudisation has now to be understood as a cultural as well as a technical or business transformation, a dynamic concept relating both to enduring Saudi cultural values and to changing social attitudes and practices. Indeed this concept of Saudisation would repay further investigation as a suitable topic for future academic research, and the researcher makes this recommendation. He does so principally because the traditional understanding of the concept now seems inadequate and therefore a factor likely to inlnbit the truly indigenous development industry and services within Saudi ArabiaThe Government of Saudi Arabia: King AbdulAziz University

    Access Control for IoT: Problems and Solutions in the Smart Home

    Get PDF
    The Internet of Things (IoT) is receiving considerable amount of attention from both industry and academia due to the business models that it enables and the radical changes it introduced in the way people interact with technology. The widespread adaption of IoT in our everyday life generates new security and privacy challenges. In this thesis, we focus on "access control in IoT": one of the key security services that ensures the correct functioning of the entire IoT system. We highlight the key differences with access control in traditional systems (such as databases, operating systems, or web services) and describe a set of requirements that any access control system for IoT should fulfill. We demonstrate that the requirements are adaptable to a wide range of IoT use case scenarios by validating the requirements for access control elicited when analyzing the smart lock system as sample use case from smart home scenario. We also utilize the CAP theorem for reasoning about access control systems designed for the IoT. We introduce MQTT Security Assistant (MQTTSA), a tool that automatically detects misconfigurations in MQTT-based IoT deployments. To assist IoT system developers, MQTTSA produces a report outlining detected vulnerabilities, together with (high level) hints and code snippets to implement adequate mitigations. The effectiveness of the tool is assessed by a thorough experimental evaluation. Then, we propose a lazy approach to Access Control as a Service (ACaaS) that allows the specification and management of policies independently of the Cloud Service Providers (CSPs) while leveraging its enforcement mechanisms. We demonstrate the approach by investigating (also experimentally) alternative deployments in the IoT platform offered by Amazon Web Services on a realistic smart lock solution

    Hierarchical Group and Attribute-Based Access Control: Incorporating Hierarchical Groups and Delegation into Attribute-Based Access Control

    Get PDF
    Attribute-Based Access Control (ABAC) is a promising alternative to traditional models of access control (i.e. Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access control (RBAC)) that has drawn attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large-scale adoption is still in its infancy. The relatively recent popularity of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, etc. have been largely ignored or left to future work. This thesis seeks to aid in the adoption of ABAC by filling in several of these gaps. The core contribution of this work is the Hierarchical Group and Attribute-Based Access Control (HGABAC) model, a novel formal model of ABAC which introduces the concept of hierarchical user and object attribute groups to ABAC. It is shown that HGABAC is capable of representing the traditional models of access control (MAC, DAC and RBAC) using this group hierarchy and that in many cases it’s use simplifies both attribute and policy administration. HGABAC serves as the basis upon which extensions are built to incorporate delegation into ABAC. Several potential strategies for introducing delegation into ABAC are proposed, categorized into families and the trade-offs of each are examined. One such strategy is formalized into a new User-to-User Attribute Delegation model, built as an extension to the HGABAC model. Attribute Delegation enables users to delegate a subset of their attributes to other users in an off-line manner (not requiring connecting to a third party). Finally, a supporting architecture for HGABAC is detailed including descriptions of services, high-level communication protocols and a new low-level attribute certificate format for exchanging user and connection attributes between independent services. Particular emphasis is placed on ensuring support for federated and distributed systems. Critical components of the architecture are implemented and evaluated with promising preliminary results. It is hoped that the contributions in this research will further the acceptance of ABAC in both academia and industry by solving the problem of delegation as well as simplifying administration and policy authoring through the introduction of hierarchical user groups

    The use of frames in database modeling

    Get PDF
    Call number: LD2668 .T4 1984 S93Master of Scienc

    Fisheries Management Science Programme: an overview of development impact to 2005

    Get PDF
    This report examines the development impacts of the Department for International Development's Fisheries Management Science Programme, considering how the Programme has sought to achieve impact. Analysis of projects in Zanzibar, Laos and Namibia examines the development results

    A TxQoS-aware business transaction framework

    Get PDF
    In this thesis, we propose a transaction framework to provide comprehensive and flexible transaction support for contract-driven, service-oriented business processes. The research follows the research method outlined below. Initially, a thorough investigation on current state of affairs was made. Afterwards, we carried out a case study, which we utilized to identify the problems that are likely to occur during the execution of business processes. As the result of the solution design, the concepts, scenarios, life cycles, reference architectures, and mechanisms were proposed to address the problems. The design took place on the conceptual level, while the coding/programming and implementation is out of the scope of this thesis. The business-oriented solution design allows for transaction qualities to be specified and guaranteed by a contractual approach named as TxQoS (Transactional Quality of Service). The technology-oriented design enables flexible composition of ATCs (Abstract Transaction Constructs) as a transaction schema to support the execution of complex processes. As the last step of research, we validated the feasibility of our design by a utility study conducted in a large telecom project, which has complex processes that are service-oriented and contract-driven. Finally, we discussed the contributions and limitations of the research. The main contribution of the thesis is the BTF (Business Transaction Framework) that addresses process execution reliability. The TxQoS approach enables the specification of transaction qualities in terms of FIAT (Fluency, Interference, Alternation, Transparency) properties. This businessfriendly approach allows the providers and users to agree on transaction qualities before process execution time. The building blocks of the proposed framework, ATCs, are reusable and configurable templates, and are abstracted and generalized from existing transaction models. The various transaction requirements of sub-processes and process chunks can be represented by corresponding ATCs, which allow for a flexible composition. Integrated, the TxQoS and ATC approaches work together to form a TxQoS-aware business transaction framework

    ‘Enhanced Encryption and Fine-Grained Authorization for Database Systems

    Get PDF
    The aim of this research is to enhance fine-grained authorization and encryption so that database systems are equipped with the controls necessary to help enterprises adhere to zero-trust security more effectively. For fine-grained authorization, this thesis has extended database systems with three new concepts: Row permissions, column masks and trusted contexts. Row permissions and column masks provide data-centric security so the security policy cannot be bypassed as with database views, for example. They also coexist in harmony with the rest of the database core tenets so that enterprises are not forced to compromise neither security nor database functionality. Trusted contexts provide applications in multitiered environments with a secure and controlled manner to propagate user identities to the database and therefore enable such applications to delegate the security policy to the database system where it is enforced more effectively. Trusted contexts also protect against application bypass so the application credentials cannot be abused to make database changes outside the scope of the application’s business logic. For encryption, this thesis has introduced a holistic database encryption solution to address the limitations of traditional database encryption methods. It too coexists in harmony with the rest of the database core tenets so that enterprises are not forced to choose between security and performance as with column encryption, for example. Lastly, row permissions, column masks, trusted contexts and holistic database encryption have all been implemented IBM DB2, where they are relied upon by thousands of organizations from around the world to protect critical data and adhere to zero-trust security more effectively

    Privacy-Aware Risk-Based Access Control Systems

    Get PDF
    Modern organizations collect massive amounts of data, both internally (from their employees and processes) and externally (from customers, suppliers, partners). The increasing availability of these large datasets was made possible thanks to the increasing storage and processing capability. Therefore, from a technical perspective, organizations are now in a position to exploit these diverse datasets to create new data-driven businesses or optimizing existing processes (real-time customization, predictive analytics, etc.). However, this kind of data often contains very sensitive information that, if leaked or misused, can lead to privacy violations. Privacy is becoming increasingly relevant for organization and businesses, due to strong regulatory frameworks (e.g., the EU General Data Protection Regulation GDPR, the Health Insurance Portability and Accountability Act HIPAA) and the increasing awareness of citizens about personal data issues. Privacy breaches and failure to meet privacy requirements can have a tremendous impact on companies (e.g., reputation loss, noncompliance fines, legal actions). Privacy violation threats are not exclusively caused by external actors gaining access due to security gaps. Privacy breaches can also be originated by internal actors, sometimes even by trusted and authorized ones. As a consequence, most organizations prefer to strongly limit (even internally) the sharing and dissemination of data, thereby making most of the information unavailable to decision-makers, and thus preventing the organization from fully exploit the power of these new data sources. In order to unlock this potential, while controlling the privacy risk, it is necessary to develop novel data sharing and access control mechanisms able to support risk-based decision making and weigh the advantages of information against privacy considerations. To achieve this, access control decisions must be based on an (dynamically assessed) estimation of expected cost and benefits compared to the risk, and not (as in traditional access control systems) on a predefined policy that statically defines what accesses are allowed and denied. In Risk-based access control for each access request, the corresponding risk is estimated and if the risk is lower than a given threshold (possibly related to the trustworthiness of the requester), then access is granted or denied. The aim is to be more permissive than in traditional access control systems by allowing for a better exploitation of data. Although existing risk-based access control models provide an important step towards a better management and exploitation of data, they have a number of drawbacks which limit their effectiveness. In particular, most of the existing risk-based systems only support binary access decisions: the outcome is “allowed” or “denied”, whereas in real life we often have exceptions based on additional conditions (e.g., “I cannot provide this information, unless you sign the following non-disclosure agreement.” or “I cannot disclose this data, because they contain personal identifiable information, but I can disclose an anonymized version of the data.”). In other words, the system should be able to propose risk mitigation measures to reduce the risk (e.g., disclose partial or anonymized version of the requested data) instead of denying risky access requests. Alternatively, it should be able to propose appropriate trust enhancement measures (e.g., stronger authentication), and once they are accepted/fulfilled by the requester, more information can be shared. The aim of this thesis is to propose and validate a novel privacy enhancing access control approach offering adaptive and fine-grained access control for sensitive data-sets. This approach enhances access to data, but it also mitigates privacy threats originated by authorized internal actors. More in detail: 1. We demonstrate the relevance and evaluate the impact of authorized actors’ threats. To this aim, we developed a privacy threats identification methodology EPIC (Evaluating Privacy violation rIsk in Cyber security systems) and apply EPIC in a cybersecurity use case where very sensitive information is used. 2. We present the privacy-aware risk-based access control framework that supports access control in dynamic contexts through trust enhancement mechanisms and privacy risk mitigation strategies. This allows us to strike a balance between the privacy risk and the trustworthiness of the data request. If the privacy risk is too large compared to the trust level, then the framework can identify adaptive strategies that can decrease the privacy risk (e.g., by removing/obfuscating part of the data through anonymization) and/or increase the trust level (e.g., by asking for additional obligations to the requester). 3. We show how the privacy-aware risk-based approach can be integrated to existing access control models such as RBAC and ABAC and that it can be realized using a declarative policy language with a number of advantages including usability, flexibility, and scalability. 4. We evaluate our approach using several industrial relevant use cases, elaborated to meet the requirements of the industrial partner (SAP) of this industrial doctorate

    Measuring Information Security Awareness Efforts in Social Networking Sites – A Proactive Approach

    Get PDF
    For Social Network Sites to determine the effectiveness of their Information Security Awareness (ISA) techniques, many measurement and evaluation techniques are now in place to ensure controls are working as intended. While these techniques are inexpensive, they are all incident- driven as they are based on the occurrence of incident(s). Additionally, they do not present a true reflection of ISA since cyber-incidents are hardly reported. They are therefore adjudged to be post-mortem and risk permissive, the limitations that are inacceptable in industries where incident tolerance level is low. This paper aims at employing a non-incident statistic approach to measure ISA efforts. Using an object- oriented programming approach, PhP is employed as the coding language with MySQL database engine at the back-end to develop sOcialistOnline – a Social Network Sites (SNS) fully secured with multiple ISA techniques. Rather than evaluating the effectiveness of ISA efforts by success of attacks or occurrence of an event, password scanning is implemented to proactively measure the effects of ISA techniques in sOcialistOnline. Thus, measurement of ISA efforts is shifted from detective and corrective to preventive and anticipatory paradigms which are the best forms of information security approach
    corecore