44 research outputs found

    Towards better information security with UX practices : A Systematic Literature Review

    As the risk of information security breaches rises, companies are looking for ways to take better care of information security. Information security has sometimes been implemented at the expense of user experience, and vice versa. It is important for people to understand that both information security and user experience are everyone's responsibility. This work attempts to find ways to combine information security and user experience theories and practices so that better and safer user experiences become possible. It looks at the subject on a meta level, aiming to bring a better understanding of the possibilities for improving information security and user experience in collaboration with each other. A systematic literature review was conducted to meet these goals. Literature was retrieved from two different databases in January 2023. The research time range consisted of studies published during the Covid-19 pandemic, meaning January 2020 – January 2023. Material was evaluated on the basis of its relevance to both information security and user experience studies. Material selection proceeded by first evaluating article titles and abstracts, also leaving out studies published outside the set time range; secondly the introductions and conclusions; and on the final round the studies were evaluated as a whole, and the 21 most relevant articles were chosen as primary studies. The combination of information security and user experience has not been studied for long, as it appears to have been studied for about the past 20 years. Based on the number of related articles, interest in the subject seems to have risen, as the number of articles published annually has increased from about a dozen to tens and, during recent years, to over 100 articles a year. Synthesis was done based on the chosen primary articles.
Plenty of different user experience actions were found to improve information security, whereas information security actions mostly either decreased usability or were merely noted not to decrease user experience. Only focusing development on the security features users valued was considered to improve user experience. The most important findings were that organizations provide different kinds of information security training, but plenty of adjustments can be made to make the training more effective. Interactivity, a modest amount of visual effects, examples with more thorough feedback about the signs of fraudulent actions, and a little gamification increased the effects and therefore also the value of the training. The research managed to show value in cooperation between information security and user experience experts, and it provides information regarding recent changes in the post-pandemic world.

    Tackling the barriers to achieving Information Assurance

    A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy. This original, reflective practitioner study researched whether professionalising IA could be successfully achieved, in line with the UK Cyber Security Strategy expectations. The context was an observed change in the dominant narrative from IA to cybersecurity. The research provides a dialectical relationship with the past to improve IA understanding. The academic contribution: using archival and survey data, the research traced the origins of the term IA and its practitioner usage, in the context of the increasing use of the neologism cybersecurity, contributing to knowledge through historical research. Discourse analysis of predominantly UK government reports, policy direction, and legislative and regulatory changes reviewed texts to explore the functions served by specific constructions, mainly Information Security (Infosec) vs IA. The researcher studied how accounts were linguistically constructed in terms of the descriptive, referential and rhetorical language used, and the function that serves. The results were captured in a chronological review of IA ontology. The practitioner contribution: through an initial Participatory Action Research (PAR) public sector case study, the researcher sought to make sense of how the IA profession operates and how it was maturing. Data collection from self-professed IA practitioners provided empirical evidence. The researcher undertook evolutionary work analysing survey responses and developed theories from the analysis to answer the research questions. The researcher observed a need to implement a unified approach to Information Governance (IG) on a large, organisation-wide scale.
Using constructivist grounded theory, the researcher developed a new theoretical framework, i3GRC™ (Integrated and Informed Information Governance, Risk, and Compliance), based on what people actually say and do within the IA profession. i3GRC™ supports the required Information Protection (IP) through maturation from IA to holistic IG. Again using PAR, the theoretical framework was tested through a private sector case study, the resultant experience strengthening the bridge between academia and practitioners.

    Security in remote monitoring devices in critical areas

    Integrated master's dissertation in Engineering and Management of Information Systems. The use of Information Technologies has grown exponentially over the past years, affecting many critical sectors from the industrial to the financial, energy, and health sectors. The ability to track and remotely monitor people and objects in real time is one of the changes made possible by Information Technologies. Although these innovations brought several significant advantages for people and organizations, there are also security and privacy concerns regarding the monitoring of people, objects, and processes in critical areas. Every day, new and more effective cyberattacks are discovered which steal sensitive information from its holders and affect people and organizations. Computational power is increasing, and organizations are emerging whose main objective is to profit from the sale of stolen information assets. These attacks can impact critical areas, such as health and energy; they may even jeopardize the physical integrity of individuals. In healthcare, a critical area, the number of Remote Patient Monitoring Device Systems is increasing, and the number of patients using them increases as well. At the same time, new security vulnerabilities have been identified in highly technological medical devices. People's privacy is also being called into question. Several privacy gaps have forced governments to take action with the main objective of safeguarding the privacy of their citizens, as was the case with the much-discussed General Data Protection Regulation of the European Union. Standards and frameworks play an important role in the improvement of security. In this scientific work, a proposal for a sector-specific Security Framework that can be applied to Remote Patient Monitoring Device Systems to improve their overall security was developed and validated.
That framework is based on the most widely adopted Security Standards and Frameworks. The Framework defines 30 requirements divided into 5 assets. Each requirement has one or more functions, out of a total of 4 available. A further 8 implementation groups were also defined. To validate the Framework, a Remote Patient Monitoring Device System Simulator was developed, composed of a NodeMCU microcontroller with an ESP8266 Wi-Fi chip connected to a Heart Rate Analog Sensor, and an Interface. When the Framework was applied to the developed simulator, it obtained a score of 9 out of the 29 requirements available for that implementation group device. The research method selected to guide this scientific research was Design Science Research.

    Investigating and mitigating the role of neutralisation techniques on information security policies violation in healthcare organisations

    Healthcare organisations today rely heavily on Electronic Medical Records systems (EMRs), which have become highly crucial IT assets that require significant security efforts to safeguard patients’ information. Individuals who have legitimate access to an organisation’s assets to perform their day-to-day duties but intentionally or unintentionally violate information security policies can jeopardise their organisation’s information security efforts and cause significant legal and financial losses. In the information security (InfoSec) literature, several studies emphasised the necessity to understand why employees behave in ways that contradict information security requirements but have offered widely different solutions. In an effort to respond to this situation, this thesis addressed the gap in the information security academic research by providing a deep understanding of the problem of medical practitioners’ behavioural justifications to violate information security policies and then determining proper solutions to reduce this undesirable behaviour. Neutralisation theory was used as the theoretical basis for the research. This thesis adopted a mixed-method research approach that comprises four consecutive phases, and each phase represents a research study that was conducted in light of the results from the preceding phase. The first phase of the thesis started by investigating the relationship between medical practitioners’ neutralisation techniques and their intention to violate information security policies that protect a patient’s privacy. A quantitative study was conducted to extend the work of Siponen and Vance [1] through a study of the Saudi Arabia healthcare industry. The data was collected via an online questionnaire from 66 Medical Interns (MIs) working in four academic hospitals. 
The study found that six neutralisation techniques—(1) appeal to higher loyalties, (2) defence of necessity, (3) the metaphor of ledger, (4) denial of responsibility, (5) denial of injury, and (6) condemnation of condemners—significantly contribute to the justifications of the MIs in hypothetically violating information security policies. The second phase of this research used a series of semi-structured interviews with IT security professionals in one of the largest academic hospitals in Saudi Arabia to explore the environmental factors that motivated the medical practitioners to evoke various neutralisation techniques. The results revealed that social, organisational, and emotional factors all stimulated the behavioural justifications to breach information security policies. During these interviews, it became clear that the IT department needed to ensure that security policies fit the daily tasks of the medical practitioners by providing alternative solutions to ensure the effectiveness of those policies. Based on these interviews, the objective of the following two phases was to improve the effectiveness of InfoSec policies against the use of behavioural justification by engaging the end users in the modification of existing policies via a collaborative writing process. Those two phases were conducted in the UK and Saudi Arabia to determine whether the collaborative writing process could produce a more effective security policy that balanced the security requirements with daily business needs, thus leading to a reduction in the use of neutralisation techniques to violate security policies. The overall result confirmed that the involvement of the end users via a collaborative writing process positively improved the effectiveness of the security policy in mitigating individual behavioural justifications, showing that the process is a promising one for enhancing security compliance.

    Enhancing and integration of security testing in the development of a microservices environment

    In the last decade, web application development has been moving toward the adoption of Service-Oriented Architecture (SOA). In line with this trend, Software as a Service (SaaS) and Serverless providers are embracing DevOps with the latest tools to facilitate the creation, maintenance and scalability of microservice system configuration. Even within this trend, however, security is still an open point that is too often underestimated. Many companies still think of security as a set of controls that have to be checked before the software is used in production. In reality, security needs to be taken into account along the entire Software Development Lifecycle (SDL). In this thesis, state-of-the-art security recommendations for microservice architecture are reviewed, and useful improvements are proposed. The main target is for security to become better integrated into a company workflow, increasing security awareness and simplifying the integration of security measures throughout the SDL. With this background, best practices and recommendations are compared with what companies are currently doing to secure their service-oriented infrastructures, and the assumption that there is still much ground to cover security-wise still stands. Lastly, a small case study is presented and used as proof of how small and dynamic startups can be the front runners of high cybersecurity standards. The results of the analysis show that it is easier to integrate up-to-date security measures in a small company.

    A study of standards and the mitigation of risk in information systems

    Organisations from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office have recognised that risk, the realisation of undesirable outcomes, needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results. This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled, taking into account the quality of fit and the expertise required to apply the standards. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action, through the application of standards, to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself, with the standards forming the framework and providing direction for its application. The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped future investigation.
The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers must overcome.
    EThOS - Electronic Theses Online Service (United Kingdom)

    A risk based approach for managing information technology security risk within a dynamic environment

    Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently carries a significant amount of known and unknown risk. The need to manage IT security risk is regarded as an important aspect of the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that, despite the efforts organisations make to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is that it is often left to technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk, or risk management specialists who do not understand IT security well enough to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. The development of personal computers over the past 20 years is indicative of how constant change has been in this field, from big desktop computers to the small mobile computing devices found today.
The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure on organisations to ensure that they stay abreast of current technology and the associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations' IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk-based approach to managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach for how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through a combination of existing best-practice IT security frameworks and standards principles, basic risk management principles, and existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations, to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is intended to be more proactive and iterative in nature, so that the external factors driving the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves.
    M. Sc. (Computing)