Investigating the leakage of sensitive personal and organisational information in email headers

Email is undoubtedly the most used communications mechanism in society today. Within business alone, it is estimated that 100 billion emails are sent and received daily across the world. While the security and privacy of email has been of concern to enterprises and individuals for decades, this has predominately been focused on protecting against malicious content in incoming emails and explicit data exfiltration, rather than inadvertent leaks in outgoing emails. In this paper, we consider this topic of outgoing emails and unintentional information leakage to better appreciate the security and privacy concerns related to the simple activity of sending an email. Specifically, our research seeks to investigate the extent to which potentially sensitive information could be leaked, in even blank emails, by considering the metadata that is a natural part of email headers. Through findings from a user-based experiment, we demonstrate that there is a noteworthy level of exposure of organisational and personal identity information, much of which can be further used by an attacker for reconnaissance or develop a more targeted and sophisticated attack

Investigating the leakage of sensitive personal and organisational information in email headers

Email is undoubtedly the most used communications mechanism in society today. Within business alone, it is estimated that 100 billion emails are sent and received daily across the world. While the security and privacy of email has been of concern to enterprises and individuals for decades, this has predominately been focused on protecting against malicious content in incoming emails and explicit data exfiltration, rather than inadvertent leaks in outgoing emails. In this paper, we consider this topic of outgoing emails and unintentional information leakage to better appreciate the security and privacy concerns related to the simple activity of sending an email. Specifically, our research seeks to investigate the extent to which potentially sensitive information could be leaked, in even blank emails, by considering the metadata that is a natural part of email headers. Through findings from a user-based experiment, we demonstrate that there is a noteworthy level of exposure of organisational and personal identity information, much of which can be further used by an attacker for reconnaissance or develop a more targeted and sophisticated attack

Information security behaviour of smartphone users: An empirical study on the students of University of Dhaka, Bangladesh.

Smartphone is the most popular electronic device in the present world. Along with the use of internet, smartphone has made revolution in the information communication technology sector. The current operating systems of smartphones allow to download mobile applications providing diverse types of features and functions. At the present days, the use of smartphone increases to a large extent that it is impossible to think a single day without using the smartphones. The widespread use of smartphones has introduced new types of information security threats, risks and vulnerabilities. The risky user behaviours, non-implementation of security counter measures and storage, and transmission of the vast amount of sensitive information in the smartphones are causing massive information security problems. Security of information is greatly depending on the information security behaviour of the users. Moreover, Information security behaviour has a direct impact to secure the information in the use of smartphone. In this study, the information security behaviour of the students of university of Dhaka, Bangladesh in the use of smartphone has been explored. This study will help to raise information security awareness among the students and encourage the authority to adopt appropriate strategy, policy and develop necessary training program to resolve information security risks in the use of smartphones. However, further research can be conducted by inclusion of a large sample size out of the students of other universities also

Empirical Analysis of Socio-Cognitive Factors Affecting Security Behaviors and Practices of Smartphone Users

The overall security posture of information systems (IS) depends on the behaviors of the IS users. Several studies have shown that users are the greatest vulnerability to IS security. The proliferation of smartphones is introducing an entirely new set of risks, threats, and vulnerabilities. Smartphone devices amplify this data exposure problem by enabling instantaneous transmission and storage of personally identifiable information (PII) by smartphone users, which is becoming a major security risk. Moreover, companies are also capitalizing on the availability and powerful computing capabilities of these smartphone devices and developing a bring-your-own-device (BYOD) program, which makes companies susceptible to divulgence of organizational proprietary information and sensitive customer information. In addition to users being the greatest risk to IS security, several studies have shown that many people do not implement even the most basic security countermeasures on their smartphones. The lack of security countermeasures implementation, risky user behavior, and the amount of sensitive information stored and transmitted on smartphones is becoming an ever-increasing problem. A literature review revealed a significant gap in literature pertaining to smartphone security. This study identified six socio-cognitive factors from the domain of traditional computer security which have shown to have an impact on user security behaviors and practices. The six factors this study identified and analyzed are mobile information security self-efficacy, institutional trust, party trust, and awareness of smartphone risks, threats, and vulnerabilities and their influence on smartphone security practices and behaviors. The analysis done in this research was confirmatory factor analysis (CFA) – structural equation modeling (SEM). The goal of this study was to cross-validate previously validated factors within the context of traditional computer security and assess their applicability in the context of smartphone security. Additionally, this study assessed the influential significance of these factors on the security behaviors and practices of smartphone users. This study used a Web-based survey and was distributed to approximately 539 users through Facebook® and LinkedIn® social media outlets which resulted in 275 responses for a 51% response rate. After pre-analysis data screening was completed, there were a total of 19 responses that had to be eliminated due to unengaged responses and outliers leaving 256 responses left to analyze. The results of the analysis found that vulnerability awareness, threat awareness, and risk awareness are interrelated to one another which all in turn had significance in predicting self-efficacy, security practices, and behaviors. This intricate relationship revealed in this study indicates that a user has to have an increased awareness in all three categories of awareness before they can fully understand how to protect themselves. Having an increased awareness in one category does not impact the overall security posture of the user and that risk, threat, and vulnerability awareness all work together. Another interesting find was that as risk awareness increased the less the smartphone users protected themselves. This finding warrants additional research to investigate why the user is more averse to risk, and willing to accept the risk, despite their increased awareness. Finally, institutional trust and party trust was found not to have any significance on any of the factors. These findings should give smartphone users and organizations insight into specific areas to focus on in minimizing inappropriate security behaviors and practices of smartphone users. More specifically, users and organizations need to focus on educating users on all three factors of threats, risks, and vulnerabilities in order for there to have any impact on increasing self-efficacy and reducing inappropriate security behaviors and practices

A framework to manage sensitive information during its migration between software platforms

Software migrations are mostly performed by organisations using migration teams. Such migration teams need to be aware of how sensitive information ought to be handled and protected during the implementation of the migration projects. There is a need to ensure that sensitive information is identified, classified and protected during the migration process. This thesis suggests how sensitive information in organisations can be handled and protected during migrations by using the migration from proprietary software to open source software to develop a management framework that can be used to manage such a migration process.A rudimentary management framework on information sensitivity during software migrations and a model on the security challenges during open source migrations are utilised to propose a preliminary management framework using a sequential explanatory mixed methods case study. The preliminary management framework resulting from the quantitative data analysis is enhanced and validated to conceptualise the final management framework on information sensitivity during software migrations at the end of the qualitative data analysis. The final management framework is validated and found to be significant, valid and reliable by using statistical techniques like Exploratory Factor Analysis, reliability analysis and multivariate analysis as well as a qualitative coding process.Information ScienceD. Litt. et Phil. (Information Systems