10 research outputs found

    Identifying Failures in Mobile Devices

    Mobile devices are well-known communication tools; people, especially young people, rarely go anywhere without them. Technological advancements provide better features, but such systems still face security risks. Protective layers do exist, but some are automated and engineered, while others rely on humans. This work begins by examining some critical points related to the weakest link in the security chain: the human factor. Errors are presented in the view of the Swiss Cheese Model, emphasizing the role of latent conditions in the “holes”. We found that the Swiss Cheese Model has some limitations. To enhance it, we used the Failure Mode and Effect Analysis risk matrix methodology. We demonstrate its application to mobile devices to show that it can give more accurate results by identifying the most critical points on which manufacturers should focus. This work is based on qualitative data and provides the basis for quantitative research. Finally, we suggest that the Failure Mode and Effect Analysis can be further extended in order to obtain more accurate findings.

    Reducing human error in cyber security using the Human Factors Analysis Classification System (HFACS).

    For several decades, researchers have stated that human error is a significant cause of information security breaches, yet it remains a major issue today. Quantifying the effects of security incidents is often difficult because studies often understate or overstate the costs involved. Human error has always been a cause of failure in many industries and professions, one that is overlooked or ignored as an inevitability. The problem with human error is further exacerbated by the fact that the systems set up to keep networks secure are managed by humans. There are several causes of security breaches related to human error, such as poor situational awareness, lack of training, boredom, and lack of risk perception. Part of the problem is that people who usually make great decisions offline make deplorable decisions online due to incorrect assumptions about how computer transactions operate. Human error can be unintentional, arising from the incorrect execution of a plan (slips/lapses) or from correctly following an inadequate plan (mistakes). Whether intentional or unintentional, errors can lead to vulnerabilities and security breaches. Regardless, humans remain the weak link in interfacing with the machines they operate and in keeping information secure. These errors can have detrimental effects, both physical and social. Hackers exploit these weaknesses to gain unauthorized entry into computer systems. Security errors and violations, however, are not limited to users. System administrators are also at fault. Without an adequate level of awareness, many security techniques are likely to be misused or misinterpreted by users, rendering adequate security mechanisms useless. Corporations also play a part in information security loss because of the reactive management approaches they use in security incidents.
    Undependable user interfaces can also contribute to security breaches due to flaws in their design. System design and human interaction both play a role in how often human error occurs, particularly when there is a slight mismatch between the system design and the person operating it. One major problem with systems design is that systems are designed for simplicity, which can lead a normally conscientious person to make bad security decisions. Human error is a complex and elusive security problem that has generally defied the creation of a structured and standardized classification scheme. While human error may never be completely eliminated from the tasks people perform, due to poor situational awareness or a lack of adequate training, the first step toward improving on the status quo is to establish a unified scheme to classify such security errors. With this background, I intend to develop a tool to gather data and apply the Human Factors Analysis and Classification System (HFACS), a tool developed for aviation accidents, to see whether any latent organizational conditions led to the error. HFACS analyzes historical data to find common trends that can identify areas that need to be addressed in an organization, with the goal of reducing the frequency of errors.

    Cybersecurity Continuity Risks: Lessons Learned from the COVID-19 Pandemic

    The scope and breadth of the COVID-19 pandemic were unprecedented. This is especially true for business continuity and the related area of cybersecurity. Historically, business continuity and cybersecurity have been viewed and researched as separate fields. This paper synthesizes the two disciplines as one, pointing out the need to address both topics simultaneously. Using data collected during the height of the COVID-19 pandemic, this study identifies blind spots experienced by businesses as they navigated that difficult time. One major shortcoming was that most continuity and cybersecurity plans focused on single-axis threats. The COVID-19 pandemic resulted in multi-axis threats, pointing out the need for new business strategies moving forward. We performed multiple regression analysis and constructed a correlation matrix to capture significant relationships between percentage loss of revenue and levels of concern for different business activities moving forward. We assessed the most pervasive issues Florida small businesses faced in October 2020 and broke these down by the number of citations, the total number of impacts cited, and the industries affected. Key security risks are identified and specific mitigation recommendations are given.

    Readiness of local authorities in implementing information security management system (ISMS)

    An Information Security Management System (ISMS) is an ICT compliance standard that provides specifications and controls for protecting information security assets and for increasing the integrity of agencies and clients' confidence in them, especially agencies involved in government service delivery. Certification is granted by a certification body of the Standards and Industrial Research Institute of Malaysia (SIRIM). This study surveys the problems faced by Local Authorities in ensuring the confidentiality, integrity and availability of information against any threats and risks that can cripple agency services. The research examines factors such as threats and vulnerabilities, particularly in the agency's security management practices, that can cause loss of agency information and negatively affect the services provided by the Local Authority. Studying these factors makes it possible to measure the readiness of local authorities to implement an Information Security Management System (ISMS). The research uses quantitative methods to gather information and analyze the problems the agency faces in keeping information secure, such as assessment tax, the council's largest source of revenue. The final result of this research is that local authorities are still not ready to implement an Information Security Management System (ISMS).

    Foundations for an Intelligence-driven Information Security Risk-management System

    Information security risk management (ISRM) methods aim to protect organizational information infrastructure from a range of security threats by using the most effective and cost-efficient means. We reviewed the literature and found three common deficiencies in ISRM practice: 1) information security risk identification is commonly perfunctory, 2) information security risks are commonly estimated with little reference to the organization’s actual situation, and 3) information security risk assessment is commonly performed on an intermittent, non-historical basis. These deficiencies indicate that, despite implementing ISRM best practice, organizations are likely to have inadequate situation awareness (SA) regarding their information security risk environments. This paper presents a management system design that organizations can use to support SA in their ISRM efforts.

    Proposal of a method to support the implementation of vertical integration in the context of Industry 4.0

    One of the fundamental principles of Industry 4.0 in the field of intelligent manufacturing is the implementation of vertical integration, that is, the integration of information systems at the different hierarchical levels of the company to provide data flow over time and support decision-making. However, the academic literature has yet to present empirical evidence on how vertical integration and the technologies that compose it can be implemented to contribute to the requirements of Industry 4.0. Although vertical integration is presented as a solution to the need for data visibility that Industry 4.0 requires, it is known that there are different ways to implement vertical integration, depending on the desired operational objectives and the characteristics of the companies. Therefore, the technological sets of vertical integration can contribute in different ways to achieving greater visibility of production processes. This thesis aims to propose a methodology to support companies in implementing vertical integration that allows them to advance in Industry 4.0. The study followed a mixed approach, combining qualitative and quantitative methods. In qualitative terms, the thesis presents a multi-case study of 10 manufacturing companies leading in the implementation of 4.0 technologies, aiming to understand the main factors that influence these companies in adopting information systems for vertical integration. Furthermore, a qualitative multi-case study of 3 buyer-supplier dyads examines the implications of information asymmetry in purchasing the MES that enables vertical integration in Industry 4.0. In quantitative terms, the thesis presents a survey conducted with 132 companies in the machinery and equipment sector, through which the contribution of cybersecurity actions to vertical integration is analyzed, showing that it makes it possible to achieve greater digital transformation.
    This thesis demonstrates that the implementation of vertical integration is challenging for companies due to its complexity and novelty, but that the methodologies presented contribute to clarifying this implementation. Furthermore, it explores the limitations and nuances of these contributions in different situations. The main contribution of this study is to provide empirical evidence of methodologies that support companies in the implementation of vertical integration in the context of Industry 4.0.

    One of the fundamental principles of Industry 4.0 in the field of intelligent manufacturing is the implementation of vertical integration, that is, the integration of the information systems of the different hierarchical levels of the company to provide data flow over time and support for decision-making. However, the academic literature has still not presented empirical evidence on how vertical integration and the technologies that compose it can be implemented in a way that contributes to the requirements of Industry 4.0. Although vertical integration is presented as a solution to the need for data visibility that Industry 4.0 requires, it is known that there are different paths to implementing vertical integration, depending on the intended operational objectives and the characteristics of the companies. Therefore, the technological sets of vertical integration can contribute in different ways to achieving greater visibility of production processes. The objective of this thesis is to propose a methodology to support companies in the implementation of vertical integration that allows them to advance in Industry 4.0. The study followed a mixed approach, combining qualitative and quantitative methods. In qualitative terms, the thesis presents a multi-case study of 10 manufacturing companies leading in the deployment of 4.0 technologies, aiming to understand the main factors that influence these companies in adopting information systems for vertical integration. In addition, a qualitative multi-case study of 3 buyer-supplier dyads seeks to understand the implications of information asymmetry in purchasing the MES that enables vertical integration in Industry 4.0. In quantitative terms, the thesis presents a survey conducted with 134 companies in the machinery and equipment sector, through which it analyzes how the contribution of cybersecurity actions to vertical integration makes it possible to achieve greater digital transformation. This thesis demonstrates that the implementation of vertical integration is indeed challenging for companies because of its complexity and novelty, but that the methodologies presented contribute to clarifying this implementation. Furthermore, it explores the limitations and nuances of these contributions in different situations. The main contribution of this study is to provide empirical evidence of methodologies that support companies in the implementation of vertical integration in the context of Industry 4.0.

    Analysis of a South African cyber-security awareness campaign for schools using interdisciplinary communications frameworks

    To provide structure to cyber awareness and educational initiatives in South Africa, Kortjan and Von Solms (2014) developed a five-layer cyber-security awareness and education framework. The purpose of the dissertation is to determine how the framework layers can be refined through the integration of communication theory, with the intention of contributing to the practical implications of the framework. The study is approached qualitatively and uses a case study for argumentation to illustrate how the existing framework can be further developed. Drawing on several comprehensive campaign planning models, the dissertation illustrates that not all important campaign planning elements are currently included in the existing framework. Proposed changes in the preparation layer include incorporating a situational and target audience analysis, determining the resources allocated to the campaign, and formulating a communication strategy. Proposed changes in the delivery layer of the framework concern the implementation, monitoring and adjustment, and reporting of campaign successes and challenges. The dissertation builds on, and adds to, the growing literature on the development of campaigns for cyber-security awareness and education aimed at children.

    Managing information security risks during new technology adoption

    In the present study, we draw on previous system dynamics research on operational transition and changes in vulnerability to investigate the role of incident response capability in controlling the severity of incidents during the adoption of new technology. Toward this end, we build a system dynamics model using the Norwegian Oil and Gas Industry as the context. The Norwegian Oil and Gas Industry has started to adopt new information and communication technology to connect its offshore platforms, onshore control centers, and suppliers. In oil companies, management is generally aware of the increasing risks associated with operational transition; however, to date, investment in incident response capability has not been highly prioritized because of the uncertainty related to risks and the prevailing reactive mental model of security risk management. The model simulation shows that a reactive approach to security risk management might trap the organization in blindness to minor incidents and low incident response capability, which can lead to severe incidents. The system dynamics model can serve as a means to promote proactive investment in incident response capability.

    A functional-interpretive approach to information systems security e-competencies development in the higher education institution: a comparative case of four South African higher education institutions

    Philosophiae Doctor - PhD
    The research reported in this thesis examines the approaches of four (4) HEIs in the Western Cape Province in South Africa to the institutional development of IS security e-competencies across their full staff complements. It used a mixed research methodology and a multiple case study research design in which four Higher Education Institutions (HEIs) participated. A total of 26 in-depth interviews were conducted and 385 questionnaires were completed. The research found that these HEIs do not formally develop the IS security e-competencies of the end users of their IS resources. Because end users handle critical information and research projects of importance not only to the HEIs but also to the country, this situation creates a potential risk to their IS resources. In other words, the HEIs that participated in this research rely more on the ICT security technology itself to protect their IS resources than on the human side of ICT security. This is in direct contrast to the established literature, which clearly points out that internal end users pose the most threats to IS security resources and that these threats are more dangerous than external threats.