A model for enhancing presence handling in instant messaging

Instant Messaging (IM) is becoming increasingly popular in social as well as workplace environments. In fact, many employees use the same IM client to communicate with both colleagues and social contacts. Thus, there are valid concerns about the impact of IM on employee productivity. One of the major advantages of IM over other workplace communication tools such as e-mail and the telephone is the implementation of presence information. In particular, presence awareness is used to determine the avail- ability and willingness of a contact to engage in communication. A current problem with IM is the one-for-all approach to presence: all contacts receive the same set of presence information. However, presence is rooted in social psychology where it is known that the awareness of another person changes the behavior of oneself. Therefore the identity of a contact affects the availability and willingness directed towards that contact. In order for presence information to be provided to contacts, it must be represented in some type of data format. The Internet Engineering Task Force (IETF) has done much work in standardizing IM and presence systems. In particular their data format for presence describes a rich set of presence information including, but not limited to, location, activity, awareness, and mood information. Such information may be sensitive and access to it needs to be controlled to ensure privacy. As with access control policies, managing the information as the number of contacts increases becomes cumbersome and complex. This dissertation draws on the theoretical foundations of presence, current standards in the domain of IM, and lessons from access control to present an enhanced presence handling model for IM. The model is developed in stages, with each stage providing a specific improvement. The first stage of the model is grounded on the current work of the IETF. As such it distributes presence on a per-watcher basis. In the second stage of the model watchers fulfill a specific role and based on this role they receive only the entrusted presence information. In practice, it implies that a "friend" may get more (or less) information than a "colleague". The third stage of the model introduces the concept of availability profiles by drawing on social awareness principles. Availability profiles add the ability to transform presence and change the presentity's behavior to incoming messages according to the provided presence information. Finally the dissertation reports on the development of the RoBIM (Role- Based Instant Messenger) prototype. RoBIM is a standards-based IM system that conforms to the IETF SIMPLE protocol and provides various standard IM features. Here, RoBIM serves as a proof-of-concept for the proposed model. This study contributed to the domain of IM and presence by addressing some of the current presence handling issues. Most importantly, the proposed model takes into account the interpersonal effects of individualizing presence information for different contacts. Thus, the model challenges conventional thought and implementation of presence in IM

A model for enhancing presence handling in instant messaging

Instant Messaging (IM) is becoming increasingly popular in social as well as workplace environments. In fact, many employees use the same IM client to communicate with both colleagues and social contacts. Thus, there are valid concerns about the impact of IM on employee productivity. One of the major advantages of IM over other workplace communication tools such as e-mail and the telephone is the implementation of presence information. In particular, presence awareness is used to determine the avail- ability and willingness of a contact to engage in communication. A current problem with IM is the one-for-all approach to presence: all contacts receive the same set of presence information. However, presence is rooted in social psychology where it is known that the awareness of another person changes the behavior of oneself. Therefore the identity of a contact affects the availability and willingness directed towards that contact. In order for presence information to be provided to contacts, it must be represented in some type of data format. The Internet Engineering Task Force (IETF) has done much work in standardizing IM and presence systems. In particular their data format for presence describes a rich set of presence information including, but not limited to, location, activity, awareness, and mood information. Such information may be sensitive and access to it needs to be controlled to ensure privacy. As with access control policies, managing the information as the number of contacts increases becomes cumbersome and complex. This dissertation draws on the theoretical foundations of presence, current standards in the domain of IM, and lessons from access control to present an enhanced presence handling model for IM. The model is developed in stages, with each stage providing a specific improvement. The first stage of the model is grounded on the current work of the IETF. As such it distributes presence on a per-watcher basis. In the second stage of the model watchers fulfill a specific role and based on this role they receive only the entrusted presence information. In practice, it implies that a "friend" may get more (or less) information than a "colleague". The third stage of the model introduces the concept of availability profiles by drawing on social awareness principles. Availability profiles add the ability to transform presence and change the presentity's behavior to incoming messages according to the provided presence information. Finally the dissertation reports on the development of the RoBIM (Role- Based Instant Messenger) prototype. RoBIM is a standards-based IM system that conforms to the IETF SIMPLE protocol and provides various standard IM features. Here, RoBIM serves as a proof-of-concept for the proposed model. This study contributed to the domain of IM and presence by addressing some of the current presence handling issues. Most importantly, the proposed model takes into account the interpersonal effects of individualizing presence information for different contacts. Thus, the model challenges conventional thought and implementation of presence in IM

The cost of free instant messaging: an attack modelling perspective

Instant Messaging (IM) has grown tremendously over the last few years. Even though IM was originally developed as a social chat system, it has found a place in many companies, where it is being used as an essential business tool. However, many businesses rely on free IM and have not implemented a secure corporate IM solution. Most free IM clients were never intended for use in the workplace and, therefore, lack strong security features and administrative control. Consequently, free IM clients can provide attackers with an entry point for malicious code in an organization’s network that can ultimately lead to a company’s information assets being compromised. Therefore, even though free IM allows for better collaboration in the workplace, it comes at a cost, as the title of this dissertation suggests. This dissertation sets out to answer the question of how free IM can facilitate an attack on a company’s information assets. To answer the research question, the dissertation defines an IM attack model that models the ways in which an information system can be attacked when free IM is used within an organization. The IM attack model was created by categorising IM threats using the STRIDE threat classification scheme. The attacks that realize the categorised threats were then modelled using attack trees as the chosen attack modelling tool. Attack trees were chosen because of their ability to model the sequence of attacker actions during an attack. The author defined an enhanced graphical notation that was adopted for the attack trees used to create the IM attack model. The enhanced attack tree notation extends traditional attack trees to allow nodes in the trees to be of different classes and, therefore, allows attack trees to convey more information. During the process of defining the IM attack model, a number of experiments were conducted where IM vulnerabilities were exploited. Thereafter, a case study was constructed to document a simulated attack on an information system that involves the exploitation of IM vulnerabilities. The case study demonstrates how an attacker’s attack path relates to the IM attack model in a practical scenario. The IM attack model provides insight into how IM can facilitate an attack on a company’s information assets. The creation of the attack model for free IM lead to several realizations. The IM attack model revealed that even though the use of free IM clients may seem harmless, such IM clients can facilitate an attack on a company’s information assets. Furthermore, certain IM vulnerabilities may not pose a great risk by themselves, but when combined with the exploitation of other vulnerabilities, a much greater threat can be realized. These realizations hold true to what French playwright Jean Anouilh once said: “What you get free costs too much”