Bring your own device: an overview of risk assessment

As organizations constantly strive to improve strategies for ICT management, one of the major challenges they must tackle is bring your own device (BYOD). BYOD is a term that collectively refers to the related technologies, concepts, and policies in which employees are allowed to access internal corporate IT resources, such as databases and applications, using their personal mobile devices like smartphones, laptop computers, and tablet PCs [1]. It is a side effect of the consumerization of IT, a term used to describe the growing tendency of the new information technologies to emerge first in the consumer market and then spread into business and government organizations [2]. Basically, employees want to act in an any-devices, anywhere work style, performing personal activities during work and working activities during personal time [2]. There are several risks associated with BYOD [3, p. 63], and the big gaps in BYOD policies adopted by today\u27s organizations [4, p. 194] show that the solution to BYOD is not well understood. This article establishes a background to understand BYOD risks by considering conditions that increase the occurrence of these risks and the consequences of the risks occurring. It then aims to present the most commonly adopted BYOD solutions, their limitations, and remedies, as well as important policy considerations for successfully implementing them

Towards a Privacy Rule Conceptual Model for Smart Toys

A smart toy is defined as a device consisting of a physical toy component that connects to one or more toy computing services to facilitate gameplay in the cloud through networking and sensory technologies to enhance the functionality of a traditional toy. A smart toy in this context can be effectively considered an Internet of Things (IoT) with Artificial Intelligence (AI) which can provide Augmented Reality (AR) experiences to users. In this paper, the first assumption is that children do not understand the concept of privacy and the children do not know how to protect themselves online, especially in a social media and cloud environment. The second assumption is that children may disclose private information to smart toys and not be aware of the possible consequences and liabilities. This paper presents a privacy rule conceptual model with the concepts of smart toy, mobile service, device, location, and guidance with related privacy entities: purpose, recipient, obligation, and retention for smart toys. Further the paper also discusses an implementation of the prototype interface with sample scenarios for future research works

Mitigating BYOD Information Security Risks

Organisations that allow employees to Bring Your Own Device (BYOD) in the workplace trade off the convenience of allowing employees to use their own device against higher risks to the confidentiality, integrity, and availability of organisational information assets. While BYOD is a well-defined and accepted trend in some organisations, there is little research on how policies can address the information security risks posed by BYOD. This paper reviews the extant literature and develops a comprehensive list of information security risks that are associated with allowing BYOD in organisations. This list is then used to evaluate five BYOD policy documents to determine how comprehensively BYOD information security risks are addressed. The outcome of this research shows that of the 13 identified BYOD risks, only 8 were adequately addressed by most of the organisations

Modelling semantics of security risk assessment for bring your own device using metamodelling technique

Rapid changes in mobile computing devices or modern devices such as smartphones, tablets and iPads have encouraged employees to use their personal devices at workplace. Bring Your Own Devices (BYOD) phenomenon in an enterprise has become pervasive in demand for business purposes. Most organizations practice BYOD as it offers a wide variety of advantages such as increasing work productivity, reducing cost and giving employee’s satisfaction. Despite that, BYOD practices trigger opportunities and challenges for the enterprise if there have no security policies, regulations and management on personal devices. Common BYOD security threats includes data leakage, exposure to malicious malware and sensitive corporates information. In this study, the Security-based BYOD Risk Assessment Metamodel (Security-based BYODRAM), a high-level knowledge structure was proposed for describing Security-based BYOD Risk Assessment domain. Review on thirty-five existing models which comprises of Risk Assessment and BYOD security models was done to identify the important concepts and semantic. Meta Object Facility (MOF) was the metamodeling language used in developing the metamodel. This study contributes a platform of incorporating and sharing of the Security-based BYOD Risk Assessment knowledge and giving solutions in managing BYOD security breaches. Real BYOD scenarios such as the Ottawa Hospital, privacy risks in enterprise and independent schools in Western Australian were used in demonstrating the semantics of proposed metamodel

An Exploratory Study of the Approach to Bring Your Own Device (BYOD) in Assuring Information Security

The availability of smart device capabilities, easy to use apps, and collaborative capabilities has increased the expectations for the technology experience of employees. In addition, enterprises are adopting SaaS cloud-based systems that employees can access anytime, anywhere using their personal, mobile device. BYOD could drive an IT evolution for powerful device capabilities and easy to use apps, but only if the information security concerns can be addressed. This research proposed to determine the acceptance rate of BYOD in organizations, the decision making approach, and significant factors that led to the successful adoption of BYOD using the expertise of experienced internal control professionals. The approach and factors leading to the decision to permit the use of BYOD was identified through survey responses, which was distributed to approximately 5,000 members of the Institute for Internal Controls (IIC). The survey participation request was opened by 1,688 potential respondents, and 663 total responses were received for a response rate of 39%. Internal control professionals were targeted by this study to ensure a diverse population of organizations that have implemented or considered implementation of a BYOD program were included. This study provided an understanding of how widely the use of BYOD was permitted in organizations and identified effective approaches that were used in making the decision. In addition, the research identified the factors that were influential in the decision making process. This study also explored the new information security risks introduced by BYOD. The research argued that there were several new risks in the areas of access, compliance, compromise, data protection, and control that affect a company’s willingness to support BYOD. This study identified new information security concerns and risks associated with BYOD and suggested new elements of governance, risk management, and control systems that were necessary to ensure a secure BYOD program. Based on the initial research findings, future research areas were suggested

A Risk management framework for the BYOD environment

Computer networks in organisations today have different layers of connections, which are either domain connections or external connections. The hybrid network contains the standard domain connections, cloud base connections, “bring your own device” (BYOD) connections, together with the devices and network connections of the Internet of Things (IoT). All these technologies will need to be incorporated in the Oman Vision 2040 strategy, which will involve changing several cities to smart cities. To implement this strategy artificial intelligence, cloud computing, BYOD and IoT will be adopted. This research will focus on the adoption of BYOD in the Oman context. It will have advantages for organisations, such as increasing productivity and reducing costs. However, these benefits come with security risks and privacy concerns, the users being the main contributors of these risks. The aim of this research is to develop a risk management and security framework for the BYOD environment to minimise these risks. The proposed framework is designed to detect and predict the risks by the use of MDM event logs and function logs. The chosen methodology is a combination of both qualitative and quantitative approaches, known as a mixed-methods approach. The approach adopted in this research will identify the latest threats and risks experienced in BYOD environments. This research also investigates the level of user-awareness of BYOD security methods. The proposed framework will enhance the current techniques for risk management by improving risk detection and prediction of threats, as well as, enabling BYOD risk management systems to generate notifications and recommendations of possible preventive/mitigation actions to deal with them

Securing the "Bring Your Own Device" Paradigm

none4The current mobile application distribution model cannot cope with the complex security requirements of the emerging "bring your own device" (BYOD) paradigm. A secure metamarket architecture supports the definition and enforcement of BYOD policies and offers a promising prototype implementation tested under realistic conditions.Armando A.; Costa G.; Verderame L.; Merlo A.Armando, Alessandro; Costa, G.; Verderame, L.; Merlo, A

BYOD-Insure: A Security Assessment Model for Enterprise BYOD

As organizations continue allowing employees to use their personal mobile devices to access the organizations’ networks and the corporate data, a phenomenon called ‘Bring Your Own Device’ or BYOD, proper security controls need to be adopted not only to secure the corporate data but also to protect the organizations against possible litigation problems. Until recently, current literature and research have been focused on specific areas or solutions regarding BYOD. The information associated with BYOD security issues in the areas of Management, IT, Users and Mobile Device Solutions is fragmented. This research is based on a need to provide a holistic approach to securing BYOD environments. This dissertation puts forth design science research methods to develop a comprehensive security assessment model, BYOD-Insure, to assess the security posture of an organization’s BYOD environment. BYOD-Insure aims to identify security vulnerabilities in organizations that allow (or are planning to adopt) BYODs. The main questions this research aims to answer are: 1) In order to protect the enterprise and its corporate data, how can an organization identify and mitigate the security risks associated with BYOD? 2) How can a holistic approach to security strengthen the security posture of BYOD environments? BYOD-Insure is composed of 5 modules that, in tandem, use a holistic approach to assess the security posture of the four domains of BYOD environments: assessment of management (BYOD-Insure-Management), assessment of IT (BYOD-Insure-IT), assessment of users’ behavior/security (BYOD-Insure-User), and assessment of the mobile device security adopted by the organization (BYOD-Insure-Mobile). The combined results of the 4 domains provide the overall security posture of the organization (BYOD-Insure-Global). The evaluation process for this model is based on a design science method for artifact evaluation. For BYOD-Insure, this process involves the use of descriptive scenarios to describe different types of BYOD security postures. This entails a detailed description of scenarios that depict low, moderate and high security postures with respect to BYOD. The results, for a particular organization, show the security controls that need to be strengthened, and the safeguards recommended. The BYOD-Insure assessment model helps answer the research questions raised in this study

A framework for implementing bring your own device in higher education institutions in South Africa

Although the concept of Bring Your Own Device (BYOD) was only first introduced in 2009, organisations and higher education institutions have shown an increasing interest in and tolerance for employees and students using their own mobile devices for work and academic purposes, to such an extent that it is predicted that BYOD will become the leading practice for all educational environments by the year 2017. Although mobile device usage is increasing in higher education institutions, it has been found that currently no generally recognised framework exists to aid South African higher education institutions with the implementation of BYOD. The problem is further worsened as research suggests that the number of new mobile vulnerabilities reported each year has increased. The primary objective of this study is to develop a framework for implementing BYOD in higher education institutions in South Africa. This primary objective is divided into several secondary objectives, which collectively aim to address the proposed problem. Therefore, the secondary objectives are to understand BYOD in organisations and the challenges it brings; to determine how BYOD challenges differ in higher education institutions; to determine the key components for implementing BYOD in higher education institutions; to determine the extent to which the BYOD key components relate to a higher education institution in South Africa; and to validate the proposed BYOD framework, verifying its quality, efficacy and utility. At first, a comprehensive literature study is used to determine and understand the benefits, challenges and key components for the implementation of BYOD in both organisations and higher education institutions. Thereafter, a case study is used to determine the extent to which the components, identified in the literature study, relate to an educational institution in South Africa. The findings from the case study, in combination with the key components, are then triangulated and a preliminary framework for implementing BYOD in higher education institutions in South Africa is argued. Furthermore, elite interviews are used to determine the quality, efficacy and utility of the proposed BYOD framework. To address the proposed problem, this research proposes a stepby- step holistic framework to aid South African higher education institutions with the implementation of BYOD. This framework adds a significant contribution to the work on this topic, as it provides a foundation upon which further such research can build. It is believed that such a framework would be useful for higher education institutions in South Africa and would result in the improved implementation of BYOD