
    Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standards (CTC&CS)

    The increasing use of mobile devices and unfettered access to cyberspace have introduced new threats to users. Mobile device users are continually targeted by cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geolocation, camera, etc.), phishing, malware, spyware, trojans, and keyloggers. Users are often uninformed about the cybersecurity threats posed by mobile devices, yet they are held responsible for the security of their device, including taking precautions against those threats. In recent years, financial institutions have been passing the costs associated with fraud on to users because of this lack of security. The purpose of this study was to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The conceptual foundation is the philosophy behind the United States Occupational Safety and Health Administration (OSHA) Hazard Communication Standard (HCS) of labels and pictograms, which is mainly focused on chemical substances. This study extended the HCS framework as a model to support new criteria for cybersecurity classification and communication standards. The study involved three phases. Phase 1 conducted two rounds of the Delphi technique and collected quantitative data from 26 Subject Matter Experts (SMEs) in round one and 22 SMEs in round two through an anonymous online survey. Phase 1 yielded six threat categories and 62 cybersecurity threats. Phase 2 operationalized the elicited and validated criteria into pictograms, labels, and safety data sheets. Using the results of Phase 1 as a foundation, two to three pictograms, labels, and safety data sheets (SDSs) were developed for each of the categories identified in Phase 1, and quantitative data were collected in two further Delphi rounds from 24 and 19 SMEs respectively through an online survey and analyzed. Phase 3, the main data collection phase, empirically evaluated the developed and validated pictograms, labels, and SDSs for their perceived effectiveness and performed an analysis of covariance (ANCOVA) with 208 non-IT professional mobile device users. The results showed that pictograms were highly effective: participants were satisfied with characteristics of the pictograms such as color, shape, and visual complexity, and found these characteristics valuable. Labels and SDSs, on the other hand, were not shown to be effective: participants were not satisfied with their characteristics or did not find them important. Furthermore, the ANCOVA results showed significant differences in the perceived effectiveness of SDSs by education level, and marginal significance for labels, when controlling for the number of years of mobile device use. Based on these results, future research should examine discrepancies in pictogram effectiveness across education and reading levels, and should focus on identifying the most effective pictogram designs within the cybersecurity context. Finally, longitudinal studies should be performed to understand the factors that affect the effectiveness of pictograms.

    Managing security and compliance risks of outsourced IT projects

    PhD Thesis
    Several sources of constraints, such as business, financial and legal, can lead organisations to outsource some of their IT services. As a consequence, different security risks may be introduced, such as confidentiality, integrity and availability risks. Analysing and managing the potential security risks in the early stages of project execution allows organisations to avoid or mitigate the impact of these risks. Several organisations have adopted ISMS standards and frameworks in an endeavour to manage the security risks of outsourced IT projects. In this thesis, existing ISMS standards and frameworks have been reviewed and analysed to assess their ability to effectively manage the security and compliance risks of outsourced IT projects and satisfy their security needs. The review reveals that existing ISMS standards and frameworks offer only general security recommendations and do not consider variation in security requirements from one organisation to another. There is also a lack of adequate guidance for implementing or complying with these standards and frameworks, and they are not designed to manage the security and compliance risks of outsourced IT projects. To overcome these weaknesses, a new framework has been introduced. The framework is a structured approach designed to manage variation in security requirements and to provide a methodology that guides organisations in security management and implementation. The framework was evaluated using several evaluation methods, including a focus group, a questionnaire, and a case study, which were also used to generate recommendations and suggestions for improvement. The evaluation results confirmed that the framework provided the participants with an effective approach for managing security and compliance risks in the outsourcing context. It was understandable, easy to use, and independent of constraints such as project size, cost or execution time. The framework is now ready to be put into practice by organisations that intend to outsource their IT services partially or totally.

    Security threat classification for outsourced IT projects
