| 1. |
- Bergström, Erik, 1976-
(author)
-
Supporting Information Security Management : Developing a Method for Information Classification
- 2020
-
Doctoral thesis (other academic/artistic)abstract
- In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
|
|
| 2. |
- Rostami, Elham, 1983-
(author)
-
Tailoring information security policies : a computerized tool and a design theory
- 2023
-
Doctoral thesis (other academic/artistic)abstract
- Protecting information assets in organizations is a must and one way for doing it is developing information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is at least related to two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designer of ISPs, where computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers to design tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles.The thesis contribute to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.
|
|
| 3. |
- Stirparo, Pasquale
(author)
-
MobiLeak : Security and Privacy of Personal Data in Mobile Applications
- 2015
-
Doctoral thesis (other academic/artistic)abstract
- Smartphones and mobile applications have become an essential part of our daily lives. People always carry their smartphones with them and rely on mobile applications for most of their tasks: from checking emails for personal or business purposes, to engaging in social interactions via social networks, from trading online or checking their bank accounts to communicating with families and friends through instant messaging applications. It is therefore clear to anyone that these devices and these applications handle, store and process a huge amount of people’s personal data, and therefore confidential and sensitive. Whether the person is famous or not, whether he/she is an important public personality or not, whether he or she manages and possess a big amount of money or not, the protection of his/her personal data should be of great importance, since threats can target anyone, with consequences ranging from defamation of person to economic losses due to a compromised bank account, to identity theft, location tracking, and many more. In this scenario it becomes very important that mobile applications are a) secure from a program code point of view, written following secure coding and Secure Software Development Life Cycle (S- SDLC) guidelines and best practices, and b) capable of handling, storing and processing user data in a proper and stringently secure manner to maintain user’s privacy.Secure Coding and S-SDLC concepts are well known and have been inherited from the classical software engineering development domain, although not too much widespread and applied in the mobile world. However, even the most secure application, from a code point of view, can pose threat to the security and privacy of users if the data are not handled properly. An application very well written from a code point of view (i.e. without presence of evident bug which may lead to its exploitability) may, for example, store user credentials or other personal data in plaintext inside the device. In case that a device is lost, stolen or compromised via other channels (i.e. other vulnerable applications or through the mobile OS itself), those data are completely exposed. A simple, standard vulnerability or penetration test against the application may not reveal such vulnerability.Thus, this thesis addressed and solved the problems related to the following three research questions for mobile environment and applications:What are data and where can such data exist?How is personal data handled?How can one properly assess the security and privacy of mobile applications?The research work started with studying and identifying every possible state at which data can exist, which is a fundamental prerequisite in order to be able to properly treat them. The lack of understanding of this aspect is where most of the existing approaches failed by focusing mainly on finding bugs in the code instead of looking at sources and transfers of data too. After this step, we analysed how real life mobile applications and operating systems handle users’ personal data for each of the states previously identified. Based on the results of these two steps, we developed a novel methodology for analysis of security and privacy level of mobile applications, which focuses more on user data instead of application code and its architecture. The methodology, which we named MobiLeak, also combined concepts and principles from the digital forensics discipline.Some of the solutions presented in this dissertation may sound a bit more obvious compared to when they have been developed within the MobiLeak Methodology. However, this research work started in January 2011 and back in 2010, when the research proposal that led to this Ph.D. was presented, the mobile application security landscape was quite different, at a very early rudimentary stage. At that time iPhone 4 and iOS4 had just been released; now we have reached iPhone 6 and iOS8. In December 2010 the first Near Field Communication (NFC) enabled smartphone was released, the Samsung Google Nexus S. Until that moment the only mobile phone (not smartphone) with NFC capabilities was a particular version of the Nokia 6131 released in 2006. Incredibly enough, at that time there were not yet publicly known Android malware. In fact, the first Android Trojans, FakePlayer and DroidSMS, were discovered in August 2010 and now, according to a recent report released by the security firm Kaspersky1 in February 2015, the number of financial malware attacks against Android counts up to 2,317,194 in 2014.Part of the significant contribution from the research work reported in this dissertation, was in the initial development of the Mobile Security Testing Guidelines developed by Open Web Application Security Project (OWASP) for the Mobile Security Project, pushing the need of mobile digital forensics methodology to be a mandatory part of a mobile application security assessment methodology. It also contributed to the works of the European Telecommunications Standards Institute (ETSI) and the International Organization for Standardization (ISO/IEC SC 27) committees related to digital forensics and, last but not least, it resulted in eleven peer-reviewed publications, one book chapter and one book co-authored.
|
|
| 4. |
- Alaqra, Ala Sarah
(author)
-
Tinkering the Wicked Problem of Privacy : Design Challenges and Opportunities for Crypto-based Services
- 2020
-
Doctoral thesis (other academic/artistic)abstract
- Data privacy has been growing in importance in recent years, especially with the constant increase of online activity. Consequently, researchers study, design, and develop solutions aimed at enhancing users' data privacy. The wicked problem of data privacy is a dynamic challenge that defies straightforward solutions. Since there are many factors involved in data privacy, such as technological, legal, and human aspects, we can only aim at mitigating rather than solving this wicked problem.Our aim was to explore challenges and opportunities with a focus on human aspects for designing usable crypto-based privacy-enhancing technologies (PETs). Mainly, there were three PETs in the cloud context included in our studies: malleable signatures, secret sharing, and homomorphic encryption. Based on the three PETs, services were developed within European research projects that were the scope of our user studies. We followed a user-centered design approach by using empirical qualitative and quantitative means for collecting study data. Our results and tinkering conveyed (i) analysis of different categories of user's perspectives, mental models, and trade-offs, (ii) user requirements for PET services, and (iii) user interface design guidelines for PET services. In our contributions, we highlight considerations and guidelines for supporting the design of future solutions.
|
|
| 5. |
- Herzog, Almut, 1969-
(author)
-
Usable Security Policies for Runtime Environments
- 2007
-
Doctoral thesis (other academic/artistic)abstract
- The runtime environments provided by application-level virtual machines such as the Java Virtual Machine or the .NET Common Language Runtime are attractive for Internet application providers because the applications can be deployed on any platform that supports the target virtual machine. With Internet applications, organisations as well as end users face the risk of viruses, trojans, and denial of service attacks. Virtual machine providers are aware of these Internet security risks and provide, for example, runtime monitoring of untrusted code and access control to sensitive resources.Our work addresses two important security issues in runtime environments. The first issue concerns resource or release control. While many virtual machines provide runtime access control to resources, they do not provide any means of limiting the use of a resource once access is granted; they do not provide so-called resource control. We have addressed the issue of resource control in the example of the Java Virtual Machine. In contrast to others’ work, our solution builds on an enhancement to the existing security architecture. We demonstrate that resource control permissions for Java-mediated resources can be integrated into the regular Java security architecture, thus leading to a clean design and a single external security policy.The second issue that we address is the usabilityhttps://www.diva-portal.org/liu/webform/form.jspDiVA Web Form and security of the setup of security policies for runtime environments. Access control decisions are based on external configuration files, the security policy, which must be set up by the end user. This set-up is security-critical but also complicated and errorprone for a lay end user and supportive, usable tools are so far missing. After one of our usability studies signalled that offline editing of the configuration file is inefficient and difficult for end users, we conducted a usability study of personal firewalls to identify usable ways of setting up a security policy at runtime. An analysis of general user help techniques together with the results from the two previous studies resulted in a proposal of design guidelines for applications that need to set up a security policy. Our guidelines have been used for the design and implementation of the tool JPerM that sets the Java security policy at runtime. JPerM evaluated positively in a usability study and supports the validity of our design guidelines.
|
|
| 6. |
- Kävrestad, Joakim, 1989-
(author)
-
Context-Based Micro-Training : Enhancing cybersecurity training for end-users
- 2022
-
Doctoral thesis (other academic/artistic)abstract
- This research addresses the human aspect of cybersecurity by developing a method for cybersecurity training of end-users. The reason for addressing that area is that human behaviour is widely regarded as one of the most used attack vectors. Exploiting human behaviour through various social engineering techniques, password guessing, and more is a common practice for attackers. Reports even suggest that human behaviour is exploited in 95% of all cybersecurity attacks. Human behaviour with regard to cybersecurity has been long discussed in the research. It is commonly suggested that users need support to behave securely. Training is often suggested as the way to improve user behaviour, and there are several different training methods available. The available training methods include instructor-led training, game-based training, eLearning, etc. However, even with the diversity of existing training methods, the effectiveness of such training has been questioned by recent research. Research suggests that existing training does not facilitate knowledge retention and user participation to a high enough degree. This research aims to address the problems with current training practices by developing a new method for cybersecurity training of end-users. The research used a design science (DS) approach to develop the new method in three increasingly complex design cycles. Principles for cybersecurity training were developed based on previous research and the Technology Acceptance Model and made the theoretical foundation of the reserach. The result is a theoretically grounded method for cybersecurity training that outlines goals and guidelines for how such training should be implemented. It has been evaluated in several steps with more than 1800 survey participants and 300 participants in various experiments. The evaluations have shown that it can both support users towards secure behaviour and be appreciated by its users. The main contribution of this research is the method for cybersecurity training, Context-Based Micro-Training (CBMT). CBMT is a theoretical contribution that describes good practices for cybersecurity training for end-users. Practitioners can adopt it as a guide on how to implement such training or to support procurement decisions. The research also shows the importance of integrating usability into the development of security practices. Users must positively receive both training and the guidelines imposed by training since positive user perception increases user adoption. Finally, the research shows that following security guidelines is difficult. While training is essential, this research suggests that training alone is not enough, and future research should consider the interplay between training and other support mechanisms.
|
|
