SwePub
Search the SwePub database

Hit list for the search "WFRF:(Kowalski Stewart Professor)"

Search: WFRF:(Kowalski Stewart Professor)

  • Results 1-8 of 8
1.
  • Al Sabbagh, Bilal, 1978- (author)
  • Cybersecurity Incident Response : A Socio-Technical Approach
  • 2019
  • Doctoral thesis (other academic/artistic) abstract
    • This thesis examines the cybersecurity incident response problem using a socio-technical approach. The motivation of this work is the need to bridge the knowledge and practice gap that exists because of the increasing complexity of cybersecurity threats and our limited capability of applying the cybersecurity controls necessary to adequately respond to these threats. Throughout this thesis, knowledge from Systems Theory, Soft Systems Methodology and Socio-Technical Systems is applied to examine and document the socio-technical properties of the cybersecurity incident response process. The holistic modelling of the cybersecurity incident response process produced concepts and methods that were tested to improve the socio-technical security controls and minimise the existing gap in security controls. The scientific enquiry of this thesis is based on pragmatism as the underpinning research philosophy. The thesis uses a design science research approach and embeds multiple research methods to develop five artefacts (concept, model, method, framework and instantiation) outlined in nine peer-reviewed publications. The instantiated artefact embraces the knowledge developed during this research to provide a prototype for a socio-technical security information and event management system (ST-SIEM) integrated with an open source SIEM tool. The relevance of the artefact was validated through a panel of cybersecurity experts using a Delphi method. The Delphi method indicated that the artefact can improve the efficacy of handling cybersecurity incidents.
2.
  • Kajtazi, Miranda, 1983- (author)
  • Assessing Escalation of Commitment as an Antecedent of Noncompliance with Information Security Policy
  • 2013
  • Doctoral thesis (other academic/artistic) abstract
    • For organizations, emphasizing investments in security technology has become the norm. Trending security technologies are important for an organization's information security strategy. Organizations commonly use such technologies to enforce information security policy (ISP) compliance on the part of their employees, to ensure the security of their information resources. Yet, it seems that employees frequently establish rules of their own for complying with the ISP. Questioning this concern, the present dissertation addresses employees' violation of information security rules and regulations. The motivation is based on the concern that information security policy noncompliance is largely influenced by escalation of commitment. Escalation is a phenomenon that explains how employees in organizations often get involved in nonperforming tasks, commonly reflecting the tendency of persistence, when investments of resources have been initiated. This dissertation develops an integrated model based on Self-Justification theory, Prospect theory, and Approach Avoidance theory, that centres on two main factors of noncompliance, namely self-justification and sunk costs. These factors act as mediating mechanisms to explain the dependent factor of the willingness to engage in noncompliant behaviour. The theoretical model is empirically tested with a data set that represents responses from 639 respondents across 27 organizations using the scenario-based survey approach. The results of this dissertation present a dual outcome. For theory, our theoretical framework not only enriches the literature on information security by proving that escalation behaviour is an antecedent of noncompliance, but also generates new insights about the escalation of commitment literature. The findings suggest that employees' cognitive traits are escalation's main antecedents that present the necessary stimulation to violate an ISP, while employees' emotional traits do not influence such stimulation when overpowered by cognitive traits. Our results also suggest that employees engaged in nonperforming tasks often become noncompliant, even though they were complying before. In principle, the findings show that employees prioritize the completion of their tasks, rather than their commitment to comply with the ISP, and thus become noncompliant. In practice, our results show that employees' willingness to engage in noncompliant behaviour is largely influenced by self-justification and sunk costs. The main results suggest that (a) self-justification is largely driven by the benefits of noncompliance outweighing the costs of compliance; (b) sunk costs are largely driven by the completion effect; (c) the benefit of noncompliance is a significant factor in self-justification, partially mediated by its influence on the willingness to engage in noncompliance; and (d) the completion effect is a significant factor in the sunk costs, fully mediated by its influence on the willingness to engage in noncompliance. This dissertation advocates that further research is needed to account for and explain noncompliant behaviour by utilizing escalation theories in more depth, and that such an account requires an innovative and empirically driven effort.
3.
  • Odero, Jared O., 1963- (author)
  • ICT-based Distance Education : A Study of University Students' Views and Experiences in Early Post-Apartheid South Africa
  • 2017
  • Doctoral thesis (other academic/artistic) abstract
    • The overall aim of this study was to investigate how the introduction of ICT into distance education at public institutions of higher learning in South Africa during the early post-apartheid period from 1994 to 2002 provided learning opportunities for students and facilitated the delivery of learning content. More explicitly, it examined and analyzed the views and experiences of students and course facilitators at selected higher education institutions which provided ICT-based distance education. The study also examined and analyzed the views and experiences of students regarding the services of a private on-campus Internet café located in a South African technikon (a technological institution). The empirical part of the current study was conducted in 2002, when some public higher education institutions in the country were involved in the provision of distance education as a means of increasing student participation and generating income. However, the proliferation of private actors who collaborated with some of these institutions to provide ICT-based distance education caused concern to the government, which questioned their quality of content delivery. A case study research design was applied to collect, analyze and interpret quantitative and qualitative data at four universities and one technikon. Two electronic surveys were administered by email and on the Web to self-selected students at the five case institutions. The first survey examined the views and experiences of respondents (n = 605) who participated in ICT-based distance education, while the second one investigated the views and experiences of respondents (n = 274) who used a private campus-based Internet café. Non-participant observations were made at some learning centers to understand how classes were carried out, and at the Internet café, to understand the type of services offered. Unstructured interviews were held with selected students and course facilitators at one institution, whereas informal interviews were conducted with some students and the Internet café manager. Further, a literature review was undertaken to understand certain issues and trends in ICT-based distance education, within and beyond South Africa. The findings indicate that the majority of respondents chose ICT-based distance education because it was flexible. They were also comfortable with using the English language for instruction. However, some complained that the learning materials were irrelevant and were not delivered on time. The course facilitators were generally satisfied with their work, although they were disappointed at not having the opportunity to influence changes in the study guides. Many respondents used the Internet café because they did not have any other means of accessing the Internet. Moreover, it was affordable and they used it for socializing. The study concludes that the system of instructional design and content delivery to distance education students in South Africa should be improved to become efficient. Further studies are recommended to examine the ongoing development of ICT-based distance higher education in South Africa.
4.
  • Mwakalinga, Jeffy, 1962- (author)
  • A Framework for Adaptive Information Security Systems : A Holistic Investigation
  • 2011
  • Doctoral thesis (other academic/artistic) abstract
    • This research proposes a framework for adaptive information security systems that considers both the technical and social aspects of information systems security. Initial development of information systems security focused on computer technology and communication protocols. Researchers and designers did not consider culture, traditions, ethics, and other social issues of the people using the systems when designing and developing information security systems. They also seemed to ignore the environments where these systems run and concentrated only on securing parts of the information systems. Furthermore, they did not pay adequate attention to the enemies of information systems and the need for adaptation to a changing environment. The consequences of this lack of attention to a number of important factors have given us the information security systems that we have today, which appear to be systemically insecure. To approach this systemic insecurity problem, the research was divided into mini-studies that were based on the Systemic-Holistic paradigm, Immune System concepts, and Socio-Technical System theory. Applying the holistic research process, the author started by exploring adaptation systems. After exploring these systems, the focus of the research was to understand the systems and features required for making information security systems learn to adapt to changing environments. Designing and testing the adaptive framework were the next steps. The knowledge acquired from this research was structured into domains in accordance with ontological principles, and the relationships between domains were studied. These domains were then integrated with the security value-based chain concept, which includes deterrence, prevention, detection, response, and recovery functions, to create a framework for adaptive information security systems. The results of the mini-studies were reported in a number of papers, which were published in proceedings of international conferences and a journal. For this work, 12 of the thesis papers are included. A framework for adaptive information security systems was created. Trials to apply and validate the framework were performed using three methods. The first method was a panel validation, which showed that the framework could be used for providing adaptive security measures and structuring security work. The second method mapped the framework to the security standards, which showed that the framework was aligned with the major information systems security standards. The third and last validation method was to map the framework against reported ICT crime cases. The results indicated that most crimes appear to occur because the security systems in place lacked deterrence security measures and had weak prevention, detection, and response security measures. The adaptive information security systems framework was also applied to a number of areas including secure e-learning, social networks, and telemedicine systems. It is concluded in this thesis that this adaptive information security system framework can be applied to minimize a number of systemic insecurity problems and warrants more applied research and practical implementations.
5.
  • Nohlberg, Marcus (author)
  • Securing Information Assets : Understanding, Measuring and Protecting against Social Engineering Attacks
  • 2008
  • Doctoral thesis (other academic/artistic) abstract
    • Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is, and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization's vulnerability to social engineering attacks. Protecting covers the ways an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques dealing with the human element of security in place. The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.
6.
  • Rocha Flores, Waldo (author)
  • Shaping information security behaviors related to social engineering attacks
  • 2016
  • Doctoral thesis (other academic/artistic) abstract
    • Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies' dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large share of these IT-related threats consists of hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing the multilevel factors that explain what drives employees' existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and their multilevel determinants, (ii) identification of multilevel variables that significantly influence employees' intent for behavior change, (iii) identification of the behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees' intention to change their behaviors and resist social engineering is described. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Papers 6 and 7 describe experiments performed to understand the reasons why employees fall for social engineering. Finally, Papers 2, 5 and 6 examine the moderating effect of national culture.
7.
  • Wahlgren, Gunnar, 1944- (author)
  • A Maturity Model for Measuring Organizations Escalation Capability of IT-related Security Incidents
  • 2020
  • Doctoral thesis (other academic/artistic) abstract
    • An inability to handle IT-related security incidents can have devastating effects on both organizations and society at large. The European Union Agency for Network and Information Security (ENISA) emphasizes that cyber-security incidents affecting critical information infrastructures may simultaneously create significant negative impacts for several countries, and when incidents strike, the primary business processes of many organizations may be jeopardized. For example, the Swedish civil contingencies agency, MSB, reported in 2011 that a major Swedish IT services provider caused an IT-related security incident which in turn created large operational disruptions for a number of public and private organizations in Sweden. The management of IT-related security incidents is therefore an important issue facing most organizations today. Such incidents may threaten the organization as a whole and are not purely an IT issue; when handling incidents, escalation to the correct individual or group of individuals for decision making is very important, as the organization must react quickly. Consequently, the major research goal of this thesis is to examine whether the ability of an organization to escalate IT-related security incidents can be modeled, measured and improved. To achieve this goal, an artifact that can be used within an organization to model and measure its capability to escalate IT-related security incidents was designed, implemented and tested. This artifact consists of a maturity model whose purpose is to measure the level of maturity of the various attributes identified as necessary for an organization to handle escalations. In this thesis, a design science approach is applied, and the research project is divided into three design cycles, with the artifact being gradually developed and evaluated in each cycle. Evaluations were performed via interviews with representatives of 13 different organizations, including both private and public entities, and five different surveys with 78 individual participants. The conclusion of the research is that the use of the proposed self-assessment artifact can allow organizations to predict their ability to handle the escalation of IT-related security incidents with improved certainty.
8.
  • Lundgren, Martin (author)
  • Making the Dead Alive : Dynamic Routines in Risk Management
  • 2020
  • Doctoral thesis (other academic/artistic) abstract
    • Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined as a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex, and something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as 'dead routines,' since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners' performance, experience, and understanding are denoted as 'alive routines,' as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead (controlling) and alive (shaping) routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptation, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify them or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity of security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.