SwePub

Result list for search ""information security" ;mspu:(licentiatethesis)"


  • Results 1-10 of 17
1.
  • Lundgren, Björn, 1984- (author)
  • Semantic Information and Information Security : Definitional Issues
  • 2016
  • Licentiate thesis (other academic/artistic), abstract:
    • This licentiate thesis consists of two separate research papers which concern two tangential topics – that of semantic information and that of information security. Both topics are approached by similar methods, i.e. with a concern about conceptual and definitional issues. In Paper I – concerning the concept of information, and a semantic conception thereof – the conceptual, and definitional, issues focus on one property, that of truthfulness. It is argued – against the veridicality thesis – that semantic information need not be truthful. In Paper II – concerning information security – it is argued that the current leading definitions (so-called ‘CIA’ definitions, which define information as secure if, and only if, the properties of confidentiality, integrity, and availability are retained) suffer from both actual and possible counter-examples, and lack an appropriate conceptual sense. On the basis of this criticism a new kind of definitions is proposed and argued for.
2.
  • Brodin, Martin (author)
  • Mobile Device Strategy : A management framework for securing company information assets on mobile devices
  • 2016
  • Licentiate thesis (other academic/artistic), abstract:
    • The problem addressed by this research is a demand for increased flexibility in access to organisational information, driven by the increasing popularity of mobile devices. Employees increasingly bring private devices to work (Bring Your Own Device, BYOD) or use work devices for private purposes (Choose Your Own Device, CYOD). This puts managers in a difficult position, since they want the benefits of mobility, without exposing organisational data to further risk. The research focuses on management (particularly information security management) issues in the design and implementation of strategies for mobile devices. There are two objectives. The first is to identify existing information security management strategies for mobile and dual-use devices. The second is to develop a framework for analysing, evaluating and implementing a mobile device strategy. The overall research strategy is inspired by Design Science, where the mission is to develop an artefact, in this case a framework, which will help to solve a practical problem. Methods include literature review, theoretical development, and the collection and analysis of qualitative data through interviews with executives. The main result of this work is the framework, which deals with the complete process, including analysis, design and implementation of a mobile device management strategy. It helps researchers to understand necessary steps in analysing phenomena like BYOD and gives practitioners guidance in which analyses to conduct when working on strategies for mobile devices. The framework was developed primarily through theoretical work (with inspiration from the mobile security and strategic management literature, and the ISO/IEC 27000 standard), and evaluated and refined through the empirical studies. The results include twelve management issues, a research agenda, argumentation for CYOD, and guidance for researchers and practitioners.
3.
  • Iqbal, Sarfraz (author)
  • Designing the online educational information security laboratories
  • 2014
  • Licentiate thesis (other academic/artistic), abstract:
    • Distance education and e-learning in the field of information security is gaining popularity. In the field of information security education, virtual labs have been suggested to facilitate hands-on learning in distance education. An internet-based information security lab is an artifact which involves a collection of systems and software used for teaching information security, and which is accessible through the Internet. This research is motivated from an on-going information security lab development initiative at Luleå University of Technology. A literature review on the online educational information security laboratories (InfoSec labs) in the academic literature was conducted. The current literature about online InfoSec labs still lacks well-specified pedagogical approaches and concrete design principles. It hinders the accumulation of technically and pedagogically rigorous knowledge for the implementation and use of online educational InfoSec labs. Moreover, the literature focused mainly on details of technical lab implementations whereas the pedagogical elements of the curriculum and rationale behind them were ignored. This leads to inadequate guidance about how the instructor and the learner can make use of the lab to pedagogically align the course objectives, teaching / learning activities and assessment methods. A theoretical framework comprising the Constructive alignment theory (Biggs 1996) and Conversational Framework (Laurillard 2002) was proposed to further guide the research process and analyze the case of an internet security course and e-learning platform. The framework suggested that the MSc program and individual courses in information security should be developed based on specific pedagogical principles in order to improve the quality of teaching and enhance the e-learning platform for flexible hands-on security education.
Therefore, to design an online InfoSec lab to improve flexible hands-on education and security skills development in the courses; Action design research (ADR) was chosen as the whole approach to continue with this research project. The ultimate goal is to design an ensemble IT artifact as a result of emerging design, use, and refinement in context through continuous interaction between technology and organization during design process. This licentiate thesis is mainly focused on the 1st stage (Problem Formulation) of the ADR method where the trigger for the first stage is the problems perceived in the teaching of information security, i.e., how to improve students’ security knowledge, how to provide the students with flexible online educational information security lab. The review of prior research, observations, interviews with teachers and program management and reflection on pedagogical approaches lead to formalize five initial design principles (Contextualization, Collaboration, Flexibility, Cost-effectiveness and Scalability). These initial design principles have been derived keeping in view the requirements of an information security course in the degree program. A conceptual design for the information security course based on Personalized System Of Instruction (PSI) approach including online InfoSec lab design to promote student’s hands-on security knowledge level and to provide them flexibility to study at their desired speed has been proposed. The anatomy of design theory framework by Gregor & Jones (2007) is used for outlining a few first components of a design theory for an online-InfoSec-lab course. In its current form, this study makes a contribution to the literature by identifying and discussing about hitherto scattered research reports of educational online InfoSec labs in a common frame of reference, which will help other developers and researchers of information security pedagogy as an index of previous literature.
The theoretical framework will be used to provide further guidelines to develop theory-ingrained artifact which will not only help to provide the necessary justification for elements of curriculum and the rationale behind its selection but also it will help to align the course objectives with teaching / learning activities in a specific teaching context for better hands-on education of information security. The initial design principles suggested in this study will provide help to start the next phase of ADR, Building, Intervention and Evaluation (BIE), which will support us to achieve a refined set of more concrete emergent design principles. The proposed conceptual design of online information security course will be implemented including development, implementation and use of online InfoSec lab. The future research will be focused on IT-dominant BIE (building, intervention and evaluation phases of the ADR method). Further research work after the licentiate phase will cover the rest of the phases of ADR.
4.
  •  
5.
  • Hartikainen, Heidi (author)
  • Secure emergency communications of emergency responders : a case study of Kemi municipality in Finland
  • 2013
  • Licentiate thesis (other academic/artistic), abstract:
    • Emergency response is highly time-critical and information dependent: every moment counts and organizations need to access various information that supports their decision making and informs them about the scale and location of the emergency, the damages, and the availability of human and physical resources. This kind of information can originate from many different places and the situation can be stressful as there is a need to communicate quickly, reliably and accurately within their own organization, but also inter-organizationally. ICTs make it possible to access and spread information with speed and efficiency, but other factors, such as different professional cultures, can still hinder information sharing. There is a growing need in emergency organizations to develop understanding for how communications between emergency responders can be secured. It seems important to consider how emergency responders respond to security objectives, since the assumptions for secure communications may not only be developed on the premise of ICT, but also how the emergency actors appreciate the emergency environments in terms of secure communications. The aim of this research is to develop understanding of information security and secure communications in a context where it has not been well researched. The research looks at secure emergency communications from a socio-technical viewpoint and concentrates on the communication inside and between the emergency organizations of police, the paramedics, and the rescue department in the municipality of Kemi, and more specifically on the communications of operative emergency actors while they are working in the preparedness and response phases of emergency management.
Two persons from each organization were interviewed using semi-structured interviews, and the empirical data was used for writing the appended papers that are the basis of this thesis work. The research started by doing an extensive literature review and analysis on the field of secure emergency communications. The results show that while technical developments on the field aim at effective and secure technologies, organizational aspects of emergency communications seem to involve not only emergency actors, but also how these actors more and more utilize information technology. The landscape for emergency management is becoming very diverse, which challenges the way that secure emergency communications can be understood. The developers of future emergency communications structures not only need to ensure the technical aspects of confidentiality, availability and integrity of information, but they also need to take into account the social rules, norms and structures that guide the emergency communication. Next, this research sought out to re-conceptualize the role of information security in emergency response. A conceptual basis encompassing technical, cognitive and organizational information security layers as a relationship between association and connectivity was developed by synthesizing Actor Network Theory and Theory of Organizational Routines. The approach of combining two theoretical accounts details the enactment of information security in emergency response so as to understand how cognition ties technical security features with organizational security issues. Without the cognitive layer, the technical and organizational aspects of information security remain static or disconnected to the actions performed during emergency response.
Theoretically the approach contributes constructively to describe an alternative approach to information security research to address the gap between formal and informal criteria of information security. Lastly, the research sought out to explore the current situation of the case organizations in detail concerning their level of information security, communication challenges faced, and training offered. It was learned that different aspects of information security are valued depending on whether emergency responders work in preparation periods or if they are responding to an emergency: 1) When working in their own respective organizations the most important aspect was information confidentiality 2) When responding to emergency the most important aspects were information availability and integrity. Most communication challenges present in emergency communications can be seen to arise when responding to emergencies. This is not something currently being taken into account in the case organizations. The basic training of emergency actors and the training and guidelines of each organization largely concentrate on confidentiality issues, and tools and communications training that would be needed to ensure information availability and integrity when responding to an emergency is not prioritized. To overcome the communication challenges present in emergency communications and to ensure confidentiality, availability and integrity of emergency information, those responsible for information security in emergency organizations must therefore provide up to date information security training and awareness building, but also tools and communications training that supports inter-organizational communication.
6.
  • Iwaya, Leonardo H (author)
  • Secure and Privacy-aware Data Collection and Processing in Mobile Health Systems
  • 2016
  • Licentiate thesis (other academic/artistic), abstract:
    • Healthcare systems have assimilated information and communication technologies in order to improve the quality of healthcare and patient's experience at reduced costs. The increasing digitalization of people's health information raises however new threats regarding information security and privacy. Accidental or deliberate data breaches of health data may lead to societal pressures, embarrassment and discrimination. Information security and privacy are paramount to achieve high quality healthcare services, and further, to not harm individuals when providing care. With that in mind, we give special attention to the category of Mobile Health (mHealth) systems. That is, the use of mobile devices (e.g., mobile phones, sensors, PDAs) to support medical and public health. Such systems have been particularly successful in developing countries, taking advantage of the flourishing mobile market and the need to expand the coverage of primary healthcare programs. Many mHealth initiatives, however, fail to address security and privacy issues. This, coupled with the lack of specific legislation for privacy and data protection in these countries, increases the risk of harm to individuals. The overall objective of this thesis is to enhance knowledge regarding the design of security and privacy technologies for mHealth systems. In particular, we deal with mHealth Data Collection Systems (MDCSs), which consist of mobile devices for collecting and reporting health-related data, replacing paper-based approaches for health surveys and surveillance. This thesis consists of publications contributing to mHealth security and privacy in various ways: with a comprehensive literature review about mHealth in Brazil; with the design of a security framework for MDCSs (SecourHealth); with the design of a MDCS (GeoHealth); with the design of Privacy Impact Assessment template for MDCSs; and with the study of ontology-based obfuscation and anonymisation functions for health data.
7.
  • Verendel, Vilhelm, 1980 (author)
  • Some Problems in Quantified Security
  • 2010
  • Licentiate thesis (other academic/artistic), abstract:
    • This thesis contains work related to quantitative representation and analysis of computer and information security. The ability to accurately describe security using quantitative methods could offer better control and evaluation of security in operational settings. However, a number of challenges remain, generally in modeling but also in validation and usability. In this work, we improve knowledge about two identified challenges: (i) validation of methods and (ii) decision-making using quantified risk. The first part of the thesis critically surveys many of the proposed methods to quantitatively describe security, by focusing on their validity. After defining a taxonomy, we survey assumptions and methods for validation that have been used in a large fraction of previous work on the subject. We find that many methods lack clear validation with respect to operational environments, and how some model assumptions are not empirically well-supported. We also discuss the characteristics of operational security that make modeling and quantification a remaining challenge. Furthermore, we discuss what future efforts could target in validating quantitative methods for operational security. In the second part we consider a specific type of quantified security: quantified risk, an existing proposal to analyze security quantitatively in terms of probabilities and losses of events. We relate this to the usability of quantified information when people make risky decisions, drawing on previous experimental work in behavioral economics. A common assumption in economic and quantitative analysis of security is that correct knowledge about quantified risk leads to rational decision-making. However, previous experimental results show that people are not always handling quantitative information rationally. 
We hypothesize that this may impact security decision-making using quantified risk, and study this for two security decision-making problems by a combined theoretical and numerical study. This thesis has two main conclusions. First, validity of many current methods in quantified security is unknown, but there is room for improvement. Second, there are potential decision-making problems in using quantified risk for control of operational security.
8.
  • Bello, Luciano, 1981 (author)
  • Information-Flow Tracking for Dynamic Languages
  • 2013
  • Licentiate thesis (other academic/artistic), abstract:
    • This thesis explores information-flow tracking technologies and their applicability on industrial-scale dynamic programming languages. We aim to narrow the gap between the need for flexibility in current dynamic languages and the solid well-studied mechanisms from academia. Instead of translating perfect sound theoretical results into a practical implementation, this thesis focuses on practical problems found in dynamic languages and, from them on, looks for the academic support to tackle them. We investigate the compromise between security and flexibility for protecting confidentiality and integrity. Furthermore, using purely dynamic techniques, we implement our ideas to demonstrate their practicability. On the integrity protection side, a taint mode for Python has been implemented. Thanks to the flexibility of this language, the implementation is shipped as a library, allowing it to be used in Cloud Computing environments. On the confidentiality side, two works are presented which differ in their security property. On one hand, a dynamic dependency analysis is suggested as an alternative to flow-sensitive monitors. By relaxing the ambition of blocking every possible leak, we improve permissiveness, even for programming languages that support dynamic evaluation (such as the eval construct). On the other hand, a full JavaScript monitor was developed to enforce non-interference in the complex scenario of the web. This implementation allows us to explore the scalability boundaries of dynamic information-flow enforcements.
9.
  • Birgisson, Arnar, 1981 (author)
  • Controlling Dependencies for Security and Privacy
  • 2011
  • Licentiate thesis (other academic/artistic), abstract:
    • This thesis explores several ways to diversify the field of Information Flow Control. At the heart of the field lie on one hand policies for describing limitations on information dependencies induced by a program, and on the other hand mechanisms to enforce such policies. We aim to improve the current state of the art by pointing out areas where current policy definitions and enforcement mechanisms fall short in terms of providing information confidentiality and integrity. We identify that integrity properties often must go beyond simple data dependencies, and provide a notion of generalized invariants for describing certain program correctness properties and show their enforcement can be incorporated in a standard monitor for Information Flow Control. For confidentiality, we show that termination insensitive security definitions may not be appropriate when programs can be invoked multiple times by an attacker, and suggest an improvement to type-based enforcement that extends the security definition to the multirun case. Furthermore, we seek overlaps between Information Flow Control and other fields. We explore the application of capability systems to enforce Information Flow Control policies, with positive results. We also study how tracking of data dependencies can be applied to improve the programming model for Differential Privacy, a framework providing strong theoretical guarantees regarding privacy preserving use of data.
10.
  • Boldt, Martin (author)
  • Privacy-Invasive Software : Exploring Effects and Countermeasures
  • 2007
  • Licentiate thesis (other academic/artistic), abstract:
    • As computers are increasingly more integrated into our daily lives, we need aiding mechanisms for separating legitimate software from their unwanted counterparts. We use the term Privacy-Invasive Software (PIS) to refer to such illegitimate software, sometimes loosely labelled as spyware. In this thesis, we include an introduction to PIS, and how it differs from both legitimate and traditionally malicious software. We also present empirical measurements indicating the effects that PIS have on infected computers and networks. An important contribution of this work is a classification of PIS in which we target both the level of user consent, as well as the degree of user consequences associated with PIS. These consequences, affecting both users and their computers, form a global problem that deteriorates a vast number of users’ computer experiences today. As a way to hinder, or at least mitigate, this development we argue for more user-oriented countermeasures that focus on informing users about the behaviour and consequences associated with using a particular software. In addition to current reactive countermeasures, we also need preventive tools dealing with the threat of PIS before it enters users’ computers. Collaborative reputation systems present an interesting way forward towards such preventive and user-oriented countermeasures against PIS. Moving the software reputations from old channels (such as computer magazines or friends’ recommendations) into an instantly fast reputation system would be beneficial for the users when distinguishing unwanted software from legitimate. It is important that such a reputation system is designed to address antagonistic intentions from both individual users and groups thereof, so that users could depend on the reputations. This would allow users to reach more informed decisions by taking the reported consequences into account when deciding whether they want a specific software to enter their computer or not.