Introduction Internet usage in Oman IT Security incidents in Oman Proposed work Key findings Effective usage Organization network awareness Threat awareness Password management Content awareness Security practices awareness ITSACAS Approach Conclusion

1. THE NEED FOR EFFECTIVE
INFORMATION SECURITY
AWARENESS PRACTICES IN OMAN
HIGHER EDUCATIONAL
INSTITUTIONS
Mr. Rajasekar Ramalingam
Mr. Shimaz Khan
Mr. Shameer Mohammed
Ministry of Higher Education,
Sur College of Applied Sciences,
Department of Information Technology,
Post Box: 484 Post Code: 411, Sultanate of Oman
Symposium on Communication, Information Technology and Biotechnology:
Current Trends and Future Scope, Sur College of Applied Sciences, Ministry
of Higher education, Sultanate of Oman, 12th and 13th May, 2015
1

2. PRESENTATION PATH
 Introduction
 Internet usage in Oman
 IT Security incidents in Oman
 Proposed work
 Key findings
 Effective usage
 Organization network awareness
 Threat awareness
 Password management
 Content awareness
 Security practices awareness
 ITSACAS Approach
 Conclusion
2

3. 1. INTRODUCTION
 Internet technology & Mobile Technology.
 Online transactions and electronic data transfer.
 In the late 1990s: Melissa and Code Red
 Information security - received attention globally.
 Since then: Spam emails, Identity theft, Data leakage,
Phishing, Adware, Intrusion etc.,
 Considerable impact on the information assets of
organization / individuals.
 Cybercrime incidents – increases globally.
 Sultanate of Oman is also a victim.
3

4. 2. INTERNET USAGE IN OMAN
 According to the World Internet usage statistics news:
Internet users:
 Oman constitutes - 2.1% of worldwide internet users.
 2,139,540 - internet users (December 31st, 2013)
Card usage in Oman:
 2008 – 1.9 million
 2012 – 3.3 million
 2013 – 3.6 million
 2017 – 4.4 million (Forecast)
 Increase in internet usage and online transactions -
increases the number of cybercrime incidents in Oman.
 ITA (2012 & 13) - Significant increase in the number of
cybercrime incidents in Oman. 4

5. 3. IT SECURITY INCIDENTS IN OMAN
 As per the ITA annual report (2012 and 2013):
 Increase of 13.5% reported incidents.
 200% increase of Malware incidents.
 10,84,369 malicious attempts were prevented & analyzed.
 19,171 malicious attempts against government networks
were identified & prevented.
 25,827 vulnerabilities were discovered.
 9,41,079 malicious wares were analyzed.
 6,59,090 web violations were analyzed and prevented.
 15,855 security attacks discovered & handled - OCERT.
5

6. 6
Figure 1: Number and classification of incidents – 2012
(Source: ITA Annual report 2012)

7. 7
Figure 2: The Malware statistics for each month in 2012 – OCERT
(Source: ITA Annual report 2012)

8. 4. PROPOSED WORK
 Survey
 Education institutions in Oman
 To investigate the level of information security awareness.
 Entities: Students, Technical staff and Academic staff.
 ISAIM – Proposed model – Survey
 The survey attracted 173 respondents.
 Results were correlated and analyzed.
 The areas of weakness were identified.
 ITSACAS approach – increase security awareness.
8

9. 4.1 INFORMATION SECURITY AWARENESS
IDENTIFICATION MODEL (ISAIM)
 The proposed model - 6 key elements.
9
Security
Practice
Effectiv
e Usage
Organiz
ation
Awaren
ess
Threats
Awaren
ess
Protecti
on
Awaren
ess
Content
Awaren
ess

10. 10
ISAIM
Demogra
phics
Internet
Usage
Organizatio
n’s network
knowledge
Security
Practices
Email
security
Password
managem
ent
Security
threats
experience

11. 11
S# Name of the Educational Institution S# Name of the Educational Institution
1 Al Buraimi University College 10 Sohar College of Applied Sciences
2 Higher College of Technology
(Muscat)
11 Nizwa College of Technology
3 Ibra College of Technology 12 Oman College of Management Technology
4 Salalah College of Technology 13 Al Sharqiyah University
5 Sur College of Applied Sciences 14 German University of Technology in Oman
6 Waljat College of Applied Sciences 15 Ibri College of Applied Sciences
7 Majan University College 16 Sultan Qaboos University
8 College of Applied Sciences, Rustaq 17 Caledonian College of Engineering
9 Sohar University 18 College of applied sciences – Salalah

12. 5. EFFECTIVE USAGE - KEY FINDINGS
12
Age Group 18 to 29 – 34%
Educational Qualification 35% - Graduates
38% - Masters
23% - PhD
Academic staff. 54%
Smart phone device 70%
Purpose of using Internet Emailing
Educational References
Net Banking
Internet usage 27% - 2 to 3 Hrs. / Day
14% - More than 7 Hrs. / Day

13. 6. ORGANIZATION AWARENESS – KEY FINDINGS
13
Yes No Don’t
Know
Does your organization practice any IS-MS
Standard(ISO 27001)
39.4% 21.9% 38.7%
Does your organization use local firewall 88.4% 3.9% 7.7%
Does your organization use a IDS. 41.3% 10.3% 48.4%
Does your organization use DMZ 22.9% 13.1% 64.1%
Does your organization uses any AV
Software
92.9% 3.9% 3.2%

14. 14
Yes No Do not
know
Does your organization have a written
security policy
44.5% 17.1% 38.4%
Does your organization have any
reporting mechanism for security issues
37% 25.3% 37.7%
Did you ever reported to your
organization about any security issues?
32.2% 67.8%

15. 7. THREAT AWARENESS – KEY FINDINGS
15
Yes No Do not
know
Have you ever been attacked through the
Internet
55.7% 38.9% 5.4%
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
Viruses Spam Adware Phishing Intrusions Password
theft
Other
If yes, please choose the type of attack you have
experienced, Check that apply:

16. 16
0.0%
5.0%
10.0%
15.0%
20.0%
25.0%
30.0%
35.0%
40.0%
Lose of personal
data
Lose of money System Crash Block of any
account
Other
If you have been attacked, choose the loss that you faced:
71%
12%
4%
13%
Number of Security Attacks
1 - 3 4 - 6 7 - 10 Above 10

17. 8. PASSWORD MANAGEMENT AWARENESS
17
3% 3%
19%
56%
19%
Frequency of changing the password
Daily Once in weak Once in month Once the application insists Never
Choosing 17.6% uses same password for all web
applications
Construct 16.3% using personal information
Managing 7.9% uses password management tools
21% Write it and keep it safe
Changing 19.3% Never change password
56.4% Once Application insists

18. 9. CONTENT AWARENESS
18
32% interested in opening an email from the unknown
source.
39% No email policy in the institution.
23% Email policies - I do not know & I could not
understand.
84% Do not reveal their personal information.
3% Willing to provide their bank details.

19. 19
Confident in organization’s protection against information security risk?
Answer Options Response Percent
Very confident 26.6%
Confident 34.7%
Somewhat confident 24.2%
No confident 14.5%
Does you organization conducted any security awareness program?
Answer Options Response Percent
Yes 44.4%
No 55.6%
How many information security training programs do you attended in the past 12
month?
Answer Options Response Percent
1 to 3 29.1%
4 to 6 4.7%
More than 6 7.1%
None 59.1%
10. SECURITY PRACTICE AWARENESS

20. 20
Identify
Plan
Educate
Measure
11. The ITSACAS approach
C1: Information Security awareness training
C2: Security awareness using social media
C3: Security awareness using posters
C4: Creating awareness on IT law
C5: Promoting the usage of security tools
C6: Security awareness through interactive
media
• Monitor
• Evaluate
• Target group.
• Approach
• Team
• Tools
• Schedule
• Timeline
• Resource utilization
• Technical assistance

21. 12. Conclusion
 IT security awareness - an essential / foundational element.
 To assure the nation’s information assets are protected.
 Found several important issues that need to be addressed.
 Basic knowledge on security exist.
 As an individual, the knowledge of information security awareness is considerably
better but as an institution, information security awareness should be improved
 Still not aligned to the security practices.
 Urgency on the part of the government, other professional bodies and the educational
institution to educate users about the information security needs of an institution.
 Implementing awareness training programs will solve the problems to some extend.
21

22. 13. REFERENCES
 [1] http://www.prweb.com
 [2] http://www.internetworldstats.com/stats.htm, Miniwatts Marketing Group, 2010 Internet World Stats.
 [3] A framework of anti-phishing measures aimed at protecting the online consumer's identity, Butler, The
electronic library, 25, 517-533.
 [4] http://localazon.com/pro/oman-online-retail-sales-report/ , Oman Online Retail Sales Report.
 [5]https://timetric.com/research/report/VR0938MR/, Emerging Opportunities in Oman’s Cards and
Payments Industry
 [6] Information Technology Authority – Oman, Annual Report- 2012-2013.
 [7] Mishandling of Classified Information. In: PRESIDENT, E. O. O. T. (Ed.). Washington, D.C., Lew, J.J.,
Wikileaks
 [8] Phishing Websites Detection based on Phishing Characteristics in the Webpage Source Code,
MonaGotaishAlkhozae
 [9] http://en.wikipedia.org/wiki/AdWords
 [10] Md. Shafiqul Islam, Syed AhsiqurRehman, Anomaly Intrusion Detection System in wireless Networks
:Security threats and existing approaches, International Journal of Advanced Science and Technology ,
Vol 36, November 2011.
 [11] Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance: An Empirical
Study of Rationality-Based Beliefs and Information Security Awareness’, MIS Quarterly, vol. 34, no. 3, pp.
523-A7.
 [12]http://www.fiercecio.com/story/colleges-and-universities-among-highest-risk-data-breaches/2014-08-
21
 [13] Hagen, JM, Albrechtsen, E & Hovden, J 2008, ‘Implementation and effectiveness of organizational
information security measures’, Information Management & Computer Security, vol. 16, no. 4, pp. 377-
397.
22

23. 23
Thank You