Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their activities and provide E-Services for their customers. In the process, whether they know it or not, those organizations are also opening themselves up to the risk of information security breaches. Therefore, protecting an organization's ICT infrastructure, IT systems, and data is a vital issue that is often underestimated. Research has shown that one of the most significant threats to information security comes not from external attack but rather from the system's users, because they are familiar with the infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only technological solutions to protect an organization's assets is not enough; there is a need to consider the human factor by raising users' security awareness. Our contribution to this problem is to propose an Information Security Awareness Program that aims at raising and maintaining the level of users' security awareness. This paper puts forward a general model for an information security awareness program and describes how it could be incorporated into an organization's website through the development life cycle process.
An Overview of Information Systems Security Measures in Zimbabwean Small and ... (researchinventy)
This paper reports on the Information Systems (IS) security measures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge of the different IS threats in order to enable the implementation of preventive measures.
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX (IJNSA Journal)
Nowadays, the use of wireless technology in organizations is routine, and we can see this technology erupting in all possible areas. Organizations employing wireless technology need to apply the proper security level, depending on the security policy already defined. If a security system is applied but not required, or required but not provided, the result is an improper security system. In this paper we show a way to evaluate the significance of data and its appropriate security level. We present a model to evaluate the cost of data from a security point of view by considering parameters such as sensitivity, volume, life, frequency, etc.; this research enables organizations to predict and understand the cost involved in securing their data by measuring the data value. We used questionnaire and survey methodologies to collect the data, and then used the SPSS and SAS programs to calculate and design a model. Regression and bootstrap methods helped us to find an accurate result.
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY (IJNSA Journal)
As universities migrate online due to the advent of Covid-19, there is a need for enhanced security in information systems in institutions of higher learning. Many opted to invest in technological approaches to mitigate cybersecurity threats; however, the most common types of cybersecurity breaches happen due to the human factor, well known as end-user error or actions. Thus, this study aimed to identify and explore possible end-user errors in academia and the resulting vulnerabilities and threats that could affect the integrity of the university's information system. The study further presented state-of-the-art human-oriented security threat countermeasures to complement universities' cybersecurity plans. Countermeasures include well-tailored ICT policies, incident response procedures, and education to protect users from security events (disruption, distortion, and exploitation). A mixed-method research approach with a qualitative research design was adopted to guide the study. An open-ended questionnaire and semi-structured interviews were used as data collection tools. Findings showed that system end-user errors remain the biggest security threat to information systems security in institutions of higher learning. Indeed, errors make information systems vulnerable to certain cybersecurity attacks and, when exploited, put legitimate users, the institutional network, and its computers at risk of contracting viruses, worms and Trojans, and expose it to spam, phishing, e-mail fraud, and other modern security attacks such as DDoS, session hijacking, replay attacks and many more. Understanding that technology has failed to fully protect systems, specific recommendations are provided for institutions of higher education to consider for improving employee actions and minimizing security incidents in their eLearning platforms, post Covid-19.
Top cited managing information technology articles (IJMIT JOURNAL)
The International Journal of Managing Information Technology (IJMIT) is a quarterly open access peer-reviewed journal that publishes articles that contribute new results in all areas of the strategic application of information technology (IT) in organizations. The journal focuses on innovative ideas and best practices in using IT to advance organizations – for-profit, non-profit, and governmental.
A LITERATURE SURVEY AND ANALYSIS ON SOCIAL ENGINEERING DEFENSE MECHANISMS AND... (IJNSA Journal)
Social engineering attacks can be severe and hard to detect. Therefore, to prevent such attacks, organizations should be aware of social engineering defense mechanisms and security policies. To that end, the authors developed a taxonomy of social engineering defense mechanisms, designed a survey to measure employee awareness of these mechanisms, proposed a model of Social Engineering InfoSec Policies (SE-IPs), and designed a survey to measure the incorporation level of these SE-IPs. After analyzing the data from the first survey, the authors found that more than half of employees are not aware of social engineering attacks. The paper also analyzed a second set of survey data, which found that on average, organizations incorporated just over fifty percent of the identified formal SE-IPs. Such worrisome results show that organizations are vulnerable to social engineering attacks, and serious steps need to be taken to elevate awareness against these emerging security threats.
ANALYZING AND IDENTIFYING FAKE NEWS USING ARTIFICIAL INTELLIGENCE (IAEME Publication)
The main reason behind the spread of fake news is the many fake and hyperpartisan sites present on the Internet. These fake sites try to manipulate the truth, which creates misunderstanding in society. Therefore, it is important to detect fake news and try to make people aware of the truth. This paper gives an insight into how to detect fake news using Machine Learning and Deep Learning techniques. On observing our data, we have categorized it into five attributes, namely Title, Text, Subject, Date, and Labels. In order to develop an efficient fake news detection system, each feature along with its degree of impact on the system must be taken into consideration. This paper attempts to provide a detailed analysis of detecting fake news using various models such as LSTM, ANN, Naïve Bayes, SVM, Logistic Regression, XGBoost, and BERT.
Executive panel discussion at the 2010 BDPA Technology Conference on "Federal IT Initiatives".
Panel members: John James (US Navy), Bob Whitkp (US Navy), Tony McMahon (IRS) and Dr. Anthony Junior (US Navy)
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,... (CSCJournals)
Social engineering is a major threat to organizations as more and more companies digitize operations and increase connectivity through the internet. After defining social engineering and the problems it presents, this study offers a critical review of existing protection measures, tools, and policies for organizations to combat cyber security social engineering. Through a systematic review of recent studies published on the subject, our analysis identifies the need to provide training for employees to ensure they understand the risks of social engineering and how best to avoid becoming a victim. Protection measures include awareness programs, training of non-technical staff members, new security networks, software usage, and security protocols to address social engineering threats.
DOES DIGITAL NATIVE STATUS IMPACT END-USER ANTIVIRUS USAGE? (IJCNCJournal)
Due to the increasingly online nature of business (e-commerce), it is essential to understand how end-users can be protected from malicious online activities such as malware. Several factors have been examined in the research on this topic. Digital native status was identified as a factor that has not been investigated thoroughly. This study examined how the security decision-making process is impacted by digital native status by looking at Protection Motivation Theory. Digital Native Status was investigated as a mediating factor in the PMT model. Intent to use antivirus was utilized as the protective measure. The findings indicate that digital native status does not mediate Fear. However, other factors, such as Fear, self-efficacy, and response efficacy, play a part in the intent to use antivirus. Conversely, the other constructs in the model, response costs and maladaptive rewards, did not have a relationship with antivirus usage. Practically speaking, employers and eCommerce businesses could use these findings to identify factors that play into their end-users' behaviors. These findings can be utilized to help guide training programs and professionals researching end-user behavior. These findings also suggest that future research should focus on factors other than age.
Electronic Healthcare Record Security and Management in Healthcare Organizations (ijtsrd)
This study aims at identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence of Electronic Healthcare Record security, as well as the countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and a qualitative research method was adopted, where purposive and stratified random sampling was used. This led to the construction of eleven relevant questions for four categories of staff. A conceptual framework was proposed to guide the study and the findings were evaluated using the proposed framework. The results revealed that there is a lack of knowledge sharing among employees, and some factors were found to be resistance factors; these include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria.
Attahiru Saminu, CLN, "Electronic Healthcare Record Security and Management in Healthcare Organizations", Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology, November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln
Bring Your Own Device 2014 TeamMate User Conference Palm Desert California (Jim Kaplan CIA CFE)
A presentation for the 2014 TeamMate User Conference as a guide for auditors on bring your own device and mobile device management – an important and timely topic for auditors in all organizations.
APPBACS: AN APPLICATION BEHAVIOR ANALYSIS AND CLASSIFICATION SYSTEM (ijcsit)
The number and complexity of malware attacks have increased many times over in recent times. Informed Internet users generally keep their computers protected but get confused when it comes to executing untrusted applications. In such cases users may fall prey to malicious applications. Malware behavior analyzers are available but leave report analysis to the user. Common users are not trained to understand and analyze these reports, and generally expect a direct recommendation on whether to execute an application on their computer. This research paper tries to analyze behavior and help common users and analysts to quickly classify an application as safe or malicious.
"If the purpose is right, the means will follow." This book focuses on how to manage during a disaster and reach out to people in the least possible time.
STUDY OF Ε-SMOOTH SUPPORT VECTOR REGRESSION AND COMPARISON WITH Ε- SUPPORT ... (ijscai)
A new smoothing method for solving ε-support vector regression (ε-SVR), tolerating a small error in fitting a given data set nonlinearly, is proposed in this study. It is a smooth unconstrained optimization reformulation of the traditional linear programming associated with ε-insensitive support vector regression. We term this redeveloped problem ε-smooth support vector regression (ε-SSVR). The performance and predictive ability of ε-SSVR are investigated and compared with other methods such as LIBSVM (ε-SVR) and P-SVM. In the present study, two Oxazolines and Oxazoles molecular descriptor data sets were evaluated. We demonstrate the merits of our algorithm in a series of experiments. Primary experimental results illustrate that our proposed approach improves the regression performance and the learning efficiency. In both studied cases, the predictive ability of the ε-SSVR model is comparable or superior to that obtained by LIBSVM and P-SVM. The results indicate that ε-SSVR can be used as an alternative powerful modeling method for regression studies. The experimental results show that the presented algorithm, ε-SSVR, performs more precisely and effectively than LIBSVM and P-SVM in predicting antitubercular activity.
Information security threats encountered by Malaysian public sector data cen... (nooriasukmaningtyas)
Data centers are primarily the main targets of cybercriminals and security threats, as they host various critical information and communication technology (ICT) services. Identifying the threats and managing the risks associated with data centers have become a major challenge, as this will enable organizations to optimize their resources to focus on the most hazardous threats to prevent the potential risks and damages. The objective of this paper is to identify major ICT security threats to data centers in the Malaysian public sector and their causes. The data for this study was collected through interview sessions. A total of 33 respondents from various government organizations were interviewed. The results revealed that technical threats; spyware, phishing and bluesnarfing threats; social engineering; and virus, trojan, malware, ransomware and viral website threats are the major categories of threats often encountered by Malaysian public sector organizations. The causes for these threats are lack of budget, competent personnel, and manpower for security tasks; lack of user awareness; lack of compliance and monitoring; insufficient security policies and procedures; as well as deliberate cyber attacks. The outcome of this study will give a greater degree of awareness and understanding to the ICT security officers who are entrusted with data center security.
Cultivating Proactive Cybersecurity Culture among IT Professional to Combat E... (AI Publications)
In the current digital landscape, cybercriminals continually evolve their techniques to execute successful attacks on businesses, thus posing a great challenge to information technology (IT) professionals. While traditional cybersecurity approaches like layered defense and reactive security have helped IT professionals cope with traditional threats, they are ineffective in dealing with evolving cyberattacks. This paper focuses on the need for a proactive cybersecurity culture among IT professionals to enable them to combat evolving threats. The paper emphasizes that building a proactive security approach and culture can help IT professionals anticipate, identify, and mitigate latent threats before they exploit existing vulnerabilities. This paper also points out that, as IT professionals use reactive security when dealing with traditional attacks, they can use it collaboratively with proactive security to effectively protect their networks, data, and systems and avoid the heavy costs of dealing with a cyberattack's aftermath and business recovery.
Classmate 1Cybersecurity risk can be characterized as the ris.docx (bartholomeocoombs)
Classmate 1:
Cybersecurity risk can be characterized as the risk emerging from pernicious electronic or non-electronic occasions influencing information innovation assets of firms, regularly bringing about the disturbance of business and budgetary misfortune. The significance of cybersecurity has grown in the course of the most recent couple of decades with the fast development of electronic gadgets and the web (Biener, Eling, and Wirfs, 2015). Physical items where information used to be put away, for example, records, floppy plates, and tapes, are not, at this point, utilized, and practically all individuals store their own and work information electronically now.
Information is put away in a confined private system at work, while at home individuals store their private information, for example, photographs, messages, and so on, in their messages or even in cloud administrations, for instance, the Apple cloud, where Apple iPhone clients will have their information continually upheld. This individual information may contain by and by recognizable information too, for example, the information that can be contained in an individual driver's permit, for example, date of birth and address (Fazlida, and Said, 2015). For the assailants, PII information is truly significant and thus they target global organizations where they could get this PII information effectively, which can be connected with the client's record and their installment information.
We see a great deal of cyber-assault happening to global organizations, for example, Target and Home-stop along these lines. From a mechanical standpoint, firms regularly share associated risks and vulnerabilities of being penetrated together because of the use of normal security advances and the availability of PC systems. In the above articulation, we can see that all organizations have risks and vulnerabilities in their system which should be appropriately redesigned and checked to be made sure about. We additionally observe government databases being hacked from remote nationals to pick up the necessary information or PII of assets they are quick to acquire (Biener, Eling, and Wirfs, 2015). In this manner, we can say that cybersecurity isn't only a business danger yet, in addition, a matter of national security.
As an IT administrator, there are a few different ways I would attempt to deal with the IT risks inside my organization (Pei-Yu, Kataria, and Krishnan, 2011):
1. I would initially do a constant risk evaluation and distinguish the risks which are generally essential and touchy to the organization, and make a rundown of basic resources, recognized risks, and future potential risks that would be tended to. The prioritization of these risks is significant, and likewise the administration should be included in this.
2. The risk proprietors can possess the organized risks and work with the group to relieve these risks and record them. The most noteworthy risks are to be killed first.
Fundamental Areas of Cyber Security on Latest Technologyijtsrd
Cyber Security has developed one of the biggest challenges of information technology in the present day. Cyber security consists of controlling physical access of the hardware, application, networks and protecting against harm that may come via networks. It is a mixture of processes, technologies and practices. The objective of cyber Security is to protect programs, application, networks, computers and data from attack. Moreover, various measures of cyber security is quite a very huge concern to many. This paper mainly focuses on challenges faced by cyber security on the latest technologies. It also focuses on the latest about cyber security techniques, ethics and the trends changing the face of cyber security. This paper mainly focuses on cyber Security and its fundamental elements on latest technologies. Aye Mya Sandar | Ya Min | Khin Myat Nwe Win "Fundamental Areas of Cyber Security on Latest Technology" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5 , August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd26550.pdfPaper URL: https://www.ijtsrd.com/computer-science/computer-security/26550/fundamental-areas-of-cyber-security-on-latest-technology/aye-mya-sandar
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
International Journal of Computer Science & Information Technology (IJCSIT) Vol 5, No 2, April 2013
DOI: 10.5121/ijcsit.2013.5206
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
Ali Maqousi¹, Tatiana Balikhina¹, Michael Mackay²
¹ Petra University, Faculty of Information Technology, Jordan
amaqousi@uop.edu.jo, tbalikhina@uop.edu.jo
² Liverpool John Moores University, UK
M.I.Mackay@ljmu.ac.uk
ABSTRACT
Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their activities and provide E-Services for their customers. In the process, whether they know it or not, those organizations are also opening themselves up to the risk of information security breaches. Therefore protecting an organization’s ICT infrastructure, IT systems, and data is a vital issue that is often underestimated. Research has shown that one of the most significant threats to information security comes not from external attack but rather from the system's users, because they are familiar with the infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only technological solutions to protect an organization’s assets is not enough; there is a need to consider the human factor by raising users’ security awareness. Our contribution to this problem is to propose an Information Security Awareness Program that aims at raising and maintaining the level of users’ security awareness. This paper puts forward a general model for an information security awareness program and describes how it could be incorporated into an organization’s website through the development life cycle process.
KEYWORDS
Information security awareness program, E-business, Security Policy, Security Culture
1. INTRODUCTION
Increasingly, a wide range of profit or nonprofit, public or private, organizations rely on Information and Communications Technology (ICT) to conduct their businesses, in particular organizations that offer their services online. In doing so, those organizations expose themselves to the risk of information security breaches, especially in the case of smaller businesses who lack extensive ICT support services. Therefore, developing appropriate and affordable mechanisms to protect an organization’s ICT infrastructure, systems, and data is a vital issue. One of the most significant threats to information security comes from the system's users, because they are familiar with its infrastructure and services but they may not be aware of the security policies in place to protect them and their significance. This reaffirms the finding that it is not always dissatisfied workers and corporate spies (so called insider attacks) that cause problems but often, it is the non-malicious, uninformed employees (users) that pose the greater threat [1].
E-Business refers to the use of ICT by organizations that gives them the capacity to offer online services, transform relations with customers, businesses, and other organization’s departments. Any organization can deploy E-Business as a means to improve the internal workings of its operations, the relationship with its customers who consume its services, and manage its relationships with other businesses. Researchers usually split IT users into categories such as home user, business user, and academic user [2,3,4] to differentiate levels of competence but this can often be misleading. In this paper we focus on the novice (business) users of an organization’s intranet who may be unskilled in ICT but will nevertheless have access to the organization’s IT resources.
Often huge amounts of money and time are invested by organizations into technical solutions to security issues while the human factor receives less attention. Technical solutions are of course necessary to address vulnerabilities such as viruses and denial of service attacks, and to prevent unauthorized access. However, the involvement of humans in information security is of equal if not greater importance and many examples of security issues such as "Phishing" and Social Engineering exist where any technical solutions can be subverted by misleading the user [5]. Therefore, user information security awareness is a major component within industry good practice for security. In short, we argue that, rather than focusing purely on developing increasingly restrictive technologies and policies that often restrict usability, organizations should focus on making users intrinsic to the security process through education, training, and awareness.
We propose that, in addition to any technological security solutions deployed, an organization has to have an information security awareness program for its users. In this paper we present our approach to build a user-oriented security awareness program to increase and maintain a certain level of user awareness of the risks of ICT and reinforce good security practice. The Information Security Forum (ISF), one of the world's leading independent authorities on information security, defines information security awareness as: "An ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change" [6]. This could be implemented alongside the organization’s website and/or within specific organizational administration tools. This is fundamental to ensure that all staff act in an appropriate manner to keep sensitive information secure given the broad increase in reliance on IT systems and information stored electronically. This is made all the more pressing due to the extraordinary increase in the use of Internet services to support internal business processes and the advent of Cloud Computing [7, 8, 23]. This risk is further increased through the availability of personal electronic equipment such as tablet PCs and smart-phones, which are able to communicate wirelessly with many other devices and have massive internal storage capacities [9, 24].
The remainder of this paper is organized as follows: section 2 will present an overview of existing approaches to maintaining user security and awareness raising approaches. Section 3 will describe our methods for conducting an awareness raising program and then explain our experimental design. Thereafter, section 4 presents our approach to raising security awareness among users and section 5 abstracts this to define our overall approach. Finally, we conclude in section 6 with some final thoughts and an outline for further work.
2. RESEARCH OVERVIEW
The growth in organizations using ICT for E-Business imposes the need to develop extensive and robust computer and mobile security mechanisms. These mechanisms are largely intended to help organizations protect their assets, such as information, databases, programs/services, and hardware, from any inadvertent or malicious harm or damage with the minimal level of user knowledge or input. The level of severity obviously varies from one case to another and depends largely on the users’ awareness of possible harm and damage, their knowledge of the source of threats, and whether they are applying security good practice or not [2,3].
The problem of lax security awareness among non-malicious users has long been recognised as a significant vulnerability in any IT system. A 2005 report from McAfee [10] highlighted the following statistics:
• “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet”.
• “More than half (51%) connect their own devices or gadgets to their work PC... a quarter of who do so every day”.
• “One in ten confessed to downloading content at work they should not”.
• “Two thirds (62%) admitted they have a very limited knowledge of IT Security”.
• “More than half (51%) had no idea how to update the anti-virus protection on their company PC”.
• “5% say they have accessed areas of their IT system they should not have”.
The impact of these bad practices is reaffirmed in the most recent report for Q1 2012 [11], which demonstrates that many of the common exploits targeted at unwitting users continue to thrive. The development of an effective Information Security Awareness Program is therefore recognised as a cornerstone for the effective protection of IT infrastructures and there has been a significant amount of research work done in order to establish the most effective approaches to this. For example, in the United States, the National Institute of Standards and Technology (NIST) published a report to guide firms in building an Information Technology Security Awareness and Training Program [12]. This is just one example of the broader movement towards security awareness and many organisations now publish such information for their employees [13] or for the general public at large [14, 15].
Fundamentally however, this research is done either from an academic or managerial perspective
and less consideration is typically given to tailoring this to a specific user base or company.
Whether it is due to educational, regional, cultural, or ethnic reasons, groups of users will
respond differently to any programs or policies which aim to govern how they interact with ICT
[16]. As such, more recent works focus on how to effectively ‘segment’ the audience to refine the
program and produce a more fine-grained security approach [17]. These efforts propose 5 steps to
more effectively identify and engage users into security awareness:
1. Ascertain the current level of computer usage
2. Understand what the audience really wants to learn
3. Test how receptive the audience is to a security program
4. Examine how to gain acceptance
5. Research who might be a possible ally
2.1 Progressive development in an Information Security Awareness Program
Once the target audience has been selected and engaged, the next task is to consider the level of
awareness that is necessary and desirable for users to reach. Of course, any organisation must be
realistic in defining what is achievable through such a program based on the level of user
expertise, the available resources to implement the program, and the overheads involved. Four
levels of awareness can be identified here which represent increasing stages of user
understanding: All Users, IT aware Users, Trained IT users, and IT specialists. The transition
between each level can also be broadly understood in terms of the types of engagement required,
a summary of which is presented in figure 1 below:
Figure 1- User transitions in Information Security Awareness
This diagram shows that some effort is necessary in order to promote users from the lowest,
uninitiated, level to the first stage where they have some basic awareness of IT security issues.
This may be intrinsically present in some cases, in a ‘western’ university environment for
example, where one can assume that by virtue of being immersed in an IT environment some
basic awareness is imbued into users by default, whereas this may require an explicit step in other
cases [15, 18]. Beyond this, a degree of formal training is required in order to transition users to
the next step up where some assurance is present that the users have been trained in IT security
issues and will adhere to a formal security policy. This is considered to be the ideal level of
awareness in organisational environments. Moving upwards, there exists a higher level of
training where education is provided to impart a level of IT specialism to users. This may
however only be necessary for users who need to understand the underlying complexities in order
to develop further protection or update existing mechanisms, i.e. IT support staff.
2.2 Developing an Information Security Awareness Program
Past research has also highlighted the importance of the proper development of an awareness
program that not only considers how it should be implemented but also how it can be used to
maintain user awareness going forward [19]. In total, four stages have been defined in order to
deliver an effective program: Analysis, Design, Implementation, and Maintenance.
The steps discussed above such as user identification and training level represent the core points
of the Analysis stage. This should also be put in an organisational context by first conducting a
needs assessment and then refined to establish more fine-grained priorities. The Design stage will
then take the output of the analysis and develop awareness training material based on the critical
topics that have been identified, and select the optimal means to deliver them. From there, the
Implementation stage will present the awareness program to users in an effective manner [20]
and incorporate a feedback mechanism to refine further delivery based on user response. Beyond
this, the program should include a fully considered Maintenance stage that measures user
compliance and plans for further developments, perhaps as part of a wider professional
development program.
This paper aims to present best practices for implementing a web-based security awareness
program for an organization’s users. The specific focus of this work is to
highlight the relationship between an organization’s website and its information security
awareness program. This relationship is one of amalgamation. We believe that by including the
information security awareness program into the organization’s website, it will contribute
positively to increasing the level of users’ security awareness while ensuring the program is
sustainable. This solution is an alternative to having a separate mechanism for promoting the
security awareness program.
3. METHODS OF CONDUCTING INFORMATION SECURITY AWARENESS
RAISING
As we have seen, continuous education and training are the best practices for conducting any
information security awareness program. Learning from previous experience is a good way to
develop future working plans and, in this regard, in order to build a security awareness culture we
need to learn from previous lessons and avoid their mistakes. Two decades ago when
organisations started to use personal computers in conjunction with the Internet, they asked their
users to be aware of and use simple security measures, such as employing user-names and
passwords, and installing antivirus software. Nowadays changes in technology challenge users to
become ever more immersed in computers and the Internet, and therefore stronger and more
thorough security issues should be introduced and enforced. For example, the South Carolina
Department of Revenue IT Security failure happened when hackers managed to get valid user
credentials and use them to gain access to sensitive files. The credentials were handed over when
a user clicked on a malicious email link [21].
Increasing the level of user awareness can be achieved most quickly by building a security
awareness culture. As an example, using strong user-names and passwords is now deeply
incorporated in our daily working actions not just for logging onto computers but when accessing
any online service. The results in [2] show that the majority of surveyed users (96%) believe in
the importance of using user-name and password and 97.5% are using them. This result has been
achieved because of: firstly, the academic environment they belong to, and secondly, many years
have passed since E-Society encouraged and in many cases enforced the use of user-name and
passwords. We want to build upon this experience to promote mass collective education as a
means of increasing the level of users' security awareness both in the academic and wider
environment. Of course, this is just an example of how a security culture can be manifested, other
examples include:
- User education and training
- Analysis of user behaviors
- Setting organizational policies and regulations
- Monitoring for compliance to policies and regulations.
- Identifying security threats and vulnerabilities
- Deploying effective security tools and instruments.
3.1. Experimental Approach
In previous works [2, 3] we presented results that show the importance of raising users’
security awareness; in summary, we surveyed a range of educational organizations’
employees to gather information and statistics about the current level of users’ security
awareness. We also interviewed computer center staff at an organization to identify the
challenges faced when dealing with problems caused by users, to learn about the frequency of
breaches, and to understand the computer center’s wider security goals. Based on this, we created
a number of posters to be distributed at different locations around the organization premises and
developed a security awareness website to be used by the organization's users (employees and
students). We also conducted security awareness sessions and workshops that aim to introduce
users to the organization’s security policies and available tools. We consider this work as
necessary first steps towards achieving the overall objective of the program. The main outcomes
of this work showed the importance of measuring the level of security awareness among
the organization’s users. In a few areas this level was acceptable, but in many others it was
low and needed to be raised to avoid the potential for security issues.
One of the challenges in the process of designing and developing the security awareness program
is collecting the right material for targeted groups of users. As an example, a poster that includes
technical tips in a number of steps may be appropriate for an educational organization’s users
while a poster with more drawings is better for other types of user. As another example, advanced
and up-to-date security tips could be presented to skilled IT users, while simpler and more basic
tips will be more appropriate for novice IT users. Once the material is ready for use by the
implementers, it can then be distributed via different available communication channels. One of
the most powerful communication tools is the organization’s website which can be accessed by
the organization’s intranet users. Our primary goal is therefore to explore how this mechanism
can be used to disseminate the information security awareness program and how this forms an
important part of the security life cycle.
4. METHODS OF DISTRIBUTING THE SECURITY AWARENESS PROGRAM
In order to drive towards continuous user education, we have designed and developed a website
for disseminating our information security awareness program. This channel of distribution is the
best candidate amongst other mechanisms as it intrinsically satisfies the requirement for reaching
a large number of targeted users as the employees and students of the organization will likely be
the prime users of the website. The website includes several ways to educate users and to keep them
informed with the latest news, updates, and training that might be used to secure users' and the
organization’s assets. One of the other main services provided by the website is the possibility to
enable users to participate in different periodic surveys to monitor awareness.
Moreover, the website provides a channel for IT Support staff to distribute necessary information
and updates on security issues to keep the organization’s users informed of emerging security
threats and vulnerabilities. It also works as an E-learning tool to conduct training on topics related
to users’ security awareness, such as how to use a certain security tool. Moreover, the website has
many other ancillary features such as poster galleries, forums and bulletin boards, and blogging.
One issue we identified after initially implementing the program was deploying it as a separate
website, which had the effect of limiting the number of website visitors as it was designed and
developed as an independent entity. The reasons for this limitation were: first, the website’s
popularity, as its URL was not well known to users; second, users usually see no reason to
browse a security website when they have no perceived security problem. In the three months
after publishing the website we recorded less than 1% of potential users accessing it.
4.1 Awareness Program Analysis
As a result of these findings we decided to incorporate the information security awareness
program into the organization’s website. By doing this we aim to have a clear component built
straight into the website so all registered users will be able to locate and use the program easily.
This is an especially powerful mechanism where organizations default their browser homepage to
their website.
In order to generalize this process into any website development life cycle, we have conducted a
seminar with 30 web developers gathered at a specialized workshop for web developers in the
Arab world [22]. A survey that was performed at the workshop highlighted the following facts:
- 53% of surveyed web developers are not familiar with information security awareness
programs.
- Only 18% of surveyed web developers confirm the existence of information security
awareness program on their websites.
- 33% of those who answered positively on the existence of information security awareness
program on their website indicate that they don’t use a reference model for development.
- Only 10% of surveyed web developers confirm that the material of information security
awareness program is presented explicitly.
The above facts formed the basis for us to propose adding a requirement of information security
awareness programs to be added into the requirements phase of any web site design methodology
such as the waterfall model.
5. GENERAL MODEL
In this section we propose our general model for an Information Security Awareness Program
(ISAPM). Figure 4 shows our model, which is built around seven core blocks. This model has
been adopted based on the proven concept that educating users is the best practice for increasing
users’ security awareness level. Any organization starts its program by learning its own security goals.
This information will be used to design the program, after that the program will be developed and
implemented. Maintaining the program is also a crucial stage, which aims to keep the program
running with up to date information. As the aim of the program is to raise security awareness, it is
necessary to measure this on a regular basis. Finally, it is important to review the program by
taking into consideration the results of these measurements with any changes in the
organization’s security goals feeding back into the design block for any further updates. In this
work we have focused on the design and development blocks and we leave details of other blocks
for further work. However, we will give a brief description of the whole model in this section.
The requirements process in the model starts with identification of the organization’s security goals.
This initial process includes interviewing computer center staff (and the staff responsible for
managing and running computer and Internet services in the organization). The purpose of these
interviews is to identify and understand the organization’s security goals, taking into
consideration the nature of its business, its customers’ needs for computer and Internet services,
its employees’ qualifications and expertise, the methods of IT security employed, and existing
policies and procedures.
Figure 4 – The ISAPM model
The design process mainly concerns identifying the required program elements that should be
included in the security awareness program. Among the program’s elements could be guidelines
booklets, posters, awareness training workshops, online forums to enable users to interact, alert
and news sections, and online surveys and statistics. Such a system needs to be easily accessed,
have clear content, and be interactive by utilizing different multimedia elements.
The development process of the security awareness program can be done using a range of web
based development tools such as ASP.NET or PHP. The decision should be made based on
available resources and developers’ expertise. The system should be built based on the concept of
a Content Management System (CMS) to provide an online platform for enabling users’
contributions to enrich the system’s content and emphasize their responsibilities towards raising
security awareness for all.
The implementation process includes selecting one of three ways to run and distribute the
program: as part of the organization’s website, as part of the organization’s administrative tools, or as
a separate website. We propose in this paper to integrate the program within the organization’s
website for the reasons discussed in section 4. We believe this solution will increase the visibility
of the program and make it more accessible to all organization’s users.
The maintenance process includes defining a procedure to maintain the program by consistently
providing up to date and appropriate content. To ensure proper maintenance, the organization
should employ skilled staff that are qualified to run and maintain the program.
The measuring process concerns establishing ways to evaluate and measure the current users’
security awareness level. This should be done on a regular basis, both online and offline. Based on
this, a number of periodical reports and statistics should be generated and published so they can be
made available to any authorized users, potentially via the main security awareness website.
The reviewing process is performed offline by administrative and technical staff (a reviewing
team). They will periodically review all reports and statistics gathered from the measuring
process and approve or define a new set of requirements to be included in the program. The
reviewing team’s recommendations will be forwarded to the development process for further
actions, which forms the closed system.
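The measuring and reviewing blocks above say that awareness should be measured regularly, turned into periodic reports, and fed back as a new set of requirements. The following script is an added example, not code from the paper or its website: it aggregates constructed survey answers (modelled on the belief-versus-practice split of the user-name and password result cited from [2]) per user group and topic, builds the review queue of topics whose practice rate falls below a target, and maps each group onto the paper's four awareness levels. The 80% target, the level cut-offs and the sample responses are all assumptions for illustration.

```python
"""Awareness measurement report for the ISAPM measuring/reviewing blocks.

Added example: aggregates constructed survey responses per user group and
topic, flags topics below a target practice rate for the reviewing team, and
maps each group onto the paper's four awareness levels.  Thresholds and
sample data are assumptions, not values from the paper.
"""
from collections import defaultdict

# Constructed sample survey responses (not real survey data):
# (user_group, topic, believes_it_is_important, applies_it_in_practice)
SAMPLE_RESPONSES = [
    ("staff", "passwords", True, True),
    ("staff", "passwords", True, True),
    ("staff", "passwords", True, False),
    ("staff", "phishing", False, False),
    ("staff", "phishing", True, False),
    ("staff", "phishing", True, True),
    ("staff", "antivirus_updates", True, False),
    ("staff", "antivirus_updates", False, False),
    ("staff", "antivirus_updates", True, True),
    ("students", "passwords", True, True),
    ("students", "passwords", True, True),
    ("students", "passwords", True, True),
    ("students", "phishing", False, False),
    ("students", "phishing", False, False),
    ("students", "phishing", True, False),
    ("students", "antivirus_updates", True, True),
    ("students", "antivirus_updates", True, True),
    ("students", "antivirus_updates", False, False),
]

TARGET_PRACTICE_RATE = 0.80  # assumed: a topic is "acceptable" at or above this

# The paper's four levels of user awareness, lowest first.
LEVELS = ["All Users", "IT aware Users", "Trained IT users", "IT specialists"]


def topic_scores(responses):
    """Return {group: {topic: (belief_rate, practice_rate, sample_size)}}."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for group, topic, believes, applies in responses:
        counts = tally[group][topic]
        counts[0] += int(believes)
        counts[1] += int(applies)
        counts[2] += 1
    return {
        group: {topic: (b / n, a / n, n) for topic, (b, a, n) in topics.items()}
        for group, topics in tally.items()
    }


def review_queue(scores, target=TARGET_PRACTICE_RATE):
    """Topics whose practice rate is below target, for the reviewing team.

    Each entry is (group, topic, practice_rate, belief_minus_practice); the last
    field shows the "knowing but not doing" gap that training should close.
    """
    queue = []
    for group, topics in sorted(scores.items()):
        for topic, (belief, practice, _n) in sorted(topics.items()):
            if practice < target:
                queue.append((group, topic, round(practice, 2), round(belief - practice, 2)))
    return queue


def awareness_level(group_scores):
    """Map a group's mean practice rate onto LEVELS (cut-offs are assumed)."""
    mean_practice = sum(p for _b, p, _n in group_scores.values()) / len(group_scores)
    if mean_practice < 0.50:
        return LEVELS[0]
    if mean_practice < 0.80:
        return LEVELS[1]
    if mean_practice < 0.95:
        return LEVELS[2]
    return LEVELS[3]


def report(responses):
    """Periodic report: per-group awareness level plus the review queue."""
    scores = topic_scores(responses)
    return {
        "levels": {group: awareness_level(topics) for group, topics in scores.items()},
        "review_queue": review_queue(scores),
    }


if __name__ == "__main__":
    result = report(SAMPLE_RESPONSES)
    for group, level in result["levels"].items():
        print(f"{group}: {level}")
    for group, topic, practice, gap in result["review_queue"]:
        print(f"review: {group}/{topic} practice={practice:.0%} belief-practice gap={gap:.0%}")
```

The belief-minus-practice column is the useful signal for the design block: a topic where belief is high but practice is low calls for a how-to (tool training, a poster with steps), whereas one where both are low calls for basic awareness material first.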
6. CONCLUSIONS
Organizations are part of the E-society where the Internet, computers, and mobile devices
become the main tools that help us to participate as users and perform our daily activities.
However, E-business adds new security challenges since its users are businesses and employees.
We have shown that in order to protect an organization’s IT assets against emerging threats, there
is an on-going need to educate and train the system’s users to be aware of possible threats and
guard against them as part of their everyday working practices. In this paper we have shown the
importance of incorporating an information security awareness program into an organization’s
website and proposed a general model that could be integrated into the development life cycle.
For future work we intend to investigate the impact of integrating the security awareness program
requirements into various software development models and investigate different measurement
methods to evaluate and monitor users’ security awareness levels.
ACKNOWLEDGEMENTS
This research was supported and funded by the Scientific Research Deanship at Petra University.
REFERENCES
[1] Corporate Technology Group 2008, "The threat within: is your company safe from itself?", Corporate
Technology Group Web site:
http://www.ctgyourit.com/newsletter.php. Feb 2009.
[2] A. Maqousi, T. Balikhina, "Building Security Awareness Culture to Serve E-Government Initiative",
book chapter in Handbook of Research on E-Services in the Public Sector: E-Government Strategies
and Advancements, Editors Dr. Abid Al Ajeeli and Yousif Al Bastaki, 2010, Ch 24, Information
Science Reference (IGI Global), Hershey-New York, USA. ISBN 978-1-61520-789-3
[3] A. Maqousi, and T. Balikhina, “User Security Awareness in E-Society”, International Arab
Conference of e-Technology, IACeT 2008, 5th - 16th October 2008, Amman, Jordan.
[4] Enisa, European Network and Information Security Agency “A user’s Guide: how to raise
information security awareness”, June, 2006.
[5] Kruger H.A., Drevin L., Steyn T. A framework for evaluating ICT security awareness.
http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.
jsp?&pName=security_level1_article&TheCat=1001&path=security/2006/v4n5&file=bsi.xml& May,
2008
[6] ISF,https://www.securityforum.org/index.htm June, 2008
[7] ENISA,http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf, May 2008
[8] Robert Ayoub, The 2011 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan,
2011.
[9] The Guardian 16/10/12, “Police force fined £120,000 after theft of unencrypted memory stick”,
http://www.guardian.co.uk/uk/2012/oct/16/police-force-fine-theft-memory-stick (last accessed
04/12/12).
[10] Bruce Schneier on the Insider Threat: December 19, 2005,
http://www.schneier.com/blog/archives/2005/12/insider_threat.html.
[11] McAfee Threats Report: First Quarter 2012.
[12] M. Wilson, J. Hash, “Building an Information Technology Security Awareness and Training
Program”, NIST Special Publication 800-50, October 2003.
[13] University of Arizona Security Homepage: http://security.arizona.edu/basics (last accessed 30/11/12).
[14] BBC webwise safety page: http://www.bbc.co.uk/webwise/topics/safety-and-privacy/ (last accessed
30/12/12).
[15] Microsoft Safety and Security Centre,
http://www.microsoft.com/protect/promotions/us/cybersecuritymonth_us.mspx May, 2008
[16] A. Marks, Y. Rezgui, "A Comparative Study of Information Security Awareness in Higher Education
Based on the Concept of Design Theorizing," Management and Service Science, 2009 (MASS '09),
pp.1-7, 20-22 September 2009.
[17] T. R. Peltier, “Implementing an Information Security Awareness Program”, Information Systems
Security, 14:2, 37-49 (2005).
[18] F. Aloul, “The Need for Effective Information Security Awareness”, Journal of Advances in
Information Technology, Vol 3No 3, August 2012.
[19] F. H. Katz, “Integrating a security awareness program into an information security course”, Journal of
Computing Sciences in Colleges, v.23 n.2, p.181-187, December 2007.
[20] W. A. Al-Hamdani. “Assessment of need and method of delivery for information security awareness
program”, 3rd conference on Information security curriculum development (InfoSecCD '06), pp102-
108. 2006.
[21] Internet Evolution 11/12/12, “South Carolina’s IT Security failure Teaches Valuable Lessons”,
http://www.internetevolution.com/author.asp?section_id=679&doc_id=254786 (last accessed
11/12/12).
[22] Training Conference. “Strategies and substantive and technical skills to manage
and develop Websites and checking them and protect them", 21-25 Feb, 2010, Amman, Jordan.
[23] Swarnpreet Singh and Tarun Jangwal “Cost Breakdown of Public Cloud Computing and Private
Cloud Computing and Security Issues ”, International Journal of Computer Science & Information
Technology (IJCSIT), Vol 4 No 2, April 2012.
[24] Palson Kennedy “Shaping of Location Conscious Information”, International Journal of Computer
Science & Information Technology (IJCSIT), Vol 4 No 6, December 2012.
AUTHORS
Ali Maqousi (amaqousi@uop.edu.jo). He is an assistant professor at Petra
University, Faculty of Information Technology, Amman-Jordan. He is acting as the head
of the department of Computer Science and Computer Networks. He received his PhD
in computer science from Oxford Brookes University, UK, 2003 for his work on
providing Quality of Service (QoS) in packet switched networks. He was a network
administrator and part-time teacher assistant at Petra University (PU) from 1993–1997
and full-time teacher assistant from 1999-2003. Since 2003 he has been an assistant professor
at the Faculty of Information Technology at PU and currently he is the head of computer science and
networking department. He is ITSAF Secretary - General (Information Technology Students Activity Fair,
ITSAF is a yearly event for University students since 2005). He is the university liaison officer for
European Union 7th framework program (FP7) and Tempus since 2007. He is involved in research relating
to multi-service networking, network performance, security and privacy, and social networks.