Computing and Information Systems - Research Publications

Search Results

Now showing 1 - 10 of 13
  • Item
    Assessing and controlling risks associated with Denial of Service (DoS) attacks on organizational networks
    Gajja, Abhinav ; Shah, Deepam Vipinchandra ; Asnani, Dheeraj ; Riveros, Edgar ; L'Hotellier, Johannes ; Chandrakumar, Narendrakumar ; Kale, Tejas (2014-08)
    and control of information security risks have emerged as a primary means by which organizations secure information infrastructure. Key assets are identified and protected as a part of risk management strategy. In this process, commonly Denial of Service (or DoS) attacks are overlooked. DoS service is traditionally not considered as information security risk, hence the treatment of that remains low priority. But in the recent past, several such attacks had made high profile business’s web servers unavailable or inaccessible for considerable period of time, which consequently caused monetary and reputational losses. Hence now there is a substantial need to consider DoS attacks as a potential risk for information security and its assessment and treatment should be included in organization’s risk management process. This paper examines the major forms of DoS attacks that are lodged on critical network infrastructure of an organization, targeting the availability and access of its critical business and IT Services and further how the risk of such attacks can be reduced or mitigated through risk management process.
  • Item
    Implications of social media networks on information security risks
    Boorman, James ; Liu, Yanhua ; Zhang, Yixin ; Bai, Yu ; Yao, Siyi ; Wang, Mengxue ; Tai, Li (2014-08)
    The user base of Social Media Networks (SMN) has grown dramatically over the last 10 years, with the Facebook platform alone commanding 18% of the world’s population as active users. Thus SMN provide a mechanism to disseminate information both rapidly and globally. Despite this fact, little research has been conducted into the implications of SMN on information security risk. Here we conduct a literature review in order to provide information security professionals with insight into the threats, threat agents, vulnerabilities and potential risks faced by individuals and organisations from SMN. Findings suggest that confidentiality and integrity of information can be threatened by multiple actors and mechanisms, putting information and reputation at risk. Information security professionals face a mammoth task to manage such risks and a standard approach to risk management seems unlikely to be effective.
  • Item
    Information security culture as an enabler: addressing the gap between organisational knowledge sharing and information security
    Pathan, Enamul Haq ; Huang, Gang ; Xu, Jiamin ; Hassan, M D ; Zoma, Rusol ; Rajagopalan, Sujatha ; Dong, Wenlong (2014-08-01)
    Knowledge sharing is a vital business strategy that creates value for an organisation. It also leads to accidental or deliberate loss of information and knowledge. With an ideal culture, the knowledge sharing barrier can be broken without leaking information. We gathered data from the literature on the benefits of knowledge sharing in organisations and the related risks, addressing the role of a positive organisational culture. We interviewed information security specialists in small and large organisations in Melbourne and overseas. The study confirms the findings from literature that organisations value knowledge sharing to gain a competitive advantage. They also revealed that the preventive measures of knowledge leakage usually involved fostering a sharing culture with strategy, policies and controls in place with regular training and awareness. Based on these observations, we propose the need for future research on organisations that have fostered a culture of sharing knowledge without compromising its security.
  • Item
    Security challenges of BYOD: a security education, training and awareness perspective
    Chen, Hanlin ; Li, Jiao ; Hoang, Thomas ; Lou, Xiaowei (The University of Melbourne, 2013)
    This paper explores the security challenges of Bring Your Own Device (BYOD) for users and organisations by identifying the security threats to mobile devices. Based on these challenges, this paper will aim to identify the security education, training and awareness approaches and concepts based on existing literature to form an understanding of how users can be motivated to commit to BYOD policies and practices. The extent in which users are accountable for the security threats related to BYOD is found to be significant in this paper. It is therefore critical that organisations considering implementing BYOD should focus on developing the education, training and awareness programs for its employees based on concepts of motivation, commitment, knowledge retention and the tradeoff between user/device monitoring and user privacy.
  • Item
    Effectiveness of security controls in BYOD environments
    Marjanovic, Zoran (The University of Melbourne, 2013)
    Mobile computing introduced completely new security risks and increased the potential of the old ones. Remote access as an enabler of mobile computing opened the organisations’ systems to various attacks from the Internet, both technical and social ones. Regular access to the Internet outside corporate systems exposed mobile devices to malicious code and hackers which improved the attack success rate. As a response, security experts have been developing technical and non-technical mechanisms for protection of information. They have been trying to identify the most effective approach and combination of security controls that can deliver maximum security without impairing the business processes. These efforts increased with the introduction of Bring Your Own Device (BYOD) concept. BYOD reduces IT costs and provides more flexible work experience. So far, many organisations decided to allow user-owned devices on the system and the trend is still growing. From information security perspective, BYOD comes with risks common for mobile computing, but it also introduces new technical and legal ones. Technical solution providers have been trying to develop security systems that can help organisation in adopting the BYOD concept, and security experts have been trying to design a complete security strategy that can meet the challenges of BYOD. The focus of these efforts is information security.
  • Item
    Does BYOD increase risks or drive benefits?
    Pillay, Ashwin ; Diaki, Harrik ; Nham, Eric ; Senanayake, Samanthi ; TAN, GLORIA ; Deshpande, Saurabh (The University of Melbourne, 2013)
    This paper looks at the benefits and risks associated with bring your own device (BYOD), a practice that is becoming common to many organisations. Literature reviews of established academic journals were conducted to illustrate key points, arguments, and supporting evidence to draw conclusions. The paper has found that BYOD is an inevitable part of modern organizations’ business practice. Its adoption will continue to rise due to its effectiveness in supporting business operations. The paper also found that there are substantial risks in BYOD that can be harmful to organizations, and thus its ability to control BYOD is crucial in the prevention and mitigation of these risks. The paper contributes to current literature by emphasizing that in order to fully realize the potential ongoing benefits of BYOD, control strategies must be applied, and that the human factor must be taken into account as it plays a pivotal role in the effectiveness of these security measures.
  • Item
    Confidentiality and health: a literature review
    Alateeq, Sulaiman ; Viswanathan, Hari Hara Sudhan ; Fuentealba, Christobal ; Pang, Haoran ; HU, CHENWEI ; Salisbury, Sean (The University of Melbourne, 2013)
    Confidentiality in the growing Electronic Patient Records is a heated argument in the current world with heavy political involvement; this paper aims at learning how to achieve EPRs confidentiality through security policies to satisfy privacy legislations electronic health provisions. The literature part initially focuses on concepts involved in general and information security policies, and moves on towards the concepts of information security policy concepts, modules and mechanisms within the healthcare industry literature. The merits and demerits of these concepts will be discussed and an efficient model will be proposed in the discussion part. The paper discusses finding efficient and effective approaches for formulating, implementing and refining security policies, and in enforcing them with appropriate procedures; and in analysing human behaviours to achieve the objective of achieving EPRs confidentiality. These information security policy modules and mechanisms include the Individual Identifiable Micro-data Technique, ETHICS method and Information Assurance policy compliance framework. The premise of this research also provides launch space with opportunities for future research.
  • Item
    Security risks in teleworking: a review and analysis
    Yang, Huiyi ; Zheng, Chaofan ; Zhu, Lika ; Chen, Fei ; ZHAO, YUMIN ; Valluri, Manjeera (The University of Melbourne, 2013)
    Teleworking as an innovative working practice attracts organizations to apply it throughout whole organizations, with providing plenty of benefits. However, the related information security risks generated in teleworking threaten organizations to implement it. This paper aims to ascertain information security risks arising from teleworking based on literature. The contributions of this paper are addressing most challenging security risks that existed in teleworking for companies to be concerned, providing security controls for avoiding these mentionable risks that are identified, generally discussing which component of the risks are more crucial for the risk control, and indicating intangible security risks not mentioned in literature. These risks are aligned with teleworking business goals.
  • Item
    Ready, steady telework: information security essentials for the teleworker
    Jilani, Umair ; Ahimmat, Alwan ; Raso, Anthony ; Thorpe, David ; TRAN, MAN (The University of Melbourne, 2013)
    We operate and live in an environment where data communication is dependent on Internet connectivity which is decentralised in nature and is not possible to regulate. Due to technology advances, organisations have allowed remote access to their data via the Internet which allows employees to perform work activities via teleworking. Employees have embraced this method of working and teleworking has become a norm in a large number of organisations today. The problem of teleworking arises as employees are accessing company data outside the organization walls; a potential risk to information leakage whether it be deliberate or unintentional. In this paper the risks associated with teleworking are attributed to physical, technical and document management. To address these risks, Security Education, Training and Awareness (SETA) and information security policies are important. This paper analyses three core information security objectives in context with SETA i.e. Confidentiality, Integrity and Availability. The SETA campaign has neither a goal nor content without a security policy, likewise a security policy cannot be enforced without awareness by those for which it is intended.
  • Item
    Information security strategy and teleworking (in)security
    Ampomah, Millicent ; DE SILVA, YEVINDRA ; Li, Hanqing ; Pahlisa, Piki ; Yang, Qian ; Zhang, Qian (The University of Melbourne, 2013)
    Mainstream writing of teleworking tends to focus on both the economic and social benefits with little emphasis on information security issues. Information security threats of telework however are identified by most literature as a concern for organisations. This literature review examines the different influences on issues leading to information insecurity within the teleworking environment. By drawing on literature, a strategic model for managing and controlling information security threats in teleworking environment is proposed. Organisations essentially need to implement security measures or controls from a strategic point of view to include formal and informal controls.