Open Access. Powered by Scholars. Published by Universities.®

Digital Commons Network

Articles 1 - 21 of 21

Full-Text Articles in Entire DC Network

RBAC Attack Exposure Auditor. Tracking User Risk Exposure Per Role-Based Access Control Permissions, Adelaide Damrau May 2023

Undergraduate Honors Theses

Access control models and implementation guidelines for determining, provisioning, and de-provisioning user permissions are challenging due to the differing approaches, unique for each organization, the lack of information provided by case studies concerning the organization’s security policies, and no standard means of implementation procedures or best practices. Although there are multiple access control models, one stands out, role-based access control (RBAC). RBAC simplifies maintenance by enabling administrators to group users with similar permissions. This approach to managing user permissions supports the principle of least privilege and separation of duties, which are needed to ensure an organization maintains acceptable user access …


An Application Risk Assessment Of Werner Enterprises, Nathan Andres May 2023

Theses/Capstones/Creative Projects

Risk assessments provide a systematic approach to identifying potential risks that could negatively impact an organization’s operations, financial performance, and reputation. Using a risk assessment, companies can evaluate potential risks and vulnerabilities, prioritize them based on their potential impact, and develop strategies to manage and address these risks effectively.

Werner Enterprises Inc. is a nationally known trucking company headquartered in Omaha, Nebraska. Our cybersecurity capstone project motivation was to partner with Werner to produce an assessment of known application risks in a functional way that can be repeated for all of Werner’s applications. To achieve this, we created a risk …


Automated Privacy Protection For Mobile Device Users And Bystanders In Public Spaces, David Darling Jul 2021

Graduate Theses and Dissertations

As smartphones have gained popularity over recent years, they have provided users convenient access to services and integrated sensors that were previously only available through larger, stationary computing devices. This trend of ubiquitous, mobile devices provides unparalleled convenience and productivity for users who wish to perform everyday actions such as taking photos, participating in social media, reading emails, or checking online banking transactions. However, the increasing use of mobile devices in public spaces by users has negative implications for their own privacy and, in some cases, that of bystanders around them.

Specifically, digital photography trends in public have negative implications for …


Trust Models And Risk In The Internet Of Things, Jeffrey Hemmes Apr 2021

Regis University Faculty Publications

The Internet of Things (IoT) is envisaged to be a large-scale, massively heterogeneous ecosystem of devices with varying purposes and capabilities. While architectures and frameworks have focused on functionality and performance, security is a critical aspect that must be integrated into system design. This work proposes a method of risk assessment of devices using both trust models and static capability profiles to determine the level of risk each device poses. By combining the concepts of trust and secure device fingerprinting, security mechanisms can be more efficiently allocated across networked IoT devices. Simultaneously, devices can be allowed a greater degree of …


Cyber Risk Assessment And Scoring Model For Small Unmanned Aerial Vehicles, Dillon M. Pettit Mar 2020

Theses and Dissertations

The commercial-off-the-shelf small Unmanned Aerial Vehicle (UAV) market is expanding rapidly in response to interest from hobbyists, commercial businesses, and military operators. The core commercial mission set directly relates to many current military requirements and strategies, with a priority on short range, low cost, real time aerial imaging, and limited modular payloads. These small vehicles present small radar cross sections, low heat signatures, and carry a variety of sensors and payloads. As with many new technologies, security seems secondary to the goal of reaching the market as soon as innovation is viable. Research indicates a growth in exploits and vulnerabilities …


On The Responsibility For Uses Of Downstream Software, Marty J. Wolf, Keith W. Miller, Frances S. Grodzinsky May 2019

Computer Ethics - Philosophical Enquiry (CEPE) Proceedings

In this paper we explore an issue that is different from whether developers are responsible for the direct impact of the software they write. We examine, instead, in what ways, and to what degree, developers are responsible for the way their software is used “downstream.” We review some key scholarship analyzing responsibility in computing ethics, including some recent work by Floridi. We use an adaptation of a mechanism developed by Floridi to argue that there are features of software that can be used as guides to better distinguish situations where a software developer might share in responsibility for the software’s …


Impact Of Framing And Base Size Of Computer Security Risk Information On User Behavior, Xinhui Zhan Jan 2019

Masters Theses

"This research examines the impact of framing and base size of computer security risk information on users' risk perceptions and behavior (i.e., download intention and download decision). It also examines individual differences (i.e., demographic factors, computer security awareness, Internet structural assurance, self-efficacy, and general risk-taking tendencies) associated with users' computer security risk perceptions. This research draws on Prospect Theory, which is a theory in behavioral economics that addresses risky decision-making, to generate hypotheses related to users' decision-making in the computer security context. A 2 x 3 mixed factorial experimental design (N = 178) was conducted to assess the effect of …


The Design And Evaluation Of A User-Centric Information Security Risk Assessment And Response Framework, Manal Alohali, Nathan Clarke, Steven Furnell Jan 2018

Research outputs 2014 to 2021

Abstract: The risk of sensitive information disclosure and modification through the use of online services has increased considerably and may result in significant damage. As the management and assessment of such risks is a well-known discipline for organizations, it is a challenge for users from the general public. Users have difficulties in using, understanding and reacting to security-related threats. Moreover, users only try to protect themselves from risks salient to them. Motivated by the lack of risk assessment solutions and limited impact of awareness programs tailored for users of the general public, this paper aims to develop a structured approach …


A Privacy Gap Around The Internet Of Things For Open-Source Projects, Brian Cusack, Reza Khaleghparast Jan 2016

Australian Information Security Management Conference

The Internet of Things (IoT) is having a more important role in the everyday lives of people. The distribution of connectivity across social and personal interaction discloses personalised information and gives access to a sphere of sensitivities that were previously masked. Privacy measures and security to protect personal sensitivities are weak and in their infancy. In this paper we review the issue of privacy in the context of IoT open-source projects, and the IoT security concerns. A proposal is made to create a privacy bubble around the interoperability of devices and systems and a filter layer to mitigate the exploitation …


Creating An Operational Security Management Structure For Inimical Environments: Papua New Guinea As A Case Study, William J. Bailey Jan 2015

Australian Security and Intelligence Conference

Security is a necessary cost for businesses wishing to operate in the developing economy of Papua New Guinea. The country continues to face levels of crime and violence out of proportion to other East Asian countries, which deters many would-be investors. However, the potential in PNG is vast and eagerly sought after despite the high costs required to operate without harm; therefore, it is necessary to manage the security situation. Experience from similar countries has shown by using optimal security management systems and structures it is possible to work safely, securely and effectively, but this requires a comprehensive security, threat …


Cybersecurity Vulnerabilities In Medical Devices: A Complex Environment And Multifaceted Problem, Patricia A.H. Williams, Andrew J. Woodward Jan 2015

Research outputs 2014 to 2021

The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This …


Judging Dread: A Quantitative Investigation Of Affect, Psychometric Dread And Risk Consequence, Melvyn Griffiths Jan 2015

Theses: Doctorates and Masters

Risk is generally understood as a product of the likelihood and consequence of an event. However, the way in which estimations of consequences are formed is unclear due to the complexities of human perception. In particular, the influence of Affect, defined as positive or negative qualities subjectively assigned to stimuli, may skew risk consequence judgements. Thus a clearer understanding of the role of Affect in risk consequence estimations has significant implications for risk management, risk communication and policy formulation.

In the Psychometric tradition of risk perception, Affect has become almost synonymous with the concept of Dread, despite Dread being measured …


Investigating The Determinants Of Disaster Recovery Technology Investment Choice In Small And Medium-Sized Enterprises, Faranak Afshar Sep 2014

CCE Theses and Dissertations

Due to the importance of small and medium-sized enterprises (SMEs) as drivers of economic growth, it is essential to explore the security issues impacting SMEs' success and failure. One of the main security risks that could significantly impair the operability of the organizations is the permanent loss of data due to man-made and/or natural disasters and interruptions. Research has shown that SMEs are not taking disaster preparedness for their computer and networking systems as seriously as they should. This dissertation is an attempt to explain the process of a risky choice, specifically the decision maker's choice of not investing in …


Mapping The Consensual Knowledge Of Security Risk Management Experts, David J. Brooks Sep 2014

David J Brooks Dr.

The security industry comprises of diverse and multidisciplined practitioners, originating from many disciplines. It has been suggested that the industry has an undefined knowledge structure, although security experts contain a rich knowledge structure. There has also been limited research mapping security expert knowledge structure, reducing the ability of tertiary educators to provide industry focused teaching and learning. The study utilized multidimensional scaling (MDS) and expert interviews to map the consensual knowledge structure of security experts in their understanding of security risk. Security risk concepts were extracted and critiqued from West Australian university courses. Linguistic analysis categorised the more utilized security …


Multi-Stakeholder Case Prioritization In Digital Investigations, Joshua I. James Jan 2014

Journal of Digital Forensics, Security and Law

This work examines the problem of case prioritization in digital investigations for better utilization of limited criminal investigation resources. Current methods of case prioritization, as well as observed prioritization methods used in digital forensic investigation laboratories are examined. After, a multi-stakeholder approach to case prioritization is given that may help reduce reputational risk to digital forensic laboratories while improving resource allocation. A survey is given that shows differing opinions of investigation priority between Law Enforcement and the public that is used in the development of a prioritization model. Finally, an example case is given to demonstrate the practicality of the …


Security Risks And Protection In Online Learning: A Survey, Yong Chen, Wu He Jan 2013

Distance Learning Faculty & Staff Publications

This paper describes a survey of online learning which attempts to determine online learning providers' awareness of potential security risks and the protection measures that will diminish them. The authors use a combination of two methods: blog mining and a traditional literature search. The findings indicate that, while scholars have identified diverse security risks and have proposed solutions to mitigate the security threats in online learning, bloggers have not discussed security in online learning with great frequency. The differences shown in the survey results generated by the two different methods confirm that online learning providers and practitioners have not considered …


Success Of Agile Environment In Complex Projects, Abbass Ghanbary, Julian Day Nov 2010

Australian Information Warfare and Security Conference

This paper discusses the impact of agile methodology in complex and modular interrelated projects based on the authors’ practical experience and observations. With the advancement of Web technologies and complex computer systems, business applications are able to transcend boundaries in order to fully meet business requirements and comply with the legislation, policies and procedures. The success of software development as well as software deployment of these complex applications is dependent upon the employed methodology and project management. This is so because employed methodology plays an important position in capturing and modeling of business requirements and project management helps to ensure …


Securing VoIP: A Framework To Mitigate Or Manage Risks, Peter James, Andrew Woodward Dec 2007

Australian Information Security Management Conference

In Australia, the past few years have seen Voice over IP (VoIP) move from a niche communications medium used by organisations with the appropriate infrastructure and capabilities to a technology that is available to anyone with a good broadband connection. Driven by low cost and no cost phone calls, easy to use VoIP clients and increasingly reliable connections, VoIP is replacing the Public Switch Telephone Network (PSTN) in a growing number of households. VoIP adoption appears to be following a similar path to early Internet adoption, namely little awareness by users of the security implications. Lack of concern about …


The Information Security Ownership Question In ISO/IEC 27001 – An Implementation, Lizzie Coles-Kemp, Richard E. Overill Dec 2006

Australian Information Security Management Conference

The information security management standard ISO/IEC 27001 is built on the notion that information security is driven by risk assessment and risk treatment. Fundamental to the success of risk assessment and treatment is the decision making process that takes risk assessment output and assigns decisions to this output in terms of risk treatment actions. It is argued that the effectiveness of the management system lies in its ability to make effective, easy-to-implement and measurable decisions. One of the key issues in decision making is ownership. In this paper two aspects of information security ownership are considered: ownership of the asset …


Mapping The Consensual Knowledge Of Security Risk Management Experts, David J. Brooks Dec 2006

Australian Information Warfare and Security Conference

The security industry comprises of diverse and multidisciplined practitioners, originating from many disciplines. It has been suggested that the industry has an undefined knowledge structure, although security experts contain a rich knowledge structure. There has also been limited research mapping security expert knowledge structure, reducing the ability of tertiary educators to provide industry focused teaching and learning. The study utilized multidimensional scaling (MDS) and expert interviews to map the consensual knowledge structure of security experts in their understanding of security risk. Security risk concepts were extracted and critiqued from West Australian university courses. Linguistic analysis categorised the more utilized security …


Alphaco: A Teaching Case On Information Technology Audit And Security, Hüseyin Tanriverdi, Joshua Bertsch, Jonathan Harrison, Po-Ling Hsiao, Ketan S. Mesuria, David Hendrawirawan Jan 2006

Journal of Digital Forensics, Security and Law

Recent regulations in the United States (U.S.) such as the Sarbanes-Oxley Act of 2002 require top management of a public firm to provide reasonable assurance that they institute internal controls that minimize risks over the firm’s operations and financial reporting. External auditors are required to attest to the management’s assertions over the effectiveness of those internal controls. As firms rely more on information technology (IT) in conducting business, they also become more vulnerable to IT related risks. IT is critical for initiating, recording, processing, summarizing and reporting accurate financial and non-financial data. Thus, understanding IT related risks and instituting internal …