Search results

1 – 10 of 61
Article
Publication date: 3 August 2020

Fayez Ghazai Alotaibi, Nathan Clarke and Steven M. Furnell

The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used…

Abstract

Purpose

The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted as they lack the knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across differing technologies, operating systems and applications. This results in managing the security across their technology portfolio increasingly more troublesome and time consuming. This paper aims to propose an approach that attempts to propose a system for improving security management and awareness for home users.

Design/methodology/approach

The proposed system is capable of creating and assigning different security policies for different digital devices in a user-friendly fashion. These assigned policies are monitored, checked and managed to review the user’s compliance with the assigned policies to provide bespoke awareness content based on the user’s current needs.

Findings

A novel framework was proposed for improving information security management and awareness for home users. In addition, a mock-up design was developed to simulate the proposed approach to visualise the main concept and the functions which might be performed when it is deployed in a real environment. A number of different scenarios have been simulated to show how the system can manage and deal with different types of users, devices and threats. In addition, the proposed approach has been evaluated by experts in the research domain. The overall feedback is positive, constructive and encouraging. The experts agreed that the identified research problem is a real problem. In addition, they agreed that the proposed approach is usable, feasible and effective in improving security management and awareness for home users.

Research limitations/implications

The proposed design of the system is a mock-up design without real data. Therefore, implementing the proposed approach in a real environment can provide the researcher with a better understanding of the effectiveness and the functionality of the proposed approach.

Practical implications

This study offers a framework and usable mock-up design which can help in improving information security management for home users.

Originality/value

Improving the security management and awareness for home users by monitoring, checking and managing different security controls and configurations effectively are the key to strengthen information security. Therefore, when home users have a good level of security management and awareness, this could protect and secure the home network and subsequently business infrastructure and services as well.

Details

Information & Computer Security, vol. 29 no. 1
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 28 August 2019

Adéle Da Veiga, Ruthea Vorster, Fudong Li, Nathan Clarke and Steven M. Furnell

The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish…

Abstract

Purpose

The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison with a country that is preparing for compliance.

Design/methodology/approach

An insurance industry multi-case study within the online insurance services environment was conducted. Personal information of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act and Protection of Personal Information Act.

Findings

The results demonstrate that not all the insurance organisations honored the selected opt-out preference for receiving direct marketing material. This was evident in direct marketing material that was sent from the insurance organisations in the sample to both the SA and UK consumer profiles who opted out for it. A total of 42 unsolicited third-party contacts were received by the SA consumer profiles, whereas the UK consumer profiles did not receive any third-party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations.

Research limitations/implications

As a jurisdiction with a heavy stance towards privacy implementation and regulation, it was found that the UK is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, however not fully compliant.

Originality/value

Based upon the results obtained from this research, it suggests that the SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marking and the minimality principle. The study indicates the positive role that data protection legislation plays in a county like the UK, with a more mature stance toward compliance with data protection legislation.

Article
Publication date: 1 June 2021

Ram Herkanaidu, Steven M. Furnell and Maria Papadaki

The purpose of this study is to determine effective online safety awareness education for young people in less developed countries. The research followed an explanatory mixed…

Abstract

Purpose

The purpose of this study is to determine effective online safety awareness education for young people in less developed countries. The research followed an explanatory mixed methods design starting with an online survey (quantitative element) and then interesting or anomalous findings were followed up with one-on-one interviews (qualitative element). The data gathered on the online habits and views of young people were fed into the Young People Online Model. It was also used to create online safety workshops. The standout issue from this research is the prevalence of cyberbullying, and this was used as the core theme. They were carried out using the action-research approach, whereby after each workshop, the facilitators would reflect and analyse and suggest improvements for the next one.

Design/methodology/approach

The majority of online safety awareness education programmes have been developed in and for advanced countries. In less developed countries, there are fewer programmes as well as a lack of research on the factors that influence the online behaviour of young people online. The Young People Online Education Framework seeks to address this and provide educators, researchers and policymakers an evidence driven construct for developing education programmes informed by issues affecting young people in their respective country/region.

Findings

The framework was applied in Thailand. As there were very few previous studies, original research was conducted via surveys and interviews. It was found that a high proportion of young people had experienced negative interactions online with cyberbullying the main concern. This was confirmed during the workshop phase indicating the need for more research and workshops. There is a plan to continue the research in Thailand, and it is hoped that other researchers will make use of the framework to extend its scope and application.

Originality/value

A novel feature of this framework is the cultural mask. The cultural context of learners is often overlooked in education, especially when education programmes are imported from other countries. This research contends that effective learning strategies and programmes will have a better chance to succeed if the cultural makeup of the target audience is considered and that all topics and activities are parsed through the cultural mask element of the framework.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 1 October 2002

Chukwuma U. Ngini, Steven M. Furnell and Bogdan V. Ghita

Previous studies have identified significant disparity in the levels of Internet access availability in different countries, particularly in developing nations. This paper…

4312

Abstract

Previous studies have identified significant disparity in the levels of Internet access availability in different countries, particularly in developing nations. This paper presents the findings of an investigation into Internet connectivity and usage in different countries, in an attempt to determine the extent of Internet access, and whether the availability of such technology is considered to be beneficial. This research considers indicators such as available technology infrastructure and access costs, in order to identify the varying limitations that may be faced in different countries across continents. In addition, the opinions of individuals were sought regarding their typical access methods and level of Internet access, typical services utilised, and the general impact Internet has had upon their activities. A Web‐based questionnaire was used to elicit comments from 152 respondents from 19 countries, yielding preliminary statistical data to enable the assessment of Internet usage in different countries.

Details

Internet Research, vol. 12 no. 4
Type: Research Article
ISSN: 1066-2243

Keywords

Article
Publication date: 20 March 2009

Taimur Bakhshi, Maria Papadaki and Steven Furnell

The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation.

2164

Abstract

Purpose

The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation.

Design/methodology/approach

An e‐mail‐based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security‐aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation.

Findings

In spite of a short window of operation for the experiment, the results revealed that 23 per‐cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.

Research limitations/implications

After running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended.

Practical implications

Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial.

Originality/value

This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e‐mail‐based social engineering study that was conducted amongst staff within a cooperating organisation.

Details

Information Management & Computer Security, vol. 17 no. 1
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 29 March 2011

Yair Levy, Michelle M. Ramim, Steven M. Furnell and Nathan L. Clarke

Concerns for information security in e‐learning systems have been raised previously. In the pursuit for better authentication approaches, few schools have implemented students'…

Abstract

Purpose

Concerns for information security in e‐learning systems have been raised previously. In the pursuit for better authentication approaches, few schools have implemented students' authentication during online exams beyond passwords. This paper aims to assess e‐learners' intention to provide multibiometric data and use of multibiometrics during online exams.

Design/methodology/approach

Based on data collected from 163 e‐learners from two institutions, the authors compared such measures when provided by their university versus by a third‐party service vendor. The multibiometrics discussed included fingerprint, face, and voice recognition.

Findings

The results show a clear indication by the learners that they are significantly more willing to provide their biometric data and intend to use multibiometrics when provided by their university compared with same services provided by a third‐party vendor.

Research limitations/implications

Research implications include the need for better understanding of multibiometrics implementations in educational settings.

Practical implications

The findings are profound for vendors of multibiometrics as they must adjust their approach when implementing such technologies at higher educational institutions, rather than simply opt to license the use of such solutions and to host them.

Originality/value

This study helps higher educational institutions better understand that learners do not appear to object to the use of multibiometrics technologies during online exams, rather the way in which such technologies are implemented and managed on‐campus.

Details

Campus-Wide Information Systems, vol. 28 no. 2
Type: Research Article
ISSN: 1065-0741

Keywords

Article
Publication date: 23 March 2010

M.Z. Jali, S.M. Furnell and P.S. Dowland

The purpose of this paper is to assess the usability of two image‐based authentication methods when used in the web‐based environment. The evaluated approaches involve clicking…

Abstract

Purpose

The purpose of this paper is to assess the usability of two image‐based authentication methods when used in the web‐based environment. The evaluated approaches involve clicking secret points within a single image (click‐based) and remembering a set of images in the correct sequence (choice‐based).

Design/methodology/approach

A “one‐to‐one” usability study was conducted in which participants had to complete three main tasks; namely authentication tasks (register, confirm and login), spot the difference activity and provide feedback.

Findings

From analysing the results in terms of timing, number of attempts, user feedback, accuracy and predictability, it is found that the choice‐based approach is better in terms of usability, whereas the click‐based method performed better in terms of timing and is rated more secure against social engineering.

Research limitations/implications

The majority of participants are from the academic sector (students, lecturers, etc.) and had up to seven years' IT experience. To obtain more statistically significant results, it is proposed that participants should be obtained from various sectors, having a more varied IT experience.

Practical implications

The results suggest that in order for image‐based authentication to be used in the web environment, more work is needed to increase the usability, while at the same time maintaining the security of both techniques.

Originality/value

This paper enables a direct comparison of the usability of two alternative image‐based techniques, with the studies using the same set of participants and the same set of environment settings.

Details

Information Management & Computer Security, vol. 18 no. 1
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 23 November 2010

Shamal Faily and Ivan Fléchais

The purpose of this paper is to identify the key cultural concepts effecting security in multi‐organisational systems and align these with design techniques and tools.

688

Abstract

Purpose

The purpose of this paper is to identify the key cultural concepts effecting security in multi‐organisational systems and align these with design techniques and tools.

Design/methodology/approach

A grounded theory model of security culture was derived from the related security culture literature and empirical data from an e‐Science project. Influencing concepts were derived from these and aligned with recent work on techniques and tools for usable secure systems design.

Findings

Roles and responsibility, sub‐cultural norms and contexts, and different perceptions of requirements were found to be influencing concepts towards a culture of security. These concepts align with recent work on personas, environment models, and related tool support.

Originality/value

This paper contributes a theoretically and empirically grounded model of security culture. This is also the first paper explicitly aligning key concepts of security culture to design techniques and tools.

Details

Information Management & Computer Security, vol. 18 no. 5
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 1 May 2000

Steven M. Furnell and Paul S. Dowland

The detection and prevention of authorised activities, by both external parties and internal personnel, is an important issue within IT systems. Traditional methods of user…

Abstract

The detection and prevention of authorised activities, by both external parties and internal personnel, is an important issue within IT systems. Traditional methods of user authentication and access control do not provide comprehensive protection and offer opportunities for compromise by various classes of abuser. A potential solution is provided in the form of intrusion detection systems, which are able to provide proactive monitoring of system activity and apply automatic responses in the event of suspected problems. This paper presents the principles of intrusion monitoring and then proceeds to describe the conceptual architecture of the Intrusion Monitoring System (IMS), an approach that is the focus of current research and development by the authors. The main functional elements of the IMS architecture are described, followed by thoughts regarding the practical implementation and the associated advantages (and potential disadvantages) that this would deliver. It is concluded that whilst an IMS‐type approach would not represent a total replacement for conventional controls, it would represent an effective means to complement the protection already provided.

Details

Information Management & Computer Security, vol. 8 no. 2
Type: Research Article
ISSN: 0968-5227

Keywords

Article
Publication date: 23 November 2010

Hennie Kruger, Lynette Drevin and Tjaart Steyn

The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and…

2421

Abstract

Purpose

The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program.

Design/methodology/approach

A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents' behavior. Two different class groups of students at a university were used as a sample.

Findings

The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed.

Originality/value

The paper introduces a new approach to evaluate people's information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.

Details

Information Management & Computer Security, vol. 18 no. 5
Type: Research Article
ISSN: 0968-5227

Keywords

1 – 10 of 61