Article
Publication date: 29 March 2013

Tran Khanh Dang and Tran Tri Dang

Abstract

Purpose

By reviewing different information visualization techniques for securing web information systems, this paper aims to provide a foundation for further studies of the same topic. Another purpose of the paper is to discover directions in which there is a lack of extensive research, thereby encouraging more investigations.

Design/methodology/approach

The related techniques are classified first by their locations in the web information systems architecture: client side, server side, and application side. Then the techniques in each category are further classified based on attributes specific to that category.

Findings

Although there is much research on information visualization for securing web browser user interface and server side systems, there are very few studies about the same techniques on web application side.

Originality/value

This paper is the first published paper to review extensively the information visualization techniques used for securing web information systems. The classification used here offers a framework for further studies as well as in-depth investigations.

Details

International Journal of Web Information Systems, vol. 9 no. 1
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 23 November 2012

Swapan Purkait

Abstract

Purpose

Phishing is essentially a social engineering crime on the Web, whose rampant occurrences and technique advancements are posing big challenges for researchers in both academia and the industry. The purpose of this study is to examine the available phishing literature and phishing countermeasures, to determine how research has evolved and advanced in terms of quantity, content and publication outlets. In addition to that, this paper aims to identify the important trends in phishing and its countermeasures and to provide a view of the research gap that is still prevailing in this field of study.

Design/methodology/approach

This paper is a comprehensive literature review prepared after analysing 16 doctoral theses and 358 papers in this field of research. The papers were analyzed based on their research focus, empirical basis on phishing and proposed countermeasures.

Findings

The findings reveal that the current anti-phishing approaches that have seen significant deployments over the internet can be classified into eight categories. Also, the different approaches proposed so far are all preventive in nature. A phisher will mainly target innocent consumers, who happen to be the weakest link in the security chain, and it was found through various usability studies that neither server-side security indicators nor client-side toolbars and warnings are successful in preventing vulnerable users from being deceived.

Originality/value

Educating internet users about phishing, as well as the implementation and proper application of anti-phishing measures, are critical steps in protecting the identities of online consumers against phishing attacks. Further research is required to evaluate the effectiveness of the available countermeasures against fresh phishing attacks. Also, there is a need to find out the factors which influence internet users' ability to correctly identify phishing websites.

Details

Information Management & Computer Security, vol. 20 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 13 June 2016

Timothy Kelley and Bennett I. Bertenthal

Abstract

Purpose

Modern browsers are designed to inform users as to whether it is secure to log in to a website, but most users are not aware of this information, and even those who are aware sometimes ignore it. This study aims to assess users' knowledge of security warnings communicated via browser indicators and the likelihood that their online decision-making adheres to this knowledge.

Design/methodology/approach

Participants from Amazon’s Mechanical Turk visited a series of secure and insecure websites and decided as quickly and as accurately as possible whether it was safe to login. An online survey was then used to assess their knowledge of information security.

Findings

Knowledge of information security was not necessarily a good predictor of decisions regarding whether to sign in to a website. Moreover, these decisions were modulated by attention to security indicators, familiarity of the website and psychosocial stress induced by bonus payments determined by response times and accuracy.

Practical implications

Even individuals with security knowledge are unable to draw the necessary conclusions about digital risks when browsing the web. Users are being educated through daily use to ignore recommended security indicators.

Originality/value

This study represents a new way to entice participants into risky behavior by monetizing both speed and accuracy. This approach could be broadly useful as a way to study risky environments without placing participants at risk.

Details

Information & Computer Security, vol. 24 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 November 2008

Rui Zhou

Abstract

Purpose

The aim of this research is to enable web-based tracking and guiding by integrating location-awareness with the World Wide Web, so that users can use various location-based applications without installing extra software.

Design/methodology/approach

The concept of web-based tracking and guiding is introduced and the relevant issues are discussed regarding location-aware web systems, location determination, location-dependent content query and personalized presentation. The framework of the web-based tracking and guiding system, the Web-Based Guide, is proposed, and its prototypical implementation is presented. The main design principles are making use of existing web technologies, making use of available and cheap devices, a general-purpose and lightweight client side, and good scalability.

Findings

The paper presents the general‐purpose and modular framework of the Web‐Based Guide, which consists of the Location Server, the Content Server, the Guiding Web Server and the clients which are standard web browsers extended with the Location Control. With such a framework, location‐based applications can offer the services on the web.

Research limitations/implications

The performance of the system should be evaluated and improved, in particular the number of concurrent sessions that the system can sustain and the workload on the system when in tracking mode.

Originality/value

The paper proposes a framework for personalized tracking and guiding systems on the web, which can be used in campuses, museums, national parks and so on.

Details

Campus-Wide Information Systems, vol. 25 no. 5
Type: Research Article
ISSN: 1065-0741

Article
Publication date: 5 October 2015

Vijaya Geeta Dharmavaram

Abstract

Purpose

The purpose of the paper is to assess the precautionary measures adopted by the popular websites in India, and, thus, find out how vulnerable Indian Web users are to this form of attack. Today almost all work is done through the Internet, including monetary transactions. This holds true even for developing countries like India, thus making secure browsing a necessity. However, an attack called "clickjacking" can help Internet scammers to carry out fraudulent tasks. Even though researchers have proposed different techniques to face this threat, it remains a question how effectively they are deployed in practice.

Design/methodology/approach

To carry out the study, top 100 Indian and global websites in India were identified and were divided into static and dynamic websites based on the level of interaction they offer to the users. These websites were checked to see whether they offer any basic protection against clickjacking and, if so, which defence technique is used. A comparison between Indian websites and global websites is done to see where India stands in terms of providing security.

Findings

The results show that 86 per cent of Indian websites offer no protection against clickjacking, in contrast to 51 per cent of global websites. It is also observed that in the case of dynamic websites, only 18 per cent of Indian websites offer some form of protection, when compared to 63 per cent of global websites. This is quite alarming, as dynamic websites such as social networking and banking websites are the likely candidates for clickjacking, resulting in serious consequences such as identity and monetary theft.

Originality/value

In this paper, the vulnerability of Indian websites to clickjacking is presented, which has not been addressed before. This will help in creating awareness among Indian Web developers as well as the general public, so that precautionary measures can be adopted.

Details

Journal of Money Laundering Control, vol. 18 no. 4
Type: Research Article
ISSN: 1368-5201

Article
Publication date: 4 March 2014

Eyong B. Kim

Abstract

Purpose

The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT).

Design/methodology/approach

Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided.

Findings

College students understand the importance of and the need for ISAT, but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources.

Practical implications

Universities can assess their ISAT for students based on the findings of this study.

Originality/value

If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.

Details

Information Management & Computer Security, vol. 22 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 2 September 2014

Issam Kouatli

Abstract

Purpose

The purpose of this paper is to classify and categorize the vulnerability types that emerged over time as information technology (IT) systems evolved. This comparative study aims to compare the seriousness of the old, well-known vulnerabilities, which may still exist with a lower possibility of occurring, with that of new technologies like cloud computing with mobility access. Cloud computing is a new structure of IT that is becoming the main part of the new model of the business environment. However, issues regarding such a newly hyped technology do not come without obstacles. These issues have to be addressed before full acceptability of cloud services in a globalized business environment. Businesses need to be aware of the issues of concern before joining cloud services. This paper also highlights these issues and shows a comparison table to help businesses with appropriate decision-making when joining the cloud.

Design/methodology/approach

A historical review of the vulnerabilities that emerged as IT systems evolved was conducted; these vulnerabilities were then categorized into eight different categories, each of which is composed of multiple vulnerability types. Simple scoring techniques were used to build a "risk" analysis table in which each vulnerability type was given a score based on the availability of a mature solution and the likelihood of occurrence; then, for each vulnerability type, another score was used to derive the impact of that vulnerability. The resulting weighted score is derived by multiplying the likelihood-of-occurrence score by the impact score. The percentage of seriousness, represented by the percentage of the derived weighted score of each vulnerability, can then be concluded. A similar table was developed for issues specific to the cloud computing environment.

Findings

After surveying the historical background of IT systems and the vulnerabilities that emerged, as well as reviewing the common malicious types of system vulnerabilities, this paper identifies 22 different types of vulnerability categorized in eight different categories. This comparative study explores the number of possible vulnerabilities in new technology like cloud computing services. Specific issues for cloud computing were also explored and a similar comparative study was developed on these issues. The result of the comparative study between all types of vulnerabilities, from the start of IT system development to today's technology of cloud computing, shows that the vulnerability category with the highest percentage was the one related to mobility access, as mobile applications/systems have emerged relatively recently and do not have mature security solution(s).

Practical implications

Learning from history, one can conclude the current risk factor in dealing with new technology like cloud computing. Businesses can realize that the decision to join the cloud requires thinking about the issues mentioned in this paper and identifying the most serious vulnerability types in order to avoid them.

Originality/value

A new comparative study and a new classification of vulnerabilities are demonstrated, with risk analysis using a simple scoring technique.

Article
Publication date: 3 August 2020

Fayez Ghazai Alotaibi, Nathan Clarke and Steven M. Furnell

Abstract

Purpose

The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted, as they lack knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across differing technologies, operating systems and applications. This makes managing security across their technology portfolio increasingly troublesome and time-consuming. This paper aims to propose a system for improving security management and awareness for home users.

Design/methodology/approach

The proposed system is capable of creating and assigning different security policies for different digital devices in a user-friendly fashion. These assigned policies are monitored, checked and managed to review the user’s compliance with the assigned policies to provide bespoke awareness content based on the user’s current needs.

Findings

A novel framework was proposed for improving information security management and awareness for home users. In addition, a mock-up design was developed to simulate the proposed approach to visualise the main concept and the functions which might be performed when it is deployed in a real environment. A number of different scenarios have been simulated to show how the system can manage and deal with different types of users, devices and threats. In addition, the proposed approach has been evaluated by experts in the research domain. The overall feedback is positive, constructive and encouraging. The experts agreed that the identified research problem is a real problem. In addition, they agreed that the proposed approach is usable, feasible and effective in improving security management and awareness for home users.

Research limitations/implications

The proposed design of the system is a mock-up design without real data. Therefore, implementing the proposed approach in a real environment can provide the researcher with a better understanding of the effectiveness and the functionality of the proposed approach.

Practical implications

This study offers a framework and usable mock-up design which can help in improving information security management for home users.

Originality/value

Improving security management and awareness for home users by monitoring, checking and managing different security controls and configurations effectively is the key to strengthening information security. Therefore, when home users have a good level of security management and awareness, this could protect and secure the home network and, subsequently, business infrastructure and services as well.

Details

Information & Computer Security, vol. 29 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 July 2021

Tanya McGill and Nik Thompson

Abstract

Purpose

Information technology users often fail to adopt necessary security and privacy measures, leading to increased risk of cybercrimes. There has been limited research on how demographic differences influence information security behaviour and understanding this could be important in identifying users who may be more likely to have poor information security behaviour. This study aims to investigate whether there are any gender differences in security and privacy behaviours and perceptions, to identify potential differences that may have implications for protecting users’ privacy and securing their devices, software and data.

Design/methodology/approach

This paper addresses this research gap by investigating security behaviours and perceptions in the following two studies: one focussing on information security and one on information privacy. Data was collected in both studies using anonymous online surveys.

Findings

This study finds significant differences between men and women in over 40% of the security and privacy behaviours considered, suggesting that overall levels of both are significantly lower for women than for men, with behaviours that require more technical skill being adopted less by female users. Furthermore, individual perceptions exhibited some gender differences.

Originality/value

This research suggests that potential gender differences in some security and privacy behaviours and perceptions should be taken into account when designing information security education, training and awareness initiatives for both organisations and the broader community. This study also provides a strong foundation to explore information security individual differences more deeply.

Details

Information & Computer Security, vol. 29 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 March 2017

Aggelos Kiayias, Thomas Zacharias and Bingsheng Zhang

Abstract

Purpose

This paper aims to investigate the importance of auditing for election privacy via issues that appear in the state-of-the-art implementations of e-voting systems that apply threshold public key encryption (TPKE) in the client such as Helios and use a bulletin board (BB).

Design/methodology/approach

Argumentation builds upon a formal description of a typical TPKE-based e-voting system where the election authority (EA) is the central node in a star network topology. The paper points out the weaknesses of the said topology with respect to privacy and analyzes how these weaknesses affect the security of several instances of TPKE-based e-voting systems. Overall, it studies the importance of auditing from a privacy aspect.

Findings

The paper shows that without public key infrastructure (PKI) support or – more generally – authenticated BB “append” operations, TPKE-based e-voting systems are vulnerable to attacks where the malicious EA can act as a man-in-the-middle between the election trustees and the voters; hence, it can learn how the voters have voted. As a countermeasure for such attacks, this work suggests compulsory trustee auditing. Furthermore, it analyzes how lack of cryptographic proof verification affects the level of privacy that can be provably guaranteed in a typical TPKE e-voting system.

Originality/value

As opposed to the extensively studied importance of auditing to ensure election integrity, the necessity of auditing to protect privacy in an e-voting system has been mostly overlooked. This paper reveals design weaknesses present in notable TPKE-based e-voting systems that can lead to a total breach of voters' privacy and shows how auditing can be applied to provide strong provable privacy guarantees.

Details

Information & Computer Security, vol. 25 no. 1
Type: Research Article
ISSN: 2056-4961
