UNIVERSITI TEKNOLOGI MALAYSIA
DECLARATION OF THESIS / POSTGRADUATE PROJECT PAPER AND COPYRIGHT
Author's full name: Dzairol Adzriem Bin Din
Date of birth: 21st October 1986
Title: EDUCATIONAL AND TRAINING MODEL OF SECURITY AWARENESS ON MOBILE DEVICE FOR STUDENTS
Academic Session: 2011/2012(3)
I declare that this thesis is classified as:
CONFIDENTIAL (Contains confidential information under the Official Secret Act 1972)*
RESTRICTED (Contains restricted information as specified by the organization where research was done)*
OPEN ACCESS (I agree that my thesis is to be published as online open access, full text)
I acknowledge that Universiti Teknologi Malaysia reserves the rights as follows:
1. The thesis is the property of Universiti Teknologi Malaysia.
2. The Library of Universiti Teknologi Malaysia has the right to make copies for the purpose of research only.
3. The Library has the right to make copies of the thesis for academic exchange.
Certified by:
Signature of student: 861021-09-5075 (New IC No. / Passport No.)
Signature of supervisor: DR. NORAFIDA BINTI ITHNIN (Name of Supervisor)
Date: 27 AUGUST 2012
NOTES: * If the thesis is CONFIDENTIAL or RESTRICTED, please attach the letter from the organization stating the period and reasons for confidentiality or restriction.
I hereby declare that I have read this project report and in my opinion this project report is sufficient in terms of scope and quality for the award of the degree of Master of Computer Science (Information Security).
Signature : ...................................................
Name of Supervisor : DR. NORAFIDA ITHNIN
Date : AUGUST 27, 2012
EDUCATIONAL AND TRAINING MODEL OF SECURITY AWARENESS ON MOBILE DEVICES FOR STUDENTS
DZAIROL ADZRIEM BIN DIN
A project report submitted in partial fulfillment of the
requirements for the award of the degree of
Master of Computer Science (Information Security)
Faculty of Computer Science and Information Systems
Universiti Teknologi Malaysia
AUGUST 2012
I declare that this project entitled "Educational and Training Model of Security Awareness on Mobile Device for Students" is the result of my own research except as cited in the references. The project report has not been accepted for any degree and is not currently submitted in candidature for any other degree.
Signature : ....................................................
Name : Dzairol Adzriem Bin Din
Date : August 27, 2012
Alhamdulillah, thank you to Allah. Because of Him, I managed to reach this level. I lovingly dedicate this project to my beloved family, especially to my Dad and Mom, for instilling in me the importance of hard work and higher education, and for your financial and moral support until your son completed this study. Thank you so much.
I also dedicate this to my respected supervisor, Dr. Norafida Ithnin, who gave me knowledge, advice and encouragement throughout the project.
Dear fellow friends, thanks for your kindness and moral support, and for always helping and motivating each other. Thank you so much. The sweet memories we shared together will never be forgotten.
ACKNOWLEDGEMENT
Bismillahirrahmanirrahim
In the name of Allah, the Most Gracious, the Most Merciful and the Most Compassionate.
Alhamdulillah, all praise to Allah for the strength and His blessing in completing this research and thesis. My special appreciation goes to my supervisor, Dr. Norafida Ithnin, for her supervision, useful knowledge and constant support. Her invaluable help, constructive comments and suggestions throughout the study have contributed to the success of my research. I also wish to express my appreciation to all lecturers of the Faculty of Computer Science and to the UTM students who contributed to the research findings, and to thank them for their cooperation.
Sincere thanks to all my lovely friends, especially my Dunia ScS friends and my Information Security classmates, for their moral support and kindness during my study. All the sweet memories will never be forgotten; thanks for the friendship and brotherhood.
Last but not least, my deepest gratitude goes to my beloved parents, Mr. Din B. Sabu and Mrs. Zainab Bt. Omar, and to the rest of my family for their endless love, prayers, encouragement, and spiritual and financial support. To those who indirectly contributed to this research, your kindness is highly appreciated. Thank you so much.
Sincerely, Dzairol Adzriem, 2012
ABSTRACT
Technology is evolving rapidly. Mobile devices have become a vital part of daily life, and developers keep upgrading devices and software to perform better. The smartphone has replaced the cellular phone and is widely used because of the advanced technology it offers. As smartphones acquire more of the functions and features of computers, they become exposed to many of the same security threats, such as malicious code (viruses, worms and Trojans) and other vulnerabilities. Students are often eager to own the latest devices but lack security awareness regarding them. A lack of security education, combined with the belief that the device is already secure enough, leads them to neglect the security features the device provides. For this reason, a study was conducted among UTM students by distributing a pre-survey questionnaire to identify their current state of awareness, concern and knowledge of the technology. The results show that their level of awareness and concern is still low and that proper education and training are needed. A process model for education and training in security awareness on mobile devices was designed to guide ICT units in conducting such a program. Implementing the course or program is expected to increase students' security knowledge and make them more aware of how to secure their devices against unauthorized access.
ABSTRAK (translated from Malay)
Current technology is developing rapidly. Since mobile devices have become an important part of everyday human life, developers compete to upgrade them to better performance. The smartphone has replaced the mobile phone and is widely used because of the technological advances it offers. Having almost all the functions and features of a computer makes these devices more exposed to various security threats such as malicious code (including viruses, worms and Trojans) and several other weaknesses. Students are often obsessed with owning sophisticated technology, but their level of awareness regarding the mobile devices they own is usually very low. A lack of security education and the feeling that their devices are already secure enough cause students to neglect the security features of their mobile devices. Therefore, this study was carried out among UTM students by distributing pre-study questions to identify the current state of awareness and knowledge of the related technology. The results show that they are still at a low level of awareness and that they need to undergo proper education and training. A process model for education and training in security awareness on mobile devices has been formulated as a guide for ICT units to run such a program for students. Implementing the course program will to some extent increase students' security knowledge, making them more careful in preventing their mobile devices from being accessed without permission.
TABLE OF CONTENTS
CHAPTER TITLE PAGE
DECLARATION ii
DEDICATION iii
ACKNOWLEDGEMENTS iv
ABSTRACT v
ABSTRAK vi
TABLE OF CONTENTS vii
LIST OF TABLES xi
LIST OF FIGURES xii
LIST OF ABBREVIATIONS xiv
LIST OF APPENDICES xv
1 INTRODUCTION
1.1 Introduction 1
1.2 Problem Background 2
1.3 Problem Statement 3
1.4 Project Aims 5
1.5 Objectives 5
1.6 Project Scope 5
1.7 Significance of the Project 6
1.8 Report Organization 7
2 LITERATURE REVIEW
2.1 Introduction 9
2.2 Information Security Awareness 9
2.3 Component of Security Awareness 10
2.3.1 Awareness 11
2.3.2 Training 12
2.3.3 Education 12
2.4 Current Stage of Security Awareness 12
2.5 Mobile Device Technology 18
2.5.1 Categories of Mobile Device 18
2.5.2 Mobile Application 20
2.5.3 Mobile Device Security and Threat/Attack 22
2.6 Existing Framework / Model / Guidelines / Slogans for Security Awareness 27
2.6.1 The Continuum (A Role and Performance Model) 28
2.6.2 NIST SP 800-50, Model 1: Centralized Program Management Model 30
2.6.3 NIST SP 800-50, Model 2: Partially Decentralized Program Management Model 31
2.6.4 NIST SP 800-50, Model 3: Fully Decentralized Program Management Model 32
2.6.5 IS Security Awareness Sequential Model 33
2.6.6 Full E-Awareness Model (E-AM) 34
2.6.7 Framework for Evaluating ICT Security Awareness 35
2.6.8 Southern African Cyber Security Awareness Framework 36
2.6.9 Awareness Model by SecurityResearch.at 38
2.6.10 Japanese National Information Security Center Slogan 39
2.6.11 Awareness Noticeboard 40
2.6.12 Security Awareness Maturity Model 41
2.6.13 Four Factor Influence Awareness 42
2.6.14 Summary of Existing Framework / Model / Guideline 44
2.7 Current Technique of Designing, Developing and Implementing Awareness Program 47
2.8 Summary 48
3 RESEARCH METHODOLOGY
3.1 Introduction 50
3.2 Operational Framework 50
3.2.1 Phase 1: Information Gathering 53
3.2.2 Phase 2: Design 54
3.2.3 Phase 3: Validation 55
3.3 Survey Technique Explanation 56
3.3.1 Pre-Study and Observation 57
3.3.2 Questionnaire 57
3.3.3 Statistical Method 58
3.4 Summary 59
4 DESIGN IMPLEMENTATION PROCESS
4.1 Introduction 60
4.2 Mapping Process 60
4.2.1 Relationship Table Description 62
4.3 Selection of Elements/Components/Features 64
4.4 Model Draft Design 69
4.4.1 Draft Model Summary Description 70
4.4.2 Details Model Description 72
4.5 Summary 75
5 ANALYSIS AND RESULT
5.1 Introduction 76
5.2 Targeted Experts Validation 76
5.3 First Stage Validation Model Process 77
5.4 Second Stage Validation Model Process 78
5.4.1 Validation of Model Design 78
5.4.2 Validation Script Questionnaire 79
5.4.3 New Model Draft 81
5.5 Supported Expert Witness 82
5.5.1 Analysis on Expert Witness Validation Result 83
5.6 Educational and Training Model of Security Awareness on Mobile Device 87
5.6.1 Details Model Description 88
5.6.2 Summary of Model Description 92
5.7 Summary 95
6 CONCLUSION
6.1 Introduction 96
6.2 Research Achievement 96
6.3 Research Challenges and Constraints 98
6.4 Future Work 99
6.5 Summary 99
REFERENCES 100
APPENDIX 104
LIST OF TABLES
TABLE NO. TITLE PAGE
2.1 Matrix Table Who Needs Awareness 17
2.2 Example of Mobile Application 21
2.3 Recent Threats and Solution 24
2.4 Matrix Table of Threats 25
2.5 Matrix Table of Application Versus Threats 26
2.6 Matrix Table of Features 45
3.1 Activities Summarization Table 52
4.1 Result of Students Feeling to Their Devices 62
4.2 Result of Attending Course or Program 64
4.3 Matrix Table of Selected Features 65
4.4 Result of Students Responds Towards the Education and Training 67
4.5 Result of Joining Class 67
4.6 Result of Information Security Awareness as Compulsory Course 68
4.7 Summary of Description Model 70
5.1 Details of Validator 77
5.2 Expert Witness Validation Result on Section A 83
5.3 Expert Witness Validation Result on Section B 84
5.4 Expert Witness Validation Result on Section C 85
5.5 Expert Witness Validation Result on Section D 85
5.6 Expert Witness Validation Result on Section E 86
5.7 Expert Witness Validation Result on Section F 86
5.8 Summarization of Model Description 93
LIST OF FIGURES
FIGURE NO. TITLE PAGE
2.1 Statistic of Smartphone 13
2.2 Statistic of Mobile Malware Arise 14
2.3 TechRepublic Survey Result 14
2.4 Survey Result Study on Password Usage 15
2.5 Survey Result Study on Antivirus Software Usage 16
2.6 Survey Result Toward Security Feeling on Mobile Device 16
2.7 List of Mobile Malware 23
2.8 List of Mobile Protection Software 23
2.9 List of Top Threats by Symantec 27
2.10 Information Security Learning Continuum 29
2.11 Centralized Program Management Model 30
2.12 Partially Decentralized Program Management Model 31
2.13 Fully Decentralized Program Management Model 32
2.14 IS Security Awareness Sequential Model 33
2.15 The Full E-Awareness Model (E-AM) 34
2.16 Framework for Evaluating ICT Security Awareness 35
2.17 Southern African Cyber Security Awareness Framework 36
2.18 Model by Andreas Tomek (SecurityResearch.at) 38
2.19 Slogans by Japanese National Information Security Center 39
2.20 Noticeboard by Gary Hinson (2012) 40
2.21 Security Awareness Maturity Model 42
2.22 Four Factor Influence Awareness 43
2.23 Approach for an Effective Information Security Awareness Program 47
3.1 Operational Framework 51
4.1 Relationship Table 61
4.2 Security Awareness Knowledge Result 63
4.3 Pre-Model Design 69
5.1 New Drafted Model 82
5.2 Final Design 88
LIST OF ABBREVIATIONS
GPS Global Positioning System
ICT Information and Communications Technology
IM Instant Messaging
IS Information System
IT Information Technology
LAN Local Area Network
MMS Multimedia Messaging Service
NIST National Institute of Standards and Technology
OS Operating System
PC Personal Computer
PDA Personal Digital Assistant
SMS Short Message Service
UTM Universiti Teknologi Malaysia
LIST OF APPENDIX
NO. TITLE PAGE
1 Appendix A 104
2 Appendix B 111
3 Appendix C 117
4 Appendix D 121
CHAPTER 1
INTRODUCTION
1.1 Introduction
To most people, the word security refers to a degree of protection against danger, damage, loss, harm and crime. Security takes the form of structures and processes that provide or improve protection. Every kind of work requires security and safety. "Safety First" is the most common message on signboards at construction sites and workplaces with a high risk of fatal accidents; this alone shows that security matters, because fatal injury and heavy losses follow when people are careless in their duties.
Since Information Technology is in high demand and widely used, security incidents in this area are also increasing rapidly. A recent example was reported in the online edition of Utusan Malaysia on 24 June 2011. In that article Adli Abd Wahid, Vice President of Cyber Security Responsive Services, said that most internet users in Malaysia do not know the right way to secure their computers and their data, and are not even aware of what a firewall is for. He advised all users to learn IT security in order to prevent breaches such as the one that had hit Malaysian Government websites shortly before.
Security awareness is important and necessary for any organization. Information security management consists of technical and procedural controls that protect information assets with respect to confidentiality, integrity and availability. However, many of these controls lose their effectiveness when staff act in a security-negative manner: they are unaware of the risk of their insecure behavior, and they set aside the organization's policies and standards because it is more convenient to work that way. Effective security therefore depends on creating a security-positive environment in which staff understand what is expected of them and behave accordingly.
1.2 Problem Background
Mobile devices are now used by people all over the world. They are updated year by year to deliver better services and applications. They make life easier because everything is at the user's fingertips: a single tap shows the information needed instantly. With thousands of applications offered by device makers in collaboration with service providers, people can pay bills, transfer money, book flights and even monitor their share portfolio from a mobile device.
Mobile devices such as cellular phones, PDAs (Personal Digital Assistants), smartphones and tablet PCs are exposed to various security threats: malicious code (viruses, worms and Trojan horses), vulnerabilities in the devices themselves, attacks on network communication, theft or damage of data and information, and mobile spam (Kim and Leem, 2005).
As the amount of information sent over wireless channels rises, new threats rise with it. Information security will become a critical issue for mobile devices and a major concern for their users, just as it is for computer users today (Bouwman et al., 2006; Malloy et al., 2002).
It is now recognized that information security is not just a technology problem, and in recent years the human factors in information security have become a major research topic (Hassel and Wiedenbeck, 2004; McCauley-Bell and Crumpton, 1998; Proctor et al., 2000). Security issues on mobile devices differ from those on computers: a mobile device may be infected through instant messages; users of mobile commerce may perceive security differently from users of e-commerce on a computer or laptop; and the privacy issues of mobile devices are also different.
So far, security and privacy awareness in mobile internet usage has received little attention in research and industry (Maurer, 2010). With the growing number of users who employ these devices for security-sensitive tasks such as internet banking, security and privacy mechanisms for mobile devices deserve more consideration.
1.3 Problem Statement
Many organizations work hard to protect their assets from harm, damage, loss and theft, and some spend thousands on strong security mechanisms. Installing good security mechanisms is not enough, however, while security awareness among employees remains low: intruders may use social engineering to get past the security tools that have been deployed, and even some professionals are unaware of the security implications of their actions at work.
Awareness is often overlooked by organizations and individuals alike. Most focus on acquiring advanced technology and rely on experts to monitor security issues, whereas information security awareness is the foundation on which people come to understand their security mission (Siponen, 2000).
The problem statements identified in this study are as follows. Students are typically drawn to advanced technology such as smartphones and other pocket-sized gadgets because these offer many functions that fit their lifestyle. Yet, as Androulidakis (2010) notes, many research papers have shown that the security of mobile devices is not sufficient; modern mobile devices, and smartphones in particular, are vulnerable to various security risks.
Adopting mobile devices without security knowledge or awareness, in the belief that the device is secure enough, leaves students exposed to these vulnerabilities and risks. Their devices may be compromised and their personal information stolen. Information security education should therefore become a priority for educational institutions, as was done in the United States over the past few years (Hentea, 2005). That author also states that some aspects of the security education model need attention or revision.
The research questions of this study are:
i. Which level of student is most at risk from security threats and lack of awareness?
ii. Should security awareness education courses and training programs be held at the university?
iii. Which aspects of the existing models require customization or modification?
iv. How can the proposed model increase awareness among students?
1.4 Project Aim
The aims of this study are to identify the current stage of awareness (low, intermediate or high) among students of different levels and fields, and to propose a security awareness model suited to UTM campus students. The broader purpose is to raise security awareness among both the organization and the students, so that they become alert to the vulnerabilities and attacks through which an intruder could damage or steal important data, causing loss to the organization or to the individual.
1.5 Objectives
Three objectives are to be achieved in this project:
i. To identify the current state of security awareness among mobile device users (UTM students) before and after they undergo training or proper education in a security awareness course or program.
ii. To design an appropriate model of information security awareness to raise awareness among students.
iii. To validate the proposed model and analyze the validation results.
1.6 Project Scope
The scope of the project includes the following:
i. The study focuses on the UTM campus as the target organization.
ii. UTM students are the target respondents.
iii. The survey covers respondents from different faculties and different levels of study.
iv. The survey results indicate the current stage of awareness among mobile device users.
v. The data are used to design an appropriate model for the UTM ICT unit to use as a guideline when implementing an educational course or training program for students.
1.7 Significance of the Project
The significance of this study lies mainly in proposing a model for the organization to follow. Security education and awareness programs are crucial, even though combining the two takes a great deal of time and effort. Experts generally agree that people are the greatest source of IT security problems. Statistics consistently show that the majority of security breaches are caused by insiders, and the damage they inflict on their organizations can be far more severe than anything done by hackers on the other side of the world (Pescatore, 2002).
Many, if not most, insider breaches are caused neither by disgruntled employees nor by students intent on doing harm. The common sources are:
i. People are not aware of the security threats.
ii. People wrongly rely on someone else to deal with them.
iii. People are not adequately skilled to address them.
iv. People simply feel they have more important things to do and neglect them.
1.8 Report Organization
This project report consists of six chapters, each organized around a different part of the work. The organization of the report is as follows:
Chapter 1 gives an overview of the study: the problem background, problem statement, objectives, scope and significance of the project.
Chapter 2 reviews the literature on information security, security awareness and mobile devices, and discusses previous researchers' work on the security issues in scope.
Chapter 3 explains the research methodology and describes the operational framework phase by phase, representing the flow of all tasks in the study.
Chapter 4 discusses the design implementation process: how the elements and features were selected to develop the proposed model, and how matrix tables were mapped to one another to build the relationships that support the design.
Chapter 5 presents the analysis and results of the students' survey feedback, together with the results of the model validation process that produced the final design.
Chapter 6 concludes the project with a discussion of the research achievements, the challenges and constraints of doing the research, and recommendations for future work, followed by a summary of the whole project.
CHAPTER 2
LITERATURE REVIEW
2.1 Introduction
This chapter probes the area of interest of the research so that the researcher understands its scope thoroughly. It briefly discusses previous studies of information security awareness and related work on raising awareness among people. The variety and evolution of mobile device technology are explained, together with its vulnerabilities. Several frameworks, models and guidelines for security awareness training programs are compared in order to synthesize ideas for a model suited to this study. The ideas drawn from previous work contribute to the solution design discussed in the following chapters.
2.2 Information Security Awareness
What is information security, and are most people aware of the term? Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. The fields are interrelated and share the common goal of protecting the confidentiality, integrity and availability of information, but they differ subtly in their approach to the subject, the methodologies they use and their areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data takes, whether electronic, printed or otherwise.
Security awareness, by contrast, is the knowledge and attitude that members of an organization possess regarding the protection of its physical and, more importantly, its information assets. It is a critical part of an organization's information security program: it is the human knowledge and behavior the organization uses to protect itself against information security risks. Androulidakis (2010) states that users who do not receive proper training in cyber security at school often lack security awareness and proper etiquette. Humans, like computers, store, process and transfer information; as a result, many attackers today target the user, bypassing most technical security controls by using techniques such as social engineering to obtain the information they want. Awareness, not just technology, is a key factor in an organization's goals to:
i. Reduce risk
ii. Protect its reputation
iii. Improve governance
iv. Be compliant
2.3 Component of Security Awareness
An organization has the right to protect itself against unauthorized disclosure; it also has an obligation to train its employees in what is approved and what is not, and in the appropriate behavior for handling information.
Peltier (2005) argues that learning for security awareness has three components, or elements:
i. Awareness, which is used to stimulate, motivate and remind the audience of what is expected of them.
ii. Training, the process that teaches a skill or the use of a required tool.
iii. Education, the specialized, in-depth schooling required to support the tools or as a career development process.
In developing an information security awareness training regime, the organization's human resources department should work with the IT department to ensure that the training adequately addresses the topic area and conforms to relevant laws and regulations (Coe, 2003).
2.3.1 Awareness
Security awareness efforts are designed to change behavior or reinforce good security practices. NIST Special Publication 800-16 defines awareness as follows: "Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance."
2.3.2 Training
Security awareness training is designed to educate users on the appropriate use, protection and security of information, on individual user responsibilities, and on the ongoing maintenance necessary to protect the confidentiality, integrity and availability of information assets, resources and systems from unauthorized access, use, misuse, disclosure, destruction, modification or disruption. The long-term benefits to an organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole.
2.3.3 Education
Security awareness education helps users handle sensitive information properly and protect confidential data. Staff may handle sensitive data as part of their daily routine, so it is imperative that they fully understand the security risks surrounding their duties. Educating employees, suppliers, partners and customers reduces the chance of the organization becoming a victim of today's data security threats; moreover, educated staff can act correctly if a security breach does occur. In addition, a number of industry and regulatory compliance initiatives require an organization to institute a formal security awareness program for employees.
2.4 Current Stage of Security Awareness
Previous research shows that security awareness is still at a low level and is often overlooked. As McConnell and Hamilton (2002) note, because of poor security awareness and training, most IT workplaces are not well prepared to handle attacks such as new viruses, worms and denial of service.
Since the internet became part of everyday life, many routine activities have been influenced by the technology. People now depend on the internet for work, business and even personal matters, and those who lack security awareness are easily exposed to threats and attacks. Teenagers are particularly exposed; the statistics cited by Hentea (2005) indicate that over 90% of computer attacks are initiated by them, which is why security education should be taught at an early age in school.
The growing number of applications and functions on mobile phones makes daily life easier, since the devices travel with us in our pockets. We may not notice, however, that we face new security risks at the same time. As Hypponen (2006) observes, once cellular phones evolved into smartphones with computer-like capabilities, allowing users to install software from sources other than the cellular network operator, they created a new class of vulnerability: mobile malware. Figures 2.1 and 2.2 show that as the number of smartphone users increases, mobile malware grows as well.
Figure 2.1: Statistics of smartphones (Hypponen, 2006).
Figure 2.2: Statistic of Mobile Malware Arise (Mikko Hypponen, 2006).
Furthermore, a previous study by Loraine Lawson (2000), who ran an informal
TechRepublic survey, concluded that many companies lack awareness of mobile device
security. The author explained that the majority of respondents said their companies do
not have a security policy that addresses mobile devices and that they do not take measures
to secure their mobile devices. Figure 2.3 shows the respondents' feedback from the survey.
Figure 2.3: TechRepublic Survey Result (Loraine Lawson, 2000)
In addition, the Androulidakis (2011) study of students in Budapest produced a
negative finding. Only 24.5% of students use a password in screen-saver mode, as
presented in Figure 2.4. This leaves their mobile devices ready to be manipulated by
unauthorized persons. Applying a PIN to a mobile device is not enough on its own to
protect the device from an attacker: within a few minutes, an attacker can download
specific software (malware) to the device without the knowledge of its owner.
Figure 2.4: Survey Result Study on Password Usage (Androulidakis, 2011).
Besides, the study reveals that the students in Budapest lack security knowledge and
have a different mind-set. Figure 2.5 shows that 44% do not even know whether antivirus
products for mobile phones exist, while another 19% of users know of existing antivirus
products but do not install them on their mobile device. Only 12.3% are using one. By
comparison, nearly every PC user nowadays installs an antivirus, even if only a free
product. This shows that the sense of security on mobile devices leads users to overlook
security practices, as presented in Figure 2.6.
Figure 2.5: Survey Result Study on Antivirus Software Usage (Androulidakis, 2011)
Figure 2.6: Survey Result Towards Security Feeling on Mobile Phones (Androulidakis,
2011)
In conclusion, the security awareness level is currently not satisfactory. Even
though mobile device users are now alert enough to turn off Bluetooth while not using it
(Androulidakis, 2011), the vulnerabilities do not come from that particular part only.
Therefore security awareness courses and programs are needed in schools, universities,
government and private organizations, as mentioned by Aloul (2010).
Table 2.1: Matrix Table Who Needs Awareness
Columns (current study/finding: who needs awareness): Staff / Worker / Employees; Student
Authors (rows):
A perspective on Achieving Information Security Awareness (Hentea, n.d.)
The Need for Effective Information Security Awareness (Aloul, 2010)
Self-Awareness before Networking (Hasan & Hussin, 2010)
Information Security Awareness in Higher Education: An Exploratory Study (Rezgui & Marks, 2008)
A Video Game for Cyber Security Training and Awareness (Cone, Irvine, Thompson, & Nguyen, 2007)
Value-Focused Assessment of ICT Security Awareness in an Academic Environment (Drevin, Kruger, & Steyn, 2007)
Promoting Digital Forensics Awareness through the University of Alaska Fairbanks ASSERT Center (Nance, Hay, & Hecker, 2007)
Differences in Users' State of Awareness and Practices Regarding Mobile Phone Security Among EU Countries (Androulidakis, n.d.)
A Comparative Study of Information Security Awareness in Higher Education Based on The Concept of Design Theorizing (Marks & Ph, 2009)
Mobile Phone Security and Practices of Students in Budapest (Androulidakis, 2011)
Bluetooth Usage Among Students as an Indicator of Security Awareness and Feeling (Androulidakis & Kandus, 2011a)
Mobile Phone Downloading Among Students: The Status and Its Effect on Security (Androulidakis & Kandus, 2011b)
Constructivist Approach to Information Security Awareness in The Middle East (Boujettif & Wang, 2010)
Five Dimensions of Information Security Awareness (Siponen, 2001)
Towards Interface Specification and Design Guidelines to Raise User Awareness of Application Security (Macdonald & Smith, n.d.)
Matrix Table 2.1 shows that seven of the fifteen studies suggest that the awareness
course or program should be implemented for students only, and three of the fifteen say
employees or staff only. The remaining five suggest that the awareness program should be
applied to both students and employees. A clearer view is presented below:
i. Students : 7 out of 15 researchers suggested
ii. Employees / staff : 3 out of 15 researchers suggested
iii. Both (Student & Staff) : 5 out of 15 researchers suggested
2.5 Mobile Device Technology
What is a mobile device? A mobile device is a handheld device, in other words a
handheld computer. Mobile devices usually come with a touch or non-touch display screen
and may be attached to other accessories such as a mini keyboard or mini external speaker.
There are many types of mobile device; the most common are mobile phones, smartphones,
PDAs, pagers and Personal Navigation Devices. Smartphones and PDAs are the most
preferred mobile devices, offering all the conveniences of a personal computer in a very
small form factor. EDAs (Enterprise Digital Assistants) are commonly used by business
people because they best suit business purposes.
2.5.1 Categories of Mobile Devices
The term mobile device covers a wide range of consumer electronics. Usually it
describes devices that can connect to the Internet; however, digital cameras and standard
MP3 players are classified as mobile devices as well. The categories of mobile devices
include the following, as well as others:
i. Personal Digital Assistant (PDA)
PDAs are handheld devices that combine elements of computing, telephone/fax,
Internet and networking in a single device. A typical PDA can function as a cellular phone,
fax sender, Web browser and personal organizer. Unlike portable computers, most PDAs
began as pen-based, using a stylus rather than a keyboard for input, and some incorporate
handwriting recognition. Some PDAs can also respond to voice input using voice
recognition technology. There are many different types of PDA, but most models run
either Palm software or a special version of Microsoft Windows called Windows Mobile.
All models can interface with a laptop or desktop system, though optional accessories may
be required. Synchronization between computer and PDA is one of the most popular
features of this digital device.
A PDA may also incorporate cellular phone functionality and wireless local area
network (LAN) capability, so it can connect to the Internet to check email, send messages
or watch the stock market. With flash card capability, a PDA can store, access and transfer
virtually any kind of data, including maps, spreadsheets, presentations and dockets.
ii. Smartphones
A smartphone is a high-end mobile phone built on a mobile computing platform,
with more advanced computing ability and connectivity than a contemporary feature
phone. Smartphones combine both mobile phone and handheld computers into a single
device. Today's models also serve to combine the functions of portable media players, low-
end compact digital cameras, pocket video cameras, and GPS navigation units. Modern
smartphones typically also include high-resolution touch screens, web browsers that can
access and properly display standard web pages rather than just mobile-optimized sites,
and high-speed data access via Wi-Fi and mobile broadband.
The most common mobile operating systems (OS) used by modern smartphones
include Apple's iOS, Google's Android, Microsoft's Windows Mobile and Windows
Phone, Nokia's Symbian, RIM's BlackBerry OS, and embedded Linux distributions such as
Maemo and MeeGo. Such operating systems can be installed on many different phone
models, and typically each device can receive multiple OS software updates over its
lifetime.
iii. Tablet PC
A tablet PC is a wireless, portable personal computer with a touch screen interface.
The tablet form factor is typically smaller than a notebook computer but larger than a
smartphone. A convertible tablet typically has a display that rotates 180 degrees and can be
folded to close, screen up, over the integrated keyboard. Convertible models may allow
user input through a variety of methods in addition to the hardware keyboard, including
natural handwriting with a stylus or digital pen and typing on a screen-based software
keyboard. A slate tablet, such as an iPad, has its electronics integrated into the touch screen
unit and lacks a hardware keyboard; external keyboards are available for slate tablets,
some of which function as docks for the device. Besides, some tablets, such as the Samsung
Galaxy Tab, can even make phone calls.
2.5.2 Mobile Application
The revolution in mobile devices advanced when many applications were added to
the basic functions of the mobile phone. Many mobile applications, such as SMS/MMS
clients, internet browsers and music players, are pre-installed on the phone, while others
may be provisioned or configured at the point of sale. In addition, users can download
applications over the wireless network and install them instantly, or obtain them from the
mobile operator's store. Mobile applications have evolved to the point that they now give
users rich and fast services on the go. Table 2.2 shows some examples of widely used
mobile applications (source: Mobile Marketing Association, Sept. 2008).
Table 2.2: Example of mobile application (source from: Mobile Marketing Association,
Sept. 2008).
Mobile Application Type
Communication: E-mail clients; IM clients; Mobile web and internet browser; News/Information clients; Social Network Client
Games: Puzzle/Strategy; Action/Adventure; Sports
Multimedia: Graphics/Image viewer; Presentation viewers; Video and Audio Players; Streaming player
Productivity: Calendars; Calculators; Diary; Notepad/memo/word processors; Banking/Finance
Travel: GPS/maps; Translator; Currency converter; Weather
Utilities: Profile manager; Address book; Task manager; Call manager; File manager
2.5.3 Mobile Device Security and Threat/Attack
The growth of technology makes human life easier, and mobile devices have
become important gadgets that help people in their daily life. Devices that are connected
to a network are exposed to security issues. For mobile phone networks, security is a
critical issue for end users and service providers from various perspectives; in other words,
consumers need an assured level of trust before they embrace wireless services. As
mentioned in the Australian Government's National Cyber Security Awareness Week
article (June 2010), since the number of users of mobile phones, computer game consoles,
Wi-Fi and other devices that access the internet is increasing, better cyber security over
those devices has also become much more important.
The 2009 Australian Mobile Phone Lifestyle Index report stated that 21% of
respondents commonly browse websites on their mobile phone at least once a day, and
25% of respondents reported using their mobile phone for banking.
There are many types of security risk. Some can be classified as physical attacks
and some as logical attacks. A physical attack concerns something physical, such as the
device being stolen or broken. A logical attack is related to computer programs that harm,
damage or steal data through the network; it spreads easily to those who are not aware
while connecting to the network or internet, without their knowledge. Figure 2.7 lists the
top-ranking mobile malware described by Mikko Hypponen (2006) in his article, and
Figure 2.8 lists mobile protection software against that malware.
Figure 2.7: List of Mobile Malware (Mikko Hypponen, 2006).
Figure 2.8: List of Mobile Protection Software (Mikko Hypponen, 2006)
Jamie de Guerre (CTIA 2008) reported the threats and solutions of recent years, as
presented in Table 2.3. He identified threats from 2005 through to future expectations, and
they appear to increase dramatically from year to year.
Table 2.3: Recent Threat and Solution (Jamie de Guerre, CTIA 2008)
Matrix Table 2.4 presents the researchers' studies of mobile threats. From
observation, malware takes first rank: many studies have found that malware, including
viruses, worms and Trojan horses, has moved broadly to mobile devices. Since the
capabilities of mobile devices now equal those of a normal PC, they have become
attractive targets for malware developers. Mobile devices currently share the same
vulnerabilities as PCs, but the situation is worse because different brands run various
operating systems, unlike the PC.
Matrix Table 2.5 presents the applications of mobile devices against the mobile
threats. Previous studies have found that malware can exploit and spread across the entire
range of mobile applications. Once the malware is installed on the device, it takes control
and explores on its own to gain personal data.
Table 2.4: Matrix Table of Threat
Columns (mobile threat): Malware / Malicious Code; Virus; Worm; Spam; Denial of Service; Data Stolen / Theft / Lost; Phishing; Spyware; Software Piracy; Social Engineering; Mobile Hijacking; Application Attack; Jailbreaking; Trojan; Snarfing
Authors (rows):
Malware goes Mobile (Hypponen, 2006)
Mobile Phone Vulnerabilities: A New Generation of Malware (Jamaluddin, Zotou, Member, & Coulton, n.d.)
Cyber Threats to Mobile Phones (Ruggiero & Foote, 2011)
Exploitation and Threat Analysis of Open Mobile Devices (Liu, Zhang, Yan, & Chen, 2009)
Mobile Phone Security, Special Edition (Alpha Omega Group, 2010)
Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones (Mulliner, 2009)
Towards Dynamic Malware Analysis to Increase Mobile Device Security (Becher & Freiling, n.d.)
Intrusion Detection for Mobile Devices Using the Knowledge-Based, Temporal Abstraction Method (Shabtai, Kanonov, & Elovici, 2010)
Users' Perceptions on Mobile Device Security Awareness in Malaysia (Sabeeh, 2011)
Differences in Users' State of Awareness and Practices Regarding Mobile Phone Security Among EU Countries (Androulidakis, 2010)
A Secure Energy-Efficient M-Banking Application for Mobile Devices (Cano & Domenech-Asensi, 2011)
A Survey of Mobile Malware in the Wild (Felt, Finifter, Chin, Hanna, & Wagner, 2011)
Application Lockbox for Mobile Device Security (Luo & Kang, 2011)
Mobile Phones: The Next Frontier for Hackers? (Leavitt, 2004)
Table 2.5: Matrix Table of Application versus Threat
Columns (mobile threats): Malware; Virus; Worm; Spam; Denial of Service; Device Lost/Stolen; Phishing; Spyware; Software Piracy; Social Engineering; Mobile Hijacking; Application Attack; Jailbreaking; Trojan; Snarfing
Mobile Application Type (rows):
Communication: E-mail clients; IM clients; Mobile web and internet browser; News/Information clients; Social Network Client; SMS / MMS; Bluetooth
Games: Puzzle/Strategy, Action/Adventure, Sports, etc.
Multimedia: Graphics/Image; Downloading Application; Video and Audio; Streaming player
Productivity: Calendars; Diary; Notepad/memo/word processors; Banking/Finance
Travel: GPS/maps
Utilities: Profile manager; Address book; Task manager; Call manager; File manager
Lastly, Figure 2.9 illustrates the top six threats to mobile devices according to
Symantec. The figure briefly explains the six threats most commonly reported to them.
Figure 2.9: List of Top Threats by Symantec (Enterprise IT News Wednesday, 21
December 2011 00:36)
2.6 Existing Framework /Models /Guidelines /Slogans for Security Awareness
Program
A study of existing frameworks, models and guidelines for security awareness is
important in order to understand how they are conducted and how they can be adapted to
an organization. Some of the models share parts of their structure, with only a few
modifications made to enhance an earlier model. All of these models have one objective:
to increase the level of awareness among the staff of an organization.
2.6.1 The Continuum (A role and performance model)
The model, presented in Figure 2.10, is role-based. It defines the information
security learning needed as a person assumes different roles within an organization and
different responsibilities in relation to information systems. NIST uses the model to
identify the knowledge, skills, and abilities an individual needs to perform the information
security responsibilities specific to each of his or her roles in the organization. The model
illustrates the following concepts:
i. Basic Security Awareness is explicitly required for employees, including
contractor employees, who are involved in any way with information systems.
In today's environment this typically means all individuals within the
organization.
ii. Awareness Training (Basics and Literacy), is a transitional stage between
Basic Awareness and Role-based Training. It provides the foundation for
subsequent specialized or role-based training by providing a universal baseline
of key security terms and concepts.
iii. Role-based Training becomes focused on providing the knowledge, skills,
and abilities specific to an individuals roles and responsibilities relative to
information systems. At this level, training recognizes the differences between
beginning, intermediate, and advanced skill requirements.
iv. The Education level focuses on developing the ability and vision to perform
complex multi-disciplinary activities and the skills needed to further the
information security profession and to keep pace with threats and technology
changes.
v. Professional Development is intended to ensure that users, from beginner
to career security professional, possess the level of knowledge and competence
required for their roles. Professional development validates skills through
certification and advanced education such as undergraduate and graduate
studies and degrees.
Figure 2.10: Information Security Learning Continuum (Wilson, Hash, & Division, 2003)
2.6.2 NIST-SP800-50 Model 1: Centralized Program Management Model
(Centralized Policy, Strategy, and Implementation)
Figure 2.11 presents Model 1, in which a central authority is responsible for the
budget of the IT security awareness and training program for the entire organization. All
directives are coordinated by this security awareness authority. The central authority
develops the training strategy, training plan and training material, informed by a needs
assessment that determines the strategy. Both the CIO and the IT Security Program
Manager are located at the central authority. Two-way communication must be established
between the central authority and the organizational units.
This centralized program management model is often deployed by agencies that:
i. Are relatively small or have a high degree of structure and central management of
most IT functions;
ii. Have, at the headquarters level, the necessary resources, expertise, and knowledge
of the mission(s) and operations at the unit level; or
iii. Have a high degree of similarity in mission and operational objectives across all of
its components.
Figure 2.11: Centralized Program Management Model (Wilson et al., 2003)
2.6.3 NIST-SP800-50 Model 2: Partially Decentralized Program Management
Model (Centralized Policy and Strategy; Distributed Implementation)
Figure 2.12 presents Model 2, in which security awareness and training policy and
strategy are defined by a central authority, but implementation is delegated to line
management officials in the organization. Awareness and training budget allocation,
material development, and scheduling are the responsibilities of these officials.
This partially decentralized program management model is often deployed by agencies
that:
i. Are relatively large or have a fairly decentralized structure with clear
responsibilities assigned to both the headquarters (central) and unit levels;
ii. Have functions that are spread over a wide geographical area; or
iii. Have organizational units with diverse missions, so that awareness and training
programs may differ significantly, based on unit-specific needs.
Figure 2.12: Partially Decentralized Program Management Model (Wilson et al., 2003)
2.6.4 NIST-SP800-50 Model 3: Fully Decentralized Program Management Model
(Centralized Policy; Distributed Strategy and Implementation)
Figure 2.13 presents Model 3, in which the central security awareness and training
authority (CIO/IT security program manager) disseminates broad policy and expectations
regarding security awareness and training requirements, but gives responsibility for
executing the entire program to other organizational units. This model normally uses a
series of distributed authority directives driven from the central authority, which usually
means creating a subsystem of CIOs and IT security program managers subordinate to the
central CIO and IT security officer.
This fully decentralized program management model is often deployed by agencies
that:
i. Are relatively large;
ii. Have a highly decentralized structure with general responsibilities assigned to the
headquarters (central) level and specific responsibilities assigned to unit levels;
iii. Have functions that are spread over a wide geographical area; or
iv. Have quasi-autonomous organizational units with separate and distinct missions, so
that awareness and training programs may need to differ greatly.
Figure 2.13: Fully Decentralized Program Management Model (Wilson et al., 2003)
2.6.5 IS Security Awareness Sequential Model
Figure 2.14 combines the ideas of Yacine Rezgui, Adam Marks and P. Pihakainen
(2006) to produce the sequential model. Their findings support the application of design
theorizing in general, and of training, campaigning, and reward and punishment in
particular, as effective tools for achieving IS security awareness. They believe that the
combined use of the three IS security awareness approaches will yield better results than
their independent use, although Pihakainen (2006) states that the three approaches
(training, campaigning, reward and punishment) can also be used independently.
Figure 2.14: IS Security Awareness Sequential Model (Marks & Ph, 2009)
2.6.6 Full E-Awareness Model (E-AM)
Figure 2.15 shows the E-Awareness model proposed by E. Kritzinger and S.H. von
Solms (2010). The first component of the model is the awareness component, called the
E-Awareness Portal (E-AP). The main function of the E-AP is to provide up-to-date
content on information security risks within the home user environment; this component
addresses the information security awareness content. The aim is to introduce home users
to relevant information security issues such as what information security is, why it is
important and how to apply it. It is important to understand that the users of this portal
have limited or no information security background.
Figure 2.15: The Full E-Awareness Model (E-AM) (E. Kritzinger and S.H. Von Solm,
2010).
2.6.7 Framework for Evaluating ICT Security Awareness
Figure 2.16 presents a framework for evaluating security awareness by H.A.
Kruger et al. (2006). The purpose of the framework is to provide an effective manner of
implementing and evaluating an ICT awareness training program. It also helps to focus
the questions or aspects to be measured when developing tools such as survey questions,
and it assists the management team in dealing with the task of an awareness training
program. The framework was developed jointly in an academic environment and at a
private enterprise, and forms part of an ongoing research process. All stakeholders are
needed to establish the focus areas: the value-focused approach (VFA) takes into account
stakeholders' wishes, concerns, problems and values pertaining to information security
awareness in order to identify them. Employees are then surveyed to determine their
awareness level on the three components of the framework, which are behavior,
knowledge and attitude. These three components form the basis used to develop a model.
Figure 2.16: Framework for Evaluating Security Awareness (Science, 2006)
2.6.8 Southern African Cyber Security Awareness Framework
The framework for cyber security awareness programs (CSAPs), depicted in Figure
2.17, provides a basis for organizing such campaigns within a country. The national cyber
security policies, legislation, procedures, laws and standards should serve as the foundation
upon which CSAPs are built (Y. Rezgui and A. Marks, 2008).
Figure 2.17: Southern African Cyber Security Awareness Framework (Leenen, et al.,
2011)
The CSAP framework further suggests that the Planning, Designing, Implementation
and Evaluation processes should be continuous. Since cyber security awareness programs
are cyclic, the four processes should follow the same cyclic pattern (B.D. Cone, C.E.
Irvine, M.F. Thompson and T.D. Nguyen, 2008). The following components constitute the
process of formulating cyber security awareness programs:
i. Security Awareness Goals and Objectives: these must be defined in terms of
the national legislation, laws, policies and standards as well as continental
policies and agreements.
ii. Identify Current Training Needs: see Figure 2.17.
iii. Obtain Support: see Figure 2.17.
iv. Identify Intended Audience: these are the target trainees to whom the cyber
security awareness program will be delivered (e.g. community citizens, IT
employees, non-IT employees, students, learners, etc.).
v. Define Topics to be Covered: the list of topics must be evaluated in terms of
relevance to each targeted audience.
vi. Establish Security Policy: this policy states the governance of all
security-related assets, devices and infrastructure, to assist in governing all
cyber security related gadgets.
vii. Define Delivery Methods to be Used: this covers the way in which the
CSAP will be presented to different audiences (e.g. primary learners: cyber
security posters and drawings; employees: the e-mail system, company
newsletter, seminars, etc.).
viii. Develop a Strategy for Implementation: this should be decided at all levels,
and the entire program should be evaluated for possible loopholes (e.g. the
program's implementation should start from grade zero in schools; or the
arrangement of seminars in the workplace, that is, which group attends first,
so as not to disrupt all of the company's duties).
2.6.9 Awareness Model by [SecurityResearch.at]
The human factor is one of the most pressing security risks within an organization.
Every employee's awareness of security issues is a basic necessity for an adequate level of
information security. Well-trained employees provide timely detection of social
engineering attacks and contribute significantly to the company's overall security standard.
Security awareness trainings focus on different target audiences, such as
management, IT administrators and users, and may encompass a number of elements to
address the most important risk factors in an organization. Securityresearch.at has
produced the model presented in Figure 2.18 to guide organizations in this.
Figure 2.18: Model by (DI.Mag. Andreas Tomek, securityresearch.at)
2.6.10 Japanese National Information Security Center Slogan
Figure 2.19 presents the slogan "Aware, Secure, Continue", adopted for February,
which is Information Security Awareness Month in Japan. This short and simple slogan,
expressing the essence of information security measures, was used in various programs and
activities throughout the month. The slogan reminds staff to mind each step so as to be
more secure, and also serves as a guideline for workers.
Figure 2.19: Slogans by Japanese National Information Security Center (NISC, 2011-
2012)
2.6.11 Awareness Noticeboard
The Noticeboard presented in Figure 2.20 is a creative product that contributes to
awareness, training and education (ATE) activities. In Special Publication 800-50 and the
earlier 800-16, NIST explains that:
i. Awareness involves guiding and motivating people towards appropriate behaviors;
ii. Training helps people develop specific skills;
iii. Education provides a broad basis by explaining conceptual frameworks and
factual information.
Figure 2.20: Noticeboard by (Dr Gary Hinson PhD MBA CISSP, 2012)
The Noticeboard includes elements of all three, but its primary aim is to raise
awareness, provide information and guidance to the identified audience groups (staff,
managers and IT professionals) and motivate them to change their behavior. It is important
to emphasize that security awareness supplements, rather than replaces, technical security
controls: security awareness is just one of several essential security measures.
Noticeboard supports the three Es by helping customers:
i. Establish the requirements for information security, the rules as defined
in policy, and raise awareness of the need for compliance;
ii. Educate employees on their information security obligations and the potential
consequences of ignoring them, through an ongoing awareness program; and
iii. Enforce the rules by promoting suitable compliance activities, coupled with
controls to identify and minimize information security near-misses as well as
actual incidents (learning from others' mistakes is even more valuable than learning
from our own, because we don't suffer the impacts of failure, only the benefits of
enhanced security awareness).
2.6.12 Security Awareness Maturity Model
One of the biggest challenges in security awareness is its lack of maturity. Many
fields within information security have developed and matured over the years, with entire
frameworks built around them: penetration testing, system hardening, secure software
development and digital forensics, for example. Awareness, however, has had no
framework or maturity model. The Security Awareness Maturity Model is an important
first step to address this. Developed by consensus among more than twenty organizations,
the model in Figure 2.21 helps organizations identify how mature (or immature) their
program is and where they can take it.
Figure 2.21: Security Awareness Maturity Model (Ispitzner, 2012)
2.6.13 Factor of Influence Awareness
The four factors shown in Figure 2.22 were identified from the matrix analysis of
factors that influence information security, from the perspective of awareness and its
measurement. These factors are the main points of understanding, taken from the previous
articles, research, and dissertations of several authors. The next paragraph will explain how
these factors relate to information security awareness.
Figure 2.22: Four Factor Influence Awareness (Kamal, Fakeh, Zulhemay, Shahibi, & Ali,
2012)
Policy is a reference for employees. It is a tool for management to guide their
subordinates, by educating them based on what the policy states. Education is a
communication between user and educator. Education can influence the knowledge of the
end user. Knowledge of technology is important, as information is organized and
communicated using technology. For example, before users receive education about
malicious software, they simply take the installed programs for granted and click any link
they want in the emails they receive. However, by educating them about how harmful such links
can be, because of malicious programs and fraudulent links, they are made more
aware. This is how education relates to knowledge of technology and the related
items. Knowledge can change human behavior. By having knowledge, users can act
appropriately. They know how to act when something occurs, making the right decision
for the situation, and in time to avoid inappropriate events in the workplace.
2.6.14 Summary of Existing Framework/Model/Guidelines
As a conclusion, the selected elements of the existing frameworks and models have been
transformed into a matrix table to give a clear view of the selection made. This also makes
it easier to map each component or element before making a selection. Table
2.6 presents the analysis of the components and elements that have been mapped to each other.
Table 2.6: Matrix Table of Features
Columns (elements / features / components): Policy; Awareness; Education; Training;
Guidelines; Evaluation / Assessment; Motivation (Behavior & Attitude); Enforcement; Tools;
Application; Campaign; Punishment / Reward; Procedures; Knowledge of Technology.
Rows (authors / studies):
1. NIST-SP800-50 (Wilson et al., 2003)
2. A Framework for Evaluating ICT Security Awareness (HA Kruger, L Drevin, T Steyn)
3. Cyber Security for Home Users: A new way of protection through awareness
enforcement (Kritzinger & von Solms, 2010)
4. Setting up an Effective Information Security Awareness Programme (Maeyer, n.d.)
5. Information Security Awareness Amongst Academic Librarian (Kamal et al., 2012)
6. A Comparative Study of Information Security Awareness in Higher Education
Based on The Concept of Design Theorizing (Marks & Ph, 2009)
7. Developing Security Education and Awareness Programs (Payne, 2003)
8. NIST-SP800-124 Guidelines on Cell Phone and PDA Security (Jansen & Scarfone, n.d.)
9. Chapter 17 Information Security Awareness: Chapter Objectives; 17.1 Ensuring Employees
Understand Their Role in Security; 17.3 Information Security Awareness Elements (n.d.)
10. Information Security Management: An Information Security Retrieval and
Awareness Model for Industry (Kritzinger & Smith, 2008)
11. A Prototype for Assessing Information Security Awareness (Kruger & Kearney, 2006)
12. An Overview of International Cyber-Security Awareness Raising and
Educational Initiatives (Street & Park, 2011)
13. Proceedings of the First IFIP TC9 / TC11 Southern African Cyber Security
Awareness Workshop 2011, Gaborone, Botswana, 12 May 2011 (Leenen et al., 2011)
14. Information Security Awareness in Higher Education: An Exploratory Study
(Rezgui & Marks, 2008)
15. IT Security Awareness and Training: Changing the Culture of State
Government (Awareness, May, & Your, 2007)
2.7 Current Technique of Designing, Developing and Implementing the
Awareness Program
There are many current techniques for designing, developing and implementing an
awareness program in organizations. Some organizations use a model or guideline
based on the NIST recommendations that suits them, while others use none, probably
depending on their own organizational policy. One example, in Figure 2.23, shows an
approach for an effective information security awareness program.
Figure 2.23: Approach for an Effective Information Security Awareness Program
(Maeyer, 2007)
The key phases in this approach are:
i. Set clear, defined and measurable objectives and goals for security awareness
that address the problems of security-negative behavior.
ii. Scope and design the security awareness program by creating a formal project.
The program can contain one or more awareness campaigns. Each campaign should
have its own specific goal to change a specific aspect of security-negative behavior.
After developing the awareness plan, organizational buy-in needs to be sought and
secured.
iii. Develop the security awareness campaigns that support the business needs of the
organization and are relevant to the organization's culture.
iv. Implement the security awareness campaigns that deliver the awareness
messages in a meaningful way to the employees. Employees should get the feeling
that the messages were developed specifically for them.
v. Measure the effectiveness of the campaigns so that effective activities can be
repeated, if necessary, and other activities can be revised. Monitoring compliance
and effectiveness should lead to continuous improvement. After all, for security
awareness you never can do enough.
2.8 Summary
This chapter briefly presented the issues of Information Security Awareness based
on previous research. Various sub-topics were discussed in this chapter to cover the
needs of the study. The current level of public awareness is vital in order to advance the
study. Mobile threats, which correlate with awareness, were also discussed to support the
findings. This review of the sub-topics contributes useful ideas for the next
chapter. All the information in the literature review will be used in proposing the operational
framework of the study.
CHAPTER 3
METHODOLOGY
3.1 Introduction
Methodology is one of the important parts of a project or of research. It
discusses the flow of techniques used in the study in order to achieve the goals of
the project. The techniques and methods are explained in detail in the sub-topics of this
chapter. The operational framework describes the overall picture of the project flow, and the
summary table relates the activities to the research objectives. The phases of the
operational framework are detailed in this chapter.
3.2 Operational Framework
This operational framework is divided into three phases: phase 1
(information gathering), phase 2 (design) and phase 3 (validation). The phases are related to
each other so as to achieve the objectives stated in Chapter 1, and they are
organized step by step to give a clear process flow for the research. Figure 3.1 shows
the operational framework. Table 3.1 presents a summary of the activities
applied in the study to meet the project objectives.
Figure 3.1: Operational Framework
(Flowchart summary.) Phase 1: Literature Review, analysis of existing frameworks, models
and guidelines; output: matrix table comparison, and the elements and features of existing
frameworks and models to be applied. Pre-Study: distribute questionnaire to student
representatives of each faculty in UTM; output: current level of attitude, behavior and
awareness concern toward Information Security Awareness. Phase 2: Design Solution,
pre-design model of Information Security Awareness on Mobile Device, applying the
selected existing elements plus additional ideas from the survey result. Phase 3:
Validation of the design model, done by CICT of UTM and supported by other expert
witnesses (ICT of UTHM; IT Department of the Ministry of Women, Family and Community
Development); if the model is not confirmed (NO), the design is revised, otherwise the
model design is confirmed (YES).
Table 3.1: Activities Summarization Table
Objective 1: To identify the current state of security awareness among mobile device
users (UTM students) before they undergo training or receive proper education in a
Security Awareness course or program.
Activities:
1. Review previous research papers and study existing frameworks, models and
guidelines of security awareness.
2. Review current issues and current statistics of Information Security Awareness.
3. Pre-study (informal or indirect interviews with close friends).
4. Observation of the students' surrounding attitude and behavior.
5. Distribute a preliminary online basic questionnaire on Information Security
Awareness on mobile devices to UTM students via Facebook.
6. Analyze the existing frameworks and models and the feedback from the questionnaire.
Results:
1. List of frameworks, models and guidelines.
2. Current attitude and behavior of the students regarding security awareness concern.
3. Current level of awareness among UTM students.
4. Matrix table comparison and threats to a mobile device.
5. Statistics of the questionnaire results.
Objective 2: To design an appropriate model of Information Security Awareness to raise
awareness concern among students.
Activities:
1. Select elements from existing frameworks and models to propose a new
appropriate model.
2. Reanalyze the pre-design model.
3. Design a second-phase questionnaire that is more detailed and focused on the
target respondents.
4. Distribute it to each faculty, with three representatives contributing from each faculty.
5. Analyze feedback from the questionnaire.
6. Alter the pre-design model so that it suits and maps to the new data.
Results:
1. Conceptual framework design (pre-design model).
2. Statistics of the new feedback data.
3. Current level and attitude, by every detail of the students' background of study,
toward Information Security Awareness on Mobile Devices.
4. Additions and alterations of features and elements to the pre-design model.
Objective 3: To analyze, evaluate and validate the proposed model.
Activities:
1. Design the validation questionnaire.
2. Deal with the head of CICT at UTM and the other supporting expert witnesses.
3. Distribute questionnaires to each representative of the expert witnesses mentioned,
to support the model validation process.
4. Analyze feedback for any changes to be applied.
5. Finalize the model.
Results:
1. Feedback from the validation and approval of the model.
2. Enhancements, if any.
3. Security Awareness Model on Mobile Devices.
3.2.1 Phase 1 (Information Gathering)
In phase 1, information gathering was done through an analysis of previous
researchers' existing frameworks, models and guidelines of Information Security
Awareness. In addition, current issues and statistics related to Information Security Awareness
on mobile devices were reviewed in order to support the literature review of the study.
From those activities, useful information was presented in a matrix table, while a
prediction of the current level of awareness concern among UTM students could be made.
In addition, to confirm the initial state of the students' security awareness concern on mobile
devices, a pre-study was done through an online preliminary survey in
Project 1, but that consisted of only a few basic questions to random UTM student respondents.
Then the extended survey, as attached in Appendix A, was distributed manually
to faculty representatives, with a few faculties selected to
represent all the faculties in UTM. Those representative faculties were
divided into three domain categories, as follows:
i. Faculty of Engineering: represents all engineering faculties, such as
mechanical, electrical, chemical and civil.
ii. Faculty of Science: represents the faculty of computer science, the faculty of
science & mathematics, geo-information, and built environment.
iii. Faculty of Management: represents the faculty of management and the faculty
of education.
The survey results were converted to a statistical view to give a clear picture
for the review discussed in the next chapter. The questionnaire feedback
contributes to the current level of attitude, behavior, awareness knowledge and concern
toward Information Security Awareness on Mobile Devices among students from
different backgrounds of study. Hence, these results become additional ideas to be
mapped against the literature review in proposing the design solution in phase 2.
3.2.2 Phase 2 (Propose Design)
The design of the information security awareness model was done in this
phase. At first, while sketching the model design, consideration was given to which existing
elements from the frameworks and models are suitable for a new model and applicable to the
students' current level of awareness knowledge and concern. The selection of each element and
feature of the existing frameworks and models was important in order to match the
students' current level of awareness.
However, most of the existing frameworks and models were oriented toward
staff and workers in organizations; therefore, the newly proposed design model was based on a
combination of the analysis from the literature review and the pre-study section. Resu