Module 8 Administering Security


Transcript of Module 8 Administering Security

Page 1: Module 8 Administering Security

Network Security, Philadelphia University

Ahmad Al-Ghoul, 2010-2011

Module 8: Administering Security

Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]

Page 2: Module 8 Administering Security

Contents

• Personal Computer Security Management
• Contributors to Security Problems
• Security Measures
• Protection of Files
• Access Control Mechanisms for PCs
• Risk Analysis
• THEORETICAL FRAMEWORK
• Reacting to Threats
• CULTURE AND RISK
• STAKEHOLDER MODEL
• RISK COMMUNICATION
• TRUST AND CONFIDENCE VS CREDIBILITY
• INSTITUTIONAL CREDIBILITY
• Risk Perception, Trust and Credibility

Page 3: Module 8 Administering Security

Personal Computer Security Management

• Security problems for personal computers are more serious than on mainframe computers
  – people issues
  – hardware and software issues
• Lack of sensitivity
  – users do not appreciate the security risks associated with the use of PCs
• Lack of tools
  – hardware and software tools are fewer and less sophisticated than in the mainframe environment

Page 4: Module 8 Administering Security

Contributors to Security Problems

• Hardware vulnerabilities
  – limited protection of a single memory space
  – every user can execute every instruction
  – every user can read and write every memory location
  – the operating system may declare certain files as "system" files, but it cannot prevent the user from accessing them
  – operating system designers have failed to take advantage of hardware protection

Page 5: Module 8 Administering Security

Contributors to Security Problems

• Low awareness of the problem
  – the PC is treated as analogous to a calculator
• No unique responsibility
  – if the machine is shared, nobody takes full responsibility for maintenance, supervision and control
• Few hardware controls
  – few PCs take advantage of hardware protection features
• No audit trail
• Environmental attacks
• Physical access
  – unattended machines
• Care of media components
  – diskettes, etc.

Page 6: Module 8 Administering Security

Contributors to Security Problems

• No backups
• Questionable documentation
• High portability
• Combination of duties
  – lack of checks and balances

Page 7: Module 8 Administering Security

Security Measures

• Procedures:
  – do not leave PCs unattended in an exposed environment if they contain sensitive information
  – do not leave printers unattended if they are printing sensitive output
  – secure media as carefully as you would a confidential report
  – perform periodic back-ups
  – practice separation of authority

Page 8: Module 8 Administering Security

Security Measures

• Hardware controls:
  – secure the equipment
  – consider using add-on security boards
• Software controls:
  – use all software with a full understanding of its potential threats
  – do not use software from dubious sources
  – be suspicious of all results
  – maintain periodic complete backups of all system resources

Page 9: Module 8 Administering Security

Protection of Files

• Access control features
• Encryption
• Copy protection
• No protection

Page 10: Module 8 Administering Security

Access Control Mechanisms for PCs

Motivations for access control:

• Outside interference
• Two users, one machine
• Network access
• Errors
• Untrusted software
• Separation of applications

Page 11: Module 8 Administering Security

Features of PC Access Control Systems

• Transparent encryption
  – some systems automatically encrypt files so that their contents will not be evident
• Time of day checking
  – allowing access only during certain times
• Automatic timeout
  – the system automatically terminates an idle session
• Machine identification
  – a unique serial number can be read by the application
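The following is an added illustration, not code from the lecture slides: a small policy check for one PC that combines three of the features listed above (time-of-day window, automatic idle timeout and machine identification by serial number). The policy values, serial numbers and user names are constructed for the demonstration.

```python
# Added example (not from the lecture slides): a minimal access-control check for
# a single PC combining three features named on the slide: time-of-day checking,
# automatic (idle) timeout and machine identification. All values are constructed.
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass(frozen=True)
class Policy:
    allowed_from: time           # start of the daily access window (inclusive)
    allowed_until: time          # end of the daily access window (exclusive)
    idle_timeout: timedelta      # sessions idle longer than this are terminated
    allowed_machines: frozenset  # serial numbers the application may run on

@dataclass(frozen=True)
class Session:
    user: str
    machine_serial: str      # unique serial number read from the machine
    last_activity: datetime  # last keystroke or command seen in this session

def in_time_window(now: time, start: time, end: time) -> bool:
    """Time-of-day check; also handles windows that wrap past midnight (22:00-06:00)."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def check_access(policy: Policy, session: Session, now: datetime) -> str:
    """Return 'allow', or 'deny: <reason>' so the decision can be logged."""
    # Machine identification first: a copy of the application on an unauthorised
    # PC is refused regardless of the time or the state of the session.
    if session.machine_serial not in policy.allowed_machines:
        return "deny: unknown machine"
    if not in_time_window(now.time(), policy.allowed_from, policy.allowed_until):
        return "deny: outside allowed hours"
    if now - session.last_activity > policy.idle_timeout:
        return "deny: session timed out"
    return "allow"

# Constructed sample data: an office-hours policy and three sessions to evaluate.
OFFICE_POLICY = Policy(time(8, 0), time(18, 0), timedelta(minutes=15),
                       frozenset({"SN-0001", "SN-0002"}))
NOW = datetime(2011, 3, 1, 10, 30)
SESSION_ACTIVE = Session("alice", "SN-0001", NOW - timedelta(minutes=5))
SESSION_IDLE = Session("bob", "SN-0002", NOW - timedelta(minutes=40))
SESSION_FOREIGN = Session("carol", "SN-9999", NOW - timedelta(minutes=1))

if __name__ == "__main__":
    for s in (SESSION_ACTIVE, SESSION_IDLE, SESSION_FOREIGN):
        print(s.user, check_access(OFFICE_POLICY, s, NOW))
    print("after hours", check_access(OFFICE_POLICY, SESSION_ACTIVE, NOW.replace(hour=23)))
```

The denial reason strings give the operator the audit trail the earlier slide notes PCs usually lack.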

Page 12: Module 8 Administering Security

Risk Analysis

RISK: the possibility of suffering harm or loss; a factor, course or element involving uncertain danger.

Page 13: Module 8 Administering Security

THEORETICAL FRAMEWORK

• An important parameter in designing security systems is the COST
• RISK ASSESSMENT
• Risk perception
  – psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour
  – cultural theory of risk: risk perception differs depending on the social group and belief system an individual belongs to (Douglas 1970)

Page 14: Module 8 Administering Security

Reacting to Threats

[Diagram with labels: RISK PERCEPTION, THREAT, RESPONSE, Passive Reaction, communication]

Page 15: Module 8 Administering Security

Reacting to Threats

[Diagram with labels: RISK PERCEPTION, Organisation Structure, RISK MANAGEMENT, External danger, Shared Meaning and Trust]

Page 16: Module 8 Administering Security

CULTURE AND RISK

• Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
• It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.

Page 17: Module 8 Administering Security

STAKEHOLDER MODEL

• Stakeholders
  – Users: information user
  – Suppliers: information provider and systems developer
  – Others: systems manager
• Each stakeholder group has a different perception of the same risk.
• Stakeholders can be grouped among themselves depending on the social groups they belong to rather than the roles they assume.

Page 18: Module 8 Administering Security

STAKEHOLDER MODEL

• Individuals have different cultural biases and different perceptions of risk
  – computer privacy and security rules differ between countries: Singapore, Japan, US, Canada
• Grouping stakeholders is not enough for designing information systems (IS).

Page 19: Module 8 Administering Security

RISK COMMUNICATION

• It is important to know the cultural backgrounds of the stakeholders
  – how they perceive risks
  – how they communicate risks
  – risk communication theory
  – risk communication model

Page 20: Module 8 Administering Security

RISK COMMUNICATION

• Past:
  – risk communication as a one-way flow from government to the general public…
  – efforts to improve risk communication
  – getting the message across by describing the magnitude and balance of the attendant costs and benefits

Page 21: Module 8 Administering Security

RISK COMMUNICATION

• The costs and benefits are equally distributed across a society.
• People do not agree about which events or actions do the most harm or which benefits are more worth seeking.

Page 22: Module 8 Administering Security

RISK COMMUNICATION

US National Research Council (1989):

Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.

Page 23: Module 8 Administering Security

RISK COMMUNICATION

• Risk Communication
  – risks posed to stakeholders on the web are technological hazards
  – classical risk communication model:
    • sources
    • transmitters
    • receivers

Page 24: Module 8 Administering Security

[Diagram: classical risk communication model, set within CULTURE]

• Risk Event
• Sources: Scientists, Agencies, Interest Groups, Eyewitnesses
  – portrayal of the event with symbols, signals and images by the Sources
• Transmitters: Media, Institutions/Agencies, Interest Groups, Opinion Leaders
• Receivers: General Public, Affected Organisations/Institutions, Social Groups, Other target audience
• Feedback: two-way interaction

Page 25: Module 8 Administering Security

[Diagram: how a receiver processes risk information]

• Initial Information
• HEAR
  – influences: CULTURE, SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES
  – Appeal / Do not Appeal
• UNDERSTAND
• BELIEVE
• PERSONALIZE
• RESPOND
• New Information

Page 26: Module 8 Administering Security

Communication

• The recipient hears the information and then screens it, based on social fashion, personal values and attitudes under the influence of peer groups (cultural forces), before understanding the message
• Believing involves acceptance that the understanding is correct: the risk is real
• Personalisation: the risk event will affect the receiver
• Response: the decision to take action for protection from the risk
• Credibility of information sources and transmitters is a key issue in risk communication

Page 27: Module 8 Administering Security

TRUST AND CONFIDENCE VS CREDIBILITY

• Trust is an important ingredient in any trade transaction
• Trust acts as the mitigating factor for the risks assumed by one party on the other party in the trade
• As trust increases, the risks either reduce or become manageable by the trusting party
• The existence of trust also reduces the transaction cost in a trade

Page 28: Module 8 Administering Security

INSTITUTIONAL CREDIBILITY

• The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust
  – in a positive climate, people invest more trust in institutions
  – in a negative climate, people tend toward caution and seek to have more control

Page 29: Module 8 Administering Security

Risk Perception, Trust and Credibility

• Hypothesis:
  – once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
  – information systems security becomes less important to people when dealing with a trustworthy and credible institution.
• The personality of the communicator, with the attributes of ability and integrity, is also important in establishing trust.
• Overall, the message, the communicator, the institution and the social context are the major factors in establishing trust within an organization.

Page 30: Module 8 Administering Security

Risk Perception, Trust and Credibility

• Inferential analysis:
  – inverse correlation between trust and security on the internet
  – the higher the trust placed in an organization, the lower the security concern.