
Module 8 Administering Security

Module 8 Administering Security. Modified by: Ahmad Al Ghoul, Philadelphia University, Faculty of Administrative & Financial Sciences, Business Networking & System Management Department, Room Number 32406. E-mail Address: ahmad4_2_69@hotmail.com.



  1. Module 8 Administering Security
  • Modified by: Ahmad Al Ghoul
  • Philadelphia University
  • Faculty of Administrative & Financial Sciences
  • Business Networking & System Management Department
  • Room Number 32406
  • E-mail Address: ahmad4_2_69@hotmail.com
  Ahmad Al-Ghoul 2010-2011

  2. Contents
  • Personal Computer Security Management
  • Contributors to Security Problems
  • Security Measures
  • Protection of Files
  • Access Control Mechanisms for PCs
  • Risk Analysis
  • THEORETICAL FRAMEWORK
  • Reacting to Threats
  • CULTURE AND RISK
  • STAKEHOLDER MODEL
  • RISK COMMUNICATION
  • TRUST AND CONFIDENCE VS CREDIBILITY
  • INSTITUTIONAL CREDIBILITY
  • Risk Perception, Trust and Credibility

  3. Personal Computer Security Management
  • Security problems for personal computers are more serious than on mainframe computers
    • people issues
    • hardware and software issues
  • Lack of sensitivity
    • users do not appreciate the security risks associated with the use of PCs
  • Lack of tools
    • hardware and software tools are fewer and less sophisticated than in the mainframe environment

  4. Contributors to Security Problems
  • Hardware vulnerabilities
    • limited protection of one memory space
    • every user can execute every instruction
    • every user can read and write every memory location
    • the operating system may declare certain files as "system" files, but it cannot prevent the user from accessing them
    • operating system designers have failed to take advantage of hardware protection

  5. Contributors to Security Problems
  • Low awareness of the problem
    • the PC is treated as analogous to a calculator
  • No unique responsibility
    • if the machine is shared, nobody takes full responsibility for maintenance, supervision and control
  • Few hardware controls
    • few PCs take advantage of hardware protection features
  • No audit trail
  • Environmental attacks
    • physical access
    • unattended machines
  • Care of media components
    • diskettes, etc.

  6. Contributors to Security Problems
  • No backups
  • Questionable documentation
  • High portability
  • Combination of duties
  • Lack of checks and balances

  7. Security Measures
  Procedures:
  • Do not leave PCs unattended in an exposed environment if they contain sensitive information
  • Do not leave printers unattended if they are printing sensitive output
  • Secure media as carefully as you would a confidential report
  • Perform periodic backups
  • Practice separation of authority

  8. Security Measures
  Hardware Controls:
  • Secure the equipment
  • Consider using add-on security boards
  Software Controls:
  • Use all software with a full understanding of its potential threats
  • Do not use software from dubious sources
  • Be suspicious of all results
  • Maintain periodic complete backups of all system resources

  9. Protection of Files
  • Access control features
  • Encryption
  • Copy protection
  • No protection

  10. Access Control Mechanisms for PCs
  Motivations for access control:
  • Outside interference
  • Two users, one machine
  • Network access
  • Errors
  • Untrusted software
  • Separation of applications

  11. Features of PC Access Control Systems
  • Transparent encryption
    • some systems automatically encrypt files so that their contents will not be evident
  • Time-of-day checking
    • access is allowed during certain times only
  • Automatic timeout
    • the system automatically terminates an idle session
  • Machine identification
    • a unique serial number can be read by the application
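The three runtime checks listed on this slide (time-of-day checking, automatic timeout and machine identification) can be combined into a single session policy. The Python below is an added example written for these notes, not code from the original slides; the permitted hours, the idle limit and the trusted serial number are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Tuple

# Constructed policy values for the example (not taken from the slides).
ALLOWED_HOURS = (time(8, 0), time(18, 0))   # time-of-day checking
IDLE_LIMIT = timedelta(minutes=15)           # automatic timeout
TRUSTED_SERIALS = {"PC-SERIAL-0001"}         # machine identification


@dataclass
class Session:
    user: str
    machine_serial: str       # serial number read from the machine
    last_activity: datetime   # last keystroke or command seen


def within_hours(now: datetime, window=ALLOWED_HOURS) -> bool:
    """Time-of-day check; also handles windows that cross midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def idle_too_long(session: Session, now: datetime, limit=IDLE_LIMIT) -> bool:
    """Automatic timeout: true once the idle period reaches the limit."""
    return now - session.last_activity >= limit

def machine_known(session: Session, trusted=TRUSTED_SERIALS) -> bool:
    """Machine identification: the serial must be on the trusted list."""
    return session.machine_serial in trusted

def evaluate(session: Session, now: datetime) -> Tuple[bool, str]:
    """Apply all three checks; the first failure denies and names the reason."""
    if not machine_known(session):
        return False, "deny: unknown machine serial"
    if not within_hours(now):
        return False, "deny: outside permitted hours"
    if idle_too_long(session, now):
        return False, "deny: idle timeout, session terminated"
    return True, "allow"


if __name__ == "__main__":
    s = Session("alice", "PC-SERIAL-0001", datetime(2011, 3, 1, 9, 0))
    print(evaluate(s, datetime(2011, 3, 1, 9, 5)))    # (True, 'allow')
    print(evaluate(s, datetime(2011, 3, 1, 9, 30)))   # idle timeout
```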

  12. Risk Analysis
  • RISK
    • Possibility of suffering harm or loss; a factor, course or element involving uncertain danger

  13. THEORETICAL FRAMEWORK
  • An important parameter in designing security systems is the COST RISK ASSESSMENT
  • Risk perception
    • psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour
    • cultural theory of risk: risk perception differs depending on the social group and belief system an individual belongs to (Douglas 1970)

  14. Reacting to Threats
  [Diagram; labels only: THREAT, RESPONSE, communication, RISK PERCEPTION, Passive Reaction]

  15. Reacting to Threats
  [Diagram; labels only: RISK MANAGEMENT, External danger, RISK PERCEPTION, Organisation Structure, Shared Meaning and Trust]

  16. CULTURE AND RISK
  • Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
  • It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.

  17. STAKEHOLDER MODEL
  • Stakeholders
    • Users: information user
    • Suppliers: information provider and systems developer
    • Others: systems manager
  • Each stakeholder group has a differing perception of the same risk.
  • Stakeholders can be grouped among themselves depending on the social groups they belong to rather than the roles they assume.

  18. STAKEHOLDER MODEL
  • Individuals have different cultural biases and have different perceptions of risk
  • Computer privacy and security rules are different in different countries
    • Singapore, Japan, US, Canada
  • Grouping stakeholders is not enough for designing IS.

  19. RISK COMMUNICATION
  • It is important to know the cultural backgrounds of the stakeholders
    • how they perceive risks
    • how they communicate risks
  • Risk communication theory
  • Risk communication model

  20. RISK COMMUNICATION
  • Past:
    • risk communication as a one-way flow from government to the general public…
    • efforts to improve risk communication
      • to get the message across by describing the magnitude and balance of the attendant costs and benefits

  21. RISK COMMUNICATION
  • The costs and benefits are equally distributed across a society
  • People do not agree about which events or actions do the most harm or which benefits are more worth seeking.

  22. RISK COMMUNICATION
  US National Research Council (1989): Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.

  23. RISK COMMUNICATION
  • Risk Communication
    • risks posed to stakeholders on the web are technological hazards
    • classical risk communication model:
      • sources
      • transmitters
      • receivers

  24. Classical risk communication model
  [Diagram, set within CULTURE; a Risk Event is portrayed with symbols, signals and images by the Sources, passes through the Transmitters in two-way interaction, and reaches the Receivers, who provide feedback]
  • Sources: Scientists, Agencies, Interest Groups, Eyewitnesses
  • Transmitters: Media, Institutions/Agencies, Interest Groups, Opinion Leaders
  • Receivers: General Public, Affected Organisations/Institutions, Social Groups, Other target audience

  25. Communication model
  [Diagram: Initial Information → HEAR → UNDERSTAND → BELIEVE → PERSONALIZE → RESPOND, with New Information feeding back in; hearing is filtered by CULTURE, SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES and INFLUENCES, which determine whether the message does or does not appeal]

  26. Communication
  • The recipient hears the information and then screens it, based on social fashion, personal values and attitudes, under the influence of peer groups and cultural forces, before understanding the message
  • Believing involves acceptance that the understanding is correct
    • the risk is real
  • Personalisation
    • the risk event will affect the receiver
  • Response
    • decision to take action for protection from risk
  • Credibility of information sources and transmitters is a key issue in risk communication

  27. TRUST AND CONFIDENCE VS CREDIBILITY
  • Trust is an important ingredient in any trade transaction
  • Trust acts as the mitigating factor for the risks one party assumes on the other party in the trade
  • As trust increases, the risks either reduce or become manageable by the trusting party
  • The existence of trust also reduces the transaction cost in a trade

  28. INSTITUTIONAL CREDIBILITY
  • The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust
    • in a positive climate, people invest more trust in institutions
    • in a negative climate, people tend to caution and seek to have more control

  29. Risk Perception, Trust and Credibility
  • Hypothesis:
    • once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
    • information systems security becomes less important to people when dealing with a trustworthy and credible institution.
  • The personality of the communicator, with the attributes of ability and integrity, is also important in establishing trust.
  • Overall, the message, the communicator, the institution and the social context are the major factors in establishing trust within an organization.

  30. Risk Perception, Trust and Credibility
  • Inferential analysis:
    • inverse correlation between trust and security concern on the internet
    • the higher the trust placed in an organization, the lower the security concern.
