Hein S. Venter, Martin S. Olivier and Jan H.P. Eloff
Abstract
It is well‐known that the primary threat against misuse of private data about individuals is present within the organisation; proposes a system that uses intrusion detection system (IDS) technologies to help safeguard such private information. Current IDSs attempt to detect intrusions on a low level whereas the proposed privacy IDS (PIDS) attempts to detect intrusions on a higher level. Contains information about information privacy and privacy‐enhancing technologies, the role that a current IDS could play in a privacy system, and a framework for a privacy IDS. The system works by identifying anomalous behaviour and reacts by throttling access to the data and/or issuing reports. It is assumed that the private information is stored in a central networked repository. Uses the proposed PIDS on the border between this repository and the rest of the organisation to identify attempts to misuse such information. A practical prototype of the system needs to be implemented in order to determine and test the practical feasibility of the system. Provides a source of information and guidelines on how to implement a privacy IDS based on existing IDSs.
Reinhardt A. Botha and Jan H.P. Eloff
Abstract
Workflow systems are often associated with business process re‐engineering (BPR). This paper argues that the functional access control requirements in workflow systems are rooted in the scope of a BPR project. A framework for access control in workflow systems is developed. The framework suggests that existing role‐based access control mechanisms can be used as a foundation in workflow systems. The framework separates the administration‐time and the run‐time aspects. Key areas that must be investigated to meet the functional requirements imposed by workflow systems on access control services are identified.
Estee van der Walt and Jan Eloff
Abstract
Purpose
This paper aims to describe requirements for a model that can assist in identity deception detection (IDD) on social media platforms (SMPs). The model that was discovered demonstrates the usefulness of the requirements. The aim of the model is to identify humans lying about their identity on SMPs.
Design/methodology/approach
The requirements of a model for IDD will be determined through a literature study combined with a study that identifies currently available identity related metadata on SMPs. This metadata refers to the attributes that describe a user account on an SMP. The aim is to restrict IDD to be only based on these types of attributes, as opposed to or combined with the contents of a single or multiple communications.
Findings
Data science experiments were conducted and in particular supervised machine learning models were discovered that indeed detect identity deception on SMPs with an area under the receiver operator characteristics curve (ROC-AUC) of 75.5 per cent.
Originality/value
SMPs allow any user to easily communicate with their friends or the general public at large. People can now be targeted at great scale, most often for malicious purposes. The reality is that many of these cyber-attacks involve some form of identity deception, where the attackers lie about who they are. Much focus to date has been on the identification of non-human deceptive accounts. This paper focuses on deceptive human accounts that target vulnerable individuals on SMPs.
Abstract
‘A MAP OF THE WORLD that does not include Utopia is not worth glancing at’ wrote Oscar Wilde. ‘It leaves out the one country at which humanity is always landing. And when it lands there it looks out and, seeing a better country, sets sail again. Progress is the realization of Utopias’.
Abstract
Purpose
Malicious activities conducted by disgruntled employees via an email platform can cause profound damage to an organization such as financial and reputational losses. This threat is known as an “Insider IT Sabotage” threat. This involves employees misusing their access rights to harm the organization. Events leading up to the attack are not technical but rather behavioural. The problem is that owing to the high volume and complexity of emails, the risk of insider IT sabotage cannot be diminished with rule-based approaches.
Design/methodology/approach
Malicious human behaviours that insiders within the insider IT sabotage category would possess are studied and mapped to phrases that would appear in email communications. A large email data set is classified according to behavioural characteristics of these employees. Machine learning algorithms are used to identify occurrences of this insider threat type. The accuracy of these approaches is measured.
Findings
It is shown in this paper that suspicious behaviour of disgruntled employees can be discovered by means of machine intelligence techniques. The output of the machine learning classifier depends mainly on the depth and quality of the phrase and behaviour analysis, the cleansing and the number of email attributes examined. This process of labelling content in isolation could be improved if other attributes of the email data were included, such that a confidence score can be computed for each user.
Originality/value
This research presents a novel approach, showing that a prototype can be created to automate the detection of insider IT sabotage within email systems and mitigate the risk within organizations.
Jan-Halvard Bergquist, Samantha Tinet and Shang Gao
Abstract
Purpose
The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden.
Design/methodology/approach
To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality.
Findings
This study resulted in an information classification model that is tailored to the specific needs of Swedish municipalities. In addition, a set of steps for tailoring an information classification model to suit a specific public organization is recommended. The findings also indicate that for a successful information classification it is necessary to educate the employees about the basics of information security and classification and to create an understandable and unified information security language.
Practical implications
This study also highlights that to have a tailored information classification model, it is imperative to understand the value of information and what kind of consequences a violation of established information security principles could have through the perspectives of the employees.
Originality/value
It is the first of its kind in tailoring an information classification model to the specific needs of a Swedish municipality. The model provided by this study can be used as a tool to facilitate a common ground for classifying information within all Swedish municipalities, thereby contributing the first step toward a Swedish municipal model for information classification.
Janne Merete Hagen, Eirik Albrechtsen and Jan Hovden
Abstract
Purpose
The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.
Design/methodology/approach
A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.
Findings
Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and the assessed effectiveness of those measures.
Originality/value
Provides insight into the non‐technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.
Abstract
This study analyses and discusses the application and constitutionality of the general onus of proof provision (section 82 of the Income Tax Act 58 of 1962 [the “Act”]), the presumption in favour of the State when criminal sanctions are applied to an offending taxpayer (section 104(2) of the Act) and the mechanics for imposing administrative sanctions in terms of section 76(1)(b) of the Act. The conclusion reached is that the reverse onus presumption, as provided for in terms of section 104(2) of the Act, is unconstitutional. It is penal in nature and offends against the constitutional right of an accused to a fair trial (section 35(3) of the Constitution of the Republic of South Africa Act, 108 of 1996 [the “Constitution”]). The section 36 limitation of rights clause of the Constitution does not save it. Section 76(1)(b) of the Act, read in conjunction with the deeming provision of section 76(5) of the Act, is inextricably linked to the section 82 general reverse onus provision of the Act. Hence, when these three sections are applied together, they create a reverse onus that, prima facie, violates the right to just administrative action (section 33 of the Constitution). Regarding the general reverse onus burden as provided for in terms of section 82 of the Act, the conclusion reached is that it is reasonable and justifiable in an open and democratic society and can therefore be regarded as constitutional.
Abstract
Purpose
The purpose of this study is to identify how a privacy policy can be framed for the protection of personal data and how the latest judgement of the full bench of the Supreme Court of India has dealt with the right to privacy in India.
Design/methodology/approach
The study uses the latest Supreme Court judgement on the right to privacy and historical cases on the right to privacy in India. This paper uses the Indian Constitution as a source of information for the study, along with case law and judgements of different courts in India.
Findings
This paper tries to find whether personal data privacy is a fundamental right in India. In addition, the paper provides recommendations to the different concerned authorities on protecting personal information on online platforms.
Research limitations/implications
This study deals with privacy issues so far as Indian citizens are concerned and does not focus on other countries. Moreover, the study tries to understand the issue of fundamental rights from the perspective of the Indian Constitution. In addition, the recommendations provided to the policymakers and other authorities of India have wide implications for the formulation of new policy and the management of personal data, so that it does not fall into the wrong hands and the personal data and privacy of citizens are protected.
Practical implications
Millions of people put their personal information on online platforms. In addition, there are a few government initiatives in India, such as the Aadhaar card, where biometric information is taken from the residents of India, and in many cases the personal data are compromised under various circumstances. As the personal data of the citizens are in question, the study has direct practical implications mainly for all the citizens whose personal data are available on online platforms.
Social implications
This study has social implications as it deals with the “personal data” of the citizens of India. As the paper discusses the issue of protection of personal data in the context of the right to privacy, this study has a direct social impact so far as the online citizens of India are concerned.
Originality/value
This paper is timely, original and discusses the contemporary issue of online data privacy and fundamental rights in India. This paper is a useful resource for the researchers, policymakers and online users who deal with personal data, right to privacy and data privacy policy-related areas.
Garret Murray, Malin Falkeling and Shang Gao
Abstract
Purpose
The purpose of this paper is to provide an overview of the trends and challenges relating to research into the human aspects of ransomware.
Design/methodology/approach
A systematic mapping study was carried out to investigate the trends in studies into the human aspects of ransomware, identify challenges encountered by researchers and propose directions for future research. For each of the identified papers from this study, the authors mapped the year of publication, the type of paper, research strategy and data generation method, types of participants included, theories incorporated and lastly, the authors mapped the challenges encountered by the researchers.
Findings
Fifty-nine papers published between 2006 and 2022 are included in the study. The findings indicate that literature on the human aspects of ransomware was scarce prior to 2016. The most-used participant groups in this area are students and cybersecurity professionals, and most studies rely on a survey strategy using a questionnaire to collect data. In addition, many papers did not use theories for their research, but among those that did, game theory was used most often. Furthermore, the most reported challenge is that being hit with ransomware is a sensitive topic, which results in individuals and organisations being reluctant to share their experiences.
Research limitations/implications
This mapping study reveals that the body of literature in the area of human aspects of ransomware has increased over the past couple of years. The findings highlight that being transparent about ransomware attacks, when possible, can help others. Moreover, senior management plays an important role in shaping the information security culture of an organisation, whether to have a culture of transparency or of secrecy.
Originality/value
This study is the first of its kind of systematic mapping studies contributing to the body of knowledge on the human aspects of ransomware.