Administering Security - PowerPoint PPT Presentation

Slides: 41
Provided by: Citiba

Transcript and Presenter's Notes

1
Administering Security
2
Personal Computer Security Management
  • Security problems for personal computers are more
    serious than on mainframe computers
  • people issues
  • hardware and software issues
  • lack of sensitivity
  • users do not appreciate security risks associated
    with the use of PCs
  • lack of tools
  • hw and sw tools are fewer and less sophisticated
    than in the mainframe environment

3
Contributors to Security Problems
  • Hardware vulnerabilities
  • limited protection of one memory space
  • every user can execute every instruction
  • can read and write every memory location
  • the operating system may declare certain files as
    system files, but it cannot prevent the user
    from accessing them
  • operating system designers have failed to take
    advantage of hardware protection

4
Contributors to Security Problems
  • Low awareness of the problem
  • analogous to a calculator
  • no unique responsibility
  • if the machine is shared, nobody takes full
    responsibility for maintenance, supervision and
    control
  • few hw controls
  • few PCs take advantage of hw features
  • no audit trail
  • environmental attacks
  • physical access
  • unattended machines
  • care of media components
  • diskettes, etc.

5
Contributors to Security Problems
  • No backups
  • questionable documentation
  • high portability
  • combination of duties
  • lack of checks and balances

6
Security Measures
  • Procedures
  • Do not leave PCs unattended in an exposed
    environment if they contain sensitive info
  • do not leave printers unattended if they are
    printing sensitive output
  • secure media as carefully as you would a
    confidential report
  • perform periodic back-ups
  • practice separation of authority

7
Security Measures
  • Hardware Controls
  • Secure the equipment
  • consider using add-on security boards
  • Software Controls
  • use all sw with full understanding of its
    potential threats
  • do not use sw from dubious sources
  • be suspicious of all results
  • maintain periodic complete backups of all system
    resources

8
Protection of Files
  • Access control features
  • encryption
  • copy protection
  • no protection

9
Access Control Mechanisms for PCs
  • Motivations for access control
  • Outside interference
  • two users one machine
  • network access
  • errors
  • untrusted software
  • separation of applications

10
Features of PC Access Control Systems
  • Transparent encryption
  • some systems automatically encrypt files so that
    their contents will not be evident
  • time of day checking
  • allowing access during certain times
  • automatic timeout
  • the system automatically terminates the session
  • machine identification
  • a unique serial number can be read by the application

11
Risk Analysis
12
RISK
  • Possibility of suffering harm or loss, a factor,
    course or element involving uncertain danger

13
OPPORTUNITY THREAT
14
THEORETICAL FRAMEWORK
  • Important parameter in designing security systems
    is the COST
  • RISK ASSESSMENT
  • Risk perception
  • psychological theory of risk: how the general
    public reacts to uncertainties of danger, and
    how this general reaction affects individual
    behaviour.
  • cultural theory of risk: risk perception differs
    depending on the social group/belief system an
    individual belongs to (Douglas 1970)

15
Reacting to Threats
[Diagram labels: Threat, Response, Communication, Risk Perception, Passive Reaction]
16
Reacting to Threats
[Diagram labels: Risk Management, External Danger, Risk Perception, Organisation Structure, Shared Meaning and Trust]
17
CULTURAL THEORY
  • When we try to think of the individual in a
    social context, we normally think of the
    corporate group or groups to which they belong.
  • Individuals also have constraining
    classifications within the group hierarchy,
    kinship, race, gender, age...

18
CULTURAL THEORY
Four types of social environment and cultural
biases (Douglas 1970)
[Diagram: four quadrants on two axes, Grid (Individual) and Group (Social incorporation). A: Individualist, B: Fatalists, C: Hierarchists, D: Egalitarians]
19
CULTURAL THEORY
  • A: competitive, control people, autonomy; see
    risks with opportunities
  • B: no voluntary risk taking, but accept it as a
    given; no personal autonomy
  • C: group is emphasised; division of labour,
    specialisation, segregation of duties. Take risks
    iff it is approved by experts; hierarchical
    authority
  • D: members get their support from the group; no
    formal delegation. The group dissolves in the
    absence of strong leadership

[Diagram: the same four quadrants on individual and group axes. A: Individualist, B: Fatalists, C: Hierarchists, D: Egalitarians]
20
CULTURE AND RISK
  • Risk behaviour is a function of how human beings,
    individually and in groups, perceive their place
    in the world.
  • It is important to understand the role of culture
    in stakeholder interaction in order to understand
    cultural biases in risk perception.

21
STAKEHOLDER MODEL
  • Stakeholders
  • Users: information user
  • Suppliers: information provider and systems
    developer
  • Others: systems manager
  • Each stakeholder group has a differing
    perception of the same risk.
  • Stakeholders can be grouped within themselves
    depending on the social groups they belong to
    rather than roles they assume.

22
STAKEHOLDER MODEL
Links stakeholder model with the cultural theory
23
STAKEHOLDER MODEL
  • Individuals have different cultural biases and
    have different perceptions of risk
  • computer privacy and security rules are different
    in different countries
  • Singapore, Japan, US, Canada
  • Grouping stakeholders is not enough for designing
    IS.

24
RISK COMMUNICATION
  • It is important to know the cultural backgrounds
    of the stakeholders
  • how they perceive risks
  • how they communicate risks
  • risk communication theory
  • risk communication model

25
RISK COMMUNICATION
  • Past
  • risk communication as one-way, from government
    to the general public
  • efforts to improve risk communication
  • to get the message across by describing the
    magnitude and balance of the attendant costs and
    benefits

26
RISK COMMUNICATION
  • The costs and benefits are equally distributed
    across a society
  • People do not agree about which events or actions
    do the most harm or which benefits are more worth
    seeking.

27
RISK COMMUNICATION
  • US National Research Council (1989)
  • Risk communication is an interactive process of
    exchange of information and opinion among
    individuals, groups and institutions. It involves
    multiple messages about the nature of the risk
    and other messages, not strictly about risk, that
    express concerns, opinions and reactions to risk
    messages or to legal and institutional
    arrangements for risk management.

Top-down definition of risk
28
RISK COMMUNICATION
  • Risk Communication
  • risks posed to stakeholders on the web are
    technological hazards
  • classical risk communication model
  • sources
  • transmitters
  • receivers

Certain aspects of risks are intensified or
attenuated
29
CULTURE
[Diagram: risk communication model]
  • Risk Event
  • Sources: Scientists, Agencies, Interest Groups, Eyewitnesses
  • Portrayal of Event with symbols, signals and images by the Sources
  • Transmitters: Media, Institutions/Agencies, Interest Groups, Opinion Leaders
  • Receivers: General Public, Affected Organisations/Institutions, Social Groups, Other target audience
  • Two-way interaction; feedback
30
[Diagram: stages HEAR, UNDERSTAND, BELIEVE, PERSONALIZE, RESPOND; inputs Initial Information and New Information; influences: Culture, Social Fashion, Personal Values, Related Attitudes; outcomes Appeal / Do not Appeal]
31
Communication
  • The recipient hears the information and then
    screens it based on social fashion, personal
    values, attitudes under the influence from peer
    groups
  • cultural forces before understanding the message
  • Believing involves acceptance that the
    understanding is correct
  • the risk is real
  • Personalisation
  • the risk event will affect the receiver
  • Response
  • decision to take action for protection from risk

32
Communication
  • Credibility of information sources and
    transmitters is a key issue in risk communication

33
TRUST AND CONFIDENCE VS CREDIBILITY
  • Trust is an important ingredient in any trade
    transaction
  • Trust acts as the mitigating factor for the risks
    assumed by one party on the other party in the trade
  • As trust increases the risks either reduce or
    become manageable by the trusting party
  • Existence of trust also reduces the transaction
    cost in a trade

34
TRUST
For effective communication of risks it is
critically important that receivers place trust
in the sources and transmitters (Lee 1986)
Five levels of trust analysis framework
35
INSTITUTIONAL CREDIBILITY
  • Confidence in business and economic organisations
    depends on the perceived quality of their
    services, but also on the employment situation,
    the perception of power monopolies in business,
    the observation of allegedly unethical behaviour
    and the confidence in other institutions
  • Confidence in political institutions depends on
    their performance record and openness, but in
    addition on the perception of a political crisis,
    the belief that the government is treating
    everyone fairly and equally, the belief in
    functioning of checks and balances, the
    perception of hidden agendas, and the confidence
    in other institutions

36
INSTITUTIONAL CREDIBILITY
  • The more educated people are, the more they
    express confidence in the system, but the more
    they are also disappointed about the performance
    of the people representing the system
  • Political conservatism correlates positively with
    confidence in business and negatively with
    government and public service

37
INSTITUTIONAL CREDIBILITY
  • The social climate pre-sets the conditions under
    which an institution has to operate to gain and
    maintain trust
  • in a positive climate people invest more trust in
    institutions
  • in a negative climate people tend towards caution and
    seek to have more control

38
Risk Perception, Trust and Credibility
  • Hypothesis
  • once trust and credibility exist in a
    relationship among the stakeholders during risk
    communication, stakeholders do not get involved
    in the analysis of risk factors individually, and
  • information systems security becomes less
    important to people when dealing with a
    trustworthy and credible institution.

39
Risk Perception, Trust and Credibility
  • The personality of the communicator, with attributes
    of ability and integrity, is also important in
    establishing trust.
  • Overall, message, communicator, institution, and
    the social context are the major factors in
    establishing trust within an organisation.

40
Risk Perception, Trust and Credibility
  • Inferential analysis
  • inverse correlation between trust and security on
    the internet
  • the higher the trust placed on an organisation
    the lower was the security concern.