A framework to prepare an information security awareness and training programme for a provincial government department in the Eastern Cape, South Africa.
- Authors: Potelwa, Zandile
- Date: 2022-03
- Subjects: Information technology--Security measures. , Employees--Training of. , Data encryption (Computer science)
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10353/22289 , vital:52016
- Description: Provincial government departments do not receive good audit reports for information security. The underlying issues are human factors associated with employee interaction with Information and Communication Technology (ICT). The problem to be addressed is how a provincial government should focus on employees’ information security awareness so that there is a lasting improvement in information security culture, leading to unqualified government audits for information security. A case study approach that focused on the provincial government departments in the Eastern Cape Province was used. The primary data was collected using semi-structured interviews containing questions related to information security awareness. Microsoft Teams was used to conduct online semi-structured interviews with 12 provincial government IT staff from two identified provincial departments. The data was analysed using thematic analysis, with MS Excel used for coding. The findings were then used to determine the outcome of this study, which is the framework for preparing an information security awareness programme. The outcome of the study was achieved by condensing the themes that emerged in both the primary and secondary data. The framework was then explained as a way of recommending the importance of preparing information security awareness and training programmes in changing information security behaviour. The derived artefact of this study is an information security awareness framework that can be utilised in a provincial government department to increase the awareness of information security amongst government employees. 
The contribution of this study is a framework based on Protection Motivation Theory and Organisational Culture, used to ascertain employees’ actions in relation to information risks and threats; to set out the requirements for preparing an information security awareness (ISA) programme for public sector employees; and to determine the requirements to be considered when building an information security culture in provincial government departments. The proposed framework can then be used to establish an information security culture within the government departments, which will mitigate security risks and threats. The significance of this study, as per the constructs of ISA and training, is that it can challenge thinking on how ISA can be prepared not only for provincial government but also for state-owned entities or local government. , Thesis (MCom) (Information Systems) -- University of Fort Hare, 2022
- Full Text:
- Date Issued: 2022-03
Exploring the privacy calculus on social networking services from a South African perspective
- Authors: Mathew, Boney George
- Date: 2020
- Subjects: Data encryption (Computer science) , Public key cryptography , Online social networks -- Research -- South Africa
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/46163 , vital:39510
- Description: Social Network Services (SNSs) have revolutionised the way we communicate, interact and present ourselves to others. The business model of SNSs like Facebook is primarily based on SNS users’ self-disclosure of personal information. It is argued that the SNS user conducts a cost-benefit analysis before deciding to self-disclose their personal information, and this user behaviour forms the basis of the Privacy Calculus Theory. Enjoyment, Self-Presentation and Relationship Maintenance are considered the benefits, and the Privacy Concerns of the users are considered the costs, of disclosing personal information. As national or regional culture could influence SNS users’ self-disclosure behaviour, it would be advantageous for multinational SNSs like Facebook to understand the perceptions of SNS users from different nationalities. Currently, no studies have been conducted on South African (SA) SNS users’ self-disclosure behaviour. This research is aimed at understanding South African SNS users’ perceptions regarding their perceived costs, benefits and self-disclosure using the Privacy Calculus theory. This study is a replication of a similar study undertaken amongst United States of America (US) and German SNS users. To remain competitive in the market and to sustain the viability of their business model, SNSs like Facebook will have to encourage user self-disclosure. Studies have shown that national cultures play an important role in the nature and extent of user disclosure (Krasnova & Veltri, 2010; Lewis, Kaufman, & Christakis, 2008). However, no similar research has been undertaken in South Africa, and currently we do not understand South African SNS users’ self-disclosure behaviour in terms of the privacy calculus theory. 
The primary objective of this study is to understand the perceptions of South African SNS users regarding the perceived benefits, costs, moderating factors and self-disclosure, using the Privacy Calculus Theory. To achieve this objective, we initially undertook a detailed literature review to understand the concept of information privacy, privacy calculus, information privacy policy and legal framework, SNSs and self-disclosure, and the various factors affecting self-disclosure. We then proceeded to validate the theoretical framework by collecting data from two South African universities, namely the Nelson Mandela University (NMU) and Walter Sisulu University (WSU (NMD Campus – Former University of Transkei)), by adopting the same methodology and instrument used in the original study (and an isiXhosa translation). The theoretical framework used for this study is based on the Privacy Calculus theory, which argues that users conduct a cost-benefit calculus before deciding to self-disclose their personal information. This analysis is further influenced by other moderating factors like trust, control and awareness. All these factors were incorporated into the theoretical framework, and the instrument, adapted from the original research, was used to collect data from the participants. The data from the 239 respondents who finally qualified for analysis was collated and analysed. The data was analysed in four stages using established statistical tests. The first three phases were used to determine the actual value placed by the users on self-disclosure, its determinants and moderating factors, and the last phase concentrated on how each of the constructs included in the theoretical framework influenced the other constructs. The results obtained from the analysis provided valuable insights into the self-disclosure behaviour of South African SNS users. 
Entertainment was the primary benefit the students derived from using SNSs like Facebook, followed by relationship maintenance, and those who enjoyed the platform more tended to self-disclose more. Those who tended to derive more benefits from the platform were found to trust the platform and the other users of the network. The theoretical framework was validated, and it was determined that the privacy paradox exists within the South African SNS user community, meaning that even with high privacy concerns, these SNS users are willing to self-disclose their personal information.
- Full Text:
- Date Issued: 2020
Securing software development using developer access control
- Authors: Ongers, Grant
- Date: 2020
- Subjects: Computer software -- Development , Computers -- Access control , Computer security -- Software , Computer networks -- Security measures , Source code (Computer science) , Plug-ins (Computer programs) , Data encryption (Computer science) , Network Access Control , Data Loss Prevention , Google’s BeyondCorp , Confidentiality, Integrity and Availability (CIA) triad
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/149022 , vital:38796
- Description: This research is aimed at software development companies and highlights the unique information security concerns in the context of a non-malicious software developer’s work environment; furthermore, it explores an application-driven solution which focuses specifically on providing developer environments with access control for source code repositories. In order to achieve that, five goals were defined, as discussed in section 1.3. The application designed to provide the developer environment with access control to source code repositories was modelled on lessons taken from the principles of Network Access Control (NAC), Data Loss Prevention (DLP), and Google’s BeyondCorp (GBC) for zero-trust end-user computing. The intention of this research is to provide software developers with maximum access to source code without compromising Confidentiality, as per the Confidentiality, Integrity and Availability (CIA) triad. Employing data gleaned from examining the characteristics of DLP, NAC, and BeyondCorp, proof-of-concept code was developed to regulate access to the developer’s environment and source code. The system required sufficient flexibility to support the diversity of software development environments. In order to achieve this, a modular design was selected. The system comprised a client-side agent and a plug-in-ready server component. The client-side agent mounts and dismounts encrypted volumes containing source code. Furthermore, it provides the server with the information about the client that is demanded by plug-ins. The server-side service provides the encryption keys that allow the volumes to be mounted and, through plug-ins, asks questions of the client agent to determine whether access should be granted. The solution was then tested with integration and system testing. There were plans to have it used by development teams, who were then to be surveyed as to their view of the proof of concept, but this proved impossible. 
The conclusion provides a basis by which organisations that develop software can better balance the two corners of the CIA triad most often in conflict: Confidentiality of their source code against the Availability of that source code to developers.
- Full Text:
- Date Issued: 2020
A multi-threading software countermeasure to mitigate side channel analysis in the time domain
- Authors: Frieslaar, Ibraheem
- Date: 2019
- Subjects: Computer security , Data encryption (Computer science) , Noise generators (Electronics)
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/71152 , vital:29790
- Description: This research is the first of its kind to investigate the utilisation of a multi-threading software-based countermeasure to mitigate Side Channel Analysis (SCA) attacks, with a particular focus on the AES-128 cryptographic algorithm. This investigation is novel, as to our knowledge no software-based countermeasure relying on multi-threading has previously been proposed. The research has been tested on Atmel microcontrollers, as well as on a more fully featured system in the form of the popular Raspberry Pi, which utilises the ARM7 processor. The main contribution of this research is the introduction of a multi-threading software-based countermeasure used to mitigate SCA attacks on both an embedded device and a Raspberry Pi. These threads comprise various mathematical operations which are utilised to generate electromagnetic (EM) noise, resulting in the obfuscation of the execution of the AES-128 algorithm. A novel EM noise generator known as the FRIES noise generator is implemented to obfuscate data captured in the EM field. FRIES hides the execution of the AES-128 algorithm within the EM noise generated by the SHA-512 Secure Hash Algorithm from the Crypto++ (libcrypto++) and OpenSSL libraries. In order to evaluate the proposed countermeasure, a novel attack methodology was developed whereby the entire secret AES-128 encryption key was recovered from a Raspberry Pi, which had not been achieved before. The FRIES noise generator was pitted against this new attack vector and against other known noise generators. The results showed that the FRIES noise generator withstood this attack whilst other existing techniques still leaked secret information. Both the visual location of the AES-128 encryption algorithm in the EM spectrum and key recovery were prevented. 
These results demonstrated that the proposed multi-threading software-based countermeasure was resistant to existing and new forms of attack, thus verifying that a multi-threading software-based countermeasure can serve to mitigate SCA attacks.
- Full Text:
- Date Issued: 2019
De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act
- Authors: Mark, Stephen John
- Date: 2018
- Subjects: Data processing , Information technology -- Security measures , Computer security -- South Africa , Data protection -- Law and legislation -- South Africa , Data encryption (Computer science) , Python (Computer program language) , SQL (Computer program language) , Protection of Personal Information Act (POPI)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/63888 , vital:28503
- Description: Encryption of Personally Identifiable Information stored in a Structured Query Language (SQL) database has been difficult for a long time. This is because block-cipher encryption algorithms change the length and type of the input data when it is encrypted, so the ciphertext cannot subsequently be stored in the database without altering its structure. As the enactment of the South African Protection of Personal Information Act, No 4 of 2013 (POPI), was set in motion with the appointment of the Information Regulator’s Office in December 2016, South African companies are intensely focused on implementing compliance strategies and processes. The legislation, promulgated in 2013, encompasses the processing and storage of personally identifiable information (PII), ensuring that corporations act responsibly when collecting, storing and using individuals’ personal data. The Act comprises eight broad conditions that will come into force once the new Information Regulator’s Office is fully equipped to carry out its duties. POPI requires that individuals’ data be kept confidential from all but those who specifically have permission to access the data. This means that not all members of IT teams should have access to the data unless it has been de-identified. This study tests an implementation of the FF1 algorithm from the National Institute of Standards and Technology (NIST) “Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption” using the LibFFX Python library. The Python scripting language was used for the experiments. The research shows that it is indeed possible to encrypt data in a SQL database without changing the database schema, using the Format-Preserving Encryption technique from NIST SP 800-38G. Quality Assurance software testers can then run their full set of tests on the encrypted database. 
The study finds no reduction of encryption strength when using the FF1 encryption technique compared to the underlying AES-128 encryption algorithm. It further shows that the utility of the data is not lost once it is encrypted.
- Full Text:
- Date Issued: 2018
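The schema-preservation argument in the abstract above can be seen end to end in the following added example, which is not the thesis's LibFFX code. It constructs a SQLite table whose id_number column is constrained to exactly 13 digits, encrypts that column in place, and checks that the stored CREATE statement is unchanged and that decryption round-trips. The Feistel structure (10 rounds, halves of length u and v, modular addition in radix 10) follows the shape of NIST SP 800-38G FF1, but the round function is an HMAC-SHA256 stand-in rather than FF1's AES-based PRF with tweak, so it is not FF1 and not a vetted cipher; the key, table and rows are constructed.

```python
"""Added illustration: in-place format-preserving encryption of a PII column.

Constructed for this page: SQLite table, sample rows, key, and a toy Feistel
FPE whose round function is HMAC-SHA256 (FF1 in NIST SP 800-38G uses an
AES-based PRF with a tweak; this keeps only the Feistel shape).
"""
import hashlib
import hmac
import sqlite3

RADIX = 10    # domain: decimal digit strings
ROUNDS = 10   # FF1 also uses 10 Feistel rounds


def _prf(key: bytes, round_no: int, half: str, m: int) -> int:
    """Round function: pseudo-random integer in [0, RADIX**m) from one half."""
    mac = hmac.new(key, bytes([round_no]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (RADIX ** m)


def _check_domain(digits: str) -> None:
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be a decimal string of at least two digits")


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of identical length."""
    _check_domain(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                       # length of the half being replaced
        c = (int(a) + _prf(key, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)                        # Feistel swap
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards."""
    _check_domain(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


# Constructed sample rows; the ID numbers are made up and belong to no real person.
SAMPLE_ROWS = [
    (1, "Thandi Nkosi", "9001015800087"),
    (2, "Pieter van Wyk", "8507225012083"),
    (3, "Ayesha Moosa", "7811300045081"),
]

# The CHECK constraint pins the column to exactly 13 decimal digits.
SCHEMA = (
    "CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
    "id_number CHAR(13) NOT NULL CHECK(length(id_number) = 13 "
    "AND id_number GLOB '" + "[0-9]" * 13 + "'))"
)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def schema_sql(conn: sqlite3.Connection) -> str:
    """Stored CREATE statement, used to prove the schema was not touched."""
    return conn.execute("SELECT sql FROM sqlite_master WHERE name = 'person'").fetchone()[0]


def deidentify(conn: sqlite3.Connection, key: bytes) -> list:
    """Encrypt id_number in place. The output is still 13 digits, so the CHECK
    constraint and column type are satisfied without any ALTER TABLE."""
    rows = conn.execute("SELECT id, id_number FROM person").fetchall()
    conn.executemany(
        "UPDATE person SET id_number = ? WHERE id = ?",
        [(fpe_encrypt(key, idn), pk) for pk, idn in rows],
    )
    conn.commit()
    return [r[0] for r in conn.execute("SELECT id_number FROM person ORDER BY id")]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    db = build_db()
    before = schema_sql(db)
    for ct in deidentify(db, key):
        print(ct, "->", fpe_decrypt(key, ct))
    assert schema_sql(db) == before
```

Two caveats a practitioner would want alongside the abstract's claim: the scheme is deterministic, so equal plaintexts give equal ciphertexts (joins across tables keep working, but equality of encrypted values reveals equality of the originals), and FPE over a small domain such as 13 digits is constrained by the standard's minimum domain size and by the known small-domain attacks on Feistel FPE, so it should not be read as equivalent to AES over 128-bit blocks. If the application's tests validate a check digit (the last digit of a South African ID number is a Luhn check digit), encrypt only the leading digits and recompute the check digit so the test data stays valid.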
Preimages for SHA-1
- Authors: Motara, Yusuf Moosa
- Date: 2018
- Subjects: Data encryption (Computer science) , Computer security -- Software , Hashing (Computer science) , Data compression (Computer science) , Preimage , Secure Hash Algorithm 1 (SHA-1)
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/57885 , vital:27004
- Description: This research explores the problem of finding a preimage, an input that, when passed through a particular function, will result in a pre-specified output, for the compression function of the SHA-1 cryptographic hash. This problem is much more difficult than the problem of finding a collision for a hash function, and preimage attacks for very few popular hash functions are known. The research begins by introducing the field and giving an overview of the existing work in the area. A thorough analysis of the compression function is made, resulting in alternative formulations for both parts of the function, and in both statistical and theoretical tools to determine the difficulty of the SHA-1 preimage problem. Different representations (And-Inverter Graph, Binary Decision Diagram, Conjunctive Normal Form, Constraint Satisfaction form, and Disjunctive Normal Form) and associated tools to manipulate and/or analyse these representations are then applied and explored, and results are collected and interpreted. In conclusion, the SHA-1 preimage problem remains unsolved and insoluble for the foreseeable future. The primary issue is one of efficient representation: despite a promising theoretical difficulty, both the diffusion characteristics and the depth of the tree stand in the way of efficient search. Despite this, the research served to confirm and quantify the difficulty of the problem both theoretically, using Schaefer's Theorem, and practically, in the context of the different representations.
- Full Text:
- Date Issued: 2018
A control framework for the assessment of information security culture
- Authors: Okere, Irene Onyekachi
- Date: 2013
- Subjects: Data encryption (Computer science) , Business -- Data processing -- Security measures , Computer security
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9818 , http://hdl.handle.net/10948/d1019861
- Description: The modern organisation relies heavily on information to function effectively. With such reliance on information, it is vital that information be protected from both internal (employee) and external threats. The protection of information, or information security, to a large extent depends on the behaviour of humans (employees) in the organisation. The behaviour of employees is one of the top information security issues facing organisations, as the human factor is regarded as the weakest link in the security chain. To address this human factor, many researchers have suggested fostering a culture of information security so that information security becomes second nature to employees. Information security culture as defined for this research study exists in four levels, namely artefacts, espoused values, shared tacit assumptions and information security knowledge. An important step in the fostering of an information security culture is the assessment of the current state of such a culture. Gaps in current approaches for assessing information security culture were identified, and this research study proposes the use of a control framework to address the identified gaps. This research study focuses on the assessment of information security culture and addresses five research objectives, namely 1) to describe information security culture in the field of information security, 2) to determine ways to foster information security culture in an organisation, 3) to demonstrate the gap in current approaches used to assess information security culture, 4) to determine the components that could be used for the assessment of information security culture for each of the culture’s underlying levels and 5) to describe a process for the assessment of information security culture across all four levels. 
This research study follows a qualitative approach utilising a design science strategy and multi-method qualitative data collection techniques, including literature review, qualitative content analysis, argumentation, and modelling techniques. The research methods provide a means for the interpretation of the data and the development of the proposed control framework.
- Full Text:
- Date Issued: 2013