An Information Security Policy Compliance Reinforcement and Assessment Framework
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology -- Security measures Business -- Data processing -- Security measures Computer networks -- Security measures
- Language: English
- Type: Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10353/9556 , vital:34445
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. 
The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64% converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21%.
- Date Issued: 2017
An information security policy compliance reinforcement and assessment framework
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology--Security measures Information resources management--Security measures
- Language: English
- Type: Thesis , Doctoral , Information Systems
- Identifier: http://hdl.handle.net/10353/11554 , vital:39084
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. 
The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64 percent converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21 percent.
- Date Issued: 2017
A framework for enhancing trust for improved participation in electronic marketplaces accessed from mobile platforms
- Authors: Isabirye, Naomi Nabirye , Von Solms, R
- Date: 2016
- Subjects: Information technology -- Economic aspects -- South Africa Agricultural innovations -- South Africa Agricultural systems -- South Africa
- Language: English
- Type: Thesis , Doctoral , DPhil
- Identifier: http://hdl.handle.net/10948/20019 , vital:29053
- Description: Information and communication technologies (ICTs) have been widely researched as a mechanism for improving the socio-economic status of disadvantaged, rural communities. In order to do this, numerous technology-based initiatives have been introduced into disadvantaged, rural communities to assist them in various aspects of their lives. Unfortunately, even when the proposed benefit of a particular technology is clearly evident to its initiators, the adoption by the target users is often uncertain. This has also been the case with e-commerce in agriculture. Despite the numerous benefits of e-commerce for agricultural producers, the uptake has been low. Trust is a critical pre-condition for the adoption of e-marketplaces. E-marketplaces expose consumers to the risk of non-delivery or misrepresentation of goods ordered and the misuse of personal information by external parties. Additionally, the time investment needed to make a shift to e-marketplaces and the opinions of important reference groups affect the user’s willingness to trust and depend on an e-marketplace. This study was undertaken to assess the extent to which rural users with limited ICT experience would trust and, consequently, adopt an e-marketplace to support agricultural trade. A pragmatic philosophy was adopted in this study, indicating that the researcher’s view of reality is founded on the practical implications and outcomes that are observed. This study used a Canonical Action Research strategy to design, develop and deploy a voice based e-marketplace to assist the trading activities of a Western Cape based aloe community. The community was allowed to utilise the e-marketplace over a period of eight weeks. Thereafter, interviews were held with the participants to investigate their perceptions of the technology. As a result, a model proposing the factors that must be in place for trust to be achieved in a voice based e-marketplace was proposed.
The study found that the trustworthiness of a technology results from the technology’s technical capability to satisfy the needs of its users reliably. Usability and security were found to be important determinants of the trustworthiness of a technology. Furthermore, the requirements elicitation process was found to be central to achieving trust as it defines the necessary criteria for developing secure, usable, functional, and reliable technologies that meet the needs of their users.
- Date Issued: 2016
An information privacy model for primary health care facilities
- Authors: Boucher, Duane Eric
- Date: 2013
- Subjects: Data protection , Privacy, Right of , Medical records -- Access control , Primary health care , Medical care , Caregivers , Community health nursing , Confidential communications , Information technology -- Management
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11139 , http://hdl.handle.net/10353/d1007181
- Description: The revolutionary migration within the health care sector towards the digitisation of medical records for convenience or compliance touches on many concerns with respect to ensuring the security of patient personally identifiable information (PII). Foremost of these is that a patient’s right to privacy is not violated. To this end, it is necessary that health care practitioners have a clear understanding of the various constructs of privacy in order to ensure privacy compliance is maintained. This research project focuses on an investigation of privacy from a multidisciplinary philosophical perspective to highlight the constructs of information privacy. These constructs, together with a discussion focused on the confidentiality and accessibility of medical records, result in the development of an artefact represented in the format of a model. The formulation of the model is accomplished by making use of the Design Science research guidelines for artefact development. Part of the process required that the artefact be refined through the use of an Expert Review Process. This involved an iterative (three phase) process which required (seven) experts from the fields of privacy, information security, and health care to respond to semi-structured questions administered with an interview guide. The data analysis process utilised the ISO/IEC 29100:2011(E) standard on privacy as a means to assign thematic codes to the responses, which were then analysed. The proposed information privacy model was discussed in relation to the compliance requirements of the South African Protection of Personal Information (PoPI) Bill of 2009 and their application in a primary health care facility. The proposed information privacy model provides a holistic view of privacy management that can residually be used to increase awareness associated with the compliance requirements of using patient PII.
- Date Issued: 2013
Managing Information Confidentiality Using the Chinese Wall Model to Reduce Fraud in Government Tenders
- Authors: Rama, Sobhana
- Date: 2013
- Subjects: Chinese walls (Communication barriers) -- South Africa , Business logistics -- South Africa , Confidential communications -- South Africa , Conflict of interests -- South Africa , Fraud -- South Africa , Information services -- Government policy -- South Africa , Communication policy -- South Africa , Communication planning -- South Africa , Chinese Wall Model , Information confidentiality , Conflict of Interest , Government tender fraud
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11136 , http://hdl.handle.net/10353/d1006956
- Description: Instances of fraudulent acts are often headline news in the popular press in South Africa. Increasingly, these press reports point to the government tender process as being the main enabler used by the perpetrators committing the fraud. The cause of the tender fraud problem is confidentiality breach of information. This is accomplished, in part, by compromising the tender information contained in the government information system. This results in the biased award of a tender. Typically, the information in the tender process should be used to make decisions about a tender’s specifications, solicitation, evaluation and adjudication. The sharing of said information to unauthorised persons can be used to manipulate and corrupt the process. This in turn corrupts the tender process by awarding a tender to an unworthy recipient. This research studies the generic steps in the tender process to understand how information is used to corrupt the tender process. It proposes that conflict of interest, together with a lack of information confidentiality in the information system, paves the way for possible tender fraud. Thereafter, a system of internal controls is examined within the South African government as well as in foreign countries to investigate measures taken to reduce the breach of confidential information in the tender process. By referring to the Common Criteria Security Model, various critical security areas within the tender process are identified. This measure is assisted with the ISO/IEC 27002 (2005) standard which has guiding principles for the management of confidential information. Thereafter, an information security policy, the Chinese Wall Model, will be discussed as a means of reducing instances where conflict of interest may occur. Finally, an adapted Chinese Wall Model, which includes elements of the tender process, is presented as a way of reducing fraud in the government tender process.
Finally, the research objective of this study is presented in the form of Critical Success Factors that aid in reducing the breach of confidential information in the tender process. As a consequence, tender fraud is reduced. These success factors have a direct and serious impact on the effectiveness of the Chinese Wall Model to secure the confidentiality of tender information. The proposed Critical Success Factors include: the Sanitisation Policy Document, an Electronic Document Management System, the Tender Evaluation Ethics Document, the Audit Trail Log and the Chinese Wall Model Prosecution Register.
- Date Issued: 2013
Towards an information security awareness process for engineering SMEs in emerging economies
- Authors: Gundu, Tapiwa
- Date: 2013
- Subjects: Computer security -- South Africa , Information technology -- South Africa , Computer networks -- Security measures -- South Africa , Information resources management -- South Africa , Small business -- South Africa , Engineering firms -- South Africa , Confidential communications -- South Africa , Information Security Awareness , Information Security Behaviour , Information Security Training
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11138 , http://hdl.handle.net/10353/d1007179
- Description: With most employees in Engineering Small and Medium Enterprises (SME) now having access to their own personal workstations, the need for information security management to safeguard against loss/alteration or theft of the firms’ important information has increased. These Engineering SMEs tend to be more concerned with vulnerabilities from external threats, although industry research suggests that a substantial proportion of security incidents originate from insiders within the firm. Hence, technical preventative measures such as antivirus software and firewalls are proving to solve only part of the problem as the employees controlling them lack adequate information security knowledge. This tends to expose a firm to risk and costly mistakes made by naïve/uninformed employees. This dissertation presents an information security awareness process that seeks to cultivate positive security behaviours using a behavioural intention model based on the Theory of Reasoned Action, Protection Motivation Theory and the Behaviourism Theory. The process and model have been refined and verified using expert review and tested through action research at an Engineering SME in South Africa. The main finding was information security levels of employees within the firm were low, but the proposed information security awareness process increased their knowledge thereby positively altering their behaviour.
- Date Issued: 2013
Digital forensic model for computer networks
- Authors: Sanyamahwe, Tendai
- Date: 2011
- Subjects: Computer crimes -- Investigation , Evidence, Criminal , Computer networks -- Security measures , Electronic evidence , Forensic sciences , Internet -- Security measures
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11127 , http://hdl.handle.net/10353/d1000968
- Description: The Internet has become important since information is now stored in digital form and is transported both within and between organisations in large amounts through computer networks. Nevertheless, there are those individuals or groups of people who utilise the Internet to harm other businesses because they can remain relatively anonymous. To prosecute such criminals, forensic practitioners have to follow a well-defined procedure to convict responsible cyber-criminals in a court of law. Log files provide significant digital evidence in computer networks when tracing cyber-criminals. Network log mining is an evolution of typical digital forensics utilising evidence from network devices such as firewalls, switches and routers. Network log mining is a process supported by presiding South African laws such as the Computer Evidence Act, 57 of 1983; the Electronic Communications and Transactions (ECT) Act, 25 of 2002; and the Electronic Communications Act, 36 of 2005. Nevertheless, international laws and regulations supporting network log mining include the Sarbanes-Oxley Act; the Foreign Corrupt Practices Act (FCPA) and the Bribery Act of the USA. A digital forensic model for computer networks focusing on network log mining has been developed based on the literature reviewed and critical thought. The development of the model followed the Design Science methodology. However, this research project argues that there are some important aspects which are not fully addressed by South African presiding legislation supporting digital forensic investigations. With that in mind, this research project proposes some Forensic Investigation Precautions. These precautions were developed as part of the proposed model. The Diffusion of Innovations (DOI) Theory is the framework underpinning the development of the model and how it can be assimilated into the community. 
The model was sent to IT experts for validation and this provided the qualitative element and the primary data of this research project. From these experts, this study found out that the proposed model is very unique, very comprehensive and has added new knowledge into the field of Information Technology. Also, a paper was written out of this research project.
- Date Issued: 2011
Operational risk model for MSES: impact on organisational information communication technology
- Authors: Bayaga, Anass
- Date: 2011
- Subjects: Risk management -- Statistical methods Computer networks -- Security measures Risk assessment
- Language: English
- Type: Thesis , Masters , M Comm
- Identifier: http://hdl.handle.net/10353/8332 , vital:32270
- Description: The aim of the study was to investigate the impact of Information Communication Technology Operational Risk Management (ICT ORM) on the performance of a Medium Small Enterprise (MSE). The study was based upon a survey design to collect the primary data from 107 respondents using simple random sampling. The research instrument was administered online. A one stage normative model, associative in nature, was developed based upon reviewing previous research and in line with the research findings. The model elicited five factors based upon the multiple regression analysis of the data: principal causes of ORM failure related to ICT; change management requirements and ICT risk; characteristic(s) of information; challenges posed by ORM solutions and evaluation models affecting ICT adoption within MSEs. Based on the methodologies used in this study including factor analysis and multivariate regression analysis, it is recommended that this model be applied to monitor these changes more closely and to measure the changing strategies and the associated factors such as insufficient or improper user participation in systems development process, identified as potential barriers to the effective adoption and implementation of ICT within an MSE.
- Date Issued: 2011
Adoption and use of a learning management system at the University of Fort Hare: environmental factors
- Authors: Xazela, M W H M
- Date: 2010-12
- Subjects: Management information systems , Technology -- Management
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10353/25851 , vital:64498
- Description: Learning Management Systems are adopted and used by institutions of higher learning such as universities, universities of technology and colleges. The acceptance of integrating Learning Management Systems into the traditional classroom method of teaching and learning presents many challenges to academic staff, students, and management at various levels. If such challenges are not addressed they may lead to project failure. If such projects fail, institutions may not realise the returns on their investments as institutions usually allocate many of their resources to start such projects. This study addresses the question of which critical environmental and management success factors are necessary for the successful acceptance of such a technology and what is necessary for such a technology to be used continually. This study examines Information Systems literature, users’ environmental and management factors, and perceptions in the context of an institution of higher learning to suggest Critical Success Factors for such a project. Critical Success Factors are identified and discussed under the contexts of Management Support, the appointment of a Project Champion, provision of training to project participants, provision of adequate access to computing resources, monitoring and evaluation of the project, the existence of strong communication channels, and creation of positive perceptions about the target technology. Acceptance models such as Technology Acceptance Model and the Expectation Confirmation Model in Information Systems literature are also taken into consideration in coming up with the suggested Critical Success Factors. , Thesis (MA) -- Faculty of Management and Commerce, 2010
- Date Issued: 2010-12
Continuous auditing technologies and models
- Authors: Blundell, Adrian Wesley
- Date: 2007
- Subjects: Auditing , Auditing -- Data processing
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9798 , http://hdl.handle.net/10948/476 , http://hdl.handle.net/10948/d1011922
- Description: Continuous auditing is not a totally new concept, but it has not been widely implemented, and has existed mostly as a point of debate amongst the auditing fraternity. This may soon change, as continuous auditing has become a topic of great interest, especially in the last decade. This may be due to a combination of reasons. In the last decade, much of the confidence in auditors’ reports was lost due to corporate governance scandals. This also brought about a greater desire for faster, more reliable reporting on which to base decisions. This desire has been transposed into regulations such as the Sarbanes-Oxley act in the United States, which encourages real-time auditing activities, which would benefit from continuous auditing. A second, possible contributing factor to the heightened interest in continuous auditing is that much of the requisite technology has matured to a point where it can be successfully used to implement continuous auditing. It is the technologies which form the focus of this research. It is therefore, the primary objective of this research to investigate and identify the essential technologies, and identify and define their roles within a continuous auditing solution. To explore this area, three models of continuous auditing are compared according to the roles of the technologies within them. The roots of some auditing technologies which can be adapted to the paradigm of continuous auditing are explored, as well as new technologies, such as XML-based reporting languages. In order to fully explore these technologies, the concepts of data integrity and data quality are first defined and discussed, and some security measures which contribute to integrity are identified. An obstacle to implementing a continuous model is that even with the newly available technologies, the multitudes of systems which are used in organisations, produce data in a plethora of data formats. 
In performing an audit the continuous auditing system needs to first gather this data and then needs to be able to compare “apples with apples”. Therefore, the technologies which can be used to acquire and standardise the data are identified.
- Date Issued: 2007