Usability and Security

More documents

Recommendations

Info

2.2.1 DefinitionsLike usability, we have seen that information security in the literature has been used broadly and isdefined in different ways:• Preservation of confidentiality, integrity and availability of information 8 ;• Information Security refers to the processes and methodologies which are designed andimplemented to protect print, electronic, or any other form of confidential, private and sensitiveinformation or data from unauthorized access, use, misuse, disclosure, destruction, modification, ordisruption 9 ;• The term “information security” means protecting information and information systems fromunauthorized access, use, disclosure, disruption, modification, or destruction 10 ;• Simply put, information security describes all measures taken to prevent unauthorized use ofelectronic data whether this unauthorized use takes the form of disclosure, alteration, substitution,or destruction of the data concerned 11 .2.2.2 Definition usedFor the uniformity we use the ISO definition of information security in this thesis which is defined as the:“preservation of confidentiality, integrity and availability of information 8 ”. These three aspects are furtherdefined as:• Confidentiality: the property that information is not made available or disclosed to unauthorizedindividuals, entities, or processes;• Integrity: the property of safeguarding the accuracy and completeness of assets;• Availability: the property of being accessible and usable upon demand by an authorized entity.2.2.3 Security requirementsMany information systems have not been designed to be secure. The security that can be achieved throughtechnical means is limited and should be supported by appropriate management and procedures.Identifying which controls should be in place requires careful planning and attention to detail. To establishthese security requirements, organizations can refer to different sources 8 . Once source is derived fromassessing risks in the organization by means of a risk assessment. Another source is the legal, statutoryand regulatory requirements that an organization has to satisfy. A further source is the particular set ofprinciples, objectives and business requirements for information processing that an organization hasdeveloped to support its operations.2.2.4 Risk assessmentRisk assessments include the systematic approach of estimating the magnitude of risks (risk analysis) andthe process of comparing the estimated risks against risk criteria to determine the significance of the risks8 . Performing a risk analysis within an organization can be done by means of a standardized approach or a6
custom approach 12 . An example of a standardized approach is by means of the code of practice forinformation security management. The use of this method is simple, standardized and the results can becompared to the norm. We can divide the approach in the following categories 12 :• Quick scan, by means of external standard questionnaires. The starting point is compliance withgenerally accepted standards;• Baseline checklist, where checklists are used to verify if the own baseline requirements are met. Thebaseline is a system of the internal security measures of the entire organization.A custom approach is a more profound approach where controls can be determined in detailed. In additionit gives the organization a profound understanding of the dependencies and vulnerabilities of their ITenvironment. We can distinguish between a qualitative and a quantitative risk analyses 12 . An example of aqualitative risk analyses is the so called “Afhankelijkheids- en Kwetsbaarheidsanalyse” (A&K-analyse),where four logical steps (“1) inventarisatie, 2) afhankelijkheidsanalyse, 3) kwetsbaarheidsanalyse en 4)resultaat”) are performed to map out the dependencies and vulnerabilities. The business requirements arethe central point and are translated to define the requirements of the information systems that support thebusiness processes 13 .The most profound form of risk analyses is the quantitative risk analysis which methodically follows asimilar approach as the qualitative risk analyses. This form however seeks quantification where risk isdefined as: risks = probability of an incident × losses per accident 12 .2.2.5 Security risks and controlsSecurity requirements are identified by a methodical assessment of security risks. Expenditure on controlsneeds to be balanced against the business harm likely to result from security failures. The results of therisk assessment will help to guide and determine the appropriate management action and priorities formanaging information security risks and for implementing controls selected to protect against these risks.Risk assessment should be repeated periodically to address any changes that might influence the riskassessment results 8 .Once security requirements and risks have been identified and decisions for the treatment of risks havebeen made, appropriate controls should be selected and implemented to ensure risks are reduced to anacceptable level. Controls can be classified in preventative controls, detective controls, repressive controlsand corrective controls 12 and can be selected from a standard or from other control sets 8 . New controls canalso be designed to meet specific needs as appropriate 8 . The selection of security controls is dependentupon organizational decisions based on the criteria for risk acceptance, risk treatment options, and thegeneral risk management approach applied to the organization, and should also be subject to all relevantnational and international legislation and regulations.7
Page 1 and 2: Usability and SecurityUniversity: V
Page 3 and 4: ACKNOWLEDGMENTSThis thesis covers t
Page 5 and 6: IntroductionThe developments in Inf
Page 7 and 8: idging the gap between theory and p
Page 9: 2.1.3 Usability componentsIn order
Page 13: put usability and security amongst
Page 16 and 17: Security aspects:• Confidentialit
Page 18 and 19: ambiguous. Controlled answers offer
Page 20 and 21: 3.3.3 TokensIn this paragraph the t
Page 22 and 23: Security aspects:• Confidentialit
Page 24 and 25: The strengths, weaknesses and usabi
Page 26 and 27: conclude that the most efficient bi
Page 28 and 29: e guessed, which results in a low s
Page 30 and 31: To answer our main research questio
Page 32 and 33: AppendixInterview with Martin Wijnm
Page 34 and 35: Sources1 ISO 9241-11, Part 11: Guid

Usability and Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?