the need for effective information security awareness practices
Post on 23-Jan-2018
THE NEED FOR EFFECTIVE INFORMATION SECURITY
AWARENESS PRACTICES IN OMAN HIGHER EDUCATIONAL
INSTITUTIONS
Mr. Rajasekar Ramalingam
Mr. Shimaz Khan
Mr. Shameer Mohammed
Ministry of Higher Education, Sur College of Applied Sciences,
Department of Information Technology, Post Box: 484, Post Code: 411, Sultanate of Oman
Symposium on Communication, Information Technology and Biotechnology: Current Trends and Future Scope, Sur College of Applied Sciences, Ministry of Higher Education, Sultanate of Oman, 12th and 13th May, 2015
PRESENTATION PATH
Introduction
Internet usage in Oman
IT Security incidents in Oman
Proposed work
Key findings
Effective usage
Organization network awareness
Threat awareness
Password management
Content awareness
Security practices awareness
ITSACAS Approach
Conclusion
1. INTRODUCTION
Internet technology and mobile technology.
Online transactions and electronic data transfer.
Melissa (1999) and Code Red (2001): information security received attention globally.
Since then: spam emails, identity theft, data leakage, phishing, adware, intrusions, etc.
Considerable impact on the information assets of organizations and individuals.
Cybercrime incidents are increasing globally.
The Sultanate of Oman is also a victim.
2. INTERNET USAGE IN OMAN
According to Internet World Stats:
Internet users:
Oman constitutes 2.1% of worldwide internet users (figure as stated on the slide).
2,139,540 internet users (December 31st, 2013).
Card usage in Oman:
2008 – 1.9 million
2012 – 3.3 million
2013 – 3.6 million
2017 – 4.4 million (forecast)
The increase in internet usage and online transactions increases the number of cybercrime incidents in Oman.
The ITA annual reports for 2012 and 2013 record a significant increase in the number of cybercrime incidents in Oman.
3. IT SECURITY INCIDENTS IN OMAN
As per the ITA annual report (2012 and 2013):
13.5% increase in reported incidents.
200% increase in malware incidents.
1,084,369 malicious attempts were prevented and analyzed.
19,171 malicious attempts against government networks were identified and prevented.
25,827 vulnerabilities were discovered.
941,079 malware samples were analyzed.
659,090 web violations were analyzed and prevented.
15,855 security attacks discovered and handled by OCERT.
4. PROPOSED WORK
Survey of educational institutions in Oman to investigate the level of information security awareness.
Entities surveyed: students, technical staff and academic staff.
ISAIM: the proposed model, used to structure the survey.
The survey attracted 173 respondents.
Results were correlated and analyzed, and the areas of weakness were identified.
ITSACAS approach: proposed to increase security awareness.
4.1 INFORMATION SECURITY AWARENESS IDENTIFICATION MODEL (ISAIM)
The proposed model has 6 key elements:
Security Practice
Effective Usage
Organization Awareness
Threats Awareness
Protection Awareness
Content Awareness
ISAIM survey sections:
Demographics
Internet Usage
Organization's network knowledge
Security Practices
Email security
Password management
Security threats experience
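As an added illustration of how survey answers can be turned into a per-element awareness score and a ranked list of weak areas (the step the slides describe as correlating the results and identifying the areas of weakness), here is a small Python script. It is not the authors' analysis code: the element names are the six ISAIM elements from the slide, while the questions, the answer that counts as "aware" for each, the four respondents and the 50% threshold are assumptions constructed for this example.

```python
"""Score constructed survey responses against the six ISAIM elements.

Added illustration, not the authors' analysis code. The element names are the
six ISAIM elements from the slide; the questions, the answer that counts as
'aware', the respondents and the threshold are assumptions made for this example.
"""
from collections import defaultdict

# (question id, ISAIM element, answer that indicates awareness).
# Questions are constructed; they echo the themes of the survey sections.
QUESTIONS = [
    ("has_isms_standard", "Organization awareness", "yes"),
    ("has_reporting_mechanism", "Organization awareness", "yes"),
    ("unique_password_per_site", "Security practice", "yes"),
    ("password_uses_personal_info", "Security practice", "no"),
    ("opens_unknown_sender_email", "Content awareness", "no"),
    ("shares_bank_details_on_request", "Content awareness", "no"),
    ("knows_antivirus_in_use", "Protection awareness", "yes"),
    ("can_name_phishing_signs", "Threats awareness", "yes"),
    ("checks_https_before_net_banking", "Effective usage", "yes"),
]

# Constructed sample responses (one dict per respondent); answers are
# "yes", "no" or "dont_know". A missing question is treated as "dont_know".
SAMPLE_RESPONSES = [
    {"has_isms_standard": "yes", "has_reporting_mechanism": "yes",
     "unique_password_per_site": "yes", "password_uses_personal_info": "no",
     "opens_unknown_sender_email": "no", "shares_bank_details_on_request": "no",
     "knows_antivirus_in_use": "yes", "can_name_phishing_signs": "yes",
     "checks_https_before_net_banking": "yes"},
    {"has_isms_standard": "dont_know", "has_reporting_mechanism": "dont_know",
     "unique_password_per_site": "no", "password_uses_personal_info": "yes",
     "opens_unknown_sender_email": "yes", "shares_bank_details_on_request": "no",
     "knows_antivirus_in_use": "yes", "can_name_phishing_signs": "no",
     "checks_https_before_net_banking": "no"},
    {"has_isms_standard": "yes", "has_reporting_mechanism": "no",
     "unique_password_per_site": "no", "password_uses_personal_info": "no",
     "opens_unknown_sender_email": "no", "shares_bank_details_on_request": "no",
     "knows_antivirus_in_use": "yes", "can_name_phishing_signs": "yes",
     "checks_https_before_net_banking": "dont_know"},
    {"has_isms_standard": "dont_know", "has_reporting_mechanism": "no",
     "unique_password_per_site": "yes", "password_uses_personal_info": "yes",
     "opens_unknown_sender_email": "yes", "shares_bank_details_on_request": "no",
     "knows_antivirus_in_use": "dont_know", "can_name_phishing_signs": "no",
     "checks_https_before_net_banking": "yes"},
]


def score_responses(responses, questions=QUESTIONS):
    """Fraction of 'aware' answers per ISAIM element, pooled over all respondents.

    'dont_know' is scored as not aware: not knowing whether a control such as
    an IDS or a DMZ exists is itself an awareness gap, which is why the survey
    reports 'don't know' separately from 'no'.
    """
    hits = defaultdict(int)
    total = defaultdict(int)
    for respondent in responses:
        for qid, element, aware_answer in questions:
            total[element] += 1
            if respondent.get(qid, "dont_know") == aware_answer:
                hits[element] += 1
    return {element: hits[element] / total[element] for element in total}


def dont_know_share(responses, questions=QUESTIONS):
    """Fraction of 'dont_know' answers per element. This separates 'unaware the
    control exists' from 'believes the wrong thing'; the two need different training."""
    unknown = defaultdict(int)
    total = defaultdict(int)
    for respondent in responses:
        for qid, element, _ in questions:
            total[element] += 1
            if respondent.get(qid, "dont_know") == "dont_know":
                unknown[element] += 1
    return {element: unknown[element] / total[element] for element in total}


def weak_areas(scores, threshold=0.5):
    """Elements whose score is below the threshold, weakest first: the order in
    which an awareness programme should target them."""
    return sorted((e for e, s in scores.items() if s < threshold), key=scores.get)


if __name__ == "__main__":
    scores = score_responses(SAMPLE_RESPONSES)
    unknown = dont_know_share(SAMPLE_RESPONSES)
    for element, score in scores.items():
        print(f"{element:24s} aware {score:6.1%}  don't know {unknown[element]:6.1%}")
    print("weak areas:", weak_areas(scores))
```

With the constructed responses only Organization awareness falls below 50%, and its 37.5% "don't know" share says that gap is mostly ignorance of the controls rather than wrong beliefs about them. Raising the threshold to 60% also pulls in Security practice, Threats awareness and Effective usage, which sit exactly at 50%.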
Participating educational institutions:
1. Al Buraimi University College
2. Higher College of Technology (Muscat)
3. Ibra College of Technology
4. Salalah College of Technology
5. Sur College of Applied Sciences
6. Waljat College of Applied Sciences
7. Majan University College
8. College of Applied Sciences, Rustaq
9. Sohar University
10. Sohar College of Applied Sciences
11. Nizwa College of Technology
12. Oman College of Management Technology
13. Al Sharqiyah University
14. German University of Technology in Oman
15. Ibri College of Applied Sciences
16. Sultan Qaboos University
17. Caledonian College of Engineering
18. College of Applied Sciences, Salalah
5. EFFECTIVE USAGE - KEY FINDINGS
Age group: 18 to 29 – 34%
Educational qualification: 35% graduates, 38% masters, 23% PhD
Academic staff: 54% of respondents
Smartphone device: 70%
Purpose of using the Internet: emailing, educational references, net banking
Internet usage: 27% – 2 to 3 hrs/day; 14% – more than 7 hrs/day
6. ORGANIZATION AWARENESS – KEY FINDINGS
Question                                                                   Yes     No      Don't know
Does your organization practice an ISMS standard (ISO 27001)?              39.4%   21.9%   38.7%
Does your organization use a local firewall?                               88.4%   3.9%    7.7%
Does your organization use an IDS?                                         41.3%   10.3%   48.4%
Does your organization use a DMZ?                                          22.9%   13.1%   64.1%
Does your organization use any AV software?                                92.9%   3.9%    3.2%

Question                                                                   Yes     No      Do not know
Does your organization have a written security policy?                     44.5%   17.1%   38.4%
Does your organization have any reporting mechanism for security issues?   37%     25.3%   37.7%
Have you ever reported any security issue to your organization?            32.2%   67.8%   (not offered)

A "don't know" answer here measures the respondent's awareness of the control, not whether the institution actually deploys it.
7. THREAT AWARENESS – KEY FINDINGS
Question                                                  Yes     No      Do not know
Have you ever been attacked through the Internet?         55.7%   38.9%   5.4%
[Bar chart: If yes, the type of attack experienced (check all that apply): Viruses, Spam, Adware, Phishing, Intrusions, Password theft, Other; axis 0% to 80%]
[Bar chart: If you have been attacked, the loss you faced: Loss of personal data, Loss of money, System crash, Blocking of an account, Other; axis 0% to 40%]
[Pie chart: Number of security attacks experienced; categories 1 - 3, 4 - 6, 7 - 10, Above 10; slices of 71%, 12%, 4% and 13%]
8. PASSWORD MANAGEMENT AWARENESS
Frequency of changing the password (pie chart): Daily 3%, Once a week 3%, Once a month 19%, Once the application insists 56%, Never 19%
Choosing: 17.6% use the same password for all web applications.
Constructing: 16.3% build their password from personal information.
Managing: 7.9% use password management tools; 21% write it down and keep it safe.
Changing: 19.3% never change their password; 56.4% change it only when the application insists.
9. CONTENT AWARENESS
32% would open an email from an unknown source.
39% report that there is no email policy in their institution.
23% say of the email policies: "I do not know" or "I could not understand".
84% do not reveal their personal information.
3% are willing to provide their bank details.
How confident are you in your organization's protection against information security risk?
Answer Options          Response Percent
Very confident          26.6%
Confident               34.7%
Somewhat confident      24.2%
Not confident           14.5%
Has your organization conducted any security awareness program?
Answer Options          Response Percent
Yes                     44.4%
No                      55.6%
How many information security training programs have you attended in the past 12 months?
Answer Options          Response Percent
1 to 3                  29.1%
4 to 6                  4.7%
More than 6             7.1%
None                    59.1%
10. SECURITY PRACTICE AWARENESS
Awareness cycle: Identify, Plan, Educate, Measure.
11. THE ITSACAS APPROACH
Components:
C1: Information security awareness training
C2: Security awareness using social media
C3: Security awareness using posters
C4: Creating awareness on IT law
C5: Promoting the usage of security tools
C6: Security awareness through interactive media
Program elements:
• Monitor
• Evaluate
• Target group
• Approach
• Team
• Tools
• Schedule
• Timeline
• Resource utilization
• Technical assistance
12. CONCLUSION
IT security awareness is an essential, foundational element in assuring that the nation's information assets are protected.
The survey found several important issues that need to be addressed.
Basic knowledge of security exists.
As individuals, respondents' information security awareness is considerably better, but at the institutional level information security awareness should be improved.
Awareness is still not aligned with security practices.
There is urgency on the part of the government, professional bodies and the educational institutions to educate users about the information security needs of an institution.
Implementing awareness training programs will solve the problems to some extent.
13. REFERENCES
[1] http://www.prweb.com
[2] Miniwatts Marketing Group, Internet World Stats, 2010, http://www.internetworldstats.com/stats.htm
[3] Butler, "A framework of anti-phishing measures aimed at protecting the online consumer's identity", The Electronic Library, vol. 25, pp. 517-533.
[4] Oman Online Retail Sales Report, http://localazon.com/pro/oman-online-retail-sales-report/
[5] Emerging Opportunities in Oman's Cards and Payments Industry, https://timetric.com/research/report/VR0938MR/
[6] Information Technology Authority (ITA), Oman, Annual Report 2012-2013.
[7] Lew, J.J., "Mishandling of Classified Information", Executive Office of the President, Washington, D.C. (Wikileaks).
[8] Mona Gotaish Alkhozae, "Phishing Websites Detection based on Phishing Characteristics in the Webpage Source Code".
[9] http://en.wikipedia.org/wiki/AdWords
[10] Md. Shafiqul Islam, Syed Ahsiqur Rehman, "Anomaly Intrusion Detection System in Wireless Networks: Security Threats and Existing Approaches", International Journal of Advanced Science and Technology, vol. 36, November 2011.
[11] Bulgurcu, B., Cavusoglu, H. & Benbasat, I. (2010), "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness", MIS Quarterly, vol. 34, no. 3, pp. 523-A7.
[12] http://www.fiercecio.com/story/colleges-and-universities-among-highest-risk-data-breaches/2014-08-21
[13] Hagen, J.M., Albrechtsen, E. & Hovden, J. (2008), "Implementation and effectiveness of organizational information security measures", Information Management & Computer Security, vol. 16, no. 4, pp. 377-397.