THE NEED FOR EFFECTIVE INFORMATION SECURITY AWARENESS PRACTICES IN OMAN HIGHER EDUCATIONAL INSTITUTIONS

Mr. Rajasekar Ramalingam

Mr. Shimaz Khan

Mr. Shameer Mohammed

Ministry of Higher Education, Sur College of Applied Sciences, Department of Information Technology, Post Box: 484 Post Code: 411, Sultanate of Oman

Symposium on Communication, Information Technology and Biotechnology: Current Trends and Future Scope, Sur College of Applied Sciences, Ministry of Higher Education, Sultanate of Oman, 12th and 13th May, 2015


PRESENTATION PATH

Introduction

Internet usage in Oman

IT Security incidents in Oman

Proposed work

Key findings

Effective usage

Organization network awareness

Threat awareness

Password management

Content awareness

Security practices awareness

ITSACAS Approach

Conclusion

1. INTRODUCTION

Internet technology & Mobile Technology.

Online transactions and electronic data transfer.

In the late 1990s: Melissa and Code Red

Information security - received attention globally.

Since then: Spam emails, Identity theft, Data leakage, Phishing, Adware, Intrusion etc.

Considerable impact on the information assets of organizations / individuals.

Cybercrime incidents – increasing globally.

Sultanate of Oman is also a victim.

2. INTERNET USAGE IN OMAN

According to the World Internet usage statistics news:

Internet users:

Oman constitutes - 2.1% of worldwide internet users.

2,139,540 - internet users (December 31st, 2013)

Card usage in Oman:

2008 – 1.9 million

2012 – 3.3 million

2013 – 3.6 million

2017 – 4.4 million (Forecast)

Increase in internet usage and online transactions - increases the number of cybercrime incidents in Oman.

ITA (2012 & 13) - Significant increase in the number of cybercrime incidents in Oman.

3. IT SECURITY INCIDENTS IN OMAN

As per the ITA annual report (2012 and 2013):

Increase of 13.5% in reported incidents.

200% increase of Malware incidents.

10,84,369 malicious attempts were prevented & analyzed.

19,171 malicious attempts against government networks were identified & prevented.

25,827 vulnerabilities were discovered.

9,41,079 malicious wares were analyzed.

6,59,090 web violations were analyzed and prevented.

15,855 security attacks discovered & handled - OCERT.

Figure 1: Number and classification of incidents – 2012

(Source: ITA Annual report 2012)

Figure 2: The Malware statistics for each month in 2012 – OCERT

(Source: ITA Annual report 2012)

4. PROPOSED WORK

Survey

Education institutions in Oman

To investigate the level of information security awareness.

Entities: Students, Technical staff and Academic staff.

ISAIM – Proposed model – Survey

The survey attracted 173 respondents.

Results were correlated and analyzed.

The areas of weakness were identified.

ITSACAS approach – increase security awareness.

4.1 INFORMATION SECURITY AWARENESS IDENTIFICATION MODEL (ISAIM)

The proposed model - 6 key elements.

Security Practice

Effective Usage

Organization Awareness

Threats Awareness

Protection Awareness

Content Awareness

ISAIM

Demographics

Internet Usage

Organization’s network knowledge

Security Practices

Email security

Password management

Security threats experience

| S# | Name of the Educational Institution | S# | Name of the Educational Institution |
|---|---|---|---|
| 1 | Al Buraimi University College | 10 | Sohar College of Applied Sciences |
| 2 | Higher College of Technology (Muscat) | 11 | Nizwa College of Technology |
| 3 | Ibra College of Technology | 12 | Oman College of Management Technology |
| 4 | Salalah College of Technology | 13 | Al Sharqiyah University |
| 5 | Sur College of Applied Sciences | 14 | German University of Technology in Oman |
| 6 | Waljat College of Applied Sciences | 15 | Ibri College of Applied Sciences |
| 7 | Majan University College | 16 | Sultan Qaboos University |
| 8 | College of Applied Sciences, Rustaq | 17 | Caledonian College of Engineering |
| 9 | Sohar University | 18 | College of Applied Sciences – Salalah |

5. EFFECTIVE USAGE - KEY FINDINGS

Age Group: 18 to 29 – 34%

Educational Qualification: 35% - Graduates, 38% - Masters, 23% - PhD

Academic staff: 54%

Smart phone device: 70%

Purpose of using Internet: Emailing, Educational References, Net Banking

Internet usage: 27% - 2 to 3 Hrs. / Day, 14% - More than 7 Hrs. / Day

6. ORGANIZATION AWARENESS – KEY FINDINGS

| Question | Yes | No | Do not know |
|---|---|---|---|
| Does your organization practice any ISMS standard (ISO 27001)? | 39.4% | 21.9% | 38.7% |
| Does your organization use a local firewall? | 88.4% | 3.9% | 7.7% |
| Does your organization use an IDS? | 41.3% | 10.3% | 48.4% |
| Does your organization use a DMZ? | 22.9% | 13.1% | 64.1% |
| Does your organization use any AV software? | 92.9% | 3.9% | 3.2% |
| Does your organization have a written security policy? | 44.5% | 17.1% | 38.4% |
| Does your organization have any reporting mechanism for security issues? | 37% | 25.3% | 37.7% |
| Did you ever report to your organization about any security issues? | 32.2% | 67.8% | |

7. THREAT AWARENESS – KEY FINDINGS

| Question | Yes | No | Do not know |
|---|---|---|---|
| Have you ever been attacked through the Internet? | 55.7% | 38.9% | 5.4% |

Chart: If yes, please choose the type of attack you have experienced (check all that apply). Categories: Viruses, Spam, Adware, Phishing, Intrusions, Password theft, Other. Axis: 0.0% to 80.0%.

Chart: If you have been attacked, choose the loss that you faced. Categories: Loss of personal data, Loss of money, System crash, Block of any account, Other. Axis: 0.0% to 40.0%.

Chart: Number of Security Attacks. Categories: 1 - 3, 4 - 6, 7 - 10, Above 10. Values shown: 71%, 12%, 4%, 13%.

8. PASSWORD MANAGEMENT AWARENESS

Chart: Frequency of changing the password. Categories: Daily, Once in a week, Once in a month, Once the application insists, Never. Values shown: 3%, 3%, 19%, 56%, 19%.

Choosing: 17.6% use the same password for all web applications

Construct: 16.3% use personal information

Managing: 7.9% use password management tools, 21% write it down and keep it safe

Changing: 19.3% never change password, 56.4% once the application insists

9. CONTENT AWARENESS

32% interested in opening an email from an unknown source.

39% No email policy in the institution.

23% Email policies - I do not know & I could not understand.

84% Do not reveal their personal information.

3% Willing to provide their bank details.

10. SECURITY PRACTICE AWARENESS

Confident in organization’s protection against information security risk?

| Answer Options | Response Percent |
|---|---|
| Very confident | 26.6% |
| Confident | 34.7% |
| Somewhat confident | 24.2% |
| Not confident | 14.5% |

Has your organization conducted any security awareness program?

| Answer Options | Response Percent |
|---|---|
| Yes | 44.4% |
| No | 55.6% |

How many information security training programs did you attend in the past 12 months?

| Answer Options | Response Percent |
|---|---|
| 1 to 3 | 29.1% |
| 4 to 6 | 4.7% |
| More than 6 | 7.1% |
| None | 59.1% |

11. The ITSACAS approach

Identify

Plan

Educate

Measure

C1: Information Security awareness training

C2: Security awareness using social media

C3: Security awareness using posters

C4: Creating awareness on IT law

C5: Promoting the usage of security tools

C6: Security awareness through interactive media

• Monitor

• Evaluate

• Target group

• Approach

• Team

• Tools

• Schedule

• Timeline

• Resource utilization

• Technical assistance

12. Conclusion

IT security awareness - an essential / foundational element.

To assure the nation’s information assets are protected.

Found several important issues that need to be addressed.

Basic knowledge on security exists.

As an individual, the knowledge of information security awareness is considerably better but as an institution, information security awareness should be improved.

Still not aligned to the security practices.

Urgency on the part of the government, other professional bodies and the educational institution to educate users about the information security needs of an institution.

Implementing awareness training programs will solve the problems to some extent.

13. REFERENCES

[1] http://www.prweb.com

[2] http://www.internetworldstats.com/stats.htm, Miniwatts Marketing Group, 2010 Internet World Stats.

[3] A framework of anti-phishing measures aimed at protecting the online consumer's identity, Butler, The Electronic Library, 25, 517-533.

[4] http://localazon.com/pro/oman-online-retail-sales-report/, Oman Online Retail Sales Report.

[5] https://timetric.com/research/report/VR0938MR/, Emerging Opportunities in Oman’s Cards and Payments Industry.

[6] Information Technology Authority – Oman, Annual Report 2012-2013.

[7] Mishandling of Classified Information. In: PRESIDENT, E. O. O. T. (Ed.). Washington, D.C., Lew, J.J., Wikileaks

[8] Phishing Websites Detection based on Phishing Characteristics in the Webpage Source Code, Mona Gotaish Alkhozae

[9] http://en.wikipedia.org/wiki/AdWords

[10] Md. Shafiqul Islam, Syed Ahsiqur Rehman, Anomaly Intrusion Detection System in Wireless Networks: Security threats and existing approaches, International Journal of Advanced Science and Technology, Vol 36, November 2011.

[11] Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness’, MIS Quarterly, vol. 34, no. 3, pp. 523-A7.

[12] http://www.fiercecio.com/story/colleges-and-universities-among-highest-risk-data-breaches/2014-08-21

[13] Hagen, JM, Albrechtsen, E & Hovden, J 2008, ‘Implementation and effectiveness of organizational information security measures’, Information Management & Computer Security, vol. 16, no. 4, pp. 377-397.

Thank You