Users’ perceptions regarding password policies
- Authors: Fredericks, Damian Todd
- Date: 2018
- Subjects: Computers -- Access control , Computer networks -- Security measures Computer security
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/30205 , vital:30896
- Description: Information is considered a valuable asset to most organisations and is often exposed to various threats which exploit its confidentiality, integrity and availability (CIA). Identification and Authentication are commonly used to help ensure the CIA of information. This research study specifically focused on password-based authentication. Passwords are used to log into personal computers, company computers, email accounts, bank accounts and various software systems and mobile applications. Passwords act like a protective barrier between a user and their personal and company information, and remain the most cost-effective and most efficient method to control access to computer systems. An extensive content analysis was conducted regarding the security of passwords, as well as users’ password management coping strategies. It was determined that very little research has been conducted in relation to users’ perceptions towards password policies. The problem identified by this research is that organisations often implement password policy guidelines without taking into consideration users’ perceptions regarding such guidelines. This could result in users adopting various password management coping strategies. This research therefore aimed to determine users’ perceptions with regard to current password-related standards and best practices (password policy guidelines). Standards and best practices such as ISO/IEC 27002 (2013), NIST SP 800-118 (2009), NIST SP 800-63-2 (2013), NIST SP 800-63B (2016) and the SANS Password Protection Policy (2014b) were studied in order to determine the common elements of password policies. This research argued that before organisations implement password policy guidelines, they need to determine users’ perceptions towards such guidelines. It was identified that certain human factors such as human memory, attitude and apathy often cause users to adopt insecure coping strategies such as Reusing Passwords, Writing Down Passwords and Not Changing Passwords. This research included a survey which took the form of a questionnaire. The aim of the survey was to determine users’ perceptions towards common elements of password policies and to determine the coping strategies users commonly adopt. The survey included questions related to the new NIST SP 800-63B (2016) that sought to determine users’ perceptions towards these new NIST password policy iii guidelines. Findings from the survey indicated that respondents found the new NIST guidelines to be helpful, secure and easier to adhere to. Finally, recommendations regarding password policies were presented based on the common elements of password policies and users’ perceptions of the new NIST password guidelines. These recommendations could help policy makers in the implementation of new password policies or the revision of current password policies.
- Full Text:
- Date Issued: 2018
- Authors: Fredericks, Damian Todd
- Date: 2018
- Subjects: Computers -- Access control , Computer networks -- Security measures Computer security
- Language: English
- Type: Thesis , Masters , MIT
- Identifier: http://hdl.handle.net/10948/30205 , vital:30896
- Description: Information is considered a valuable asset to most organisations and is often exposed to various threats which exploit its confidentiality, integrity and availability (CIA). Identification and Authentication are commonly used to help ensure the CIA of information. This research study specifically focused on password-based authentication. Passwords are used to log into personal computers, company computers, email accounts, bank accounts and various software systems and mobile applications. Passwords act like a protective barrier between a user and their personal and company information, and remain the most cost-effective and most efficient method to control access to computer systems. An extensive content analysis was conducted regarding the security of passwords, as well as users’ password management coping strategies. It was determined that very little research has been conducted in relation to users’ perceptions towards password policies. The problem identified by this research is that organisations often implement password policy guidelines without taking into consideration users’ perceptions regarding such guidelines. This could result in users adopting various password management coping strategies. This research therefore aimed to determine users’ perceptions with regard to current password-related standards and best practices (password policy guidelines). Standards and best practices such as ISO/IEC 27002 (2013), NIST SP 800-118 (2009), NIST SP 800-63-2 (2013), NIST SP 800-63B (2016) and the SANS Password Protection Policy (2014b) were studied in order to determine the common elements of password policies. This research argued that before organisations implement password policy guidelines, they need to determine users’ perceptions towards such guidelines. It was identified that certain human factors such as human memory, attitude and apathy often cause users to adopt insecure coping strategies such as Reusing Passwords, Writing Down Passwords and Not Changing Passwords. This research included a survey which took the form of a questionnaire. The aim of the survey was to determine users’ perceptions towards common elements of password policies and to determine the coping strategies users commonly adopt. The survey included questions related to the new NIST SP 800-63B (2016) that sought to determine users’ perceptions towards these new NIST password policy iii guidelines. Findings from the survey indicated that respondents found the new NIST guidelines to be helpful, secure and easier to adhere to. Finally, recommendations regarding password policies were presented based on the common elements of password policies and users’ perceptions of the new NIST password guidelines. These recommendations could help policy makers in the implementation of new password policies or the revision of current password policies.
- Full Text:
- Date Issued: 2018
Information security assurance model for an examination paper preparation process in a higher education institution
- Authors: Mogale, Miemie
- Date: 2016
- Subjects: Computer security -- Management -- Examinations , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/8509 , vital:26377
- Description: In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true to Higher Education Institutions (HEIs), which need to protect its examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed, in order to secure the process of preparing examination papers; in order to protect the examination papers from potential risks. Risk assessment form part of the ISMS, and is at the centre of any security effort; reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with those appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and can be able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner. Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise in the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and iv behaviour that could result in a negative impact for the institution. This awareness forms part and is addressed in the ISMS.
- Full Text:
- Date Issued: 2016
- Authors: Mogale, Miemie
- Date: 2016
- Subjects: Computer security -- Management -- Examinations , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/8509 , vital:26377
- Description: In today’s business world, information has become the driving force of organizations. With organizations transmitting large amounts of information to various geographical locations, it is imperative that organizations ensure the protection of their valuable commodity. Organizations should ensure that only authorized individuals receive, view and alter the information. This is also true to Higher Education Institutions (HEIs), which need to protect its examination papers, amongst other valuable information. With various threats waiting to take advantage of the examination papers, HEIs need to be prepared by equipping themselves with an information security management system (ISMS), in order to ensure that the process of setting examination papers is secure, and protects the examination papers within the process. An ISMS will ensure that all information security aspects are considered and addressed in order to provide appropriate and adequate protection for the examination papers. With the assistance of information security concepts and information security principles, the ISMS can be developed, in order to secure the process of preparing examination papers; in order to protect the examination papers from potential risks. Risk assessment form part of the ISMS, and is at the centre of any security effort; reason being that to secure an information environment, knowing and understanding the risks is imperative. Risks pertaining to that particular environment need to be assessed in order to deal with those appropriately. In addition, very important to any security effort is ensuring that employees working with the valuable information are made aware of these risks, and can be able to protect the information. Therefore, the role players (within the examination paper preparation process (EPPP)) who handle the examination papers on a daily basis have to be equipped with means of handling valuable information in a secure manner. Some of the role players’ behaviour and practices while handling the information could be seen as vulnerabilities that could be exploited by threats, resulting in the compromise in the CIA of the information. Therefore, it is imperative that role players are made aware of their practices and iv behaviour that could result in a negative impact for the institution. This awareness forms part and is addressed in the ISMS.
- Full Text:
- Date Issued: 2016
Enabling e-learning 2.0 in information security education: a semantic web approach
- Authors: Goss, Ryan Gavin
- Date: 2009
- Subjects: Data protection , Computers -- Access control , Electronic data processing -- Security measures , Electronic data processing departments -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9771 , http://hdl.handle.net/10948/909 , Data protection , Computers -- Access control , Electronic data processing -- Security measures , Electronic data processing departments -- Security measures
- Description: The motivation for this study argued that current information security ed- ucation systems are inadequate for educating all users of computer systems world wide in acting securely during their operations with information sys- tems. There is, therefore, a pervasive need for information security knowledge in all aspects of modern life. E-Learning 2.0 could possi- bly contribute to solving this problem, however, little or no knowledge currently exists regarding the suitability and practicality of using such systems to infer information security knowledge to learners.
- Full Text:
- Date Issued: 2009
- Authors: Goss, Ryan Gavin
- Date: 2009
- Subjects: Data protection , Computers -- Access control , Electronic data processing -- Security measures , Electronic data processing departments -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9771 , http://hdl.handle.net/10948/909 , Data protection , Computers -- Access control , Electronic data processing -- Security measures , Electronic data processing departments -- Security measures
- Description: The motivation for this study argued that current information security ed- ucation systems are inadequate for educating all users of computer systems world wide in acting securely during their operations with information sys- tems. There is, therefore, a pervasive need for information security knowledge in all aspects of modern life. E-Learning 2.0 could possi- bly contribute to solving this problem, however, little or no knowledge currently exists regarding the suitability and practicality of using such systems to infer information security knowledge to learners.
- Full Text:
- Date Issued: 2009
Towards a user centric model for identity and access management within the online environment
- Authors: Deas, Matthew Burns
- Date: 2008
- Subjects: Computers -- Access control , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9780 , http://hdl.handle.net/10948/775 , Computers -- Access control , Computer networks -- Security measures
- Description: Today, one is expected to remember multiple user names and passwords for different domains when one wants to access on the Internet. Identity management seeks to solve this problem through creating a digital identity that is exchangeable across organisational boundaries. Through the setup of collaboration agreements between multiple domains, users can easily switch across domains without being required to sign in again. However, use of this technology comes with risks of user identity and personal information being compromised. Criminals make use of spoofed websites and social engineering techniques to gain illegal access to user information. Due to this, the need for users to be protected from online threats has increased. Two processes are required to protect the user login information at the time of sign-on. Firstly, user’s information must be protected at the time of sign-on, and secondly, a simple method for the identification of the website is required by the user. This treatise looks at the process for identifying and verifying user information, and how the user can verify the system at sign-in. Three models for identity management are analysed, namely the Microsoft .NET Passport, Liberty Alliance Federated Identity for Single Sign-on and the Mozilla TrustBar for system authentication.
- Full Text:
- Date Issued: 2008
- Authors: Deas, Matthew Burns
- Date: 2008
- Subjects: Computers -- Access control , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9780 , http://hdl.handle.net/10948/775 , Computers -- Access control , Computer networks -- Security measures
- Description: Today, one is expected to remember multiple user names and passwords for different domains when one wants to access on the Internet. Identity management seeks to solve this problem through creating a digital identity that is exchangeable across organisational boundaries. Through the setup of collaboration agreements between multiple domains, users can easily switch across domains without being required to sign in again. However, use of this technology comes with risks of user identity and personal information being compromised. Criminals make use of spoofed websites and social engineering techniques to gain illegal access to user information. Due to this, the need for users to be protected from online threats has increased. Two processes are required to protect the user login information at the time of sign-on. Firstly, user’s information must be protected at the time of sign-on, and secondly, a simple method for the identification of the website is required by the user. This treatise looks at the process for identifying and verifying user information, and how the user can verify the system at sign-in. Three models for identity management are analysed, namely the Microsoft .NET Passport, Liberty Alliance Federated Identity for Single Sign-on and the Mozilla TrustBar for system authentication.
- Full Text:
- Date Issued: 2008
A critical review of the IFIP TC11 Security Conference Series
- Authors: Gaadingwe, Tshepo Gaadingwe
- Date: 2007
- Subjects: Database security , Data protection , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9795 , http://hdl.handle.net/10948/507 , Database security , Data protection , Computers -- Access control
- Description: Over the past few decades the field of computing has grown and evolved. In this time, information security research has experienced the same type of growth. The increase in importance and interest in information security research is reflected by the sheer number of research efforts being produced by different type of organizations around the world. One such organization is the International Federation for Information Processing (IFIP), more specifically the IFIP Technical Committee 11 (IFIP TC11). The IFIP TC11 community has had a rich history in producing high quality information security specific articles for over 20 years now. Therefore, IFIP TC11 found it necessary to reflect on this history, mainly to try and discover where it came from and where it may be going. Its 20th anniversary of its main conference presented an opportunity to begin such a study of its history. The core belief driving the study being that the future can only be realized and appreciated if the past is well understood. The main area of interest was to find out topics which may have had prevalence in the past or could be considered as "hot" topics. To achieve this, the author developed a systematic process for the study. The underpinning element being the creation of a classification scheme which was used to aid the analysis of the IFIP TC11 20 year's worth of articles. Major themes were identified and trends in the series highlighted. Further discussion and reflection on these trends were given. It was found that, not surprisingly, the series covered a wide variety of topics in the 20 years. However, it was discovered that there has been a notable move towards technically focused papers. Furthermore, topics such as business continuity had just about disappeared in the series while topics which are related to networking and cryptography continue to gain more prevalence.
- Full Text:
- Date Issued: 2007
- Authors: Gaadingwe, Tshepo Gaadingwe
- Date: 2007
- Subjects: Database security , Data protection , Computers -- Access control
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9795 , http://hdl.handle.net/10948/507 , Database security , Data protection , Computers -- Access control
- Description: Over the past few decades the field of computing has grown and evolved. In this time, information security research has experienced the same type of growth. The increase in importance and interest in information security research is reflected by the sheer number of research efforts being produced by different type of organizations around the world. One such organization is the International Federation for Information Processing (IFIP), more specifically the IFIP Technical Committee 11 (IFIP TC11). The IFIP TC11 community has had a rich history in producing high quality information security specific articles for over 20 years now. Therefore, IFIP TC11 found it necessary to reflect on this history, mainly to try and discover where it came from and where it may be going. Its 20th anniversary of its main conference presented an opportunity to begin such a study of its history. The core belief driving the study being that the future can only be realized and appreciated if the past is well understood. The main area of interest was to find out topics which may have had prevalence in the past or could be considered as "hot" topics. To achieve this, the author developed a systematic process for the study. The underpinning element being the creation of a classification scheme which was used to aid the analysis of the IFIP TC11 20 year's worth of articles. Major themes were identified and trends in the series highlighted. Further discussion and reflection on these trends were given. It was found that, not surprisingly, the series covered a wide variety of topics in the 20 years. However, it was discovered that there has been a notable move towards technically focused papers. Furthermore, topics such as business continuity had just about disappeared in the series while topics which are related to networking and cryptography continue to gain more prevalence.
- Full Text:
- Date Issued: 2007
- «
- ‹
- 1
- ›
- »