Information security policy : the National Payment System in Libya
Authors
Sherif, Emad
Issue Date
2012-05
Subjects
G500 Information Systems
information security
data security
computer security
security policy
internal threat
external threat
National Payment System
Libya
Abstract
Information security officers, practitioners and academics agree that information security policy is the basis of any organisation’s information security. Information security practitioners also agree that it is rare for an information security policy to bring about the desired results. In order to study and analyse this problem, academics have focused on various methods to motivate employees toward policy compliance; however, they have not paid much attention to employees’ expectations and how they perceive the information security policy. Employees’ satisfaction with and awareness of information security policy is also critical, as it may improve the security level by decreasing internal threat risks. This thesis analyses an organisation’s employees’ expectations about information security policies, based on a framework formed around internal threat motivation, consequences, security behaviour and security countermeasures. A single case study was therefore adopted. The study outcomes, along with the case study findings, state that an organisation’s employees’ expectations toward an information security policy should be given close attention when forming security regulations and during implementation of the information security policy within organisations. The thesis concludes that employees’ security behaviour is related to their information security background and awareness, as well as to security countermeasures: if the countermeasures are perceived negatively, this may increase the risk in terms of internal threat. Finally, security countermeasures must be defined before taking negative actions toward employees, and information security training should be scheduled regularly within the organisation and arranged according to the organisational groups’ professions.
Citation
Sherif, Emad. (2012) 'Information security policy : the National Payment System in Libya'. MSc Thesis. University of Bedfordshire.
Publisher
University of Bedfordshire
Type
Thesis or dissertation
Language
en
Description
A Thesis submitted at the University of Bedfordshire In partial fulfilment for the degree of Master of Science in Information Management and Security
Related items
Showing items related by title, author, creator and subject.
- The state of youth custody - 2016
Bateman, Tim; National Association for Youth Justice (National Association for Youth Justice, 2016-10-03)
- Strategic framework to minimise information security risks in the UAE
AlKaabi, Ahmed (University of Bedfordshire, 2014-06)
The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to security measures undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. The Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information including passwords of online accounts can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study on 3 main Gulf Cooperation Council (GCC) countries, namely, Saudi Arabia (KSA), United Arab Emirates (UAE) and Oman, showing that there is a similarly significant level of sensitive information sharing among employees in the region. This is proven to contribute highly to compromising user digital authentication, eventually putting users’ accounts at risk.
The research continued by carrying out a comparison between the United Kingdom (UK) and the Gulf Cooperation Council (GCC) countries in terms of attitudes and behaviour towards information sharing. It was evident that there is a significant difference between GCC Arab culture and the UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts which may lead to potential threats to the authentication mechanism and consequently to other digital accounts that require a credential pass. It was shown that the lack of awareness and the cultural impact are the main issues for sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures of reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. The research found that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best defence to cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies of the United Kingdom (UK), the United States (U.S.) and Australia (AUS) in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness to reduce information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends.
Rather, computer users should be educated about the risks of such behaviour in order to realise and change. As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed a basis for the information security education framework also proposed in this work.
- Methods for developing secure software and environments for small and medium enterprises
Pollonais, Sean (University of Bedfordshire, 2007)
Information Security covers activity concerned with the protection of data to ensure that information remains available, to those with rightful access, in the condition that it was originally stored or transmitted. The push to interact via electronic data is constantly increasing. Businesses are demanding that software designers find novel ways of facilitating electronic commerce, creating new business models that have only become possible with the development of the Internet. With the increase of traffic in information across the Internet, the risks associated with data have multiplied, matching the global growth in connectivity. Web application security deals with the measures taken to secure software built to promote e-commerce. Because it is necessary to accept user input across the Internet, these applications carry a particular set of vulnerabilities that require a more technical approach to their mitigation. The applications themselves are usually composed of modules that interact across trust boundaries, which all require hardening. Information Security governance controls how a company secures its data and that of its clients. While there are laws and standards that address the security requirement, applying them to all magnitudes of businesses is difficult because the policies are biased towards large organisations in their assumptions of resources. This thesis investigates an international standard that can be used by small businesses to achieve legal compliance and a reasonable level of security. The thesis brings together a method for producing secure web applications and a checklist procedure for improving a company's data protection practices.
Both offerings apply to small software production houses where there may be some overlap in role function and the pressure to meet software production deadlines can sometimes lead to a culture where security is seen as an avoidable expense.