Administering Security Module 8 

Module 8
Administering Security
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
Contents
• Personal Computer Security Management
• Contributors to Security Problems
• Security Measures
• Protection of Files
• Access Control Mechanisms for PCs
• Risk Analysis
• THEORETICAL FRAMEWORK
• Reacting to Threats
• CULTURE AND RISK
• STAKEHOLDER MODEL
• RISK COMMUNICATION
• TRUST AND CONFIDENCE VS CREDIBILITY
• INSTITUTIONAL CREDIBILITY
• Risk Perception, Trust and Credibility
Personal Computer Security Management
• Security problems for personal computers are more serious than on mainframe computers
– people issues
– hardware and software issues
• Lack of sensitivity
– users do not appreciate the security risks associated with the use of PCs
• Lack of tools
– hardware and software security tools are fewer and less sophisticated than in the mainframe environment
Contributors to Security Problems
• Hardware vulnerabilities
– limited protection of a single memory space
– every user can execute every instruction
– every user can read and write every memory location
– the operating system may declare certain files as "system" files, but it cannot prevent the user from accessing them
– operating system designers have failed to take advantage of hardware protection
Contributors to Security Problems
• Low awareness of the problem
– analogous to a calculator
• No unique responsibility
– if the machine is shared, nobody takes full responsibility for maintenance, supervision and control
• Few hardware controls
– few PCs take advantage of hardware features
• No audit trail
• Environmental attacks
• Physical access
– unattended machines
• Care of media components
– diskettes, etc.
Contributors to Security Problems
• No backups
• Questionable documentation
• High portability
• Combination of duties
– lack of checks and balances
Security Measures
Procedures:
• Do not leave PCs unattended in an exposed environment if they contain sensitive information
• Do not leave printers unattended if they are printing sensitive output
• Secure media as carefully as you would a confidential report
• Perform periodic backups
• Practice separation of authority
Security Measures
Hardware Controls:
• Secure the equipment
• Consider using add-on security boards
Software Controls:
• Use all software with a full understanding of the threats it may pose
• Do not use software from dubious sources
• Be suspicious of all results
• Maintain periodic complete backups of all system resources
Protection of Files
• Access control features
• Encryption
• Copy protection
• No protection
Access Control Mechanisms for PCs
Motivations for access control:
• Outside interference
• Two users, one machine
• Network access
• Errors
• Untrusted software
• Separation of applications
Features of PC Access Control Systems
• Transparent encryption
– some systems automatically encrypt files so that their contents will not be evident
• Time-of-day checking
– allowing access only during certain times
• Automatic timeout
– the system automatically terminates an idle session
• Machine identification
– a unique serial number can be read by the application
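To make the last three features concrete, here is an added example (not code from the slides or from any product they describe) of a minimal session checker that enforces time-of-day checking, automatic timeout of idle sessions, and machine identification by serial number. The policy values, the serial numbers and the user name are constructed for the example; it also handles a time window that wraps past midnight, which the slide does not spell out.

```python
"""Added example: a minimal PC session access-control checker.

Enforces three of the features listed on the slide: time-of-day checking,
automatic timeout of idle sessions, and machine identification by serial
number.  All names, policy values and serial numbers are constructed for
this example and do not come from any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessPolicy:
    window_start: time               # earliest time of day access is allowed
    window_end: time                 # latest time of day access is allowed
    idle_timeout: timedelta          # inactivity after which the session ends
    allowed_serials: FrozenSet[str]  # machine serial numbers the app may run on


@dataclass
class Session:
    user: str
    serial: str
    last_activity: datetime
    active: bool = True
    events: List[str] = field(default_factory=list)  # simple audit trail


def in_time_window(policy: AccessPolicy, now: datetime) -> bool:
    """True if the time of day of `now` lies inside the policy window.
    A window whose end is before its start (e.g. 22:00-06:00) wraps midnight."""
    t = now.time()
    if policy.window_start <= policy.window_end:
        return policy.window_start <= t <= policy.window_end
    return t >= policy.window_start or t <= policy.window_end


def machine_allowed(policy: AccessPolicy, serial: str) -> bool:
    """Machine identification: refuse to run on a machine whose serial
    number is not in the allow-list."""
    return serial in policy.allowed_serials


def open_session(policy: AccessPolicy, user: str, serial: str,
                 now: datetime) -> Optional[Session]:
    """Open a session only if both the machine and the time of day pass."""
    if not machine_allowed(policy, serial) or not in_time_window(policy, now):
        return None
    return Session(user=user, serial=serial, last_activity=now)


def touch(policy: AccessPolicy, session: Session, now: datetime) -> bool:
    """Record user activity at `now`.  Returns False and terminates the
    session when the idle timeout has elapsed or the window has closed."""
    if not session.active:
        return False
    if now - session.last_activity > policy.idle_timeout:
        session.active = False
        session.events.append(f"{now.isoformat()} auto-timeout after idle")
        return False
    if not in_time_window(policy, now):
        session.active = False
        session.events.append(f"{now.isoformat()} outside allowed hours")
        return False
    session.last_activity = now
    return True


def demo() -> Dict[str, object]:
    """Run the checker against constructed inputs and return the decisions."""
    office = AccessPolicy(time(8, 0), time(18, 0), timedelta(minutes=15),
                          frozenset({"SN-0001", "SN-0002"}))
    night = AccessPolicy(time(22, 0), time(6, 0), timedelta(minutes=5),
                         frozenset({"SN-0003"}))
    t0 = datetime(2011, 3, 1, 9, 0)
    results: Dict[str, object] = {}
    results["wrong_machine"] = open_session(office, "alice", "SN-9999", t0) is None
    results["after_hours"] = open_session(office, "alice", "SN-0001",
                                          datetime(2011, 3, 1, 20, 0)) is None
    s = open_session(office, "alice", "SN-0001", t0)
    results["opened"] = s is not None
    results["active_ok"] = touch(office, s, t0 + timedelta(minutes=10))
    results["idle_timeout"] = not touch(office, s, t0 + timedelta(minutes=40))
    results["events"] = list(s.events)
    # Wrapping window: 23:00 and 03:00 are inside, 12:00 is outside.
    results["night"] = (in_time_window(night, datetime(2011, 1, 1, 23, 0)),
                        in_time_window(night, datetime(2011, 1, 1, 3, 0)),
                        in_time_window(night, datetime(2011, 1, 1, 12, 0)))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list on the session is the one feature the slides list as missing on PCs ("no audit trail"); recording why a session was ended is what lets an administrator later distinguish an idle timeout from a lockout outside allowed hours.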
Risk Analysis
• RISK
• Possibility of suffering harm or loss; a factor, course or element involving uncertain danger
THEORETICAL FRAMEWORK
• An important parameter in designing security systems is the COST
RISK ASSESSMENT
• Risk perception
– psychological theory of risk: how the general public reacts to uncertainties of danger, and how this general reaction affects individual behaviour
– cultural theory of risk: risk perception differs depending on the social group and belief system an individual belongs to (Douglas 1970)
Reacting to Threats
[Diagram: THREAT → communication → RISK PERCEPTION → RESPONSE (Passive Reaction)]
Reacting to Threats
[Diagram: RISK MANAGEMENT and Organisation Structure; RISK PERCEPTION and External danger; linked by Shared Meaning and Trust]
CULTURE AND RISK
• Risk behaviour is a function of how human beings, individually and in groups, perceive their place in the world.
• It is important to understand the role of culture in stakeholder interaction in order to understand cultural biases in risk perception.
STAKEHOLDER MODEL
• Stakeholders
– Users: information user
– Suppliers: information provider and systems developer
– Others: systems manager
• Each stakeholder group has a differing perception of the same risk.
• Stakeholders can be grouped among themselves depending on the social groups they belong to rather than the roles they assume.
STAKEHOLDER MODEL
• Individuals have different cultural biases and have different perceptions of risk
– computer privacy and security rules are different in different countries
– Singapore, Japan, US, Canada
• Grouping stakeholders is not enough for designing IS.
RISK COMMUNICATION
• It is important to know the cultural backgrounds of the stakeholders
– how they perceive risks
– how they communicate risks
– risk communication theory
– risk communication model
RISK COMMUNICATION
• Past:
– risk communication as a one-way flow from government to the general public…
– efforts to improve risk communication
– to get the message across by describing the magnitude and balance of the attendant costs and benefits
RISK COMMUNICATION
• The costs and benefits are equally distributed across a society
• People do not agree about which events or actions do the most harm or which benefits are more worth seeking.
RISK COMMUNICATION
US National Research Council (1989):
Risk communication is an interactive process of exchange of information and opinion among individuals, groups and institutions. It involves multiple messages about the nature of the risk and other messages, not strictly about risk, that express concerns, opinions and reactions to risk messages or to legal and institutional arrangements for risk management.
RISK COMMUNICATION
• Risk Communication
– risks posed to stakeholders on the web are technological hazards
– classical risk communication model:
• sources
• transmitters
• receivers
[Diagram: classical risk communication model, set within CULTURE. A Risk Event is portrayed with symbols, signals and images by the Sources (Scientists, Agencies, Institutions/Agencies, Interest Groups, Eyewitnesses). Transmitters (Interest Groups, Opinion Leaders, Media) pass it on to Receivers (General Public, Affected Organisations/Institutions, Social Groups, Other target audience). Two-way interaction and feedback flow back from receivers to transmitters and sources.]
[Diagram: Initial Information → HEAR → UNDERSTAND → BELIEVE → PERSONALIZE → RESPOND. Hearing is filtered by CULTURE, SOCIAL FASHION, PERSONAL VALUES, RELATED ATTITUDES and INFLUENCES, which make the message Appeal or Not Appeal; New Information re-enters the process at the HEAR stage.]
Communication
• The recipient hears the information and then screens it based on social fashion, personal values and attitudes under the influence of peer groups
– cultural forces act before understanding the message
• Believing involves acceptance that the understanding is correct
– the risk is real
• Personalisation
– the risk event will affect the receiver
• Response
– decision to take action for protection from the risk
• Credibility of information sources and transmitters is a key issue in risk communication
TRUST AND CONFIDENCE VS CREDIBILITY
• Trust is an important ingredient in any trade transaction
• Trust acts as the mitigating factor for the risks one party assumes on the other party in the trade
• As trust increases, the risks either reduce or become manageable by the trusting party
• The existence of trust also reduces the transaction cost in a trade
INSTITUTIONAL CREDIBILITY
• The social climate pre-sets the conditions under which an institution has to operate to gain and maintain trust
• In a positive climate people invest more trust in institutions
• In a negative climate people tend towards caution and seek to have more control
Risk Perception, Trust and Credibility
• Hypothesis:
– once trust and credibility exist in a relationship among the stakeholders during risk communication, stakeholders do not get involved in the analysis of risk factors individually, and
– information systems security becomes less important to people when dealing with a trustworthy and credible institution.
• The personality of the communicator, with the attributes of ability and integrity, is also important in establishing trust.
• Overall, the message, the communicator, the institution and the social context are the major factors in establishing trust within an organization.
Risk Perception, Trust and Credibility
• Inferential analysis:
– inverse correlation between trust and security on the internet
– the higher the trust placed in an organization, the lower was the security concern.