Bring your own device: a survey of threats and security management models
Article in International Journal of Electronic Business · January 2018
DOI: 10.1504/IJEB.2018.10016225
2 authors: Fabricio Rolando Rivadeneira (Universidad Laica Eloy Alfaro de Manabí (ULEAM)) and Glen Dario Rodriguez (Universidad Nacional de Ingeniería (Peru))
All content following this page was uploaded by Glen Dario Rodriguez on 07 June 2019.
Int. J. Electronic Business, Vol. X, No. Y, XXXX
Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models
Fabricio R. Rivadeneira Zambrano*
Universidad Laica Eloy Alfaro de Manabí
Chone 130704, Ecuador
Email: frolando.rivadeneira@uleam.edu.ec
*Corresponding author
Glen D. Rodríguez Rafael
Facultad de Sistemas e Informatica,
Universidad Nacional Mayor de San Marcos,
Lima, 15081, Peru
Email: grodriguezr@unmsm.edu.pe
Abstract: Bring Your Own Device (BYOD) is used by many organizations for the benefits offered by allowing the use of mobile devices to perform business tasks, but the following questions should be analyzed by any organization that wants to adopt a BYOD environment: What threats do mobile devices currently face when used in BYOD environments? What are the characteristics of the security models proposed so far to manage BYOD? Are there integral security models with the minimum requirements needed to take full advantage of BYOD? What are the basic controls that should be taken into account when designing security policies for a business with a BYOD environment? What are the main differences between security in BYOD environments and security in corporate-owned mobile device environments, regarding how easy it is to meet security needs? By answering these questions, we will be able to have a clear vision of what it takes to adopt BYOD in an organization, its advantages, its disadvantages and the changes the organization needs to make in order to eliminate the security problems that come along with BYOD. Employees have absolute control over the use and installation/uninstallation of applications on the mobile device; in security matters this fact is still the weakest link, and in the majority of companies it is barely given attention; but in BYOD environments the employees must be the main firewall in order to avoid security problems.
Keywords: BYOD; Security Risk; Security Policies; Security Management Models; Social
Engineering; Mobile Security.
Reference to this paper should be made as follows: Author(s) (2017) ‘Bring Your Own Device
(BYOD): a Survey of Threats and Security Management Models’, Int. J. Electronic Business,
Vol. X, No. Y, pp.000–000.
Biographical notes: Fabricio Rivadeneira was born in Chone, Ecuador (1975), and is a professor at the Universidad Laica Eloy Alfaro de Manabí. He received a degree in Systems Engineering from ULEAM and a Master's in Project Management (2009) from ULEAM. He is currently in the doctoral program in Systems Engineering at UNMSM, Peru. His research interest is security in mobile environments.
Glen D. Rodriguez Rafael received his BS in Systems Engineering from Universidad Nacional de Ingenieria, Lima, Peru, in 1994, his ME in Information and Computer Science Engineering from Toyohashi University of Technology, Toyohashi, Japan, in 2001, and his Dr.Eng. in Electronic and Information Engineering from Toyohashi University of Technology, Toyohashi, Japan, in 2004. Since 2006 he has been a Lecturer and later a Professor at Universidad Nacional de Ingenieria, Lima, Peru. From 2008 until 2013 he was involved in the Cubesat project of this university as the person responsible for the ground station. His research interests are evolutionary algorithms, software testing, search-based software engineering, parallel processing, mobile communications and information security.
1 Introduction
BYOD is a trend that most companies are beginning to adopt. Boon and Sulaiman (2015) estimate that 200 million of the 360 million users employ their personal devices for work-related tasks, due to the benefits they present, such as customer satisfaction, since it creates an increase in productivity. This is validated by Page (2013), who states that 80% of companies that allow a BYOD program have seen an increase in productivity. Another benefit is that companies don't have to cope with the cost of the devices or their data plans. It also makes more time available for management, because employees will always seek to acquire the latest mobile innovation on the market.
Copyright © 201x Inderscience Enterprises Ltd.
The implementation of BYOD environments is not all benefits; companies also face several disadvantages in the security field, such as the challenge of managing employee-owned devices (the organization should distinguish employee-owned devices from its own devices and manage them separately). Another challenge is that, since most devices are owned by employees, the IT team cannot have complete control over these devices and the applications installed on them; Hemdi and Deters (2016) determined in a study that 60% of workers in businesses allowing BYOD were found to use at least one free file-sharing application, and 55% of those did not tell their IT departments about such use; any intrusion not authorized by the IT department could pose a risk of privacy leakage on the employees' side. Another disadvantage is that the devices are always turned on and connected; for this reason the exposure to malicious attacks increases along the different communication channels, and the situation becomes even worse when we consider that the wireless connection channels of a smart device can be attacked more easily than wired channels. The lack of, or weak, enforcement of BYOD policies is another of the disadvantages that organizations face; policies are an important piece in the control of security problems and each organization must create a policy that suits its needs; BYOD needs a large number of policies to control and secure company data.
BYOD is a trend that companies won't be able to ignore, and in a short period of time most organizations will allow their employees to use their mobile devices to carry out the company's activities. The following research questions are asked in order to obtain some insight into how to take maximum advantage of a BYOD program:
• What are the threats that mobile devices currently face while being used in BYOD environments?
• What are the characteristics of the security models proposed to manage BYOD?
• Are there integral security models with the minimum requirements to take full advantage of BYOD?
• What are the basic controls that should be taken into account when designing security policies in companies with a BYOD environment?
• What are the main differences between security in BYOD environments and security in corporate-owned mobile device environments, regarding how easy it is to meet security needs?
The adoption of BYOD environments has spread rapidly
and continues to transform the way people and
organizations work. The use of mobile devices for both
personal and work activities opens up new security threats.
This article aims to give a panoramic view of BYOD
environments, what their security risks are, what security
management models have been proposed, the policies for
the use of BYOD in corporate settings and future work that
must be done in order to improve the awareness of the
employees so they can become the first security barrier.
2 Background
BYOD is an acronym for "bring your own device," a phrase
used for a scheme based on the idea of allowing employees
to take their own mobile electronic communication device
and use it in the workplace to perform the tasks of the
organization. The scheme is primarily driven by consumer
preference rather than corporate initiative. However, BYOD
has potential benefits for both parties (Bell, 2013). The Bring Your Own Device phenomenon means that employees, business partners and customers are increasingly accessing information using a web browser on a device not owned or managed by the organization; this has resulted in security implications for data leakage, data theft and regulatory compliance (Morrow, 2012).
BYOD is a scheme that a company adopts, allowing its employees to bring in and use their own private mobile devices for their job. What this means is that this one device would carry not only the individual's personal data but also their workplace data (Gladyng, 2013). Employees can have access to their company's data at their workplace, and they can also have access to the data outside the company's environment (Olalere et al., 2015). This enterprise IT policy allows employees to use their own devices to access sensitive corporate data at work through the company's IT infrastructure.
BYOD has existed as a movement since individuals began to bring their own USB flash drives, or installed their personally preferred programs, in order to accomplish the tasks assigned to them. In such cases, over the years, the security of organizational resources and data has been achieved through a variety of technological innovations. These include controlling the desktop environment by implementing different technologies; for instance, the use of central software-based policy controls, restriction of the installation of applications, disabling of USB ports, and the monitoring of the desired workstations (Zahadat et al., 2015).
It is considered that the BYOD phenomenon appeared with the arrival of the Apple iPhone in 2007, which led to a revolution in the field of consumer technology. Senior executives, condemned for years to serious and functional terminals like the BlackBerry, found a light, tactile, fun device and wanted to take it to the office. In 2009, the BYOD concept began to be considered when Intel recognized the importance of employees using their own devices to access corporate and network resources, but it was not until 2011 that software vendors such as Citrix Systems shared their perceptions of this new trend (Gajar et al., 2013).
Since then, the mobility revolution has not stopped, with the proliferation of smartphones and tablets with advanced functionalities in the personal environment of workers. One of the first companies to support the BYOD model was IBM, as it recognized the increase in employees who used their smartphones or personal tablets in the workplace. IBM offers different solutions divided into "technology solutions" and "services", and almost all of them focus mainly on the management of devices in the system (Cuevas et al., 2015).
According to the study by Lawrence and Francoise (2014) presented at the RSA Conference, the adoption of BYOD in several countries had increased. The study determined that in India 85% of employees use smartphones to perform work activities, followed by China with 76%, Brazil with 71%, USA 55%, Canada 47%, UK 38% and Russia 5%. This study also showed that the rate of use of personal computers in the same countries is: Brazil 56%, India 55%, China 54%, Canada and USA 47%, UK 38% and Russia 10%. This shows that there has been an increase in the use of mobile devices such as smartphones for performing work activities.
Dhingra (2016) mentions the following BYOD statistics:
• It is predicted that by 2017, 50% of employers will
require their employees to use their own device for
work purposes.
• By 2018, more than 70% of professionals will carry out
their work on smart personal devices.
• By 2018, there will be more than 1 billion devices used
in BYOD programs around the world.
• Only 30% of companies have approved BYOD
policies.
• 90% of IT professionals express concern about sharing
content through mobile devices.
• 85% of organizations allow employees to bring their
own devices to work.
• More than 50% of the organizations rely on users to
personally protect their devices.
• 53% of information users utilize their own personal
devices for work; install unsupported software; or use
unsupported Internet based services like Dropbox,
Skype, Twitter, or Facebook to help them do their jobs.
• The popularity of the smart devices generates
opportunities for mobile app stores, which in 2016 will
reach 310 billion downloads and 74 billion dollars in
revenue.
2.1 Benefits
BYOD implementation offers benefits to employees and also to organizations; among these benefits we have:
Improved employee mobility.- According to the survey performed by Schulze (2016), 61% of employees prefer to use BYOD because it allows them to be connected from anywhere and at any time, allowing them to perform their job tasks.
Employee satisfaction.- BYOD allows employees to use their favorite mobile device, creating an innovative way to work. Employees are currently dependent on their mobile devices and are accustomed to their use and management, allowing them to work in a collaborative and interactive way. According to the survey of Schulze (2016), 56% of employees use BYOD for this benefit.
Increased employee productivity.- This benefit is aimed more at the organization, because having employees who can be connected from anywhere and at any time, and who are satisfied, improves productivity.
Cost reduction.- This benefit is also oriented towards the organization, because it helps reduce the cost of acquiring devices and the license fees of applications that require them, since these costs are assumed by the employees; companies can use these savings to provide added value and more IT services to employees (Boon and Sulaiman, 2015).
Less device support.- As the ownership of the device is transferred to the employee, the IT team can spend less time supporting end users (Pell, 2013).
But not everything about adopting BYOD is a benefit; for this reason it creates a "unique set of challenges for IT professionals", as it "redefines the relationship between employees and the IT organization" (Lebek et al., 2013), which will be further discussed in section 3.
2.2 BYOD approaches
For Boon and Sulaiman (2015) there are different approaches to BYOD: giving managed enterprise devices to the employee; adding employee-owned devices to the enterprise devices; or replacing enterprise devices with employee-owned devices. The most important objective of BYOD is to provide an effective solution that allows users to enjoy IT services not limited to enterprise-owned devices and working hours. Hence, it should ensure that anything required to perform work-related tasks is available on any device, in private time, and accessible from anywhere, whether connected remotely through the Internet or through the WLAN in the workplace.
Gajar et al. (2013) present the following implementation strategies for corporate mobile management:
Here is your own device (HYOD): In this concept, devices are provided by the organization. The company has total control over the device. The company will provide complete support for the device, from installation to configuration and device settings.
Choose your own device (CYOD): In this type of strategy, the organization offers a series of devices, from which an employee can choose the device to use. The policies aren't as strict as in the HYOD case, and the user has the authority to install some specific applications and software. CYOD is a strategy that, while still embracing the fundamentals of 'consumerization', reduces the number of devices an employee can choose from to access corporate data. In contrast to BYOD, all aspects of the purchase and maintenance of the device are assigned to the employer and not the employee (Pell, 2013).
Bring your own device (BYOD): The employee buys the device, or the organization offers financial help to buy the device they want to work with, in the consumer market. Here the policies are weaker and the organization has less control over the device. Users can do what they want and install as many applications as they want, as long as they comply with the policies of the organization.
On your own device (OYOD): The end user can bring any device, including one which isn't supported by the organization. The user has the responsibility of administering the device. No policies need to be followed.
3 Threats of Mobile Devices in BYOD Environments
Most organizations are totally dependent on their IT systems to capture, store, process and distribute company information. This dependence has grown rapidly with the advent of BYOD. Information security is, and has always been, a discipline for mitigating the risks that affect the confidentiality, integrity and availability of an organization's IT resources. This discipline has been forced to expand with the arrival of BYOD, but not necessarily in a predictable and coherent way. Many organizations aren't even aware that BYOD is used in their networks, and many of them have little to no technologies and/or policies to address BYOD (Zahadat et al., 2015). Studies show that 89% of employees' mobile devices are connected to a business network, while only 10% of these companies know that these devices are even accessing their network, a cause of concern when companies are storing vital and confidential data there. In addition, recent surveys indicate that 34% of mobile device users store sensitive data on their devices; this fact affects companies, since a company cannot be sure that these sensitive data aren't directly related to its business. These security issues are posed by many of today's devices (Page, 2013).
Given the problems raised by the adoption of BYOD, this paper intends to answer the research question: What are the threats facing the mobile devices currently used in BYOD environments? The threats to companies that implement BYOD are in most cases the same attack vectors used against desktop computers, but improved and targeted to exploit the vulnerabilities and limitations of mobile devices; another threat compromising mobile devices is the guided and persistent attack, not launched at random or against a large number of people but, on the contrary, targeting a specific device. This type of attack, with appropriate techniques, enough time and the growing exploitation of emergent technologies (social networks, cloud computing, among others), can achieve its goal. Among the threats are:
• Advanced Persistent Threat (APT). An APT is often based on a common initial attack vector; it is a clever and stealthy threat used by a group of highly motivated perpetrators with the resources to extract and exfiltrate important sensitive data from organizations. An APT usually involves a prolonged method that uses covert surveillance to detect vulnerabilities, in order to infiltrate by exploiting vulnerabilities and weaknesses. APTs are often difficult to detect because of their ability to bypass traditional security defenses such as host firewalls, intrusion detection systems and other security systems (Bann et al., 2015). APT operations can take a long time (months or years) to examine and exfiltrate sensitive data from the target without triggering any detection.
• Social Engineering. It is the art of getting user information in order to obtain knowledge about the information system. Instead of technical attacks on systems, social engineers address human beings with access to information, manipulating them into disclosing sensitive information (Krombholz et al., 2015). For Algarni et al. (2013), social engineering poses a real threat to many organizations, companies, governments and individuals. Sites such as social networks have been identified as some of the most common means of social engineering attack, due to factors that reduce the ability to detect the tricks of social engineers. 1 in 12 people browse Facebook while they are at work, either from their own device or from the company's computer (Orzeszek, 2013). Attackers can take advantage of social networking sites in many ways. One way to do this is by establishing a group that appears to be of public interest, directed at system administrators or network engineers; in this way the attackers gain the administrators' trust and can get valuable information and even the credentials of a key system in an organization (Kelley and Havilland, 2015).
• Malware. Since 2011, the number of mobile malware families has increased by 58%; malware increased more than 10 times between July 2012 and January 2014. These alarming figures suggest that malware remains the most dangerous and persistent threat to corporate information. In the context of BYOD, existing security vulnerabilities in employees' mobile devices are exploited by malware to steal confidential information, sabotage networks, or divert financial transactions. In addition, since the advent of BYOD, IT departments have lost control of mobile devices, which means that accidental malware infections cannot be detected (Flores et al., 2016). This threat has become even more versatile and frightening, as it can hide behind a user's typical activity on the internet. Malware authors are diversifying and specializing, moving away from the traditional infection through links and malicious email attachments, especially in online social networking (OSN) domains and mobile devices. For example, there are social media methods that exploit the functions of OSNs to spread malware through typical activities such as offering fake gift cards or misleading OSN users into sharing attractive videos, websites or messages that carry the malware (Dang-Pham and Pittayachawan, 2015).
• Operating System Fragmentation. Google has declared that only 1.2% of active Android smartphones run the latest version of Android; this fragmentation causes support problems when an IT department allows its users to bring several types of phones. Several versions of the same operating system (e.g., Android) on your network increase the risk and seriousness of security breaches. Even if only one type of phone is allowed with one version of the operating system, problems will arise if the phone/version combination is never updated by the provider. The IT department will now have to manage and secure a wide range of devices, including smartphones and tablets with different operating systems, that have access to corporate data. Manufacturers constantly release new software updates with new features to change the look, feel or performance of the device, and often a new version of the operating system changes everything that was safe in the previous version. The new software also has to be adapted to specific device hardware (radio controllers, Wi-Fi, Bluetooth), even on devices that are apparently similar (Rose, 2013). The Android platform suffers from vulnerabilities that allow hackers to perform malware attacks, denial of service, web-launched attacks, covert channels, and privilege attacks (Rose, 2013). Depending on the level of internal support that IT departments give to the growing and uncontrolled range of mobile devices available, these may not be compatible with the security measures of configurations or applications, with mobile hardware and operating system fragmentation as a consequence. This may prevent the minimum security requirements from being met to protect corporate information.
• Theft or loss. Employees take their mobile devices to many places, which puts them at greater risk of losing their device or having it stolen; when this happens the user immediately loses the use of the device. This could cause problems such as losing important calls, inability to handle urgent jobs or other troubles. When the device is lost or data is stolen, the degree of loss depends on what data is stored on the device and how it is stored. In the BYOD environment, a lot of personal and organizational data is stored on BYOD equipment, which causes a serious threat (Tu and Yuan, 2012). According to Hemdi and Deters (2016), millions of cell phones and smartphones are lost or stolen every year. It is believed that approximately 22% of the total number of mobile devices produced will be lost or stolen during their lifetime, and more than 50% of them will never be recovered.
• App Store. For Arabo and Pranggono (2013), there are some Android applications that, when downloaded from a third-party market (not the Android market), are able to access the root functionality of devices ("rooted") and turn them into botnet soldiers without the explicit consent of the user. The lack of security control over the applications that appear in the various Android app markets leads to attacks via malware and botnets. It was reported recently that the Google Play store, which has more than 700,000 apps, just passed 15 billion downloads (Arabo and Pranggono, 2013).
• Security Certificates. According to Vallina et al. (2014), the key component of today's Internet security is Transport Layer Security (TLS). This protocol provides endpoint authentication using the X.509 infrastructure. Trusted certificate authorities (CAs) sign server certificates. Clients can verify these certificates by using a trusted list of CA certificates that is shipped with their browser or operating system. Because CAs can sign certificates for any site on the Internet, they form one of the weakest links in the global trust hierarchy. When a CA is compromised, the attacker (or the compelling entity) can obtain certificates that enable TLS interception attacks on any target domain. Digital certificates remain a trusted means of authenticating computers over the Internet, provided they have been issued by a trusted certification authority. In fact, mobile devices don't come with factory-preloaded CA credentials only; they also allow users to add their own or delete existing ones. Given this, corporate information can be compromised if a naive employee has been persuaded to add a fake CA to a mobile device, or if an attacker has supplanted a trusted corporate digital certificate.
• BYOD policies and laws. Policy gaps are the basis of the majority of safety and security breaches, and BYOD is no exception. For example, corporations normally require complex passwords on desktop and laptop computers, but they do not enforce this policy on BYOD equipment, allowing a simple 4-digit access code on BYOD devices (Zahadat et al., 2015). User failure to comply with security policies is increasingly cited as a key security issue in organizations; if users fail to comply with security policies, security measures become ineffective (Puhakainen and Siponen, 2010).
4 Characteristics of Security Models for Managing BYOD
This section gives an answer to the following question:
What are the characteristics of the security models proposed
to manage BYOD? After reviewing the literature, the
following security models were found; they are presented
along with their most relevant characteristics related to
BYOD environments.
• Mobile Device Management (MDM) remotely supervises the state of mobile devices in order to control their functions. An MDM consists of two main components: an MDM agent, which is an application installed on the mobile device that sends status and data to the MDM server; and an MDM server, which manages the received data and accordingly issues commands to the registered mobile devices to lock them down, control them, encrypt them, and enforce policies on them (Eslahi et al., 2014). Most existing commercial BYOD security solutions consist of mobile device management systems (MDMs) (e.g., MobileIron, IBM MobileFirst Protect, Huawei BYOD, etc.). The security controls provided by an MDM solution usually address the behavior of the device as a whole, for example by applying a blacklist of unwanted applications, but these controls are often too coarse to capture the actual security policy of a complex organization (Armando et al., 2016).
• Mobile Application Management (MAM). A MAM system is a solution used by IT administrators to remotely install, update, delete, audit and track business-related applications on mobile devices. MDM is different because it controls mobile devices at the hardware layer; mobile application management systems monitor and control specific applications with reference to the policies and requirements of the organization. MAM features include: remote application provisioning, remote removal and configuration of applications, remote application updates and backups, and application whitelisting and blacklisting (Tewari et al., 2015).
• Mobile Information Management (MIM): This is the technique that secures corporate information instead of mobile devices; the main objective of MIM is to preserve business information in a central location (such as a private cloud) and securely share it between different endpoints and platforms. MIM only allows a limited number of trusted applications to control and manage encrypted corporate data.
• Virtualization: BYOD demands a new approach to the corporate network and the integration of technologies to support it; one of those technologies is virtualization. Virtualization helps organizations implement BYOD environments by centralizing security and access policies for all of their IT users, allowing mitigation of risks across the board. Because the server, desktop and BYOD interactions are virtualized, it is possible to build a good security umbrella around all these assets.
Desktop virtualization models are low cost; they centralize resources, data and security management and reduce or eliminate the need to transmit data onto mobile devices, thus reducing the possibility of data leakage occurrences (Downer and Bhattacharya, 2015). Virtualization is a software and/or hardware environment emulation method that runs on top of another system. This simulated environment is called a virtual machine. The virtual machine is logically equivalent to a physical machine, and the reason for the widespread application of virtualization is the ability to run multiple virtual machines on a single physical one. Within virtualization we have the hypervisor, which is the hardware platform virtualization software that allows multiple operating systems on a single device. This virtualization type is available on some Android devices because the platform is open. The hypervisor is used to run two or more instances of the operating system, giving the ability to run personal applications and services from a primary partition and enterprise services/applications on the virtualized operating system. There are two types of hypervisors. Type 1 hypervisors run directly on the system hardware, with multiple virtual systems that use the virtual resources provided by the hypervisor. Type 2 hypervisors run on a host operating system that provides virtualization services, such as I/O device support and memory management, on which virtual systems run using the virtual resources provided by the hypervisor (Jaramillo et al., 2014).
• Application Containers for Mobile Devices: Containerization provides administrators with the ability to create secure containers on the device within which all the organization's applications and data are kept. With this method, data can be shared exclusively between applications that are inside the secure container. This method allows the implementation of the organization's security policy over predetermined secure containers without affecting the functionality and the private part of the device's data (Perakovic et al., 2014). There are three major types of containers according to Yadav et al. (2015): 1) Application-specific containers, also called pin-in SDK packages, make changes to the exterior of the user interface, and sometimes customers do not like it. 2) Neutral application containers use an application-wrapping process to provide security measures that are not part of the application source code. The application wrapper can be deployed in a short period of time because this container doesn't require changes to the original application code. This gives users the layout of the original application and consistency between the personal and business spaces. 3) Integrated containers allow security and optimization of business productivity through the use of tools and applications designed for integration into the operating system.
According to the comparative study of Perakovic et al. (2014), the most suitable method is the neutral application container: thanks to an uncomplicated application packaging process, it doesn't change the exterior of the application user interface and at the same time it does not change the source code.
• T-dominance. It interprets and measures security representativeness (measured by the unique traits of smartphones: co-location communication channels in addition to the cellular links, readily available connectivity information, and the regular mobility/connectivity pattern of users in the enterprise environment) with a temporal-spatial structural property. It is a distributed algorithm, executed in distributed form on individual smartphones, that solidly preserves that property. It is called the T-dominance algorithm, where T is a time limit. Each BYOD smartphone runs the T-dominance algorithm and, based on potentially obsolete information from nearby smartphones, estimates its security representativeness. If a smartphone is considered representative, it becomes an agent. The algorithm doesn't need central coordination, which reduces maintenance overhead for enterprise IT management, and is less intrusive for BYOD employees. After executing the algorithm for a while, the whole set of BYOD smartphones will be dominated by the agents: each smartphone is an agent or, very likely, it is close to an agent with a delay that doesn't exceed T. It is a more intrusive and costly defense mechanism than other methods. Priority-based deployment with T-dominance provides an adjustable equilibrium (through T) between the security provision and the intrusion/cost of the mechanism (Peng, et al., 2013).
Properties for an algorithm that implements T-dominance-based prioritized defense deployment:
Property 1 (Correctness). The T-dominance structural property is maintained by the algorithm.
Property 2 (Localization). An agent makes its activation/deactivation decisions based on its own status and the connectivity logs from other smartphones it co-locates with.
Property 3 (Temporal robustness). Property 1 is achieved even if the connectivity logs obtained from other smartphones during Wi-Fi co-location are outdated.
T-dominating agents play a specific role in the deployment of prioritized defense. In patching priority, the agents resemble the high-risk population (prior to immunization) and the deposit of vaccines (after immunization) in human epidemiology. An agent makes its activation/deactivation decisions based on its own status and the connectivity logs of the other smartphones it co-locates with.
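The three properties above, exercised on a constructed contact trace. This is an added illustration with a stand-in local decision rule (lowest-numbered agent wins), not the authors' code nor the algorithm of Peng et al.; phone identifiers, the trace and the time bound T are constructed.

```python
"""Simplified simulation of T-dominance-style agent selection.

Added illustration; the decision rule is a constructed stand-in, not the
algorithm of Peng et al. (2013), chosen to exhibit the three properties the
survey lists. Time is discrete. A contact is a Wi-Fi co-location during which
two smartphones exchange their current agent status; each one records it in
its own connectivity log and never consults a central coordinator.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Phone:
    pid: int
    agent: bool = False
    # other pid -> (time of last co-location, whether the other was an agent then)
    log: Dict[int, Tuple[int, bool]] = field(default_factory=dict)

    def dominating_agents(self, now: int, T: int) -> List[int]:
        """Agents this phone met within the last T steps, according to its own
        log. Entries may be stale: the other phone may have changed status
        since the contact, but only the logged status is available locally."""
        return sorted(pid for pid, (t, was_agent) in self.log.items()
                      if was_agent and now - t <= T)

    def decide(self, now: int, T: int) -> None:
        """Local activation/deactivation (Property 2: only the phone's own
        status and its own connectivity log are used)."""
        agents = self.dominating_agents(now, T)
        if not agents:
            self.agent = True            # nobody dominates this phone within T: activate
        elif self.agent and agents[0] < self.pid:
            self.agent = False           # a lower-numbered agent already dominates it: step down


def record_contact(a: Phone, b: Phone, now: int) -> None:
    """Co-location: the two phones learn each other's status as of 'now'."""
    a.log[b.pid] = (now, b.agent)
    b.log[a.pid] = (now, a.agent)


def t_dominated(phones: List[Phone], now: int, T: int) -> bool:
    """Property 1: every phone is an agent or met an agent within the last T steps."""
    return all(p.agent or p.dominating_agents(now, T) for p in phones)


def simulate(n: int, contacts: Dict[int, List[Tuple[int, int]]],
             horizon: int, T: int) -> Tuple[Set[int], bool]:
    """Run the rule on n phones over the contact trace; return the final agent
    set and whether T-dominance held after every step even though the logs
    go stale (Properties 1 and 3)."""
    phones = [Phone(i) for i in range(n)]
    held = True
    for now in range(horizon + 1):
        for a, b in contacts.get(now, []):
            record_contact(phones[a], phones[b], now)
        for p in phones:                 # each phone runs the rule on its own
            p.decide(now, T)
        held = held and t_dominated(phones, now, T)
    return {p.pid for p in phones if p.agent}, held


# Constructed contact trace: time step -> co-located pairs.
# Phone 3 meets agent 1 at t=3 and steps down; phone 2 re-activates at t=5
# once its logged contacts with agents have aged past T.
CONTACTS = {0: [(0, 1), (2, 3)], 1: [(1, 2)], 2: [(2, 3)], 3: [(1, 3)]}

if __name__ == "__main__":
    agents, ok = simulate(4, CONTACTS, horizon=5, T=2)
    print("agents:", sorted(agents), "T-dominance held:", ok)
```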
• Cisco BYOD. It is a Cisco proprietary solution for a highly managed IT business structure. The architecture of the Cisco BYOD solution is based on the Cisco Borderless Network Architecture and adopts the best practices that apply to network infrastructure designs for campus, branch office, Internet and home-office deployments. The Cisco BYOD architecture identifies the critical components needed to enable secure access from any device, easy access to the network, and centralized enforcement of enterprise usage policies. This robust architecture supports a multitude of devices, whether employee-owned, business-owned or belonging to guest users, attempting to access the network locally or from remote locations. The Cisco BYOD Smart solution helps maximize business value by providing a high-quality user experience, information security and easy support. This solution stands out among other approaches that enable the implementation of BYOD for the following reasons: superior technology in every layer, a full view of the workspace, a validated design with comprehensive support, integration with third parties, complete services, and a seamless experience with any connection method (Hallock, et al., 2013).
• Brian's BYOD Model. The use of personal devices to access corporate applications and data shows what happens when there is a conflict between usability and security. Users decide for themselves, choosing their preferred programs by selecting the tools they find most suitable for their work. And because these are personally owned devices that follow the owner, issues of device security and remote access must also be addressed. According to (Tokuyoshi, 2013), security is addressed by using the following guidelines:
1) Protecting network traffic: Remote devices connecting to arbitrary networks may place corporate data at risk. Without some protection in place to secure network traffic, the information is about as private as a postcard, open to anyone who makes the effort to look.
2) Protecting the content of the traffic from vulnerabilities and exploits: Managed devices have the benefit of endpoint protection standards that provide a line of defense against malicious content. Unmanaged devices may or may not meet those standards, and may not be adequately protected before getting on the network. Two issues come into play: first, the endpoint may need better security to protect against dangerous content; and second, network security measures can play a larger role in protecting the device as well.
3) Enforcing application policy: Organizations have applications they need to protect, and want to ensure that there are appropriate controls in place for who may access them and from where. Perhaps the organization wants to place restrictions on which users may access the data center applications. Perhaps there are restrictions that must be in place to ensure that only corporate-issued laptops may access the datacenter. These types of controls ensure that the protection around the datacenter adequately models who and what can access it, and provides an appropriate level of access for a particular device.
4) Enforcing device policy: The mobile device's operating system may have a number of security features, but the ability to ensure that it is being used properly is not easily prescribed when the device is not corporate-owned. An increasing number of organizations are undertaking measures to make devices policy-compliant with enterprise needs through the use of technology such as Mobile Device Management (MDM). This can take an unmanaged device and make it an employee-owned managed device.
5) Protecting data on the device: Should BYOD devices be allowed to contain enterprise data? What measures are in place to secure that data, or to destroy it in the event of a lost or stolen device? Some see this as a containment issue, using partitioning and application containers to limit the scope of where the data goes. Some see it as a matter of data protection, such as data-level or device-level encryption. Another approach is to first consider what applications (and data) the device should be allowed to access in the first place, for example using virtualization to remotely access an application or desktop without putting the application data itself on the device.
• BRADFORD'S BYOD Model. The process uses the Network Sentry tool from Bradford Networks, which grants personal devices access to the corporate network according to the rules that are defined. The Network Sentry policy engine is used to define access to the network in a very specific way to meet the needs of different users and groups. Network Sentry is used to enforce those policies, provide visibility of all network access, and allow policies to be modified if necessary. It is an approach that shifts the focus from traditional control to flexible, policy-based network provisioning that can support personal mobile devices. Employees can be productive on their preferred devices without compromising organizational security (Bradford, 2013).
• BYOD Security Framework (BSF). This framework has been designed to achieve three objectives. First, spatial isolation is necessary in order for the personal space and the corporate space to be separated from each other, and to allow policies to be implemented for each of them individually. Second, corporate data protection is necessary so that unauthorized access to this data becomes unfeasible; this is achieved by encrypting all corporate data stored on the BYOD device. Finally, the security policy must be enforced so that devices comply with the requirements of the company. BSF defines two entities: the business side and the device side. The first is composed of all corporate resources such as company servers, Internet gateways and corporate data. On this side, a network access control (NAC) mechanism is responsible for providing access control when BYOD devices attempt to access these resources. This access is authorized or denied based on corporate policies. In addition, the NAC has to differentiate between personal-space requests and corporate-space requests, which is achieved through the implementation of certificates for each of them. To manage corporate policies, a security policy database is deployed. These policies include information on how to handle an access request coming from the user space on a BYOD device, which devices are allowed to access the network, and the connection parameters. Finally, mobile devices are managed by integrating an MDM solution, which is based on the policy database and applies these policies to BYOD devices (Wang, et al., 2014).
• Remote Mobile Display (RMS). This framework meets all the goals of a secure BYOD environment. To do this, the enterprise provides the employee with a virtual machine (VM) running a mobile operating system, located in the enterprise network, to which the employee connects from the mobile device; an RMS implementation is provided using commonly available software for the x86 architecture. RMS modifies the BSF architecture by moving the corporate space from the mobile device to the corporate network. In addition, RMS adds a new component called the Corporate Space Manager (CSM), which manages access to the mobile virtual machines located in the corporate network. Finally, RMS uses the Virtual Network Computing (VNC) protocol, which in turn relies on the Remote Framebuffer (RFB) protocol, to let the user access their own corporate space. Like BSF, RMS has a BYOD side and an enterprise side. The BYOD side accesses the corporate space, located in the corporate network, through the VNC client residing on the device. The enterprise side contains a security policy enforcement entity that enforces enterprise policies: RMS uses its CSM as a proxy server that inspects the contents of VNC packets and performs actions based on that content. The employee has access to corporate resources through the VNC application, thus solving the problem of storing corporate data on user devices. However, this system also has limitations. VNC's password authentication is cryptographically weak, and the protocol does not protect against observation or manipulation of the data stream. In addition, Unicode text transfer is not supported by the RFB protocol (Gimenez, 2015).
Table 1: Security Management in BYOD Environments
Columns: Security Model | Characteristic | Application Level

Mobile Device Management (MDM) (application level: Technical)
• Mobile devices are connected to the corporate network through an encrypted channel.
• Authenticates devices by exchanging certificates with the organization's certified servers; with the help of an Access Server, MDM can define the correct access.
• Continuously synchronizes and backs up organizational data stored on devices, from and to devices, through the synchronization server.
• Locks devices, enforces policies on the device and can even delete remote and local data.

Mobile Application Management (MAM) (application level: Technical)
• Monitors and controls certain applications according to the policies and requirements of the organization.
• Whitelists and blacklists applications.
• Application updates and backups.
• Remote removal and configuration of applications.
• Remote application provisioning.

Mobile Information Management (MIM) (application level: Technical)
• Preserves company information in a central location.
• Allows a limited number of trusted applications to control and manage encrypted corporate data.

Virtualization (application level: Technical)
• Maintains the desktop within the data center.
• Streamlines the licensing process and reduces the licensing liability risks that may go along with BYOD.
• Meets a company's backup, recovery and compliance needs, preventing employees from storing unique enterprise data on their devices and in cloud-based applications.
• Easier management for the IT department: IT doesn't need to manage a large number of devices, allowing it to focus on data and application management.

Application Containers for Devices (application level: Technical)
• Data can be shared exclusively between applications within the secure container.
• Provides users with access to all of the organization's data through a single sign-on (SSO).
• If some data is compromised, the entire container or that particular application can be deleted.
• Assigns the use of various security systems, such as direct renewal or updating of content, to the secure containers.

T-dominance (application level: Technical)
• By using strategic sampling, agents resemble traditional Internet honeypots for intrusion detection.
• The T-dominance structural property is maintained by the algorithm.
• T-dominating agents play a specific role in the deployment of prioritized defense. In patching priority, the agents resemble the high-risk population (prior to immunization) and the deposit of vaccines (after immunization) in human epidemiology.
• An agent makes its activation/deactivation decisions based on its own status and the connectivity logs of the other smartphones it co-locates with.

Cisco BYOD (application level: Technical)
• Ensures compliance with corporate access policies on any device.
• Knows what users and devices are connected to the networks.
• Minimizes the amount of IT resources needed to incorporate new personal devices into the network.
• Workspace productivity applications.
• Collaborate with any device.
• Manages and protects devices and their workspace.
• Provides access from anywhere with seamless connection transfer.
• Applies policies to grant access to information depending on who requests it and which device is used.
• Takes the workspace into the device.

Brian's BYOD Model (application level: Technical)
• Protect network traffic from authorized and unauthorized access.
• Protect the traffic content from vulnerabilities through an encryption mechanism.
• Enforce application policy by allowing access only for authorized users and authorized devices.
• Enforce device policy by allowing only security-compliant devices to access the system.
• Protect data on the device against offline access, theft or malicious acts.

10-step process for BRADFORD'S BYOD model (application level: Technical)
1) Determine which mobile devices are allowed to access.
2) Determine which OS versions are allowed: only approved and secure OS versions.
3) Determine which applications are required for security settings configuration.
4) Determine which groups of employees can use these devices and implement user device policies.
5) Determine what network access will be assigned based on who, what, where and when conditions.
6) Educate users before they purchase devices for BYOD, through communication policies.
7) Inventory of trusted and untrusted devices, for administration and for forensic purposes.
8) Inventory of trusted and untrusted users.
9) Controlled network access based on risk posture (access provisioning to the network).
10) Assessment and continuous vulnerability correction.

BYOD Security Framework (BSF) (application level: Technical)
• Spatial isolation is necessary for the personal space and the corporate space to be separated from each other, and to allow policies to be implemented for each of them individually.
• Corporate data protection is necessary so that unauthorized access to this data becomes unfeasible, which is achieved by encrypting all corporate data stored on the BYOD device.
• The security policy must be enforced so that the devices meet the requirements of the company.
• Defines two entities: the business side and the device side.
• Mobile devices are managed by integrating an MDM solution, which is based on the policy database and applies these policies to BYOD devices.

Remote Mobile Display (RMS) (application level: Technical)
• Modifies the BSF architecture by moving the corporate space located on the mobile device to the corporate network.
• Provides the employee with a virtual machine (VM) that runs a mobile operating system.
• Adds a new component called Corporate Space Manager, which is used to manage access to mobile virtual machines located on the corporate network.
• Uses the Virtual Network Computing (VNC) protocol, which in turn is based on the Remote Framebuffer (RFB) protocol, to allow the user to access their own corporate space.
5 Integral Security Model for Managing BYOD.
Are there integral security models with the minimum requirements to maximize the advantages of BYOD? According to the reviewed literature, there isn't a model that allows integral management of security in BYOD environments. This is supported by the previous section describing the security model characteristics: it can be concluded that each security model is designed to partially manage the threats which affect BYOD environments, but there is no integral model that tries to manage both the technical and human factors in BYOD environments. In addition, some models do not provide a degree of confidence and satisfaction when used, so that maximum advantage of the benefits that BYOD offers is not taken. Cisco proposes an integral model, but it is based only on technical solutions; it does not manage the human part and leaves aside other considerations of other models.
Below are the guidelines that must be taken into account to plan and design an Integral Security Model and to make the most out of BYOD.
• Establish close coordination across multiple disciplines and among stakeholders, supported at the highest levels of government (Zahadat, et al., 2015).
• Understand the business environment, who the users are and what resources they access (Zahadat, et al., 2015).
• BYOD standards, in order to ensure BYOD devices are able to support functional and security requirements. Organizations should establish requirements that are aligned with the organization's missions, goals and objectives (Zahadat, et al., 2015).
• Device Management system (MDM). This must provide control of applications, data and configuration parameters for mobile devices; the device is provisioned using Over-The-Air (OTA) or another enrollment process. During provisioning, the device is installed with any configurations, settings, software and certificates necessary to prepare it for BYOD (Zahadat, et al., 2015).
• Manage assets. This encompasses the full range of processes and technologies by which BYOD devices are registered and approved, configuration-controlled, and managed. Asset management includes activities to formally approve users and devices into the BYOD program, register devices, install the required software, configurations and applications to meet organizational requirements, and manage the relationship between the organization, the user and the device throughout the BYOD cycle (Zahadat, et al., 2015).
• Controlling the network environment. A purpose-built network will permit BYOD devices to access required organization resources while retaining strategic intersection points where protective, detective and reactive security controls can be placed. Technological solutions capable of performing the required functions include firewalls, access-control lists, virtual local area networks (VLANs), zoning, VPN and application wrapping (Zahadat, et al., 2015).
• Governance. Organizational planners will need to identify the policies, processes and procedures used to operate and monitor the organization's BYOD program. Governance should include statutory, regulatory, legal, security, environmental and operational requirements. It is critical to understand the limitations of mobile security technology in order to comprehend which aspects of the BYOD security program are technically enforceable and which rely solely on policy for enforcement (Zahadat, et al., 2015).
• Network Access Control. Establishing and enforcing network access control (NAC) policies for business-owned Windows laptops can be extended to implement policies for personally owned devices (Orans, 2012); the combination of NAC and mobile device management enforces policies in a BYOD environment. Devices that are not managed by MDM agents should be limited to Internet access only, or placed in a limited-access area in which they can access a subset of applications and network resources according to the user/group role.
• (Harris, et al., 2013) mention that security awareness and training for most employees is desirable: awareness of the security problem, and training to acquire security skills. Security professionals in charge of protecting information systems need a superior level, education, meaning that expertise is developed for professionals working within the security discipline.
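The NAC rule in the guideline above, combined with the BSF access-control description from the previous section (certificate-based distinction between personal and corporate space, a policy database of allowed devices and connection parameters). This is an added illustration, not code from BSF, Bradford Networks or any product; zone names, roles, resources and device identifiers are constructed.

```python
"""NAC decision point for a BYOD network, as the survey describes it.

Added illustration (not code from Wang et al.'s BSF or from any product):
the NAC tells personal-space and corporate-space requests apart by the
certificate presented, consults the security policy database for which
devices may connect, and confines devices without an MDM agent to
Internet-only access or to a limited zone scoped by user/group role.
Zone names, roles, resources and device identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Outcomes of the access decision (constructed names)
DENY = "deny"
INTERNET_ONLY = "internet-only"
LIMITED = "limited"
CORPORATE = "corporate"


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    cert_space: Optional[str]   # "corporate", "personal", or None when no client certificate
    mdm_enrolled: bool          # an MDM agent is present and reporting on the device
    user_role: str
    resource: str               # what the device is trying to reach


@dataclass(frozen=True)
class PolicyDatabase:
    """Subset of the security policy database the BSF describes."""
    allowed_devices: FrozenSet[str]               # devices allowed on the network at all
    role_resources: Dict[str, FrozenSet[str]]     # application subset per user/group role
    internet_resources: FrozenSet[str]            # reachable from every zone except deny


def assign_zone(req: AccessRequest, policy: PolicyDatabase) -> str:
    """Decide the network zone for a request, checks in priority order."""
    # A device the policy database has never registered is denied outright.
    if req.device_id not in policy.allowed_devices:
        return DENY
    # No certificate, or a personal-space certificate: the request comes from
    # the user's own space, which spatial isolation keeps away from corporate
    # resources. Such requests get Internet access only.
    if req.cert_space != "corporate":
        return INTERNET_ONLY
    # Corporate-space certificate but no MDM agent: corporate policy cannot be
    # enforced on the device, so it goes to the limited-access zone.
    if not req.mdm_enrolled:
        return LIMITED
    return CORPORATE


def is_permitted(req: AccessRequest, policy: PolicyDatabase) -> bool:
    """Whether the requested resource is reachable from the assigned zone."""
    zone = assign_zone(req, policy)
    if zone == DENY:
        return False
    if req.resource in policy.internet_resources:
        return True
    if zone == INTERNET_ONLY:
        return False
    if zone == LIMITED:
        # Only the application subset defined for the user's role is reachable.
        return req.resource in policy.role_resources.get(req.user_role, frozenset())
    return True   # CORPORATE zone: full access to corporate resources


# Constructed sample policy database
SAMPLE_POLICY = PolicyDatabase(
    allowed_devices=frozenset({"dev-a1", "dev-b2", "dev-c3"}),
    role_resources={
        "sales": frozenset({"crm.corp.example"}),
        "engineering": frozenset({"git.corp.example", "ci.corp.example"}),
    },
    internet_resources=frozenset({"www.example.org"}),
)

if __name__ == "__main__":
    req = AccessRequest("dev-b2", "corporate", False, "sales", "git.corp.example")
    print(assign_zone(req, SAMPLE_POLICY), is_permitted(req, SAMPLE_POLICY))
```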
An obstacle to the introduction of enterprise software applications on mobile devices is that they can present their own security and compatibility issues for IT departments. The tendency for employees to use their own mobile phones, and smartphones in particular, is unstoppable, and the user is essentially taking control of the company's security program, a situation that should be addressed by developing relevant security policies and/or updating existing company policies to help protect both the company's network and its legal rights, and to reduce liability risks (Bell, 2013). The next step after applying all technical controls is to design BYOD policies for the organization's employees, which is discussed in the next section.
6 Basic Controls for Designing Security Policies for BYOD Environments.
For (Putri and Hovav, 2014), information security policy has traditionally studied only resources owned by an organization, so that organizations could have full control of their resources. In BYOD, the resources aren't owned by the organization: the devices used to carry out the work are the property of the employees. However, the accessed resources, for example the network and information, are owned by the organization. Any attempt to control an employee's personal device could create a perceived threat to their freedom in using their own device. Security policy can be perceived as a burden and an obstacle to employees' work because it restricts the way they use their own devices. With 31% of the companies surveyed by SANS saying that they do not have policies in place to handle BYOD and a further 26% stating that they only "sort of" have policies, it is possible to see how unsecured mobile devices are infiltrating corporate networks. Only 14% of companies feel that the policies they do have in place are very thorough, and 49% feel that their policies catch some basic threats or none at all. It can be seen that policies are a large issue that companies need to be addressing (Gladyng, 2013).
For (Shumate and Ketel, 2014), BYOD policies are an integral part of the control and mitigation of security problems, although they are often neglected by many companies, as indicated in the SANS survey. Each organization must create a policy that suits its unique needs and situation. This policy must be updated on a regular basis, at least once a year. As technology changes, the policy with respect to this technology type must also change. Change in the mobile industry is even faster than in the IT industry in general. The controls that manage mobile devices need to be updated to address the new risks that these changes could eventually create. With this, the answer to the fourth research question begins: what are the basic controls that should be taken into account for the design of security policies in companies with a BYOD environment? According to (Madzima, et al., 2014), policies have always been regarded as good starting points for gaining and exerting control in an enterprise, for they provide the framework for formalizing guidelines for BYOD adoption and the use of employee-owned devices. When designing, implementing and executing a policy, an enterprise would know what to do in the event that a device is lost or an employee resigns from the company, and also how to manage data and network access for all the BYOD devices. A good policy should neither be overly restrictive on how employees may use their device nor overly relaxed, to the extent of granting the enterprise access to the employee's personal data. Up next are the basic controls for designing general policies that all organizations must take into account, to serve as a starting point in the design of a specific BYOD policy.
Policies of the Organization:
• Audit devices. This involves establishing all the devices used to manage corporate data, including those owned by employees (Puhakainen and Siponen, 2010).
• Amnesty. The company's IT staff must tell employees which personally owned devices they must bring in order to be added to company networks and security features (Puhakainen and Siponen, 2010).
• Adding security. The company's IT staff must configure all employee-owned devices to meet the company's security requirements (Puhakainen and Siponen, 2010).
• Employee profiles. It is suggested that, in order to successfully classify employees, the following profiles should be taken into consideration: standard user, advanced user, professional user, guest user (Vignesh and Asha, 2015).
• Acceptable use policies. Clearly define what is allowed in terms of Internet use and particularly social media, which is fast becoming a popular avenue of attack for social engineers (Mott, 2013).
Mobile Device User Policies:
• Password. All devices must have a password to access the device, which must be changed frequently; when creating a password, consecutive numbers and data related to the employee must be avoided. According to (Allam, et al., 2014), Cisco, in a study conducted in 2013, found that nearly 40% of smartphone users do not have a password enabled on their device.
• Antivirus and anti-malware. Use these solutions to protect the device against malware and viruses; it is also necessary to activate automatic updates of these applications so that the mobile device is always protected (Downer & Bhattacharya, 2015).
• Sensitive data. Avoid accessing and processing sensitive data over public wireless networks that don't have a password or encryption (Mott, 2013).
• Lost or stolen devices. The following must be taken into account: What will the process be for notification by employees? What are the steps to eliminate access to the corporate network? What steps will be taken to eliminate the data stored on the device? Companies must have a plan in place to handle a lost or stolen device (Tewari, et al., 2015).
• Encrypt the external memory card. Memory slots are available on most mobile devices; external memory cards can be stolen, which results in a data breach, and therefore there must be encryption software to encrypt the external memory card (Vignesh and Asha, 2015).
• GPS lock. It is a location-based lock that can be applied through GPS; the data can be decrypted and accessed only from a specific geographical area, such as the workplace or home (Vignesh and Asha, 2015).
(Madzima, et al., 2014) suggest that the BYOD policy should provide evidence of employee knowledge of and agreement to the use of their personal devices to carry out the work of the company. It is also important that the company's BYOD policy covers areas of potential conflict between employees and employers.
7 BYOD Security vs Corporate-owned Device Security
In corporate-owned device environments, security management of the device is handled by the IT department. The IT department decides what is installed and what is not, the device model and the version of the OS installed; it restricts the ability to install applications and to access Internet sites. In BYOD environments the device is owned by the employees, who are therefore in charge of its security management; the IT department can apply some preventive, corrective and technical mobile security management measures, but it is the employee who has full control of the device. Table 2 shows a comparison between BYOD security and corporate-owned device security, focusing on the ease of meeting security needs.
Table 2: Difference between BYOD security and Mobile security
# | Security Features | Ease of compliance in BYOD | Ease of compliance in corporate owned device
1 | Manage extra applications installed by users | Low | High
2 | Manage devices that are accessing the corporate network | High | Low
3 | Separation between private and business spheres | High | Low
4 | Social network access management | Low | High
5 | Malware application management | Low | High
6 | Ensure that mobile devices are homogeneous | Low | High
7 | Ensure that all OS versions on mobile devices are homogeneous | Low | High
8 | Complexity of user support | Low | High
9 | Device management in the event of theft or loss | Low | High
10 | Enforcement of policies and laws | Low | High
11 | Predisposition of users to training | Low | High
12 | Manage the termination of the employee's relationship with the company | High | Low
13 | Prevent and mitigate social engineering attacks | Low | High
14 | Prevent and mitigate Advanced Persistent Threat (APT) | Low | High
15 | Ensure the privacy of company data | Low | High

Table 3 shows the coverage provided by the different BYOD security models according to the characteristics presented in Table 2. According to Table 3, it can be concluded that the BYOD models are focused on technical solutions, but for the characteristics where the employee has absolute control of the mobile device there is no model that can manage the security. For example, the use of social networks by employees cannot be managed, which could easily lead to a social engineering attack or an Advanced Persistent Threat (APT).
Table 3: Coverage of BYOD security models. Columns: Security model; Security features 01-15 (numbered as in Table 2), with an X where the model covers the feature.
Security models compared:
• Mobile Device Management (MDM)
• Mobile Application Management (MAM)
• Mobile Information Management (MIM)
• Virtualization
• Application Containers for Devices
• T-dominance
• Cisco BYOD
• Brian's BYOD Model
• 10-step process for Bradford's BYOD model
• BYOD Security Framework (BSF)
• Remote Mobile Display (RMS)
8 Future Work
There are a number of solutions to mitigate the security risks that are associated with BYOD (MDM, MAM, MIM, Application Containers, Virtualization), but these only partially solve the risks, and when they eventually solve one, a new gap will eventually open. By reviewing the literature we notice that an integral model hasn't been considered, and a future work would be precisely to design an Integral Model for the security management in BYOD environments in order to allow organizations to take full advantage of this trend.
When organizations allow their employees to use their mobile devices to perform work tasks, it is likely that there will be an increase in the use of social networks while on the job; the danger is that employees can share company data on social networking sites, often with the best of intentions, such as for support purposes. Nearly a third of IT departments suffered data loss in 2011, while 60% of them suffered two or three data losses, each with an estimated average cost of 2 to 5% of the company's total revenue (Caldwell, 2012). A future work would be mechanisms to mitigate the loss of data through social networks in BYOD environments.
Applying security policies in BYOD environments is vital to maximize the benefits of this trend and to mitigate the security risks associated with it. Some companies make these policies known through a 20-page document and expect employees to understand it, when in some cases it was written for regulators, lawyers and auditors. These documents must be written in language appropriate to the target audience, and must explain the consequences of noncompliance. According to Caldwell (2012), "Training programmes should not be developed by techies, they should be developed by marketers"; in this way it will be possible to train employees better with respect to the security policies. It must also be taken into account that people learn in different ways. User awareness is key, and awareness training should be part of every corporate security program, so another future work would be to create awareness programs that allow BYOD employees to apply security policies in a natural way and to easily detect the attacks they may be experiencing.
9 Conclusions
BYOD has become a good strategy that companies use due to its great benefits; companies like Cisco and others create technical solutions and implement policies to help mitigate the risks that come with implementing this strategy. From the review of current literature on security, it has been found that there are numerous technological strategies to address the security risks, but one main factor has been left out, and that is the human factor.
With the study of the literature regarding BYOD, the following questions could be answered:
• What are the threats that mobile devices currently face while being used in BYOD environments? The following threats were found: Advanced Persistent Threat (APT), Social Engineering, Malware, Operating System Fragmentation, Theft or Loss, Application Store, False Security Certificates, Policies and BYOD Laws.
• What are the characteristics of security models in order to manage BYOD? We found 12 security models for BYOD environments, of which 11 are based on the technical management of the mobile device and its connections. Only the BYOD Policy Management Model has characteristics oriented to the human factor.
• Are there integral security models with the minimum requirements to take full advantage of BYOD? According to the reviewed literature, there is no model that allows a comprehensive management of security in BYOD environments, because each security model is designed to manage some of the threats that affect BYOD, but there is no integral model that tries to prevent both the technical and human factors by which mobile devices can be compromised.
• What are the basic controls that should be taken into account for designing security policies in companies with a BYOD environment? The basic controls that should be considered for the design of BYOD policies are classified into organization policy controls, such as: audit devices, amnesty, security addition, employee profiles, acceptable use policies; and mobile device user policy controls, such as: password, antivirus and anti-malware, sensitive data, lost or stolen devices, encryption of external memory card, GPS lock. These controls serve as a starting point for designing a specific BYOD policy for any organization.
• What are the main differences between security in BYOD environments and security in corporate-owned mobile device environments, regarding how easy it is to meet security needs? There are 15 security features that show a complete mismatch between the ease of compliance in BYOD and the ease of compliance on corporate-owned mobile devices. There are 11 features that are easier to meet on corporate-owned mobile devices than in BYOD. Most research regarding mobile security has been done with the traditional corporate-owned device environment in mind; therefore, additional research into BYOD security management and models is needed.
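As an added example (not code from the paper or from any of the surveyed models), the controls named in the last two answers can be expressed as a conditional-access check that an MDM/NAC-style enrolment service would run before admitting a personal device: it evaluates the organization policy controls (device audit, employee profile, acceptable use policy), the mobile device user controls (password, antivirus and anti-malware, sensitive data, lost or stolen device, external memory card encryption, GPS/remote lock) and the termination of the employment relationship (feature 12 of Table 2). The posture record layout, the thresholds and the profile-to-data-class mapping are assumptions, and the three sample devices are constructed.

```python
"""Conditional-access check for a BYOD device against the basic policy
controls listed in the survey's conclusions.  Added example, not the
paper's code; field names, thresholds and the profile mapping are
assumptions made for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed ordering of data classes, least to most sensitive.
DATA_CLASSES = ["public", "internal", "confidential"]
# Assumed employee profile -> most sensitive data class the profile may handle
# (the "employee profiles" and "sensitive data" controls).
PROFILE_MAX_DATA = {"contractor": "public", "staff": "internal", "finance": "confidential"}


@dataclass
class DevicePosture:
    """Posture record an enrolment agent would report (assumed layout)."""
    device_id: str
    owner: str
    employment_active: bool        # Table 2 feature 12: relationship still in force
    aup_accepted: bool             # acceptable use policy signed
    audited: bool                  # device present in the audit inventory
    screen_lock: bool              # password / PIN / biometric lock set
    pin_length: int
    antivirus_present: bool
    antivirus_signature_age_days: int
    sdcard_present: bool
    sdcard_encrypted: bool         # encryption of external memory card
    remote_lock_enabled: bool      # "GPS lock": locate / lock / wipe available
    reported_lost: bool            # lost or stolen device control
    profile: str


def evaluate(p: DevicePosture, requested_data: str = "internal",
             max_signature_age_days: int = 7, min_pin: int = 6) -> tuple[str, list[str]]:
    """Return ("allow" | "quarantine" | "deny", reasons) for one device.

    deny       -> access revoked outright (leaver or lost device)
    quarantine -> access withheld until the listed controls are met
    allow      -> every control satisfied for the requested data class
    """
    if requested_data not in DATA_CLASSES:
        raise ValueError(f"unknown data class: {requested_data}")
    # Organization controls that end access immediately.
    if not p.employment_active:
        return "deny", ["employment relationship terminated: revoke access, wipe corporate data"]
    if p.reported_lost:
        return "deny", ["device reported lost or stolen: lock remotely, wipe corporate container"]
    reasons: list[str] = []
    if not p.aup_accepted:
        reasons.append("acceptable use policy not accepted")
    if not p.audited:
        reasons.append("device not in audit inventory")
    # Mobile device user controls.
    if not p.screen_lock or p.pin_length < min_pin:
        reasons.append(f"screen lock missing or PIN shorter than {min_pin}")
    if not p.antivirus_present:
        reasons.append("no antivirus/anti-malware installed")
    elif p.antivirus_signature_age_days > max_signature_age_days:
        reasons.append("antivirus signatures out of date")
    if p.sdcard_present and not p.sdcard_encrypted:
        reasons.append("external memory card not encrypted")
    if not p.remote_lock_enabled:
        reasons.append("remote locate/lock not enabled")
    # Sensitive data: the owner's profile must be cleared for what is requested.
    allowed = PROFILE_MAX_DATA.get(p.profile, "public")
    if DATA_CLASSES.index(requested_data) > DATA_CLASSES.index(allowed):
        reasons.append(f"profile '{p.profile}' not cleared for {requested_data} data")
    return ("allow", []) if not reasons else ("quarantine", reasons)


# Constructed sample devices (not real inventory data).
GOOD_DEVICE = DevicePosture("dev-001", "alice", employment_active=True, aup_accepted=True,
                            audited=True, screen_lock=True, pin_length=6, antivirus_present=True,
                            antivirus_signature_age_days=2, sdcard_present=True, sdcard_encrypted=True,
                            remote_lock_enabled=True, reported_lost=False, profile="staff")
STALE_DEVICE = DevicePosture("dev-002", "bob", employment_active=True, aup_accepted=True,
                             audited=True, screen_lock=True, pin_length=6, antivirus_present=True,
                             antivirus_signature_age_days=30, sdcard_present=True, sdcard_encrypted=False,
                             remote_lock_enabled=True, reported_lost=False, profile="staff")
LEAVER_DEVICE = DevicePosture("dev-003", "carol", employment_active=False, aup_accepted=True,
                              audited=True, screen_lock=True, pin_length=6, antivirus_present=True,
                              antivirus_signature_age_days=1, sdcard_present=False, sdcard_encrypted=False,
                              remote_lock_enabled=True, reported_lost=False, profile="finance")


def run_samples() -> dict[str, str]:
    """Decision per sample device, as an access gateway would log it."""
    return {d.device_id: evaluate(d)[0] for d in (GOOD_DEVICE, STALE_DEVICE, LEAVER_DEVICE)}


if __name__ == "__main__":
    for d in (GOOD_DEVICE, STALE_DEVICE, LEAVER_DEVICE):
        decision, why = evaluate(d)
        print(d.device_id, decision, "; ".join(why))
```

The two "deny" branches are checked before any other control so that a leaver's or a lost device is never merely quarantined; everything else accumulates into a reason list that the employee (or the support desk) can act on, which is what makes the check usable as a policy-enforcement point rather than a silent block.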
References
Algarni, A., Xu, Y., Chan, T., and Tian, Y.-C. (2013). Social
engineering in social networking sites: Affect-based
model. 8th International Conference for Internet
Technology and Secured Transactions (ICITST-2013).
Allam, S., Flowerday, S. V., and Flowerday, E. (2014).
Smartphone information security awareness: A victim of
operational pressures. Computers & Security, pp.56-65.
Arabo, A., and Pranggono, B. (2013). Mobile Malware and Smart
Device Security: Trends, Challenges and Solutions. 19th
International Conference on Control Systems and
Computer Science.
Armando, A., Costa, G., Merlo, A., Verderame, L., and Wrona, K.
(2016). Developing a NATO BYOD security policy.
International Conference on Military Communications
and Information Systems (ICMCIS), pp.1-6.
Bann, L. L., Mahinderjit, M., and Samsudin, A. (2015). Trusted
Security Policies for Tackling Advanced Persistent
Threat via Spear Phishing in BYOD Environment.
Procedia Computer Science, pp.129–136.
Bell, M. (2013). Considerations When Implementing a BYOD
Streategy. The Role of IS Assurance & Security
Management, pp.19-21.
Boon, G. L., and Sulaiman, H. (2015). A Review on
Understanding of BYOD Issues, Frameworks and
Policies. The 3rd National Graduate Conference
(NatGrad2015), Universiti Tenaga Nasional, Putrajaya
Campus, pp.272-277.
Bradford, N. (2013). Ten Steps to Secure BYOD. White Paper.
Caldwell, T. (2012). Training – the weakest link. Computer Fraud
& Security, pp.8-14.
de las Cuevas, P., Mora, A. M., Merelo, J. J., Castillo, P. A., García-Sánchez, P., and Fernández-Ares, A. (2015). Corporate security solutions for BYOD: A novel user-centric and self-adaptive system. Computer Communications, pp.83–95.
Dang-Pham, D., and Pittayachawan, S. (2015). Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A Protection Motivation Theory approach. Computers & Security, pp.281–297.
Dhingra, M. (2016). Legal Issues in Secure Implementation of Bring Your Own Device (BYOD). Procedia Computer Science.
Downer, K., and Bhattacharya, M. (2015). BYOD Security: A
New Business Challenge. Conference: Proceedings of
The 5th International Symposium on Cloud and Service
Computing (SC2 2015), IEEE CS Press.
Eslahi, M., Naseri, M. V., Hashim, H., Tahir, N., and Saad, E. H.
(2014). BYOD: Current State and Security Challenges.
Computer Applications and Industrial Electronics
(ISCAIE), 2014 IEEE Symposium on.
Flores, D. A., Jhumka, A., and Qazi, F. (2016). Bring Your Own
Disclosure: Analysing BYOD Threats to Corporate
Information. Conference: 15th IEEE International
Conference on Trust, Security and Privacy in Computing
and Communications (IEEE TrustCom-16), At Tianjin,
China.
Gajar, P. K., Ghosh, A., and Rai, S. (2013). Bring Your Own
Device (Byod): Security Risks And Mitigating
Strategies. Journal of Global Research in Computer
Science, pp.62-70.
Gimenez, S. M. (2015). Remote Mobile Screen (RMS): An Approach For Secure Byod Environments. Computer Science and Engineering: Theses, Dissertations, and Student Research. http://digitalcommons.unl.edu/computerscidiss/86/?utm_source=digitalcommons.unl.edu%2Fcomputerscidiss%2F86&utm_medium=PDF&utm_campaign=PDFCoverPages
Gladyng, C. (2013). BYOD: Can It Harm Your Business? The
Role of IS Assurance & Security Management, pp.31-33.
Hallock, Z., Johnston, J., Macias, F., Saville, R., and Tenneti, S.
(2013). Cisco Bring Your Own Device (BYOD). CISCO.
Harris, M. A., Patten, K., and Regan, E. (2013). The Need for
BYOD Mobile Device Security Awareness and Training.
Proceedings of the Nineteenth Americas Conference on
Information Systems, Chicago, Illinois.
Hemdi, M., and Deters, R. (2016). Data Management in Mobile
Enterprise Applications. Procedia Computer Science,
pp.418–423.
Jaramillo, D., Newhook, R., and Nassar, N. (2014). Techniques
and real world experiences in mobile device security.
SOUTHEASTCON 2014, IEEE.
Kelley, P., and Haviland, J. (2015). Leveraging Social Networks
and BYOD for Reverse Social Engineering Attacks on
Corporate Networks. Academia.edu.
Krombholz, K., Hobel, H., Huber, M., and Weippl, E. (2015).
Advanced social engineering attacks. Journal of
Information Security and Applications, pp.113–122.
Lawrence, D., and Francoise, G. (2014). Practical Legal Aspects of
BYOD. RSA Conference.
Lebek, B., Degirmenci, K., and Breitner, M. H. (2013).
Investigating the Influence of Security, Privacy, and
Legal Concerns on Employees' Intention to Use BYOD
Mobile Devices. Proceedings of the Nineteenth
Americas Conference on Information Systems, Chicago,
Illinois.
Madzima, K., Moyo, M., and Abdullah, H. (2014). Is Bring Your
Own Device an institutional information security risk for
small-scale business organisations? Information Security
for South Africa.
Morrow, B. (2012). BYOD security challenges: control and protect
your most sensitive data. Network Security, pp.5–8.
Mott, G. (2013). Social Engineering and how it Affects Your
Business. The Role Of Is Assurance & Security
Management.
Olalere, M., Taufik, M., Mahmod, R., and Abdullah, A. (2015). A
Review of Bring Your Own Device on Security Issues.
SAGE Open.
Orans, L. (2012). Securing BYOD With Network Access Control,
a Case Study. SANS Institute.
Orzeszek, M. (2013). Social Engineering and Business Practice.
The Role of IS Assurance & Security Management,
pp.87-89.
Page, L. (2013). The Trade Offs for Bring Your Own Devices.
THE Role Of Is Assurance & Security Management,
pp.91-94.
Pell, L. C. (2013). BYOD: Implementing the Right Policy. The
Role Of Is Assurance & Security Management, pp.95-98.
Peng, W., Li, F., Han, K. J., Zou, X., and Wu, J. (2013). T-dominance: Prioritized Defense Deployment for BYOD Security. IEEE Conference on Communications and Network Security (CNS).
Perakovic, D., Husnjak, S., and Cvitić, I. (2014). Comparative
analysis of enterprise mobility management systems in
BYOD environment. Conference: Research Conference
In Technical Disciplines RCITD, At Zilina, Slovak
Republic.
Puhakainen, P., and Siponen, M. (2010). Improving Employees’
Compliance Through Information Systems Security
Training: An Action Research Study. MIS Quarterly,
pp.757-778.
Putri, F. F., and Hovav, A. (2014). Employees’ Compliance with
BYOD Security Policy: Insights from Reactance,
Organizational Justice, and Protection Motivation
Theory. Association for Information Systems.
Rose, C. (2013). BYOD: An Examination Of Bring Your Own
Device In Business. Review of Business Information
Systems, pp.65-69.
Schulze, H. (2016). Byod & Mobile Security. SPOTLIGHT
REPORT.
Shumate, T., and Ketel, M. (2014). Bring Your Own Device: Benefits, risks and control techniques. SOUTHEASTCON 2014, IEEE.
Tewari, A., Nagdev, P., and Kiran, I. (2015). BYOD:Usability.
International Journal of Computer Science and
Information Technologies (IJCSIT), pp.2081-2814.
Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, pp.12-13.
Tu, Z., and Yuan, Y. (2012). Understanding User's Behaviors in Coping with Security Threat of Mobile Devices Loss and Theft. 45th Hawaii International Conference on System Sciences.
Vallina, N., Amann, J., Kreibich, C., Weaver, N. and Paxson, V.
(2014). A Tangled Mass: The Android Root Certificate
Stores. Proceedings of the 10th ACM International on
Conference on emerging Networking Experiments and
Technologies, pp.141-148.
Vignesh, U., and Asha, S. (2015). Modifying Security Policies
Towards BYOD. Procedia Computer Science, pp.511-516.
Wang, Y., Wei, J., and Vangury, K. (2014). Bring your own device
security issues and challenges. Conference: 2014 IEEE
11th Consumer Communications and Networking
Conference (CCNC).
Yadav, S., Ganguly, U., Suman, S., and Puri, P. (2015). Threats
and Vulnerabilities of BYOD and Android. International
Journal of Research, pp.997-1003.
Zahadat, N., Paul, B., Timothy, B., and Olson, B. A. (2015).
BYOD security engineering: A framework and its
analysis. Computers & Security, pp.81-99.