Wednesday, May 6, 2020

Human Centred Security and Privacy Research - MyAssignmenthelp.com

Question: Discuss about the Human Centred Security and Privacy Research.

Answer:

Introduction

Every user, business unit and Government is associated with a lot of data and information in the present scenario of digitalization. There are numerous web-based and cloud computing applications that are being used by all of these entities for a variety of different purposes. As a result, many security risks and concerns have emerged which are required to be managed, controlled and dealt with. The Victorian Protective Data Security Framework, abbreviated as VPDSF, is a Victorian Government security initiative that has been brought forward to keep the public sector unit of Victoria safe from security occurrences. Public sector units carry out many operations and activities which are open to many security risks. VPDSF has three major elements: the security definition and protocols, an assurance model in association with security, and many supporting guides and references to move ahead in the direction of security. The report also covers many of the areas for protection against security events and threats.

There are certain security risks and concerns that have a low likelihood or a low impact. In the case of the VIC Government, the data security risks that may take place will have the potential to cause damage to the public and private information sets associated with the public sector unit of Victoria. There are two such security attacks that have a high exposure in association with the VIC Government. Insider threats may be carried out by the internal employees of the various organizations belonging to the public sector unit in Victoria. These internal entities will be aware of the data security policies and mechanisms being applied and may take advantage of the same to cause damage to the properties of the information sets. In addition to the same, there may also be attacks on the information availability with the execution of flooding attacks (Cpdp, 2016).

Risks with Medium Exposure

The next category of the attacks is the risks with medium risk exposure. There may be cases of information and data breaches, along with occurrences which may lead to the leakage of information to unauthorized entities. The integrity of the information is one of the properties that may get violated with integrity attacks such as message alteration, media alteration or changes in the properties of the data packets. The access points in the network may be utilized for this purpose, which may impact the information present in the databases or the information under transmission as well. Some security risks may lead to damage to the information properties of personal and sensitive information sets. There are tighter legal policies associated with these information sets, and a security attack in turn may lead to the emergence of further risks in the form of legal risks and regulatory obligations. There are initiatives that the VIC Government has taken to provide additional protection to these sensitive data sets, and therefore the likelihood of occurrence is not very high. Public sector units in the VIC Government have many people deployed at various levels in the technical, operational and managerial departments. Due to the presence of so many activities and the need to execute so many different processes, technical or operational errors may be executed. These may lead to some permanent damage which may not be rolled back. Such risks are therefore placed in this category (Dang-Pham, 2017).

Data and information security attacks that are given shape by the attackers involve many threat agents. There are also different motives and benefits involved with each such occurrence. The case is the same with the VIC Government, which may become victim to many of the information security attacks. These occurrences have been put in two categories on the basis of the motive of the attacker involved. These risks may be deliberately caused or may be caused by an accidental step.

Deliberate Threats
- Motive: in these forms of attacks on data and information security, the primary motive of the attack is to cause intentional damage to the contents and properties of the data sets.
- Impact: the damage and the outcomes of these attacks can be extremely severe in a negative manner.
- Timing: the time of execution of these attacks is determined in advance and they are planned to be triggered at a specific time.
- Examples: flooding attacks such as denial of service and distributed denial of service and other availability attacks (Kaynar, 2016); malware attacks such as the ones caused by the triggering and launch of a virus or worm; network based security attacks such as man in the middle attacks, eavesdropping attacks etc.

Accidental Threats
- Motive: in these forms of attacks on data and information security, the primary motive is not to cause intentional damage to the contents and properties of the data sets. These are caused by an accident.
- Impact: these attacks may have no or low impact, or may also cause permanent damage with a severe impact.
- Timing: the time of execution of these attacks is not known or planned, as they are caused by accident.
- Examples: information loss or leakage due to an operational error or a deviation from the regular path; information breaching by an external entity due to exposure of private information.

Attacks that are caused by the internal employees of the agencies and organizations can fall in either of these two threat categories. This is because there may be certain insiders that cause deliberate damage by giving shape to the information and data security risks. Insider attacks may also come in the category of accidental risks and attacks. There may be certain insiders that cause unintentional damage by giving shape to the information and data security risks due to an accident.

Irrespective of the type of security risk or attack, it is necessary to control and prevent the same. The VIC Government has also carried out an analysis of the possible deliberate and accidental threats and has therefore developed measures to prevent and detect these risks. There are also various other organizations and departments that have carried out successful steps and strategies to control these attacks. One such entity is the Department of Homeland Security, which has successfully controlled various deliberate and accidental threats and attacks. A step-by-step procedure was followed in this case. In the initial step, an analysis was carried out to identify and classify the attacks in each of the two categories. In the next step, mitigation guidelines and strategies were developed and identified to put a check on the security occurrences that were identified. It was concluded that the deliberate attacks were intentional and planned in advance, and therefore had the potential to cause damage that was severe in most cases as compared to the accidental attacks. Many security gaps were highlighted by the Department of Homeland Security in its analysis phase. The department as a result implemented many automated solutions to resolve the gaps that were discovered. Training sessions were also conducted to improve the knowledge of the insiders. It is recommended for the VIC Government to follow a similar policy, such that the security gaps are listed and identified and measures are developed and implemented in accordance with the same (Korzhik, 2003).

Security/Risk Management Execution: Possible Challenges and Issues

Management of the security risks can be done by adopting different methods and techniques. Some of these methods may use resources that are internal in nature, while certain measures may be taken which involve the use of external resources and entities. The aim in both cases will be to put a stop to the security risks and occurrences. In the case of the internal methodology, in-house development processes will be used to give rise to the required security controls and protocols. The security infrastructure in the VIC Government will thereafter make use of all the controls developed. The resources in terms of tools, equipment, processes and human resources used in this methodology will be entirely internal in nature. There is a specific set of challenges associated with these methods. There may be insufficient skills and inadequate knowledge, which may lead to the compromise of security. The human resources working on the development process will have additional information on the security framework which may be misused by them. There may be technical failures that lead to breakdown. There may be operational errors that cause permanent damage.

The second methodology recommended in association with the VIC Government is the use and application of external methods and resources. In this case, the best possible method will be the use of an outsourcing process. In this process, third parties will be contacted to develop and implement the necessary security protocols. The external method will cost more than the internal method and there may be a number of additional costs involved (Bertino, 2015). There may be deviations observed in terms of the functional and non-functional requirements. The production data and information may be tampered with. The changes introduced with the adoption of either of these two processes will be common to both. These will give rise to many migration challenges in terms of change planning and management of these changes.

Comparison of Risks and Uncertainties

Risk and uncertainty are two terms that are often used interchangeably. However, there is a vast difference between the two terms, their meaning and their results. Risk is a term that refers to an event or occurrence that is predictable and can therefore be controlled as well. The impacts that a risk may have may be positive but are usually negative in nature. There are many data and information security risks that may be executed by attackers in association with the VIC Government. These risks may have a varying degree of impact, as the impact may be low or exactly the opposite. There are two security attacks that have a high exposure in association with the VIC Government. Insider threats may be carried out by the internal employees of the various organizations belonging to the public sector unit in Victoria. In addition to the same, there may also be attacks on the information availability with the execution of flooding attacks. There may be cases of information and data breaches, along with occurrences which may lead to the leakage of information to unauthorized entities. The integrity of the information is one of the properties that may get violated with integrity attacks such as message alteration, media alteration or changes in the properties of the data packets. Some of the security events may lead to the emergence of legal and regulatory risks with medium-low impact. Due to the presence of so many activities and the need to execute so many different processes, technical or operational errors may be executed. These may lead to some permanent damage which may not be rolled back. Such risks are therefore placed in the category of low-impact risks (Pernebekova, 2015).

Uncertainties refer to occurrences and events that are not predictable, and for the same reason it is difficult to put any control on these occurrences. One such event may be changes in the rules defined by the Government in terms of the regulatory processes or legal policies that are set up. With changes in the terms and conditions of these policies, there will be a direct impact on the agencies and organizations connected with them. The VIC Government is made up of hundreds of agencies and organizations that adopt these policies in their framework and have developed their security profile accordingly. With such uncertain events, modifications will become mandatory to execute, which may lead to the violation of security.

Risk Control and Mitigation

The first approach suggested for the VIC Government is the administrative approach, which involves the use of advanced measures in security administration. The overall security status and scenario is based upon the policies and plans implemented in association with data and information security. It is therefore necessary to have advanced administrative policies and measures in place. This approach suggests the use and implementation of automated tools for security administration such as security audits, security reviews and inspections. These tools will provide the administrators with an automated process to carry out these activities. The VIC Government shall also make sure that the security administrators have a correct mix of skills and knowledge.

The second approach recommended to the VIC Government is the use of technical approaches and methods (Joshi, 2017). There are many technical tools that are automated in nature and are built using the latest technology. These tools shall be installed and implemented in the agencies and organizations governed by the VIC Government to detect, prevent and control attacks on information confidentiality, integrity and availability. These tools will also minimize the occurrence of network based attacks, as the network activities will be captured on a non-stop basis.

Physical Security Approach for Risk Mitigation

Data and information associated with the VIC Government is placed at data centres, employee workstations, cloud databases, server rooms and various other physical and virtual environments (Shamala, 2013). The third approach recommended for security and risk mitigation is the physical security approach. It will make use of physical entities at all the access and entry points to manage access and identity. Out of the three approaches suggested, the one recommended is the technical approach. This approach has been recommended as it will provide the VIC Government with the latest technology and tools to deal with security risks and attacks. Also, there shall be an update on the administrative and physical security to strengthen the security framework (Renaud, 2017).

Conclusion

The data security risks that may take place in the VIC Government may impact three primary properties of information: confidentiality, availability and integrity. It is required to develop mechanisms to control all of these risks, and the use of a technical approach towards security will serve the purpose. It will include the latest set of security tools and equipment that will not only identify the security risks but will also lead to the control and prevention of the risks (Elci, 2015).

References

Bertino, E. (2015). Security and privacy of electronic health information systems. International Journal of Information Security, 14(6), 485-486. https://dx.doi.org/10.1007/s10207-015-0303-z
Cpdp. (2016). Victorian Protective Data Security Framework. Retrieved 28 August 2017, from https://www.cpdp.vic.gov.au/images/content/pdf/data_security/20160628%20VPDSF%20Framework%20June%202016%20v1.0.pdf
Dang-Pham, D. (2017). Exploring behavioral information security networks in an organizational context: An empirical case study. Journal of Information Security and Applications, 34, 46-62. https://dx.doi.org/10.1016/j.jisa.2016.06.002
Elci, A. (2015). Editorial: Special issue on security of information and networks. Journal of Information Security and Applications, 22, 1-2. https://dx.doi.org/10.1016/j.jisa.2015.06.002
Joshi, C. (2017). Information security risks management framework: A step towards mitigating security risks in university network. Journal of Information Security and Applications, 35, 128-137. https://dx.doi.org/10.1016/j.jisa.2017.06.006
Kaynar, K. (2016). A taxonomy for attack graph generation and usage in network security. Journal of Information Security and Applications, 29, 27-56. https://dx.doi.org/10.1016/j.jisa.2016.02.001
Korzhik, V. (2003). Hybrid authentication based on noisy channels. International Journal of Information Security, 1(4), 203-210. https://dx.doi.org/10.1007/s10207-002-0017-x
Pernebekova, A. (2015). Information Security and the Theory of Unfaithful Information. Journal of Information Security, 06(04), 265-272. https://dx.doi.org/10.4236/jis.2015.64026
Renaud, K. (2017). Contemplating human-centred security privacy research: Suggesting future directions. Journal of Information Security and Applications, 34, 76-81. https://dx.doi.org/10.1016/j.jisa.2017.05.006
Shamala, P. (2013). A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), 45-52. https://dx.doi.org/10.1016/j.jisa.2013.07.002
