Biblio

This research covers the problem related to user behavior and its relationship with the protection of computer assets in terms of confidentiality, integrity, and availability. The main objective was to evaluate the relationship between the dimensions of awareness, compliance and appropriation of the information security culture and the asset protection variable, the ISCA diagnostic instrument was applied, and social engineering techniques were incorporated for this process. The results show the levels of awareness, compliance and appropriation of the university that was considered as a case study, these oscillate between the second and third level of four levels. Similarly, the performance regarding asset protection ranges from low to medium. It was concluded that there is a significant relationship between the variables of the investigation, verifying that of the total types of incidents registered in the study case, approximately 69% are associated with human behavior. As a contribution, an information security culture model was formulated whose main characteristic is a complementary diagnostic process between surveys and social engineering techniques, the model also includes the information security management system, risk management and security incident handling as part of the information security culture ecosystem in an enterprise.

Various communication protocols are currently used in the Internet of Things (IoT) devices. One of the protocols that are already standardized by ISO is MQTT protocol (ISO / IEC 20922: 2016). Many IoT developers use this protocol because of its minimal bandwidth requirement and low memory consumption. Sometimes, IoT device sends confidential data that should only be accessed by authorized people or devices. Unfortunately, the MQTT protocol only provides authentication for the security mechanism which, by default, does not encrypt the data in transit thus data privacy, authentication, and data integrity become problems in MQTT implementation. This paper discusses several reasons on why there are many IoT system that does not implement adequate security mechanism. Next, it also demonstrates and analyzes how we can attack this protocol easily using several attack scenarios. Finally, after the vulnerabilities of this protocol have been examined, we can improve our security awareness especially in MQTT protocol and then implement security mechanism in our MQTT system to prevent such attack.

Phishing continues to remain a lucrative market for cyber criminals, mostly because of the vulnerable human element. Through emails and spoofed-websites, phishers exploit almost any opportunity using major events, considerable financial awards, fake warnings and the trusted reputation of established organizations, as a basis to gain their victims' trust. For many years, humans have often been referred to as the `weakest link' towards protecting information. To gain their victims' trust, phishers continue to use sophisticated looking emails and spoofed websites to trick them, and rely on their victims' lack of knowledge, lax security behavior and organizations' inadequate security measures towards protecting itself and their clients. As such, phishing security controls and vulnerabilities can arguably be classified into three main elements namely human factors (H), organizational aspects (O) and technological controls (T). All three of these elements have the common feature of human involvement and as such, security gaps are inevitable. Each element also functions as both security control and security vulnerability. A holistic framework towards combatting phishing is required whereby the human feature in all three of these elements is enhanced by means of a security education, training and awareness programme. This paper discusses the educational factors required to form part of a holistic framework, addressing the HOT elements as well as the relationships between these elements towards combatting phishing. The development of this framework uses the principles of design science to ensure that it is developed with rigor. Furthermore, this paper reports on the verification of the framework.