Real-time risk analysis : a modern perspective on network security with a prototype
- Authors: Venter, Hein S.
- Date: 2012-08-16
- Subjects: Internet - Security measures. , Computer networks - Security measures. , Risk assessment - Data processing.
- Type: Thesis
- Identifier: uj:9571 , http://hdl.handle.net/10210/5995
- Description: M.Sc. , The present study was undertaken in a bid within the realm of the existing Internet working environment to meet the need for a more secure network-security process in terms of which possible risks to be incurred by Internet users could be identified and controlled by means of the appropriate countermeasures in real time. On launching the study, however, no such formal risk-analysis model has yet been developed specifically to effect risk analysis in real time. This, then, gave rise to the development of a prototype specifically aimed at the identification of risks that could pose a threat to Internet users' private data — the so-called "Real-time Risk Analysis" (RtRA) prototype. In so doing, the principal aim of the study, namely to implement the RtRA prototype, was realised. Following, an overview of the research method employed to realise the objectives of the study. Firstly, background information on and the preamble to the issues and problems to be addressed were provided, as well as a well-founded motivation for the study. The latter included theoretical studies on current network security and Transmission Control Protocol/Internet Protocol (TCP/IP). Secondly, the study of existing TCP/IP packet-intercepting tools available on the Internet brought deeper insight into how TCP/IP packets are to be intercepted and handled. In the third instance, the most recent development in network security — firewalls — came under discussion. The latter technology represents a "super-developed" TCP/IP packet-intercepting tool that implements the best known security measures. In addition, the entire study was based on firewall technology and the model that was developed related directly to firewalls. Fourthly, a prototype, consisting of three main modules, was implemented in a bid to prove that RtRA is indeed tenable and practicable. In so doing, the second module of the prototype, namely the real-time risk-identification and countermeasure-execution module, was given special emphasis. The modus operandi of the said prototype was then illustrated by means of a case study undertaken in a simulated Internet working environment. The study culminated in a summation of the results of and the conclusions reached on the strength of the research. Further problem areas, which could become the focal points of future research projects, were also touched upon.
- Full Text:
- Authors: Venter, Hein S.
- Date: 2012-08-16
- Subjects: Internet - Security measures. , Computer networks - Security measures. , Risk assessment - Data processing.
- Type: Thesis
- Identifier: uj:9571 , http://hdl.handle.net/10210/5995
- Description: M.Sc. , The present study was undertaken in a bid within the realm of the existing Internet working environment to meet the need for a more secure network-security process in terms of which possible risks to be incurred by Internet users could be identified and controlled by means of the appropriate countermeasures in real time. On launching the study, however, no such formal risk-analysis model has yet been developed specifically to effect risk analysis in real time. This, then, gave rise to the development of a prototype specifically aimed at the identification of risks that could pose a threat to Internet users' private data — the so-called "Real-time Risk Analysis" (RtRA) prototype. In so doing, the principal aim of the study, namely to implement the RtRA prototype, was realised. Following, an overview of the research method employed to realise the objectives of the study. Firstly, background information on and the preamble to the issues and problems to be addressed were provided, as well as a well-founded motivation for the study. The latter included theoretical studies on current network security and Transmission Control Protocol/Internet Protocol (TCP/IP). Secondly, the study of existing TCP/IP packet-intercepting tools available on the Internet brought deeper insight into how TCP/IP packets are to be intercepted and handled. In the third instance, the most recent development in network security — firewalls — came under discussion. The latter technology represents a "super-developed" TCP/IP packet-intercepting tool that implements the best known security measures. In addition, the entire study was based on firewall technology and the model that was developed related directly to firewalls. Fourthly, a prototype, consisting of three main modules, was implemented in a bid to prove that RtRA is indeed tenable and practicable. In so doing, the second module of the prototype, namely the real-time risk-identification and countermeasure-execution module, was given special emphasis. The modus operandi of the said prototype was then illustrated by means of a case study undertaken in a simulated Internet working environment. The study culminated in a summation of the results of and the conclusions reached on the strength of the research. Further problem areas, which could become the focal points of future research projects, were also touched upon.
- Full Text:
Information security in health-care systems: a new approach to IT risk management
- Authors: Smith, Elmé
- Date: 2012-08-16
- Subjects: Information technology - Security measures , Information resources management , Computer security , Health facilities management
- Type: Thesis
- Identifier: uj:9451 , http://hdl.handle.net/10210/5884
- Description: Ph.D. , The present study originated from a realisation about the unique nature of the medical domain and about the limitations of existing risk-management methodologies with respect to incorporating the special demands and salient features of the said domain. A further incentive for the study was the long-felt need for proper Information Technology (IT) risk management for medical domains, especially in the light of the fact that IT is playing an ever-greater part in the rendering of health-care services. This part, however, introduces new information-security challenges every day, especially as far as securing sensitive medical information and ensuring patients' privacy are concerned. The study is, therefore, principally aimed at making a contribution to improving IT risk management in the medical domain and, for this reason, culminates in an IT risk-management model specifically developed for and propounded in the medical domain. While developing this model, special care was taken not only to take into consideration the special demands of the said domain when assessing IT risks but also that it would be suited to the concepts, terminology and standards used in and applied to this domain every day. The most important objectives of the study can be summarised as follows: A thorough investigation into modern trends in information security in the medical domain will soon uncover the key role IT is playing in this domain. Regrettably, however, this very trend also triggers a steep increase in IT riskincidence figures, which, in this domain, could often constitute the difference between life and death. The clamant need for effective risk-management methods to enhance the information security of medical institutions is, therefore, self-evident. After having explored the dynamic nature of the medical domain, the requirements were identified for a risk-management model aimed at effectively vi managing the IT risks to be incurred in a typical medical institution. Next, a critical evaluation of current risk-assessment techniques revealed that a fresh approach to IT risk management in medical domains is urgently necessary. An IT risk-management model, entitled "RiMaHCoF" (that is, "Risk Management in Health Care — using Cognitive Fuzzy techniques"), was developed and propounded specifically for the medical domain hereafter. The proposed model enhances IT risk management in the said domain in the sense that it proceeds on the assumption that the patient and his/her medical information constitute the primary assets of the medical institution.
- Full Text:
- Authors: Smith, Elmé
- Date: 2012-08-16
- Subjects: Information technology - Security measures , Information resources management , Computer security , Health facilities management
- Type: Thesis
- Identifier: uj:9451 , http://hdl.handle.net/10210/5884
- Description: Ph.D. , The present study originated from a realisation about the unique nature of the medical domain and about the limitations of existing risk-management methodologies with respect to incorporating the special demands and salient features of the said domain. A further incentive for the study was the long-felt need for proper Information Technology (IT) risk management for medical domains, especially in the light of the fact that IT is playing an ever-greater part in the rendering of health-care services. This part, however, introduces new information-security challenges every day, especially as far as securing sensitive medical information and ensuring patients' privacy are concerned. The study is, therefore, principally aimed at making a contribution to improving IT risk management in the medical domain and, for this reason, culminates in an IT risk-management model specifically developed for and propounded in the medical domain. While developing this model, special care was taken not only to take into consideration the special demands of the said domain when assessing IT risks but also that it would be suited to the concepts, terminology and standards used in and applied to this domain every day. The most important objectives of the study can be summarised as follows: A thorough investigation into modern trends in information security in the medical domain will soon uncover the key role IT is playing in this domain. Regrettably, however, this very trend also triggers a steep increase in IT riskincidence figures, which, in this domain, could often constitute the difference between life and death. The clamant need for effective risk-management methods to enhance the information security of medical institutions is, therefore, self-evident. After having explored the dynamic nature of the medical domain, the requirements were identified for a risk-management model aimed at effectively vi managing the IT risks to be incurred in a typical medical institution. Next, a critical evaluation of current risk-assessment techniques revealed that a fresh approach to IT risk management in medical domains is urgently necessary. An IT risk-management model, entitled "RiMaHCoF" (that is, "Risk Management in Health Care — using Cognitive Fuzzy techniques"), was developed and propounded specifically for the medical domain hereafter. The proposed model enhances IT risk management in the said domain in the sense that it proceeds on the assumption that the patient and his/her medical information constitute the primary assets of the medical institution.
- Full Text:
The application of artificial intelligence within information security.
- Authors: De Ru, Willem Gerhardus
- Date: 2012-08-17
- Subjects: Artificial intelligence , Computer security , Fuzzy logic , Information resources management , Electronic data processing departments - Security measures
- Type: Thesis
- Identifier: uj:2641 , http://hdl.handle.net/10210/6087
- Description: D.Phil. , Computer-based information systems will probably always have to contend with security issues. Much research have already gone into the field of information security. These research results have yielded some very sophisticated and effective security mechanisms and procedures. However, due to the ever increasing sophistication of criminals, combined with the ever changing and evolving information technology environment, some limitations still exist within the field of information security. Recent years have seen the proliferation of products embracing so-called artificial intelligence technologies. These products are in fields as diverse as engineering, business and medicine. The successes achieved in these fields pose the question whether artificial intelligence has a role to play within the field of information security. This thesis discusses limitations within information security and proposes ways in which artificial intelligence can be effectively applied to address these limitations. Specifically, the fields of authentication and risk analysis are identified as research fields where artificial intelligence has much to offer. These fields are explored in the context of their limitations and ways in which artificial intelligence can be applied to address these limitations. This thesis identifies two mainstream approaches in the attainment of artificial intelligence. These mainstream approaches are referred to as the "traditional" approach and the "non-traditional" approach. The traditional approach is based on symbolic processing, as opposed to the non-traditional approach, which is based on an abstraction of human reasoning. A representative technology from each of these mainstream approaches is selected to research their applicability within information security. Actual working prototypes of artificial intelligence techniques were developed to substantiate the results obtained in this research.
- Full Text:
- Authors: De Ru, Willem Gerhardus
- Date: 2012-08-17
- Subjects: Artificial intelligence , Computer security , Fuzzy logic , Information resources management , Electronic data processing departments - Security measures
- Type: Thesis
- Identifier: uj:2641 , http://hdl.handle.net/10210/6087
- Description: D.Phil. , Computer-based information systems will probably always have to contend with security issues. Much research have already gone into the field of information security. These research results have yielded some very sophisticated and effective security mechanisms and procedures. However, due to the ever increasing sophistication of criminals, combined with the ever changing and evolving information technology environment, some limitations still exist within the field of information security. Recent years have seen the proliferation of products embracing so-called artificial intelligence technologies. These products are in fields as diverse as engineering, business and medicine. The successes achieved in these fields pose the question whether artificial intelligence has a role to play within the field of information security. This thesis discusses limitations within information security and proposes ways in which artificial intelligence can be effectively applied to address these limitations. Specifically, the fields of authentication and risk analysis are identified as research fields where artificial intelligence has much to offer. These fields are explored in the context of their limitations and ways in which artificial intelligence can be applied to address these limitations. This thesis identifies two mainstream approaches in the attainment of artificial intelligence. These mainstream approaches are referred to as the "traditional" approach and the "non-traditional" approach. The traditional approach is based on symbolic processing, as opposed to the non-traditional approach, which is based on an abstraction of human reasoning. A representative technology from each of these mainstream approaches is selected to research their applicability within information security. Actual working prototypes of artificial intelligence techniques were developed to substantiate the results obtained in this research.
- Full Text:
A new perspective and a framework for software generation
- Authors: De la Harpe, Margaretha
- Date: 2012-08-17
- Subjects: Computer software - Development , Software engineering
- Type: Thesis
- Identifier: uj:2645 , http://hdl.handle.net/10210/6090
- Description: M.Sc. , The following questions led to this study: Why are there still so many approaches to the software generation process without one single approach taking the lead? Not only are there several methodologies available for the software generation process, but a methodology is not in use for long before it is replaced by an improved version or even another methodology. This is as a result of continuing further development and research. Sometimes the new methodology is not necessarily an improvement, but a paradigm shift. An example of this is object-orientation which followed shortly after the introduction of CASE as an alternative to software generation. Why are users to a large extent still dissatisfied and disillusioned with the software generation process even though they are more involved with it than before? User are more involved in the software generation process as a result of the availability of sophisticated tools, as well as joint sessions with the developer during the analysis and design stages of the software generation process. Yet, despite this, software systems in most cases still do not perform according to users' expectations. Why did the use of formal methodologies, based on successful techniques of the engineering field, only result in a limited improvement of the quality, control and operationalization of the software system? The cost of maintenance is still very high in relation to the total cost of generating a software system. The same degree of success attained in, say, the engineering field, could not be achieved [AND I]. Why is there a simultaneous movement towards incremental approaches and formal methods although these approaches are really moving in opposite directions? The incremental approach is based on obtaining quick results through prototyping without necessarily following a formal methodology [AND2]. Formal methods, on the other hand, attempt to formalize the software generation process through mathematical transformations. The advantage of using these mathematical transformations is that automation and verification of processes can be achieved [McC1]. Both these approaches show promising results, but the incremental approach might suit the developer better and is already used widely by practitioners. Why is it so difficult to find the correct methodology for generating a software system? The selection of an appropriate methodology is extremely difficult because of the variety of methodologies, technologies and hardware available. Some methodologies are also used for only a limited period because of rapid advances in technology. Why do sophisticated and user-friendly tools not succeed in simplifying the software generation process? Despite sophisticated tools such as CASE, where the user of these tools is guided through the different steps of the methodology, these tools have not succeeded in delivering the results expected by industry. The problems experienced during the software generation process are investigated. In order to distinguish between different approaches to software generation, is it necessary to place different approaches in relation to one another by considering the different elements of each. The characteristics and constraints of the software generation process must also be considered. All the issues pertaining to the software generation process will be discussed in terms of the problem statement.
- Full Text:
- Authors: De la Harpe, Margaretha
- Date: 2012-08-17
- Subjects: Computer software - Development , Software engineering
- Type: Thesis
- Identifier: uj:2645 , http://hdl.handle.net/10210/6090
- Description: M.Sc. , The following questions led to this study: Why are there still so many approaches to the software generation process without one single approach taking the lead? Not only are there several methodologies available for the software generation process, but a methodology is not in use for long before it is replaced by an improved version or even another methodology. This is as a result of continuing further development and research. Sometimes the new methodology is not necessarily an improvement, but a paradigm shift. An example of this is object-orientation which followed shortly after the introduction of CASE as an alternative to software generation. Why are users to a large extent still dissatisfied and disillusioned with the software generation process even though they are more involved with it than before? User are more involved in the software generation process as a result of the availability of sophisticated tools, as well as joint sessions with the developer during the analysis and design stages of the software generation process. Yet, despite this, software systems in most cases still do not perform according to users' expectations. Why did the use of formal methodologies, based on successful techniques of the engineering field, only result in a limited improvement of the quality, control and operationalization of the software system? The cost of maintenance is still very high in relation to the total cost of generating a software system. The same degree of success attained in, say, the engineering field, could not be achieved [AND I]. Why is there a simultaneous movement towards incremental approaches and formal methods although these approaches are really moving in opposite directions? The incremental approach is based on obtaining quick results through prototyping without necessarily following a formal methodology [AND2]. Formal methods, on the other hand, attempt to formalize the software generation process through mathematical transformations. The advantage of using these mathematical transformations is that automation and verification of processes can be achieved [McC1]. Both these approaches show promising results, but the incremental approach might suit the developer better and is already used widely by practitioners. Why is it so difficult to find the correct methodology for generating a software system? The selection of an appropriate methodology is extremely difficult because of the variety of methodologies, technologies and hardware available. Some methodologies are also used for only a limited period because of rapid advances in technology. Why do sophisticated and user-friendly tools not succeed in simplifying the software generation process? Despite sophisticated tools such as CASE, where the user of these tools is guided through the different steps of the methodology, these tools have not succeeded in delivering the results expected by industry. The problems experienced during the software generation process are investigated. In order to distinguish between different approaches to software generation, is it necessary to place different approaches in relation to one another by considering the different elements of each. The characteristics and constraints of the software generation process must also be considered. All the issues pertaining to the software generation process will be discussed in terms of the problem statement.
- Full Text:
Information security with specific reference to browser technology
- Authors: Prinsloo, Jacobus Johannes
- Date: 2012-08-28
- Subjects: World Wide Web , Internet - Security measures
- Type: Thesis
- Identifier: uj:3329 , http://hdl.handle.net/10210/6730
- Description: M.Comm. , The present study was undertaken in the realm of the Internet working environment, with its focus on measures by which to secure executable code in the Web-browsing environment. The principal aim of this study was to highlight the potential security risks that could be incurred while a user is browsing the World Wide Web. As a secondary objective, the researcher hoped, by means of a prototype and the process of real-time risk analyses, to alert the general Internet user population to these risks. The main objective of the prototype was to provide a framework within which users could be warned of potentially dangerous actions effected by executing code in their browsing environments in real time. Following, an overview of the research methodology employed to realise the objectives of this study. The study commenced with an introduction to the Internet and, along with that, to the World Wide Web. In the course of the introduction, the researcher took a closer look at a number of risks associated with this environment. In sketching the Internet environment and its associated risks, the researcher also provided ample motivation for the study. After having established the clamant need to secure the Web-browsing environment, a conceptual model was expounded. This model would later form the basis for the Real-time Risk Analyser prototype to be presented. In order, however, to justify further research into and development of the said RtRA prototype, it was necessary first to evaluate existing browsing technologies. A formal approach was followed to draw a comparison between the existing browsers. The said comparison also served to uncover some of the shortcomings of these browsers in terms of the security features they support. Since the focal point of this study was to be the various ways in which to secure executable code on the Internet, it was decided to launch an investigation into Java, as it probably is the most familiar executable code used in the Web browsing environment. The Java Security Model was, therefore, thoroughly researched in a bid to determine possible ways in which to monitor executable Java code. After having investigated the browsing environment and after having determined possible ways of performing real-time risk analyses, a prototype was developed that could monitor executable Java code in a browsing environment. Following, the prototype was put through its paces in a hypothetical scenario. The study culminated in a summary of the results of and the conclusions about the research study. Further problem areas that could become the focal points of future research projects were also touched upon.
- Full Text:
- Authors: Prinsloo, Jacobus Johannes
- Date: 2012-08-28
- Subjects: World Wide Web , Internet - Security measures
- Type: Thesis
- Identifier: uj:3329 , http://hdl.handle.net/10210/6730
- Description: M.Comm. , The present study was undertaken in the realm of the Internet working environment, with its focus on measures by which to secure executable code in the Web-browsing environment. The principal aim of this study was to highlight the potential security risks that could be incurred while a user is browsing the World Wide Web. As a secondary objective, the researcher hoped, by means of a prototype and the process of real-time risk analyses, to alert the general Internet user population to these risks. The main objective of the prototype was to provide a framework within which users could be warned of potentially dangerous actions effected by executing code in their browsing environments in real time. Following, an overview of the research methodology employed to realise the objectives of this study. The study commenced with an introduction to the Internet and, along with that, to the World Wide Web. In the course of the introduction, the researcher took a closer look at a number of risks associated with this environment. In sketching the Internet environment and its associated risks, the researcher also provided ample motivation for the study. After having established the clamant need to secure the Web-browsing environment, a conceptual model was expounded. This model would later form the basis for the Real-time Risk Analyser prototype to be presented. In order, however, to justify further research into and development of the said RtRA prototype, it was necessary first to evaluate existing browsing technologies. A formal approach was followed to draw a comparison between the existing browsers. The said comparison also served to uncover some of the shortcomings of these browsers in terms of the security features they support. Since the focal point of this study was to be the various ways in which to secure executable code on the Internet, it was decided to launch an investigation into Java, as it probably is the most familiar executable code used in the Web browsing environment. The Java Security Model was, therefore, thoroughly researched in a bid to determine possible ways in which to monitor executable Java code. After having investigated the browsing environment and after having determined possible ways of performing real-time risk analyses, a prototype was developed that could monitor executable Java code in a browsing environment. Following, the prototype was put through its paces in a hypothetical scenario. The study culminated in a summary of the results of and the conclusions about the research study. Further problem areas that could become the focal points of future research projects were also touched upon.
- Full Text:
Information security in a distributed banking environment, with specific reference to security protocols.
- Authors: Van Buuren, Suzi
- Date: 2012-08-22
- Subjects: Banks and banking - Security measures , Intranets (Computer networks) - Security measures , Internet - Security measures , Computer networks - Security measures
- Type: Thesis
- Identifier: uj:3063 , http://hdl.handle.net/10210/6484
- Description: M.Comm. , The principal aim of the present dissertation is to determine the nature of an electronicbanking environment, to determine the threats within such an environment and the security functionality needed to ward off these threats. Security solutions for each area at risk will be provided in short. The main focus of the dissertation will fall on the security protocols that can be used as solutions to protect a banking system. In the dissertation, indication will also be given of what the security protocols, in their turn, depend on to provide protection to a banking system. There are several security protocols that can be used to secure a banking system. The problem, however, is to determine which protocol will provide the best security for a bank in a specific application. This dissertation is also aimed at providing a general security framework that banks could use to evaluate various security protocols which could be implemented to secure a banking system. Such framework should indicate which security protocols will provide a bank in a certain banking environment with the best protection against security threats. It should also indicate which protocols could be used in combination with others to provide the best security.
- Full Text:
- Authors: Van Buuren, Suzi
- Date: 2012-08-22
- Subjects: Banks and banking - Security measures , Intranets (Computer networks) - Security measures , Internet - Security measures , Computer networks - Security measures
- Type: Thesis
- Identifier: uj:3063 , http://hdl.handle.net/10210/6484
- Description: M.Comm. , The principal aim of the present dissertation is to determine the nature of an electronicbanking environment, to determine the threats within such an environment and the security functionality needed to ward off these threats. Security solutions for each area at risk will be provided in short. The main focus of the dissertation will fall on the security protocols that can be used as solutions to protect a banking system. In the dissertation, indication will also be given of what the security protocols, in their turn, depend on to provide protection to a banking system. There are several security protocols that can be used to secure a banking system. The problem, however, is to determine which protocol will provide the best security for a bank in a specific application. This dissertation is also aimed at providing a general security framework that banks could use to evaluate various security protocols which could be implemented to secure a banking system. Such framework should indicate which security protocols will provide a bank in a certain banking environment with the best protection against security threats. It should also indicate which protocols could be used in combination with others to provide the best security.
- Full Text:
A prototype design for RBAC in a workflow environment
- Authors: Cholewka, Damian Grzegorz
- Date: 2012-02-13
- Subjects: Data protection , Workflow , Computer security , Computer access control
- Type: Thesis
- Identifier: uj:2044 , http://hdl.handle.net/10210/4394
- Description: M.Sc. , Role-based access control (RBAC) associates roles with privileges and users with roles. These associations are, however, static in that changes are infrequent and explicit. In certain instances this does not reflect business requirements. Access to an object should be based not only on the identity of the object and the user, but also on the actual task that must be performed. Context-sensitive access control meets the requirements in that it also considers the actual task, i.e. the context of the work to be done, when deciding whether an access should be granted or not. Workflow technology provides an appropriate environment for establishing the context of work. This dissertation discusses the implementation of a context-sensitive access control mechanism within a workflow environment. Although the prototype represents scaled-down workflow functionality, it illustrates the concept of context-sensitive access control. Access control was traditionally aimed at physically controlling access to a computer terminal. Large doors were put in place and time was divided between users who needed to work on a terminal. Today, however, physical means of restraining access have to a large extent given way to logical controls. Current access control mechanisms frequently burden the end-users with unnecessary security-related tasks. A user may, for example, be expected to assume a specific role at the beginning of a session, resulting in unnecessary multi-logons. Alternatively, users can automatically play the most senior role that they can hold and consequently receive the permissions associated with that role. The user is therefore trusted to implement the security policy and not misuse granted privileges. It is also possible for an end-user to bypass security functionality inadvertently- end-users do not always remember to do the correct thing. End-users are furthermore not necessarily adequately educated in security principles and may thus regard security-related tasks as hampering the tasks that they regard as being more important.
- Full Text:
- Authors: Cholewka, Damian Grzegorz
- Date: 2012-02-13
- Subjects: Data protection , Workflow , Computer security , Computer access control
- Type: Thesis
- Identifier: uj:2044 , http://hdl.handle.net/10210/4394
- Description: M.Sc. , Role-based access control (RBAC) associates roles with privileges and users with roles. These associations are, however, static in that changes are infrequent and explicit. In certain instances this does not reflect business requirements. Access to an object should be based not only on the identity of the object and the user, but also on the actual task that must be performed. Context-sensitive access control meets the requirements in that it also considers the actual task, i.e. the context of the work to be done, when deciding whether an access should be granted or not. Workflow technology provides an appropriate environment for establishing the context of work. This dissertation discusses the implementation of a context-sensitive access control mechanism within a workflow environment. Although the prototype represents scaled-down workflow functionality, it illustrates the concept of context-sensitive access control. Access control was traditionally aimed at physically controlling access to a computer terminal. Large doors were put in place and time was divided between users who needed to work on a terminal. Today, however, physical means of restraining access have to a large extent given way to logical controls. Current access control mechanisms frequently burden the end-users with unnecessary security-related tasks. A user may, for example, be expected to assume a specific role at the beginning of a session, resulting in unnecessary multi-logons. Alternatively, users can automatically play the most senior role that they can hold and consequently receive the permissions associated with that role. The user is therefore trusted to implement the security policy and not misuse granted privileges. It is also possible for an end-user to bypass security functionality inadvertently- end-users do not always remember to do the correct thing. End-users are furthermore not necessarily adequately educated in security principles and may thus regard security-related tasks as hampering the tasks that they regard as being more important.
- Full Text:
Inligtingsekerheid, met spesifieke verwysing na risiko-ontleding in mediese-inligtingstelsels
- Authors: Halgreen, Lize-Mari
- Date: 2012-09-11
- Subjects: Information storage and retrieval systems - Medical care , Medical informatics
- Type: Thesis
- Identifier: uj:9985 , http://hdl.handle.net/10210/7379
- Description: M.Comm. , The present study was undertaken in a bid to meet an urgent need uncovered in medical-information systems (MIS) for a formal process whereby risks posing a threat to patients in medical institutions could be identified and controlled by means of the appropriate security measures. At the time of the study, however, no such formal risk-analysis model had yet been developed specifically for application in MIS. This gave rise to the development of RAMMO, a riskanalysis model specifically aimed at the identification of risks threatening the patient in his or her capacity as an asset in a medical institution. The author, therefore, managed to achieve her object with the study, namely to initiate a riskanalysis model that could be applied to medical environments. Following, an overview of the research method used in order to achieve the objectives of the study: Firstly, background information regarding the issues and problems to be addressed was obtained, and they provided the well-founded motivation for the study. Secondly, the development and importance of MIS in medical environments came under consideration, as well as the applicability of information security in an MIS. In the third instance, general terms and concepts used in the risk-management process were defined, by means of which definitions existing risk-analysis models were investigated and critically evaluated in a bid to identify a model that could be applied to a medical environment. Fourthly, a conceptual or draft design was suggested for a risk-analysis model developed specifically for medical environments. In doing so, the first two stages of the model, namely risk identification and risk assessment, were given special emphasis. The said model was then illustrated by means of a practical application in a general hospital in South Africa. The study culminated in a summation of the results of and the conclusions reached on the strength of the research. Further problem areas were also touched upon, which could become the focus of future research projects.
- Full Text:
- Authors: Halgreen, Lize-Mari
- Date: 2012-09-11
- Subjects: Information storage and retrieval systems - Medical care , Medical informatics
- Type: Thesis
- Identifier: uj:9985 , http://hdl.handle.net/10210/7379
- Description: M.Comm. , The present study was undertaken in a bid to meet an urgent need uncovered in medical-information systems (MIS) for a formal process whereby risks posing a threat to patients in medical institutions could be identified and controlled by means of the appropriate security measures. At the time of the study, however, no such formal risk-analysis model had yet been developed specifically for application in MIS. This gave rise to the development of RAMMO, a riskanalysis model specifically aimed at the identification of risks threatening the patient in his or her capacity as an asset in a medical institution. The author, therefore, managed to achieve her object with the study, namely to initiate a riskanalysis model that could be applied to medical environments. Following, an overview of the research method used in order to achieve the objectives of the study: Firstly, background information regarding the issues and problems to be addressed was obtained, and they provided the well-founded motivation for the study. Secondly, the development and importance of MIS in medical environments came under consideration, as well as the applicability of information security in an MIS. In the third instance, general terms and concepts used in the risk-management process were defined, by means of which definitions existing risk-analysis models were investigated and critically evaluated in a bid to identify a model that could be applied to a medical environment. Fourthly, a conceptual or draft design was suggested for a risk-analysis model developed specifically for medical environments. In doing so, the first two stages of the model, namely risk identification and risk assessment, were given special emphasis. The said model was then illustrated by means of a practical application in a general hospital in South Africa. The study culminated in a summation of the results of and the conclusions reached on the strength of the research. Further problem areas were also touched upon, which could become the focus of future research projects.
- Full Text:
- «
- ‹
- 1
- ›
- »