5.4 Topics Identified for an Information Security Awareness Program

The previous section identified potential threats originating from social networking sites, which also confirmed the need to address the topic of social networking as part of an information security awareness program. Sections 5.2 and 5.3 focused on the threats originating from shared resources, as seen in Internet Cafés, and from social networking sites. This resulted in the identification of a need for an information security awareness program targeting novice computer users.

Another outcome of the work conducted is the identification of topics that address the needs of end-users. It should be noted that a wide variety of topics exists within the realm of cybersecurity. For example, computer security topics include but are not limited to the following: social engineering, denial of service attacks, cross-site scripting, session hijacking, password cracking, malware, identity theft, scams, phishing attacks, physical attacks, cookie hijacking, hoaxes, spam, network scanning, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), security policies, incident response, laptop security, access controls, encryption and decryption, mobile security, evil twin attacks, pharming and browser hijacking. Not all these topics are applicable to the traditional end-user, who does not have an Information Technology (IT) background. The selection of the information security awareness topics applicable to end-users who frequent the Internet is discussed next.

A web browser is the software tool used by the conventional end-user to access the Internet (Judson 1996). The mere use of the web browser exposes the end-user to threats originating from email, social networking sites and websites. Cybercriminals have several attacks they could conduct through email, social networking sites and websites.

Section 5.2 identified threats which could be triggered when using a web browser. These threats include but are not limited to the following: phishing, social engineering, scams, cyberbullying, physical harm, spreading false or negative information, illegal online gambling and identity theft. Social networking was identified as a threat in Section 5.3.

All these threats are considered in the identification of a list of topics to be included in a security awareness program. An attack tree is used to develop a comprehensive overview of the threats targeting Internet users. Schneier (1999) described an attack tree as a structured way of thinking about and describing the security of a system. It represents the attacks as a tree structure, where the root node is the focus of the attack and the leaf nodes are the attacks which could be performed to achieve the final goal of successfully exploiting the root node.

The first node to consider is the computer used by the end-user. The computer consists of hardware and software components. The physical security of the computer hardware is not considered for this study. The computer hardware cannot be directly affected by an attack originating from the Internet, and the measures required to secure the physical components against attacks originating from the Internet are too advanced for novice users. These include but are not limited to removing malware from the basic input/output system (BIOS) and load balancing of the computer processor in the event of a denial of service attack. The software consists of the operating system and other software. The operating system can be protected against potential threats by downloading and installing updates, while the rest of the system is protected with the use of anti-malware tools, which include antivirus (AV) software.

Threats originating from a network are mitigated with the use of a firewall. However, in Chapter 2 it was shown that these measures are not always effective. The end-user uses the web browser as a gateway to the Internet. The web browser is added to the attack tree as this is the next threat vector that could be used to target end-users. As web browsers are also software, the same methods used to protect software would be implemented to mitigate threats to the web browser. It should be noted that web browsers also make use of third-party software to enhance the end-user experience (Barth, Felt, Saxena & Boodman 2010). Examples of third-party software are Acrobat Reader, Java and Acrobat Flash. All web browsers and third-party software should be updated regularly to mitigate the threats that target web browsers.

Web browsers are mostly used for sending emails, visiting websites and networking with other users on social networking sites. These computer uses are aligned with the uses identified in Sections 5.2 and 5.3. These three uses are added to the web browser node within the attack tree and mapped against the threats identified in Sections 5.2 and 5.3.

From a practical point of view, accessing the majority of services on the Internet requires authentication. Thus, password management is added to the threats identified in Section 5.2. Also, the threats originating from social networking sites (as identified in Section 5.3) are added to the listing of threats. For example, evil twin attacks, cyberbullying, fake profiles and privacy were identified as threats against end-users, as these threats originate from social networking sites.

Email services could be used by cybercriminals to target unsuspecting users with spam, scams, phishing and malware. Most of the messages received via this medium are designed to entice the user to open the email or click on a link, and thus social engineering is added. In addition, users who frequent websites are also exposed to threats including malware and phishing. These threats targeting end-users are mapped against the attack vectors, which subsequently results in the attack tree depicted in Figure 5-8.

Figure 5-8: End User Attack Tree (Source: Own)
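The derivation above (prune the out-of-scope hardware subtree, walk the remaining vectors, collect the leaf threats and collapse duplicates such as phishing and malware into one topic each) can be carried out on a small Schneier-style attack tree. The following is an added example, not the thesis author's code or the content of Figure 5-8: the tree is reconstructed from the prose of this section, and the node and leaf names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of a Schneier-style attack tree (OR semantics: any child suffices)."""
    name: str
    children: list["Node"] = field(default_factory=list)
    in_scope: bool = True  # False prunes a subtree the awareness program does not cover


def leaf_attacks(node: Node) -> list[str]:
    """Leaf threats reachable from node, in document order, skipping out-of-scope subtrees."""
    if not node.in_scope:
        return []
    if not node.children:
        return [node.name]
    found: list[str] = []
    for child in node.children:
        found.extend(leaf_attacks(child))
    return found


def awareness_topics(root: Node) -> list[str]:
    """Distinct leaf threats, first occurrence kept (phishing and malware recur under several vectors)."""
    return list(dict.fromkeys(leaf_attacks(root)))


def threats_by_vector(vector: Node) -> dict[str, list[str]]:
    """Map each child of a vector node (e.g. the web browser) to its leaf threats."""
    return {child.name: leaf_attacks(child) for child in vector.children}


# Constructed from the prose of Section 5.4; node names are assumptions, not Figure 5-8.
browser = Node("web browser", [
    Node("third-party software", [Node("unpatched third-party software")]),
    Node("email", [Node("spam"), Node("scams"), Node("phishing"),
                   Node("malware"), Node("social engineering")]),
    Node("websites", [Node("malware"), Node("phishing")]),
    Node("social networking", [Node("evil twin attacks"), Node("cyberbullying"),
                               Node("fake profiles"), Node("privacy")]),
    Node("authentication", [Node("password management")]),
])
end_user_computer = Node("end-user computer", [
    # Hardware threats are too advanced for novice users (Section 5.4), so the subtree is pruned.
    Node("hardware", [Node("BIOS malware"), Node("denial of service")], in_scope=False),
    Node("software", [Node("operating system", [Node("unpatched operating system")]),
                      Node("other software", [Node("malware")]),
                      Node("network", [Node("network attacks")])]),
    browser,
])
```

`awareness_topics(end_user_computer)` yields the deduplicated topic list that the grouping step below starts from; `threats_by_vector(browser)` shows which vector each threat enters through.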

All the topics identified through the use of the attack tree were grouped together into high-level categories that encompass the threats identified. The following categories, which cover all the topics, were considered for the information security awareness program to be used within this study: information security awareness framework. This chapter addressed the application of the