www.ijsernet.org Page 1
EVALUATION MODEL FOR INFORMATION SECURITY ON MOBILE
COMPUTING SYSTEMS IN UNIVERSITIES
Daniel Otanga
Franklin Wabwoba
ABSTRACT
This paper is underpinned by the development process of design where the evaluation model and tool were developed. The security evaluation model and an evaluation tool for mobile computing developed will be handy in helping university managers in making informed decisions that will guide day to day management of information system security for mobile computing in universities. The model has the ability to help universities to determine the extent to which their use of mobile computing application is safe, hence determine when there is need for enhancement of existing security approaches to mobile computing in universities and mitigate on the future of security for the systems. In order not to re-invent the wheel the paper began model development by reviewing key security evaluation concept as established by other researchers and a study conducted in six public and two private universities in Kenya.
Keywords: Information System, Evaluation Model, Information Security, Evaluation Model,
Mobile Computing,
Background Information on security evaluation
The field of information security has a rich tradition of system evaluation models, which can be used to assess and predict the current and future system behavior when considering random failures (Sallhammar, 2007). It wasalso observed that, malicious behavior is rarely considered as a possible fault source in these models by most researchers. In order to be trustworthy, a system needs to be both dependable and secure. These two distinguished research fields share many similarities but are also fundamentally different in several aspects, thus the reason why they have tended to be treated in separate frameworks and evaluated by models developed by separate research communities (Sallhammar, 2007). Generally trustworthiness is a product of a systems ability to maintain confidentiality provides accurate information and be available
www.ijsernet.org Page 2 Security, dependability and trust are three conditions that are frequently grouped with user behavior and awareness (Sheila et al., 2015). A framework model that takes care of these three conditions is ideal for a given organization. According to Savola, (2009) there is need to integrate dependability and security to establish a generic and unambiguous trust model. From the above discussion then security encompasses the attributes of confidentiality, integrity and availability. These three attributes therefore form a critical component of any good mobile security application model.
The model frameworks considered for this study includes; Stochastic Models for Combined Security and Dependability Evaluation, a hierarchical framework model of mobile security, Evaluation Models of CC (Common Criteria) based on Information Security System, Security Evaluation Model based on the Score of Security Mechanisms and NIST guidelines among others
A stochastic model is a model that involves probabilities, or randomness, associated with time and events. When using such a model, a stochastic process will represent the system behavior. The stochastic model can be depicted as a state transition diagram, which describes all relevant operational system states and the possible transitions between these states. However this model does not measure the state of the system security, a module that needs to be taken care by the proposed model.
According to Nicol,et al,(2004) Stochastic assumptions are needed to describe systems that have yet to be built, and for systems whose specific vulnerabilities remain unknown. In such cases Nicol (2004) noted that it is appropriate to make stochastic assumptions about the introduction and discovery of vulnerabilities, about attacker behavior, about system behavior (in terms of the effects the exploited vulnerabilities have on it, and in terms of system’s responses to attacks), and about transient periods of vulnerability, and to solve (or simulate) the model for stochastic measures, This models similarly fails to have a component that can be used to determine the level of security in information systems that is being addressed by the proposed model framework.
www.ijsernet.org Page 3 The CC (Common Criteria) permits comparability between the results of independent security evaluations.
However, it is recognized that significant security can often be achieved through or supported by administrative measures such as organizational, personnel, physical, and procedural controls. The proposed model, considered the various IT requirement from the CC model to incorporate in the proposed model framework.
A NIST classification of security mechanisms constitutes three categories these include; Management, Operational or Technical. The framework models aforementioned do not consider measuring the state of security of a particular information system. This is confirmed by Sheila et al. (2015) where in their paper they observed that currently no established conceptual foundation for developing and measuring mobile users’ security.
Based on the foregoing discussion the study initially modified the stochastic model as shown in figure 1 to illustrate the overall concept that would build into development of a security .
Figure 1Overall Concept
Figure 1 shows the system overview to be evaluated, and its operational environment is also described by the model. According to the proposed model overview, there are applications that run within the system probably from mobile devices and also the security objectives to be observed together with the evaluation tool (developed by the study) that continuously surveys the system and gives the state of security levels.
Model development process
To determine the key components of the proposed model framework, the study used Pearson correlation as shown in table 5.1 and also considered the findings as discussed in chapter four. Information
System Security
Objectives
System Applications
Evaluation tool (developed from the study)
www.ijsernet.org Page 4
Table 1 Models’ components Pearson correlation table
Any formal training to enable you operate the existing systems?
Level of education
Area of specialization
Does the existence of security policy have an impact
Does your University have a documented
security policy?
Have you read and understood your institutions information
systems security policy? Any formal training to enable you
operate the existing systems ?
Pearson
Correlation 1 .259
** -.358** .215* .213* .240*
Sig. (2-tailed) .010 .000 .033 .034 .017
N 99 99 99 99 99 99
Level of education Pearson
Correlation .259
** 1 -.275** .050 .003 -.187
Sig. (2-tailed) .010 .006 .621 .975 .063
N 99 99 99 99 99 99
Area of specialization Pearson
Correlation -.358
** -.275** 1 .080 -.159 -.147
Sig. (2-tailed) .000 .006 .431 .117 .147
N 99 99 99 99 99 99
Does the existence of security policy have an impact
Pearson
Correlation .215
* .050 .080 1 .284** .266**
Sig. (2-tailed) .033 .621 .431 .004 .008
N 99 99 99 99 99 99
Does your University have a documented security policy?
Pearson
Correlation .213
* .003 -.159 .284** 1 .595**
Sig. (2-tailed) .034 .975 .117 .004 .000
N 99 99 99 99 99 99
Have you read and understood your institutions information systems security policy?
Pearson
Correlation .240
* -.187 -.147 .266** .595** 1
Sig. (2-tailed) .017 .063 .147 .008 .000
N 99 99 99 99 99 99
www.ijsernet.org Page 5 Based on the findings in table 4.8, a majority of respondents (49.5%) said that there was no formal training to enable users safely operates the existing security systems. At the same time from table 5.1 there was a correlation between formal training to enable one to operate existing systems and level of education at 0.01 confidence level (2 tailed) meaning that the level of education for users is enhanced through formal training to enable them safely implement security policy. There is also a correlation between formal training to enable one to operate existing systems and existence of security policy in the university at 0.05 confidence level (2 tailed). The existence of security policy determines the kind of training needs requirements for the staff to utilize the security policy within the university. This necessitates the need to incorporate Training and education in the model framework as key components, which will in turn ensure that the users safely operate systems in the current technological advancement.
The findings on table 1 also show a correlation between the existence of security policy and its impact on information system security at 0.01 confidence level (2 tailed), it implies that the existence of the security policy when well implemented safeguards the information systems in university. The findings of table 5.1 also show that there is a correlation between reading and understanding institutional information policy and the policy impact on information system security at 0.01 confidence level (2 tailed). This means that staff understanding of the system security policy helps them to effectively utilize the policy to safeguard information systems in universities. These two components are related to governance and awareness issues. This tends to suggest that governance and awareness have an impact on the level of security in mobile application systems. Need for awareness is further seen in table 4.12 where lack of technology awareness was ranked the top most barriers towards security management.
The findings from this study table 4.8 shows that 47.5% of respondents have not read and understood the university’s system security policy meaning that there is an awareness problem a component that will be taken care by the proposed model framework. There is a correlation between the well documented security policy in the university and the impact of security policy on information system in the university.
www.ijsernet.org Page 6 information and the necessary tools to respond to various situations and be able to take action when called upon to do so.
From findings in table 4.12, it was established that lack of support from senior management was ranked as the third top most barrier to security management within universities. This therefore calls for its incorporation in a model regarding mobile computing security to ensure management involvement and provision of necessary resources. Management responsibilities is to ensure that, formal training is conducted, security policy is developed for the university and adhered to, and staffs are made aware of existence of security policy, and user skills are in line with current technology as far as security of systems in mobile computing is concerned.
The findings from table shows that (63.6%) of the respondents were clear that security needs of a university differ depending on information systems and their devices. This therefore calls for technical operation to be undertaken by technically trained staff. This is further emphasized by the significance observed in table 5.1 with regard to area of specialization training. With this in mind it becomes necessary then to consider technical training of staff and technical operations within a model that ensures mobile computing evaluation and a tool.
Enforcement of policies was ranked as the second top most barriers to security management within universities as shown in table 4.12. At the same time resources were also cited as a barrier to information security in universities from the same table. According to findings in table 4.11 most of the sources of the security challenges arise from within the organization (57%). From table 4.15 it can be observed that trainees do not receive training on information security policies and standards as attributed by 61.6% of respondents who agreed to the fact or did not know whether it ever existed.
All the points above points to issues of governance, hence the need to incorporate it in any model to ensure security within information system evaluation and models. Risk assessment is done with a view of identifying risks at different levels within the university so as to prioritize security planning (Cowan, 2003). Saffady, (2005) observed that governance stresses the need for security practitioners to document, maintain, review and update the university’s risk policies and procedures as well as preparation of reports via interactive university’s web page or any other workable way so as to publicize security initiatives and create awareness among employees and users of various systems in the university.
www.ijsernet.org Page 7 This user skill which is also a key component in the proposed model was derived from the respondents from different departments as shown in table 4.2. This is a clear indicator to consider specialized training as a component within security model development as well as evaluation tool.
From the findings in table 4.15, 42.6% of the respondents agreed that there are response procedures in the universities in the event system breaches occur. The component on security awareness has to be incorporated in the model framework to enable staff respond appropriately to security alerts. This can be well taken care of within a security awareness and knowledge component.
Based on the above discussion, it can be observed that technical operations, governance and education play a key component in evaluation of security. On this basis the study proposed the model in figure 5.2 for evaluation tool development.
Figure 2 Framework for model components
As shown in figure 5.2 the framework model shows that there are various mobile computing applications that run on the University information systems. These mobile applications are controlled by user, and system administrators. The systems being used are prone to attacks and are likely to fail in some instances. The system administrators and users are bound to follow existing security policies to guide them in their operations. The users are required to undergo training to be able to interpret the security policy and understand systems operations of the current system. There are various security approaches that system users apply to safeguard their systems. The system evaluation model and tool are meant to determine the effectiveness of
Administrators Actions
User Behavior
Systems failure
Attacks
Information Systems
System Evaluation
(Evaluation tool)
Security Policy
Security Approaches
Security Objectives
Security Measures Mobile computing
Applications
System Security Level Education
Training
Governance
Observable
Te
chn
ica
l o
p
erati
o
n
www.ijsernet.org Page 8 security approaches applied, users and administrators actions on the information system and how it affects the security level of the system. The security objectives which include confidentiality, integrity and availability were considered as the major security objectives to determine the overall security level of the information system in the universities.
Proposed Model for secure mobile computing application
Findings on user’s preference with regard to Confidentiality, Integrity and Availability of a system were as given in table
Table Respondents view on security objectives
Item Percentage preference
Availability 14.44
Confidentiality 53.33
Integrity 32.22
From table 5.2, it is clear that users rank confidentiality the topmost within an information system (53.33%) it is followed by integrity (32.22%) and lastly availability of a system (14.44%).
Based on foregoing discussion and evaluation framework in fig 5.2 the study proposed the model in fig 5.3 as a model for ensuring secure mobile computing application in combination with the findings on the respondents prioritization on the components of trustworthiness of a system ( Confidentiality, Integrity & Availability).
Mobile Applications Systems
Training and education
www.ijsernet.org Page 9
Figure 5. 2model for ensuring secure mobile computing applications in fully automated
environment
Applicability of the security evaluation model
The proposed Model for ensuring secure mobile computing applications in fully automated environment was examined for completeness and usability using validation and verification. Verification and Validation are independent processes that are used together for checking that models, frameworks, products, service or system meets requirements and specifications and that it fulfills its intended purpose.
The process entails seeking experts and stakeholders’ views regarding the suitability of the model and seeks their approval. Verification is intended to check that a product, service or system meets a set of design specifications. The ultimate goal of validation process is to ensure that the models conform to their specifications and meet the expectations of the customers.
Validation of the proposed evaluation model
The goal of validation process is to ensure that models developed address the objectives and provide accurate information about the domain being modeled. Validation is an iterative process of identification of model limitations and implementation of improvements (Lloyds, 2014). Validation is an evaluation based on the functional specifications implicit or explicit. It involves research participants who determine whether the researcher’s interpretation of a meaning and events agrees with their own.
Expert validation involves sharing findings with others who have expertise in the area being researched. The DOD (2009) report defined Validation as a process of determining the degree to which a model or simulation. The evaluation model for ensuring secure mobile computing applications in fully automated environment was validated by an expert group of nineteen out of twenty five that were targeted, through a focused group forum. A set of interview questions were developed and administered to experts who gave their views about the proposed evaluation model. Where applicable the feedback received was applied to the proposed evaluation model.
Verification of the evaluation model
www.ijsernet.org Page 10 Secure mobile computing applications model validation and verification
Validation process demonstrates that the model has a reasonable representation of the actual system. Verification techniques are general while validation is more specific to the model and the expected system. The model to be developed was to evaluate the level of security in information systems and therefore was to represent different parts of the system at various levels of abstraction. Interview questions (see appendix F) were prepared for suggested model validity and administered to twenty five experts out of which nineteen gave their views on the proposed evaluation model.
Table 5.3 shows the results from the expert’s views on the proposed evaluation model.
Table 5. 2Experts view on the proposed model
Descriptive Statistics Yes No Total
percent Does training and education have a role in secure mobile
computing
100.0 0 100.0
Training and education plays a role on management's
decision making and support provisions 78.9
21.1 100.0
Does training and education have influence on governance mechanisms and security awareness
84.2 15.8 100.0
Training and education has affects governance which
influences user security awareness 84.2
15.8 100.0
Training and education influences technical operations security training on actualizing a secure mobile computing
environment 78.9
21.1 100.0
Security awareness and knowledge has an influence on
user skills in actualizing a secure mobile computing 100.0 0 100.0 Does user skills, security policy, technical security
training, management decisions influences objectives for mobile computing
100.0
0 100.0
The evaluation model gives true representations of the
components of a secure mobile application systems 73.7
26.3 100.0
www.ijsernet.org Page 11 a role on management’s decision making and support provision that has influence on realizing a secure mobile computing.
Governance is a process of coordinating activities to achieve a specific task, the model contains a governance component which 84.2% of the experts were in agreement that training and education has an influence on governance mechanisms that has an impact on management security awareness and knowledge in actualizing a secure mobile computing environment. The study also sought to establish the expert’s views on whether training and education as a key component in the proposed evaluation model had an impact on user security awareness and knowledge in actualizing a secure mobile computing environment. Majority of the experts’ 84.2% agreed with this statement while only 15.8% did not agree with the statement.
The study also sought to establish from the experts on whether training and education was vital for technical security training in actualizing a secure mobile computing environment. The findings show that 78.9% of the experts agree that training and education was vital for technical security training while 21.1% disagreed. Agencies and organizations cannot protect the integrity, confidentiality and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them” (NIST 800-16). This means that the technical security training component in the proposed model had a key role within the proposed model.
The study also sought to find out whether training and education was vital for technical operations implementation which was one of the components in the proposed model. Based on the results, 78.9% of the experts agreed that training and education and governance are vital for technical security implementation to actualize secure mobile computing environment. According to Erkan, (2007), a well trained staff can often compensate for weak technical procedural safeguards.
The component of Security awareness and knowledge in the proposed evaluation model had 100% supports from the experts. Training of employees is crucial to perform security awareness. The study also wanted to establish if the component of security awareness had an influence on user skills in actualizing a secure mobile computing environment, all the nineteen experts who respondent agreed that security awareness and knowledge had an impact on user’s skills in actualizing a secure mobile computing environment. The experts were all in agreement that training and education, governance, user skills, security policy development, security awareness and knowledge, technical security training, management decisions and support, and technical operations influences security objectives (Confidentiality, integrity and availability) of a mobile computing applications and systems hence its security level.
www.ijsernet.org Page 12 environment in a university. Though majority of the experts as shown in the table 5.2 supported the components as incorporated in the evaluation model, only 26.3% of the respondent had different views about what the model should contain. Some of the experts however suggested some additional components which they felt should have been captured. Some of the experts suggested additional components such as durability aspect in accordance to ACID properties, usability, technology used, accountability as a system security level, user views/concerns, system security backup, and some kind of tests for the system
The study carefully scrutinized the additional views from the experts and noted that some of their views had been captured in the proposed model, such components include; technical operations, a component that brings on board aspects of tests, systems backup, and usability or technology. However other suggested components though had some issues related to security, they could not directly affect the overall functions of the proposed evaluation model.
Conclusion
The security gaps that were seen affecting the level of security in universities and have been addressed by the model framework include training and education for system users, management decision support, security policy development, security awareness on system users, governance that the operationalization of security policies and other activities in universities , technical security training and technical operations. This will also address the three main security objectives (confidentiality, integrity and availability) which form the security pillars for the university’s information systems to ensure they are achieved within the information systems. References
Breier, J. (2014), Security Evaluation Model based on the Score of Security Mechanisms. Information Sciences and Technologies Bulletin of the ACM
Slovakia,Vol. 6, No. 1
Breier J. and L. Hudec.(2012) Information system security assessment method basedon security mechanisms. In Student Research Conference 2012. Vol. 2 : 8th Student Research Conference in Informatics and Information Technologies,
pages 347–354. STU Press
Cowan, J., (2003). Research Design: Qualitatitve, Quantitative, and Mixed Methods Approaches. London: Sage Publications
DOD, (2009) Department of Defense, Instruction 5000.61, M&S VV&A, 2009.
www.ijsernet.org Page 13 Goswami, (2013). Mobile computing; International Journal of Advanced research in Computer Science and Software Engineering
Lloyds (2014) Solvency II model validation guidelines
Mishra, S. (2011). Information Security Effectiveness; Issues in Information Systems. Volume XlL No.1, pp. 246-255, 2011
Nicol D. M. , William H. S,and Kishor S. T, (2004) Model-Based Evaluation: From Dependability to Security
Purtell, T. (2007), A new view on IT risk. Risk Management, VoL54, and no. 10:28
Saffady, W. (2005). Risk analysis and control: Vital to records protection. Information Management journal, Vo1.39, no.5:62-64
Sallhammar,(2007)Stochastic Models for Combined Security and Dependability Evaluation Thesis for the degree of philosophiae doctor
Savola, R.M. (2009) ‘Current and emerging security, trust, dependability and privacy challenges in mobile telecommunication’, proceedings od 2nd International Conference on
Dependability in Athens
