Lynn Futcher
Nelson Mandela Metropolitan University
Publication
Featured research published by Lynn Futcher.
South African Institute of Computer Scientists and Information Technologists | 2008
Lynn Futcher; Rossouw von Solms
It is within highly integrated technology environments that information security is becoming a focal point for designing, developing and deploying software applications. Ensuring a high level of trust in the security and quality of these applications is crucial to their ultimate success. Information security has therefore become a core requirement for software applications, driven by the need to protect critical assets and the need to build and preserve widespread trust in computing. The aim of this paper is to provide guidance to software designers and developers by defining a set of guidelines for secure software development. The guidelines established are based on various internationally recognised standards and best practices and some of the processes developed by many key role players.
World Conference on Information Security Education | 2007
Lynn Futcher; Rossouw von Solms
Most traditional software development methodologies do not explicitly include a standardised method for incorporating information security into their life cycles. It is argued that security considerations should provide input into every phase of the Software Development Life Cycle (SDLC), from requirements gathering to design, implementation, testing and deployment. Therefore, to build more secure software applications, an improved software development process is required. The Secure Software Development Model (SecSDM), as described in this paper, is based on many of the recommendations provided by relevant international standards and best practices, for example, the ISO 7498-2 (1989) standard which addresses the underlying security services and mechanisms that form an integral part of the model.
Computer Fraud & Security | 2016
Nader Sohrabi Safa; Rossouw von Solms; Lynn Futcher
Information is core to the well-being of any modern-day organisation. In order to satisfactorily protect this important asset, human, organisational and technological aspects play a core integrative role in information security. Both technological and organisational control aspects are critically important, but both of these are closely related to people. Information security technology cannot guarantee the safety of information assets in organisations. A range of human aspects also need to be taken into consideration. Nader Sohrabi Safa, Rossouw von Solms and Lynn Futcher of the Nelson Mandela Metropolitan University, South Africa show that, while people are often the weakest link, through cooperation and coordination they can also be a source of great strength in developing effective and efficient defences.
Information Management & Computer Security | 2010
Lynn Futcher; Cheryl Schroder; Rossouw von Solms
Purpose – The purpose of this paper is to argue that information security should be regarded as a critical cross‐field outcome (CCFO). This could assist in narrowing the evident “information security gap” that currently exists in undergraduate information technology/information systems/computer science (IT/IS/CS) curricula at South African universities. Design/methodology/approach – This paper briefly reviews existing literature relating to outcomes‐based education in South Africa with a specific focus on CCFOs. A literature review was also carried out to determine existing approaches to education in information security. A survey was carried out to establish the extent to which information security is currently incorporated into the IT/IS/CS curricula at South African universities and a discussion group was used to provide insight into the current situation at undergraduate level. Findings – Education in information security has matured much more rapidly in postgraduate than in undergraduate programmes at ...
Information Security for South Africa | 2016
Ryan De Kock; Lynn Futcher
Cyber security threats are on the rise as the use of personally owned devices is increasing within higher education institutions. This is due to the rapid adoption of the Bring Your Own Device (BYOD) trend. In 2014, 92% of students used laptops globally for academic purposes, 44% used tablets, and 68% used smart phones. In addition, 89% of higher education institutions in the United States and United Kingdom allow students, faculty and non-academic staff to access their network using personally owned mobile devices. A great concern is that although BYOD is widely accepted in higher education institutions, security is somewhat lacking. In addition, cyber-security threats have switched their focus to mobile devices. Therefore, the number of new mobile vulnerabilities reported each year has increased. Furthermore, in 2014, 10% of global cyber security breaches took place in the education sector with a total of 31 breaches resulting in the exposure of 1,359,190 identities. This placed the educational sector at the top of the list with the third most cyber-security breaches in 2014, behind the healthcare and retail sectors. A literature survey, together with a single explanatory case study involving a higher education institution in South Africa, was used to determine typical mobile device usage in an academic context. As a result of completing the study, it is clear that there is a high demand for the use of BYOD in higher education institutions in South Africa and that BYOD is vital to the academic success of its students. This paper discusses mobile device usage in higher education institutions in South Africa. In addition, it provides some key factors for higher education institutions to consider when dealing with the increased demand for BYOD usage.
IFIP World Conference on Information Security Education | 2009
Lynn Futcher; Rossouw von Solms
A primary source of information security problems is often an excessively complex software design that cannot be easily or correctly implemented, maintained or audited. It is therefore important to establish risk-based information security requirements that can be converted into information security specifications that can be used by programmers to develop security-relevant code. This paper presents a risk-based approach to formalise information security requirements for software development. Based on a formal, structured risk management model, it focuses on how to establish information security requirements to ensure the protection of the information assets implicated. In this way it hopes to provide some educational guidelines on how risk assessment can be incorporated in the education of software developers.
World Conference on Information Security Education | 2018
Wiehan Janse Van Rensburg; Kerry-Lynn Thomson; Lynn Futcher
Mobile applications are increasingly being downloaded in modern society. Despite providing many benefits to potential users, many such applications pose security risks to their users including the leaking of personal information. When applications provide features that fulfil the users’ needs, smartphone users often neglect to consider security when downloading applications. This paper explores whether students consider relevant Security Factors when selecting an application to download. A Smartphone Simulation Exercise and related questions were used to determine students’ reported behaviour regarding smartphone application downloads. The findings suggest that many students do not consider relevant Security Factors important when downloading applications and, therefore, need to be educated in this regard.
Web Information Systems Engineering | 2017
Thandolwethu Mabece; Lynn Futcher; Kerry-Lynn Thomson
With the growing dependency of users on computers, technology and the internet, the protection of information and information systems is of utmost importance. Current computing graduates will become tomorrow’s users and protectors of information and information systems. It is, therefore, essential that higher education institutions provide adequate information security education to enable these graduates to protect information and related information systems. This information security education should, preferably, be a part of their formalized studies. This paper discusses the opinions and experiences of computing educators regarding the extent to which information security is currently integrated within computing curricula and the current information security behaviour of computing students and educators. A total of twenty educators, from six South African higher education institutions, all universities, voluntarily participated in this study. Results indicated that there was limited information security integration within computing curricula at these higher education institutions. This could potentially negatively impact the information security behaviour of computing graduates. However, since behaviour is complex in nature, this paper briefly suggests various factors that could positively influence the information security behaviour of computing students and should be taken into consideration by computing educators.
Archive | 2017
Matt Bishop; Lynn Futcher; Natalia Miloslavskaya; Marianthi Theocharidou
The goal of the Joint Task Force on Cybersecurity Education is to develop comprehensive curricular guidance in cybersecurity that will support future program development and associated educational efforts. This workshop is to present the current draft of the proposed guidelines and obtain feedback that can be incorporated into the next version. In 2016, the professional computing societies ACM, IEEE-CS, AIS SIGSEC, and IFIP WG 11.8 assembled a Joint Task Force on Cybersecurity Education. The goal of this working group is to develop cybersecurity curricular guidelines for programs that emphasize different areas of specialization. The intent is that these guidelines can drive curricula, with each curriculum being tailored for the specific discipline and goals while ensuring that professionals (or prospective professionals) obtain the knowledge and skills they need. The model consists of four parts: knowledge areas; cross-cutting concepts that span, or underlie, the knowledge areas; disciplinary lenses that provide the views of the knowledge areas and cross-cutting concepts based upon the discipline; and application areas, which help define the coverage for each knowledge area. The Joint Task Force is seeking community feedback to improve the current draft curricular guidelines. Two workshops have been held; the third, and the first international one, is this workshop. As other nations and communities have differing needs and educational environments, comments from those communities will be invaluable in making the guidelines as useful to all as possible. Thus, this workshop will explore the current guidelines, their goals, the organization, and how the guidelines might be used. We will invite the audience to provide insights, identify problems their institutions might have in using the guidelines, and propose changes and additions that will improve the guidelines.
Footnote 1: http://www.csec2017.org.
Acknowledgements. We gratefully acknowledge the work of the Joint Task Force on Cybersecurity Education in developing these guidelines, and the valuable contributions of participants in our 15 community engagement efforts. This workshop is based upon work supported by the National Science Foundation under Grant No. DGE-1623104, the National Security Agency’s CNAP Curriculum Development effort (RFI-2017-00022), the Education Board of the ACM, and Intel Corporation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the National Security Agency, the ACM Education Board, or Intel Corporation.
IFIP World Conference on Information Security Education | 2017
Matt Bishop; Diana Burley; Scott Buck; Joseph J. Ekstrom; Lynn Futcher; David S. Gibson; Elizabeth K. Hawthorne; Siddharth Kaza; Yair Levy; Herbert J. Mattord; Allen Parrish
The goal of the Joint Task Force on Cybersecurity Education is to develop comprehensive undergraduate curricular guidance in cybersecurity that will support future program development and associated educational efforts. This effort is a collaboration among the ACM, the IEEE Computer Society, the AIS Special Interest Group on Security and Privacy (SIGSEC), the IFIP WG 11.8, and the Cyber Education Project. In January 2017, the Joint Task Force released a draft of those guidelines. This paper describes the framework underlying the guidelines, examines one set of topics, and then places this work in the context of an exemplary curriculum on cybersecurity education.