IT-Web Research Proposal Paper on IT Securities and Vulnerabilities

IT Securities and Vulnerabilities

Abstract

Information technology vulnerabilities refer to cyber security risks threatening the security levels maintained to ensure information privacy and confidentiality. Information technology (IT) vulnerabilities include security threats and risks affecting people’s and organizations’ data, leading to loss, theft, and damage. IT systems, programs, and applications are diverse in order to offer users technical and non-technical support. They are, however, prone to an array of threats and risks affecting the security measures implemented to protect data from loss and damage.

The proposal discusses how these vulnerabilities are affecting information technology systems, programs, and applications, leading to socioeconomic, political, and even environmental losses and damages. It focuses on how information technologies are utilized by users for socioeconomic support. Consequently, it emphasizes how innovation and advancing technologies are adversely influencing security measures aimed at mitigating information technology vulnerabilities. Thus, it discusses the various forms of information technology vulnerabilities and the various factors facilitating the vulnerabilities. This enables the provision of various recommendations aimed at mitigating the information technology vulnerabilities.

1.0 Introduction

Information technology is a dominant system adopted and implemented across global industrial sectors and communities. Technology systems have been advancing as innovators continue facilitating growth and development within the sector across global industries comprising business ventures, communities, and other sectors to achieve socio-economic augmentation. Technological innovators are influenced by the belief that information technologies facilitate growth and development globally. As a result, they utilize innovated and digitalized programs and systems to ensure the global community utilizes information technology for diverse functions and operations efficiently. Therefore, information technology security can be defined as the use of technological resources like innovated and digitalized systems and programs to perform functions and operations such as storage, communications, networking, convergence, and multimedia processing effectively and efficiently.

Information technology has been utilized to maximize political, social, environmental, and economic gains. Political gains are recorded among groups, organizations, and persons utilizing information technologies to communicate, market, and achieve political mandates aimed at meeting, fulfilling, and managing people’s expectations during their political authority tenure. Politicians utilize information technologies as a platform to affirm their relevance and social acceptance by community members during election periods. Diverse environmental gains are attributed to information technologies; for example, agencies allied to environmental conservation and preservation rely on information technology programs to monitor and detect air and noise pollution. Consequently, they determine appropriate measures to be undertaken to stop and prevent future occurrences of these types of pollution. Organizations and households have also installed fire and smoke detection applications. These prevent loss and/or damage of property coupled with environmental pollution mainly attributed to smoke. Social gains are retrieved from the increased use of social media networking sites. Social media sites are spreading fast, bringing with them huge benefits like easy. The sites include MySpace, Facebook, Twitter, YouTube, and Instagram among others. Likewise, companies use these social networking sites to advertise and market their business ventures to friends and family members to enhance profitability rates (Viveca, 2005).

Information technology has led to economic gains. Companies and organizations are conducting online commercial activities that rely on information technologies for recognition and financial gains. Small, medium and large organizations have been developing websites to provide the public with relevant information regarding their activities, operations, and functions, and to handle online transactions where possible. The websites developed should be attractive, user-friendly and secure (for both customer data and online transactions). These qualities determine customers’ subscription and loyalty. For relevance and competitive advantage, the same companies/organizations utilize information technologies, for example, social networking sites like Twitter, Facebook and Whatsapp. Besides, information technology provides advertising platforms that increase sales, the clientele base, and sustain a competitive advantage. Thus, information technology is an integral facilitator of economic growth and expansion (U.S. Air Force, 2009).

The importance of information technology cannot be overstated. It is an integral part of the modern world (business and social spheres). The security of data/information transmitted on information technology innovations is important. The security systems have to keep up with the technological innovations for reliable and secure transactions in the case of the business sphere. Information security is one of the vulnerability factors of the various products of information technology. System vulnerabilities provide avenues for fraudulent transactions and information transfer which will negatively impact the various spheres applying information technology.

Several measures have been stated for improving IT security and reducing vulnerabilities. The most appropriate approach/solution is the integrated approach. Raising awareness of IT security, its impact and its importance in modern systems will improve the overall IT security environment (Abraham, David & Whitfield, 2013). The awareness will provide information and knowledge to the public on how to identify the vulnerabilities and how to deal with them. The vulnerabilities come in different forms. Occasional public updates will keep the public up-to-date on the IT vulnerabilities and how to deal with them.

2.0 Literature Review

According to Cook, Waugh, Abdipanah, Hashemi, and Abdul, more than 80% of activities facilitated by information technology systems are vulnerable to security threats and risks. The information technology (IT) sector requires high quality, effective security measures that address and resolve these vulnerabilities. The measures should aim at enhancing transparency and excellence in the delivery of various services facilitated by information technology. To address these vulnerabilities, the scope should include, but not be limited to, networks, systems and other infrastructures across the existing cyberspace. Cyberspaces are developing information technology services through the use of digital networks that are prone to the vulnerabilities and high security risks. Security measures should be formulated and implemented to address and resolve these vulnerabilities for the sustenance of national and international security.

Abraham, David, and Whitfield authored a report with regard to information technology vulnerabilities based on research conducted to prove the dynamism and expansion of these insecurities since 2006 across information technology infrastructures. The authors asserted that IT users have been raising security concerns for fear of socioeconomic attacks by cyber criminals who use IT infrastructures. Malicious IT users are also invading websites, social media platforms, and other digital networks to acquire private and sensitive information for malevolent use. For example, they can acquire an individual’s private financial reports to destroy the person’s credit history and social reputation. During such incidents, it is often challenging to suspect and ascertain that personal and confidential information has been acquired illegally. Exploring information technology infrastructures to identify the various measures applied to enhance the vulnerabilities is therefore a vital procedure, as it can identify factors to enhance security measures. The authors therefore asserted that cyber criminals using viruses and malware to phish and attack innocent users often facilitate information technology vulnerabilities (Abraham, David & Whitfield, 2013).

The Security and Privacy Symposium and Workshops (SPSW) define data security as an architecture developed to ensure information technology systems, programs, and applications are protected from cyber criminals/attacks. Digital networks rely on internet connectivity in order to provide information technology products and services to the users. This, however, enables cyber criminals to rely on the same internet networks to steal or damage any form of data they can access and acquire. Therefore, the public should be advised to ensure their information technology infrastructures implement unique configurations to provide a layer of protection against cyber criminals (SPSW, 2015). Therefore, IT security can be largely attributed to system advancement and human judgment and awareness.

2.1 IT Security and Human Morals

IT security can be attributed to the vulnerability of human behavior/morals or reactions. Human actions are based on pre-formed opinions or wants that have best been explained by various philosophical theories. These theories include:

2.1.1 Contractualism Theory

This is an ethical theory applied to assert that moral nature should involve applying values to undertake actions while relying on information technologies. The contractualism theory therefore strives to affirm that applying morals, ethics, and values within information technology infrastructures can enhance the security provided by the systems and programs and reduce the vulnerabilities. For example, if all human beings acknowledged that information technologies should achieve social, economic, and political gains, hackers, phishers, and other cyber criminals would not exist. Consequently, incidents of information technology vulnerabilities such as loss of data through unauthorized access and theft would be prevented.

The contractualism theory therefore asserts that users of information technology systems and programs should achieve, enhance, and sustain security measures supported by people’s sense of responsibility aimed at maximizing information technology security. Thus, information technology users should respect and uphold national and international measures effectively and efficiently implemented to mitigate the vulnerabilities, which are mainly security risks. This process, however, involves users adopting and embracing virtue ethics, ensuring interactions across information technology systems and programs are supportive, beneficial and safely undertaken (Madeleine & Jonathan, 2012).

2.1.2 Consequentialism Theory

This theory focuses on the value of actions and choices undertaken by users relying on information technology systems and programs on a day-to-day basis. The consequentialism theory is therefore different and unique from the theory discussed above, as it does not focus on users’ moral, social, cultural, and ethical values as they utilize information technologies. Instead, it focuses on users’ manners to ensure they identify, understand, and interpret the significant measures formulated and implemented to enhance information technology security and mitigate the vulnerabilities. By applying philosophical approaches enhancing security measures implemented to reduce information technology vulnerabilities, this theory promotes a sense of responsibility among users. Consequently, cyber criminals can acknowledge that the use of viruses, phishing programs, malware, and hacking activities enhances information technology vulnerabilities. As a result, they can put an end to these activities, leading to enhanced information technology security (Madeleine & Jonathan, 2012).

2.1.3 Deontologism Theory

This theory applies universal duty-based virtue ethics to support and encourage information technology users to uphold cultural, social, and moral ethics and values. This guarantees that information technology security is enhanced and the vulnerabilities mitigated. Persons relying on information technology systems and programs on a day-to-day basis should therefore uphold freedoms, duties, and rights aimed at enhancing the privacy, social, and security benefits associated with information technology infrastructures. As a result, hackers, phishers, and persons relying on viruses to violate information technology security measures and users’ privacy rights through illegal access should reform and put an end to such unauthorized, unacceptable, and unlawful activities. The theory is therefore a decision-making approach that encourages the use of common sense to maximize information technology security and mitigate the vulnerabilities (Madeleine & Jonathan, 2012).

2.2 Types of Information Technology Vulnerabilities

2.2.1 Poor Configuration Management

Private and professional computers often rely on internet connectivity to meet and fulfill users’ needs, mainly allied to research. For example, a user can use a private computer to retrieve information from Google in order to gather facts. Similarly, an employee can use an organizational computer to access an internet connection in order to undertake the firm’s operations and functions. Connectivity to any internet network ought to uphold configuration management policies. This reduces information technology vulnerabilities such as phishing and hacking.

2.2.2 Spear Phishing and Targeted Attacks

Cyber criminals, mainly hackers and phishers, target individuals and organizations they believe hold private and confidential information that should not be illegally accessed and used maliciously. For example, they understand some people store their personal financial information in private computers for reference purposes. As a result, they wait until the user connects to the internet without upholding the configuration management policies in order to access such information. They apply malware, malicious code, and viruses to access the victim’s emails, websites, and other areas where any form of information has been stored. They either steal, copy, damage, or harm the information in order for the victim to suffer socioeconomic loss (Kakareka, 2009).

Cyber criminals have relied on spear phishing, which involves the application of malicious code to acquire an individual’s personal financial information. Consequently, they defraud the victim, destroy the victim’s credit history, or harm the person’s reputation (Khonji, Iraqi & Jones, 2012).

2.2.3 Botnets

Botnets refer to networks of computers that have been compromised by cyber criminals. Phishers and hackers therefore rely on botnets to invade information technology infrastructures in order to commit crime and implement their malicious intentions. IT vulnerabilities concerning botnets include financial losses, social damages, and loss of private, confidential, and sensitive data that should not be accessed or retrieved without authority (Kakareka, 2009).

2.2.4 Unpatched Client-Side Software and Applications

Personal and organizational computers function due to the installation of various software applications. This software and these applications should always be updated. This is not always the case, as IT users can be either ignorant or unaware. Computers running on old software versions are prone to IT vulnerabilities. Cyber criminals attack such computers, especially when they are connected to an internet network. For example, individuals and organizations have fallen victim to phishers and hackers accessing, exploiting, harming, damaging, and/or stealing data contained in computers running on old versions of a software application for malicious use (Kakareka, 2009).

2.2.5 Cloud Computing

Cloud computing allows large amounts of data to be stored and shared, especially among large organizations. Delegating data protection services therefore shifts the security architecture put in place to ensure information technology vulnerabilities are minimized and prevented. Thus, as the organization shares the large amounts of data across various resources and assets relying on digital networks, availability and encryption issues are likely to arise. Consequently, phishers, hackers, and other cyber criminals can apply viruses, malicious code, and malware to access the organization’s data. This puts the organization in a vulnerable position, as the data can be destroyed, damaged, stolen and used maliciously, or simply harmed in order to ensure it cannot be retrieved and used by the firm for any socioeconomic benefit (Kakareka, 2009).

2.3 Factors Facilitating Information Technology Vulnerabilities

Cyber criminals striving to steal, damage, and destroy data stored in personal and organizational computers implement information technology vulnerabilities. These vulnerabilities are artificial, as they are implemented by malicious persons accessing information technology infrastructures to attack and cause damage or loss. There are, however, some natural factors facilitating information technology vulnerabilities. These natural factors include fires and floods leading to massive loss of data. This factor, however, is less damaging, as the data is destroyed or damaged without malicious cyber criminals gaining access to or retrieving the information (Kakareka, 2009).

Most organizations move data among employees consistently and often in order to ensure firm goals and objectives are achieved effectively and efficiently. This, however, facilitates and enhances information technology vulnerabilities, as the data is accessed by several people who can expose it to cyber dangers. All fifteen organizations reviewed confirmed they transfer and exchange different types of data among employees across various departments and levels in order for firm operations and functions to be sustained. This, however, provides hackers and phishers with an opportunity to gain access to the data, especially when the data is stored in a computer or server. When the organization connects to the internet, cyber criminals implement viruses, malware, and malicious code to gain access to, steal, harm, or destroy the data, causing the organization socioeconomic losses (FCC, 2013).

People should understand the information technology security measures they can apply on an individual and organizational level. This is because failure to identify these security measures has enhanced information technology vulnerabilities, leading to the violation of privacy policies and loss of private and confidential data. For example, individuals often store data comprising their Personally Identifiable Information, credit card and bank account numbers, work and home addresses, emails, taxpayer identification and Social Security numbers in their personal computers. Failure to acknowledge that they ought to install firewalls or an antivirus to prevent illegal access to and retrieval of the data enhances information technology vulnerabilities. This is because once they connect to the internet, cyber criminals can either hack or phish the personal computer and acquire all forms of data stored on it. Consequently, they can succeed in identity theft, causing the victim socioeconomic losses (Murmuria, Medsger & Voas, 2012).

Failure to classify information while storing it in a computer enhances information technology vulnerabilities, as it can be accessed and retrieved using malicious code aiming to acquire a particular set of data illegally. Information technology users should therefore acknowledge that data classification reduces and prevents information technology vulnerabilities. For example, organizations should classify data into various classes such as the Internal Only classification, comprising employees’ performance evaluations, audit reports, and partnership agreements. This will ensure persons who should not access the Internal Only data are kept out, mitigating information technology vulnerabilities. Consequently, cyber criminals cannot access and retrieve the information, as access can be easily detected due to the implementation of information technology security policies tasked with monitoring the data to mitigate information technology vulnerabilities (FCC, 2013).
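The paragraph above describes classification as two things working together: a label on each record that keeps unauthorized readers out, and monitoring that makes attempted access visible. The following is an added example, not part of the proposal or of any cited source, showing both in Python: records carry a classification label, readers carry a clearance, access is denied by default, and every denial is logged so that a principal probing many records stands out. Only the "Internal Only" class and its three example record types come from the text; the other levels, the record names, the principals and the threshold are assumptions.

```python
"""Classification-based access check with a denial log (added example).

Assumptions: the ordered levels below (only "Internal Only" is from the
text), the sample records and principals, and the repeat-offender threshold.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Least to most sensitive. A reader needs a clearance at least as high as the label.
LEVELS = ("Public", "Internal Only", "Confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Record:
    name: str
    classification: str  # must be one of LEVELS

    def __post_init__(self) -> None:
        # Unlabelled data is exactly the failure mode the text warns about,
        # so a record with no known label is refused at creation time.
        if self.classification not in RANK:
            raise ValueError(f"{self.name}: unknown classification {self.classification!r}")


@dataclass
class AccessLog:
    entries: List[str] = field(default_factory=list)

    def deny(self, principal: str, record: Record) -> None:
        self.entries.append(f"DENIED {principal} -> {record.name} [{record.classification}]")


def can_read(clearance: Optional[str], record: Record) -> bool:
    """Deny by default: a missing or unknown clearance reads only Public data."""
    if clearance not in RANK:
        return record.classification == "Public"
    return RANK[clearance] >= RANK[record.classification]


def read(principal: str, clearance: Optional[str], record: Record, log: AccessLog) -> Optional[str]:
    """Return the record name on success; on refusal, log it and return None."""
    if can_read(clearance, record):
        return record.name
    log.deny(principal, record)
    return None


def repeat_offenders(log: AccessLog, threshold: int = 3) -> List[str]:
    """Principals denied `threshold` or more times: the monitoring signal the text asks for."""
    counts = Counter(line.split()[1] for line in log.entries)
    return sorted(p for p, n in counts.items() if n >= threshold)


# Constructed sample data (not from any real organization).
RECORDS = [
    Record("staff-directory", "Public"),
    Record("performance-evaluations", "Internal Only"),  # example types named in the text
    Record("audit-report", "Internal Only"),
    Record("partnership-agreement", "Internal Only"),
    Record("payroll-bank-details", "Confidential"),
]
CLEARANCE: Dict[str, Optional[str]] = {
    "hr-manager": "Confidential",
    "employee": "Internal Only",
    "contractor": None,  # no clearance assigned
}


def run_demo() -> Tuple[Dict[str, List[str]], AccessLog]:
    """Let every principal try every record; return what each could read and the log."""
    log = AccessLog()
    seen: Dict[str, List[str]] = {}
    for principal, clearance in CLEARANCE.items():
        seen[principal] = [r.name for r in RECORDS if read(principal, clearance, r, log) is not None]
    return seen, log


if __name__ == "__main__":
    readable, access_log = run_demo()
    for who, names in readable.items():
        print(f"{who}: {names}")
    print("\n".join(access_log.entries))
    print("repeat offenders:", repeat_offenders(access_log))
```

The ordering of levels is the design choice that matters: a reader's clearance is compared numerically against the label, so adding a level never requires touching the check itself, and a label the system does not know is rejected rather than silently treated as Public.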

The last factor enhancing information technology vulnerabilities is the lack of a plan among individuals and organizations on how to deal with data loss. Unexpected loss of data is common, especially if a computer is being accessed by more than one person. Thus, personal computers being accessed by other family members and friends can also suffer from unexpected loss of data at rates equal to those recorded in an organization. The unexpected loss of data can be due to theft and damaging of the information by malicious cyber criminals. A viable plan to deal with such an incident should therefore be formulated to ensure the time taken to acknowledge and deal with the loss of data is minimal, minimizing information technology vulnerabilities. The plan is also vital as it can put cyber criminals in a vulnerable position, exposing other persons and individuals they have also attacked and stolen data from for malicious use and socioeconomic losses (Atul, Suraj & Surbhi, 2013).

3.0 Background Information

The proposal seeks to analyze the vulnerabilities of IT systems and the probable courses of action. The vulnerabilities arise from the security risks posed by malware, viruses and other illegitimate means applied by cyber criminals. These vulnerabilities have reduced levels of privacy and confidentiality among information technology users, as they have to be cautious to avoid loss and theft of private data such as personal financial information. Thus, information technology vulnerabilities compromise the confidentiality, availability, and integrity of ensuring users and data are protected from unauthorized access mainly perpetrated by cyber criminals (Cook, Waugh, Abdipanah, Hashemi & Abdul, 2014).

A sure way of dealing with these vulnerabilities is the development of more security systems to complement IT systems. Innovators should ensure the measures evolve as technology changes, advances, and expands in order to support and secure the information technology growth and development procedure. This will ensure advanced threats and vulnerabilities, especially those committed by cyber criminals, are reduced and ultimately prevented. Information technology security should therefore be diligent in order to understand and anticipate risks, threats, and vulnerabilities (Kakareka, 2009).

3.1 Aims and Objectives

The proposal reiterates the importance of IT systems in modern life. However, the effectiveness and security of these systems are marred by vulnerabilities that have contributed to loss of data and financial resources, reputational damage and identity theft. The key objectives of the proposal include:

  1. Identify the impact and applications of the IT systems
  2. Identify the leeways of current IT systems
  3. Identify the IT security systems and organizations
  4. Identify the vulnerabilities in IT systems
  5. Determine factors that contribute to the vulnerabilities and how they contribute

3.2 Research questions

  1. What are the consequences of a nil-vulnerabilities scenario on the current IT market?
  2. What are the bottlenecks in vulnerabilities research considering the development scenario of IT systems security?
  3. How can the IT security be improved with respect to the vulnerabilities?
  4. What are the different forms of vulnerabilities and their impacts on IT systems?

4.0 Methodology

4.1 Justification for Impact of Vulnerabilities in Information Technology Systems

The proposal aims at discussing information technology security and vulnerabilities. The study will focus on factors promoting information technology security and accentuating information technology vulnerabilities. The goal of the study is to make use of quantitative research methods for determining the role of vulnerabilities in IT security systems. Using quantitative research methods with an exploratory research design is vital, as it will assist in conducting a credible data collection process (Creswell, 2009). The logical justifying principle for the use of this research technique is the fact that the qualitative research method is used with the objective of understanding a particular phenomenon. As a result, it will enable discovery of the innermost meaning of the study concerning information technology security and vulnerabilities (Creswell, 2003). For instance, the use of qualitative and quantitative research approaches shall enable identification of opinions, perspectives, and attitudes aiming to resolve the need to raise awareness and enhance information security while mitigating the vulnerabilities.

Walker explains that the choice of a quantitative research strategy is because it provides the researcher with a platform from which he/she can carry out statistical inferences in the study. In the same vein, it will also allow the researcher to use numerical representations (the vulnerability instances) while explaining a phenomenon based on the available observations (Creswell, 2003). Conversely, a qualitative research approach may be used because it provides insights that will later on allow the researcher to generate theoretical frameworks (Walker, 2005). Thus, the main reason for choosing a quantitative research strategy is that the study is based on clients’ feedback that forces the researcher to determine the different variables used in the research (Creswell, 2003; Creswell, 2009). At the same time, the use of quantitative research strategies enables the researcher to make use of the opinions and attitudes of the participants to support the statistical data (Creswell, 2003; Williams, 2007). Creswell further asserts that a mixed approach can be helpful in a research study in the sense that it enables the researcher to gain an in-depth understanding of the role of awareness as regards the importance of information technology security at organizational and individual levels (Creswell, 2003).

4.2 A New and Non-Obvious Technique/Solution to Answer the Problem

The current research study is concerned with determining whether raising awareness on the importance of information technology security promotes safe and secure information systems. It is important to note that there are certain practices that organizations can use in attempts to enhance organizational security awareness related to the importance of information technology security against related vulnerabilities. Some of the possible practices include training personnel and employees, determining the roles for security awareness and establishing an organizational culture to promote security awareness throughout the organization. The real data applied in conducting the research therefore includes identifying information technology vulnerabilities in order to acquire data that can be applied to mitigate them and enhance security levels. This data will be collected among people and individuals seeking to enhance information technology security but face diverse information technology vulnerabilities from phishers, hackers, and other diverse cyber criminals.

After collection of data from the sample selected, it would be possible to come up with the best solution to the current problems being experienced because of advancing information technology systems and programs. The sample will provide a representational picture of the IT vulnerabilities, for example, how the general public deals with these IT vulnerabilities. This would be an appropriate approach to the study. The proposed solution is for organizations to carry out security awareness as an on-going program to make sure that training and knowledge are not just made available as an annual activity but rather applied to maintain a high level of information technology security awareness on a daily basis. Daily briefings from the IT department and regular training sessions from the same department will help increase this awareness. The daily briefings will inform the public/employees of any potential vulnerability identified by the IT department and how best to deal with it. The briefings would be appropriate if the employees have undergone IT security training organized by this department. Moreover, people have become the weakest links in the information technology security chain. This is because even the latest security technologies are failing to guarantee protection against the vulnerabilities and risks (Caldwell, 2013).

Thus, the proposed solution is appropriate because security technologies can protect core systems from technological attacks, although they cannot protect organizations against employees and personnel providing information on social media for cyber criminals to access. The security technologies also fail to ensure organizational employees and personnel are not using various information technology networks that put the firm in a vulnerable position, in which the organization is likely to lose data and violate clients’ privacy and confidentiality.

4.3 Choice of Data for the Study

Datasets with different characteristics are required while undertaking the study and carrying out experimental case studies. The choice of synthetic data sets is based on the observation that it is essential in meeting certain characteristics that are not found in the data from the questionnaires. In this study, the researcher has planned to use synthetic data set because it is generally difficult to get access to real cyber incident data related to information technology security awareness.

Data sets rely on anonymous data to maintain privacy and confidential levels. Using data sets guarantees privacy to companies and persons willing to participate in the study. In addition, the most viable data sets are to be used in the study with the aim of answering the research questions as depicted in the questionnaire below.

4.4 Questionnaire

Below is the questionnaire written in HTML to produce an online questionnaire. The HTML version will also be uploaded to Interact2.

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>IT Security and Vulnerabilities Questionnaire</title>
<!-- Dreamweaver Spry validation: each radio group wrapped in a span below is
     registered with Spry.Widget.ValidationRadio at the foot of the page, so the
     form cannot be submitted until that question is answered. The span ids must
     be unique; reusing one id means only the first copy is ever validated. -->
<script src="SpryAssets/SpryValidationRadio.js" type="text/javascript"></script>
<link href="SpryAssets/SpryValidationRadio.css" rel="stylesheet" type="text/css">
</head>

<body>
<h1>Technical threats</h1>

<!-- action="" posts back to the URL that served the page; set it to the
     collection endpoint before use. Every question has its own radio name:
     radios that share a name form one group, so reusing a name across
     questions lets an answer to one question clear another. Free-text fields
     are named so that their content is actually submitted. Groups not wrapped
     in a Spry span use the HTML5 required attribute instead, except the
     "if yes" follow-up questions, which may legitimately be left blank.
     Validation here runs only in the browser; the server must repeat it. -->
<form name="form1" method="post" action="">

<h2>Social engineering</h2>

<p>1. Have you been contacted by someone asking for your credential information?</p>
<span id="spryradio1">
  <label><input type="radio" name="eng" value="Yes" id="eng_0"> Yes</label><br>
  <label><input type="radio" name="eng" value="No" id="eng_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>2. Who can you trust online?</p>
<span id="spryradio2">
  <label><input type="radio" name="trust" value="colleagues" id="trust_0"> Colleagues</label><br>
  <label><input type="radio" name="trust" value="Boss" id="trust_1"> Boss</label><br>
  <label><input type="radio" name="trust" value="none" id="trust_2"> None of the above</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>3. Have you ever given out your credential information to someone claiming to work for a legitimate company?</p>
<span id="spryradio3">
  <label><input type="radio" name="credential" value="yes" id="credential_0"> Yes</label><br>
  <label><input type="radio" name="credential" value="no" id="credential_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>4. If yes, did you contact anyone? Who?</p>
<p><textarea name="contacted_whom" rows="3" cols="60"></textarea></p>

<h2>Phishing</h2>

<p>5. Have you ever been contacted by someone who had your details and asked for your authentication details to fix a problem with your account?</p>
<span id="spryradio4">
  <label><input type="radio" name="phish_contact" value="yes" id="phish_contact_0"> Yes</label><br>
  <label><input type="radio" name="phish_contact" value="no" id="phish_contact_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>6. If yes, did the person put an urgency to the matter?</p>
<span id="spryradio5">
  <label><input type="radio" name="urgency" value="yes" id="urgency_0"> Yes</label><br>
  <label><input type="radio" name="urgency" value="no" id="urgency_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>7. If the above occurs, who can you call?</p>
<p><textarea name="who_to_call" rows="3" cols="60"></textarea></p>

<p>8. Have you ever received a coupon offer giving you money on successful completion?</p>
<span id="spryradio6">
  <label><input type="radio" name="coupon" value="yes" id="coupon_0"> Yes</label><br>
  <label><input type="radio" name="coupon" value="no" id="coupon_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>9. Have you been receiving emails with grammatical errors?</p>
<span id="spryradio7">
  <label><input type="radio" name="grammar" value="yes" id="grammar_0"> Yes</label><br>
  <label><input type="radio" name="grammar" value="no" id="grammar_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>10. Have you ever received emails from a friend's or a colleague's email address requesting you to send them money?</p>
<span id="spryradio8">
  <label><input type="radio" name="money_request" value="yes" id="money_request_0"> Yes</label><br>
  <label><input type="radio" name="money_request" value="no" id="money_request_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<h2>User devices</h2>

<p>11. Are you allowed to bring your devices or storage media to work?</p>
<span id="spryradio9">
  <label><input type="radio" name="byod" value="yes" id="byod_0"> Yes</label><br>
  <label><input type="radio" name="byod" value="no" id="byod_1"> No</label><br>
  <span class="radioRequiredMsg">Please make a selection.</span>
</span>

<p>12. If yes, what tasks do you do with it/them?</p>
<p>
  <label><input type="radio" name="device_tasks" value="copy_work"> Copying work information</label><br>
  <label><input type="radio" name="device_tasks" value="store_media"> Storing downloaded movies and pictures</label>
</p>

<p>13. Are your personal devices password protected?</p>
<p>
  <label><input type="radio" name="device_password" value="yes" required> Yes</label>
  <label><input type="radio" name="device_password" value="no"> No</label>
</p>

<p>14. Have you ever lost a personal device or storage media?</p>
<p>
  <label><input type="radio" name="device_lost" value="yes" required> Yes</label>
  <label><input type="radio" name="device_lost" value="no"> No</label>
</p>

<p>15. Does the organization give you devices and storage media to use at work?</p>
<p>
  <label><input type="radio" name="org_devices" value="yes" required> Yes</label>
  <label><input type="radio" name="org_devices" value="no"> No</label>
</p>

<h2>Network security</h2>

<p>16. Does your organization have firewall rules?</p>
<p>
  <label><input type="radio" name="firewall" value="yes" required> Yes</label>
  <label><input type="radio" name="firewall" value="no"> No</label>
</p>

<p>17. If yes, are there some sites that you cannot access as a result of this?</p>
<p>
  <label><input type="radio" name="blocked_sites" value="yes"> Yes</label>
  <label><input type="radio" name="blocked_sites" value="no"> No</label>
</p>

<p>18. Are some sites only accessible at certain times?</p>
<p>
  <label><input type="radio" name="timed_sites" value="yes" required> Yes</label>
  <label><input type="radio" name="timed_sites" value="no"> No</label>
</p>

<p>19. Please list some other sites that you wish to be blocked.</p>
<p><textarea name="wish_blocked" rows="3" cols="60"></textarea></p>

<p>20. How do you connect to the organization's network?</p>
<p>
  <label><input type="radio" name="connection" value="lan" required> LAN</label>
  <label><input type="radio" name="connection" value="wifi"> Wi-Fi</label>
</p>

<p>21. Is there any authentication to access the Wi-Fi?</p>
<p>
  <label><input type="radio" name="wifi_auth" value="password" required> You have to use a password</label>
  <label><input type="radio" name="wifi_auth" value="open"> It's open</label>
</p>

<p>22. Do you think that your security online is part of your responsibility?</p>
<p>
  <label><input type="radio" name="own_responsibility" value="yes" required> Yes</label>
  <label><input type="radio" name="own_responsibility" value="no"> No</label>
</p>

<h2>Software and applications</h2>

<p>23. Are you able to install any software you want on work computers?</p>
<p>
  <label><input type="radio" name="install_any" value="yes" required> Yes</label>
  <label><input type="radio" name="install_any" value="no"> No</label>
</p>

<p>24. Do you verify the source of the software that you download?</p>
<p>
  <label><input type="radio" name="verify_source" value="yes" required> Yes</label>
  <label><input type="radio" name="verify_source" value="no"> No</label>
</p>

<p>25. Please state some of the sources of the software that you download.</p>
<p><textarea name="software_sources" rows="3" cols="60"></textarea></p>

<p>26. Does the organization provide you with some paid software?</p>
<p>
  <label><input type="radio" name="paid_software" value="yes" required> Yes</label>
  <label><input type="radio" name="paid_software" value="no"> No</label>
</p>

<p>27. List some of the software that the organization provides.</p>
<p><textarea name="org_software" rows="3" cols="60"></textarea></p>

<p>28. List some of the software that the organization does not provide.</p>
<p><textarea name="missing_software" rows="3" cols="60"></textarea></p>

<p>29. Do you have a running antivirus on your computer?</p>
<p>
  <label><input type="radio" name="antivirus" value="yes" required> Yes</label>
  <label><input type="radio" name="antivirus" value="no"> No</label>
</p>

<p>30. Is it up to date?</p>
<p>
  <label><input type="radio" name="av_current" value="yes"> Yes</label>
  <label><input type="radio" name="av_current" value="no"> No</label>
</p>

<p>31. How often do you update it?</p>
<p>
  <label><input type="radio" name="av_update_freq" value="weekly"> Weekly</label>
  <label><input type="radio" name="av_update_freq" value="monthly"> Monthly</label>
  <label><input type="radio" name="av_update_freq" value="yearly"> Yearly</label>
  <label><input type="radio" name="av_update_freq" value="never"> Never</label>
</p>

<p>32. Has any of your computer's software malfunctioned?</p>
<p>
  <label><input type="radio" name="malfunction" value="yes" required> Yes</label>
  <label><input type="radio" name="malfunction" value="no"> No</label>
</p>

<p>33. Did you report the problem?</p>
<p>
  <label><input type="radio" name="reported_malfunction" value="yes"> Yes</label>
  <label><input type="radio" name="reported_malfunction" value="no"> No</label>
</p>

<h2>Malware</h2>

<p>34. Have you ever experienced computer problems such as freezing after opening an attachment?</p>
<p>
  <label><input type="radio" name="freeze_after_attachment" value="yes" required> Yes</label>
  <label><input type="radio" name="freeze_after_attachment" value="no"> No</label>
</p>

<p>35. Do you have USB antivirus programs on your computer?</p>
<p>
  <label><input type="radio" name="usb_antivirus" value="yes" required> Yes</label>
  <label><input type="radio" name="usb_antivirus" value="no"> No</label>
</p>

<p>36. Does your antivirus program identify threats and eliminate them effectively?</p>
<p>
  <label><input type="radio" name="av_effective" value="yes" required> Yes</label>
  <label><input type="radio" name="av_effective" value="no"> No</label>
</p>

<p>37. Which antivirus program is provided by your organization?</p>
<p><textarea name="av_vendor" rows="3" cols="60"></textarea></p>

<p>38. Do you frequently forward emails that you have been forwarded by others?</p>
<p>
  <label><input type="radio" name="forward_emails" value="yes" required> Yes</label>
  <label><input type="radio" name="forward_emails" value="no"> No</label>
</p>

<p>39. You can download any email attachment sent to you by:</p>
<p>
  <label><input type="radio" name="attachment_from" value="friends" required> Friends</label>
  <label><input type="radio" name="attachment_from" value="friendly_strangers"> Friendly strangers</label>
  <label><input type="radio" name="attachment_from" value="boss"> Boss</label>
  <label><input type="radio" name="attachment_from" value="colleagues"> Colleagues</label>
</p>

<p>40. Do you open spam emails?</p>
<p>
  <label><input type="radio" name="open_spam" value="yes" required> Yes</label>
  <label><input type="radio" name="open_spam" value="no"> No</label>
</p>

<p>41. Do you report it when you get spam emails?</p>
<p>
  <label><input type="radio" name="report_spam" value="yes" required> Yes</label>
  <label><input type="radio" name="report_spam" value="no"> No</label>
</p>

<h2>System access controls</h2>

<p>42. Have you been assigned specific access rights?</p>
<p>
  <label><input type="radio" name="access_rights" value="yes" required> Yes</label>
  <label><input type="radio" name="access_rights" value="no"> No</label>
</p>

<p>43. Are these rights sufficient for you to accomplish your tasks?</p>
<p>
  <label><input type="radio" name="rights_sufficient" value="yes" required> Yes</label>
  <label><input type="radio" name="rights_sufficient" value="no"> No</label>
</p>

<p>44. Who can add or remove your access rights?</p>
<p>
  <label><input type="radio" name="rights_admin" value="admin" required> Admin</label>
  <label><input type="radio" name="rights_admin" value="predefined"> No one, they are predefined</label>
  <label><input type="radio" name="rights_admin" value="any_it_staff"> Any of the IT staff</label>
</p>

<p>45. How are your user accounts created?</p>
<p>
  <label><input type="radio" name="account_creation" value="admin" required> The admin</label>
  <label><input type="radio" name="account_creation" value="me"> Me</label>
  <label><input type="radio" name="account_creation" value="no_account"> I don't even own an account</label>
</p>

<p>46. How are your user account credentials first delivered to you?</p>
<p>
  <label><input type="radio" name="credential_delivery" value="email" required> Email from admin</label>
  <label><input type="radio" name="credential_delivery" value="letter"> Letter from admin</label>
  <label><input type="radio" name="credential_delivery" value="sms"> Text message</label>
  <label><input type="radio" name="credential_delivery" value="phone"> Telephone call</label>
</p>

<h1>Non-technical threats</h1>

<h2>Password policies</h2>

<p>47. Do you have some password policies in your organization?</p>
<p>
  <label><input type="radio" name="password_policy" value="yes" required> Yes</label>
  <label><input type="radio" name="password_policy" value="no"> No</label>
</p>

<p>48. What complexity must your password have?</p>
<p>
  <label><input type="radio" name="pw_complexity" value="letters_numbers" required> Letters and numbers</label>
  <label><input type="radio" name="pw_complexity" value="letters_numbers_special"> Letters, numbers and special characters</label>
  <label><input type="radio" name="pw_complexity" value="undefined"> Not defined</label>
</p>

<p>49. What is the maximum password length allowed in your organization?</p>
<p>
  <label><input type="radio" name="pw_max_length" value="1-4" required> 1-4</label>
  <label><input type="radio" name="pw_max_length" value="4-8"> 4-8</label>
  <label><input type="radio" name="pw_max_length" value="8-45"> 8-45</label>
  <label><input type="radio" name="pw_max_length" value="undefined"> Undefined</label>
</p>

<p>50. What is the minimum password length allowed by your organization?</p>
<p>
  <label><input type="radio" name="pw_min_length" value="8" required> 8</label>
  <label><input type="radio" name="pw_min_length" value="6"> 6</label>
  <label><input type="radio" name="pw_min_length" value="4"> 4</label>
  <label><input type="radio" name="pw_min_length" value="undefined"> Undefined</label>
</p>

<p>51. What is the maximum password age in your organization?</p>
<p>
  <label><input type="radio" name="pw_max_age" value="lt_6_months" required> Less than 6 months</label>
  <label><input type="radio" name="pw_max_age" value="6-12_months"> 6-12 months</label>
  <label><input type="radio" name="pw_max_age" value="gt_1_year"> More than 1 year</label>
  <label><input type="radio" name="pw_max_age" value="undefined"> Undefined</label>
</p>

<p>52. What is the minimum password age?</p>
<p>
  <label><input type="radio" name="pw_min_age" value="1_week" required> 1 week</label>
  <label><input type="radio" name="pw_min_age" value="1_month"> 1 month</label>
  <label><input type="radio" name="pw_min_age" value="1_year_plus"> 1 year and above</label>
  <label><input type="radio" name="pw_min_age" value="undefined"> Undefined</label>
</p>

<p>53. How do you recover your account when you forget your password?</p>
<p>
  <label><input type="radio" name="pw_recovery" value="admin_reminds" required> The admin reminds me</label><br>
  <label><input type="radio" name="pw_recovery" value="set_new_give_admin"> I have to set another one and give it to the admin</label><br>
  <label><input type="radio" name="pw_recovery" value="secret_questions"> I use secret questions and am allowed to create another one</label><br>
  <label><input type="radio" name="pw_recovery" value="account_gone"> Once it's forgotten, the account is gone</label>
</p>

<p>54. Do you ever share your password with others?</p>
<p>
  <label><input type="radio" name="pw_share" value="yes" required> Yes</label>
  <label><input type="radio" name="pw_share" value="no"> No</label>
</p>

<h2>Backups</h2>

<p>55. Which information is considered critical to an organization?</p>
<p>
  <label><input type="radio" name="critical_info" value="transactions" required> Transaction information</label>
  <label><input type="radio" name="critical_info" value="credentials"> Usernames and passwords</label>
  <label><input type="radio" name="critical_info" value="both"> Both</label>
</p>

<p>56. How do you back up?</p>
<p>
  <label><input type="radio" name="backup_method" value="online" required> Online</label>
  <label><input type="radio" name="backup_method" value="external_media"> External storage media</label>
</p>

<p>57. If not online, how do you store the physical media?</p>
<p>
  <label><input type="radio" name="media_storage" value="server_room"> In server rooms</label>
  <label><input type="radio" name="media_storage" value="unspecified"> Unspecified</label>
</p>

<p>58. Is the information encrypted?</p>
<p>
  <label><input type="radio" name="backup_encrypted" value="yes" required> Yes</label>
  <label><input type="radio" name="backup_encrypted" value="no"> No</label>
</p>

<p>59. Are the media password protected?</p>
<p>
  <label><input type="radio" name="media_password" value="yes" required> Yes</label>
  <label><input type="radio" name="media_password" value="no"> No</label>
</p>

<p>60. Who can access the backed-up information?</p>
<p>
  <label><input type="radio" name="backup_access" value="admin_only" required> Admin only</label>
  <label><input type="radio" name="backup_access" value="anyone"> Anyone</label>
</p>

<p>61. Who can restore the backup?</p>
<p>
  <label><input type="radio" name="backup_restore" value="admin_only" required> Admin only</label>
  <label><input type="radio" name="backup_restore" value="anyone"> Anyone</label>
</p>

<h2>Physical access controls</h2>

<p>62. Does your organization have CCTV?</p>
<p>
  <label><input type="radio" name="cctv" value="yes" required> Yes</label>
  <label><input type="radio" name="cctv" value="no"> No</label>
</p>

<p>63. Are there guards?</p>
<p>
  <label><input type="radio" name="guards" value="yes" required> Yes</label>
  <label><input type="radio" name="guards" value="no"> No</label>
</p>

<p>64. What clearance level does one need to access restricted areas?</p>
<p>
  <label><input type="radio" name="clearance" value="none" required> None</label>
  <label><input type="radio" name="clearance" value="specified_level"> Specified level</label>
</p>

<p>65. How are the personnel authenticated into restricted areas?</p>
<p>
  <label><input type="radio" name="area_auth" value="biometrics" required> Biometrics</label>
  <label><input type="radio" name="area_auth" value="signature"> Signature</label>
  <label><input type="radio" name="area_auth" value="passwords"> Passwords</label>
  <label><input type="radio" name="area_auth" value="none"> None</label>
</p>

<h2>Cracks</h2>

<p>66. Have you discovered any holes in the system?</p>
<p>
  <label><input type="radio" name="holes" value="yes" required> Yes</label>
  <label><input type="radio" name="holes" value="no"> No</label>
</p>

<p>67. Have you ever penetrated the security mechanism?</p>
<p>
  <label><input type="radio" name="penetrated" value="yes" required> Yes</label>
  <label><input type="radio" name="penetrated" value="no"> No</label>
</p>

<p>68. Have you discovered any glitches in any of your systems?</p>
<p>
  <label><input type="radio" name="glitches" value="yes" required> Yes</label>
  <label><input type="radio" name="glitches" value="no"> No</label>
</p>

<p>69. Were the glitches present when the system was acquired?</p>
<p>
  <label><input type="radio" name="glitches_initial" value="yes"> Yes</label>
  <label><input type="radio" name="glitches_initial" value="no"> No</label>
</p>

<h2>Social media</h2>

<p>70. What information is public on your profile?</p>
<p>
  <label><input type="radio" name="profile_public" value="name_tel_email_workplace" required> Name, telephone, email, workplace</label>
  <label><input type="radio" name="profile_public" value="name_only"> Only name, others are private</label>
</p>

<p>71. Are your friends/followers able to access your private information?</p>
<p>
  <label><input type="radio" name="friends_private" value="yes" required> Yes</label>
  <label><input type="radio" name="friends_private" value="no"> No</label>
</p>

<p>72. Have you ever shared sensitive information?</p>
<p>
  <label><input type="radio" name="shared_sensitive" value="yes" required> Yes</label>
  <label><input type="radio" name="shared_sensitive" value="no"> No</label>
</p>

<p>73. Have you ever used a work email for social media?</p>
<p>
  <label><input type="radio" name="work_email_social" value="yes" required> Yes</label>
  <label><input type="radio" name="work_email_social" value="no"> No</label>
</p>

<p>74. Have you ever used your personal email for work functions?</p>
<p>
  <label><input type="radio" name="personal_email_work" value="yes" required> Yes</label>
  <label><input type="radio" name="personal_email_work" value="no"> No</label>
</p>

<p><input type="submit" value="Submit"></p>

</form>

<script type="text/javascript">
// One widget per Spry-wrapped group; the span ids above must match these.
var spryradio1 = new Spry.Widget.ValidationRadio("spryradio1");
var spryradio2 = new Spry.Widget.ValidationRadio("spryradio2");
var spryradio3 = new Spry.Widget.ValidationRadio("spryradio3");
var spryradio4 = new Spry.Widget.ValidationRadio("spryradio4");
var spryradio5 = new Spry.Widget.ValidationRadio("spryradio5");
var spryradio6 = new Spry.Widget.ValidationRadio("spryradio6");
var spryradio7 = new Spry.Widget.ValidationRadio("spryradio7");
var spryradio8 = new Spry.Widget.ValidationRadio("spryradio8");
var spryradio9 = new Spry.Widget.ValidationRadio("spryradio9");
</script>

</body>
</html>

4.5 Synthetic Data Sets Description

The initial step in creating the required data set is to search for past studies on information technology security and vulnerabilities. The data sets best able to answer the research questions listed above will then be selected. For this study, the generated data sets are structured by age, gender, and industrial group.

4.5.1 Age

The age range is 30 to 35 years, so that only the adult population is considered. This age group relies mainly on information technology to achieve socioeconomic growth and development.

4.5.2 Gender

Both genders, male and female, will be represented. The gender feature is necessary in order to promote gender equality and to minimize sample bias and sampling errors in data collection.

4.5.3 Industrial Group

At least fifteen organizations from sectors such as communication, transportation and manufacturing are suitable for studying IT security and vulnerabilities. The businesses are chosen at random from the given fields, and the resulting data set is used to discuss IT security and vulnerabilities.

4.6 Experimental Plan

The primary goal of the experiment is to provide recommendations on the importance of carrying out security awareness. This should involve ongoing information technology programmes that ensure the training and knowledge acquired are applied to maintain a high level of security awareness on a daily basis. The synthetic data sets will be used to determine whether the proposed recommendations are appropriate and feasible when integrated into organizations. They will also be used to determine whether the synthetic data sets predict the same outcomes as the real data collected through questionnaires from the fifteen selected companies.

4.7 The significance of the Experiment

The experiment is important because it will enable the research goals and objectives to be fulfilled. It will also allow the recommendations on enhancing technology security and mitigating vulnerabilities to be provided and explained in depth (Walker, 2005).

5.0 Experimental Result and Analysis

5.1 Task 1: Introduction

Expounding on the research questions, the first concerns the technical threats to information technology (IT) that individuals should be aware of. These are vulnerabilities that attackers can exploit to get into a system and carry out deliberate attacks. Such attackers are strongly motivated and usually have several techniques at their disposal; employees ought to be made aware of them and of the techniques most likely to be used.

One such method is social engineering, which involves obtaining users' information by deceiving them into handing it over. In organizations, employees may be tricked into revealing crucial information that leads to an attack with catastrophic impact. The questionnaire asks users whether such incidents have happened to them, that is, whether someone has tried to obtain credentials from them. It also asks whom they trust online, and what steps they would take if someone obtained their credentials. These questions reveal how susceptible employees are to deception and how best to mitigate such attacks.

Phishing is another technical threat, in which an attacker poses as a legitimate entity and, in most cases, uses email to request usernames and passwords. Once given this information, the attacker has access to the user's account and can use it to acquire sensitive information or to mount further attacks. Attackers normally use urgency to trigger quick, poorly considered decisions by users. The questionnaire asks whether respondents have ever been contacted to give out authentication information, and whom they would contact if the information were stolen. It also asks whether they receive emails about coupons that can be redeemed for money, emails with grammatical errors, and requests from friends' email addresses to send money. The findings will be used to give tailored recommendations.
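The markers the questionnaire asks about (urgency, a request for authentication details, money or coupon offers, and a familiar name on an unfamiliar address) can also be checked mechanically against incoming mail. The following example is added here and is not part of the proposal: a small heuristic scorer in Python whose word lists, weights, known-contact table and three sample messages are all constructed assumptions, not a tuned detector.

```python
"""Score e-mail messages for the phishing markers discussed above.
Added example with constructed sample messages; the patterns, the
known-contact table and the threshold are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative patterns, one per marker the questionnaire asks about.
URGENCY = re.compile(r"urgent|immediately|within 24 hours|suspended|act now", re.I)
CREDENTIALS = re.compile(
    r"password|username|login details|authentication details|verify your account", re.I)
MONEY = re.compile(r"coupon|prize|wire transfer|send (?:me )?money|[$£]\s?\d+", re.I)

# Display name -> address that person is expected to write from (assumed).
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com"}


def _body_text(msg):
    """Plain-text body of a parsed message, joining text/plain parts if multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw, known_contacts=KNOWN_CONTACTS):
    """Return (score, reasons) for one RFC 822 message given as a string.
    A known display name on a different address is the question 10 pattern:
    a 'friend' asking for money from a look-alike account."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    reasons = []
    if URGENCY.search(body):
        reasons.append("urgency")
    if CREDENTIALS.search(body):
        reasons.append("asks for credentials")
    if MONEY.search(body):
        reasons.append("money or coupon")
    expected = known_contacts.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        reasons.append("known name on unexpected address")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from sender")
    return len(reasons), reasons


def is_suspicious(raw, known_contacts=KNOWN_CONTACTS, threshold=2):
    """Two or more markers together is the (assumed) cut-off for flagging."""
    return score_message(raw, known_contacts)[0] >= threshold


# Constructed sample messages (not real mail).
SAMPLE_PHISH = (
    "From: IT Helpdesk <helpdesk@example-support.net>\n"
    "Reply-To: fix@mailbox-reset.example\n"
    "Subject: Account problem\n"
    "\n"
    "Your account will be suspended within 24 hours. Reply with your username\n"
    "and password so we can fix the problem immediately.\n"
)
SAMPLE_FRIEND = (
    "From: Jane Doe <jane.doe1@webmail.example>\n"
    "Subject: Help\n"
    "\n"
    "I am stuck abroad and need you to send me money urgently, $500 by wire transfer.\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Minutes\n"
    "\n"
    "Minutes from today's meeting are attached. Thanks.\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("friend", SAMPLE_FRIEND), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(raw))
```

The scorer deliberately keys on the same cues the survey asks respondents to recognise, so its output can be compared with the self-reported answers; it is an awareness aid, not a replacement for a mail-filtering product.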

Another avenue for threats is the use of employee-owned devices and removable storage media in the workplace. Devices such as laptops and media such as flash drives may be brought to work and used to store sensitive information. Some may also carry viruses and introduce them to otherwise well-guarded and maintained work computers. Since these devices and media are not subject to the security controls applied to organizational devices, they create a leak: they can easily be stolen, misplaced or compromised, and the valuable data on them obtained by attackers. This is addressed by asking whether employees are allowed to bring their own devices, whether they take office work home, and whether they copy sensitive information onto their own devices or media. The findings will be used to recommend the most viable controls for devices and removable storage media.

Another potential area of attack is the existing security architecture: is the organization's intranet protected from the internet, are there firewall rules, are some sites blocked, can some sites be accessed only at given times, and which sites do users think should be blocked? The questionnaire also examines internet usage, since employees are not expected to consume a lot of resources visiting some sites. It further asks who can access the organization's network, whether there are login procedures, and whose responsibility it is to ensure online security.

Software and applications used by employees are another exploitable area. Trojan horses are malware that appear to perform useful tasks while doing harm in the background. Such programs may harvest saved passwords, monitor users' activities, send the gathered information to attackers, cause denial of service, cripple other software such as antivirus products, and replicate themselves across entire systems. The questionnaire asks whether employees can install any software on work computers, whether they verify the software and check its source, and whether they prefer freeware or paid software. It also asks whether they have experienced anomalies in software behaviour and whether they reported the problem.

Malware is any malicious software created to damage or disrupt one or more systems; it includes Trojan horses, viruses and worms. Most malware is transmitted through attachments, external storage media, downloads or instant messages, and is activated once an employee opens the attachment, media or message. The questionnaire examines the channels attackers may use to transmit malware. It asks whether users have experienced abnormal computer behaviour after opening attachments or downloads, about the state of the antivirus programs installed and how often they are updated, about the sites from which they download software, and whether they have received or forwarded suspicious emails from strangers. It also asks whether they open emails that have been sent to spam and whether they report such emails. This assesses how vulnerable employees are to the common channels attackers use to spread harmful programs, and helps put them on alert.

The last category of technical attacks concerns the access controls in the system. Access controls are measures put in place to ensure that only authorized persons have access to certain systems (Sampemane, 2014). They generally comprise authorization and authentication: authorization grants access privileges to users based on their roles and levels, while authentication uses login mechanisms to confirm a user's identity before access is granted. The questionnaire collects data on whether all users have been assigned their respective access rights, whether those rights are sufficient for their roles, and who can change them. Concerning authentication, it asks how user accounts are created, how credentials are delivered, and who can create or delete accounts. This information will support detailed recommendations on these two critical controls.

The questionnaire also gathers information about non-technical threats to information systems, that is, threats arising from weaknesses of the organization's employees. This covers the password policies in use and their implementation, backup of critical information, physical access rights, and discovered or possible ways around the controls in place. It also asks what information users have made public on social media such as Facebook and Twitter. This enables a proper assessment of employee weaknesses.

Password policies are the rules an organization puts in place to ensure that users adopt strong passwords and maintain their strength (Kent & Souppaya, 2009). The questionnaire asks whether password policies are in place and in use, what character combinations a password must contain, the maximum and minimum password length, the minimum and maximum password age, the recovery procedure for forgotten passwords, and whether users share their passwords with others. The collected information will allow an assessment of whether the password policies are adequate to minimize threats, and will inform recommendations to improve the security of the organization's systems.
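The elements a written policy specifies (character classes, minimum and maximum length, minimum and maximum age) are what a system enforces at password change time. The following Python example is added here and is not part of the proposal; the policy values, the tiny list of common passwords and the dates are assumptions chosen to illustrate the checks, not any organization's actual settings.

```python
"""Check a password and its age against a policy of the kind described above.
Added example; policy values and the common-password list are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import string

# A handful of well-known weak passwords, for illustration only.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64       # a cap as low as 8 rules out long passphrases
    require_letters: bool = True
    require_digits: bool = True
    require_special: bool = True
    max_age_days: int = 180    # "less than 6 months"
    min_age_days: int = 1      # stops a user cycling straight back to the old password


def check_password(password, policy=PasswordPolicy(), username="", denylist=COMMON_PASSWORDS):
    """Return the list of rules the password breaks; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    if policy.require_letters and not any(c.isalpha() for c in password):
        violations.append("no letters")
    if policy.require_digits and not any(c.isdigit() for c in password):
        violations.append("no digits")
    if policy.require_special and not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    if password.lower() in denylist:
        violations.append("on the list of common passwords")
    return violations


def check_age(last_changed, today, policy=PasswordPolicy()):
    """Classify a password's age: 'expired' once past the maximum age,
    'too_new' if a further change is attempted inside the minimum age, else 'ok'."""
    age = today - last_changed
    if age > timedelta(days=policy.max_age_days):
        return "expired"
    if age < timedelta(days=policy.min_age_days):
        return "too_new"
    return "ok"


if __name__ == "__main__":
    print(check_password("abc123"))
    print(check_password("Welcome1", username="welcome"))
    print(check_password("Correct-Horse-Battery-9"))
    print(check_age(date(2014, 1, 1), date(2014, 8, 1)))
```

The maximum-length rule is included because the survey asks for it: a low cap is itself a weakness, since it forbids the long passphrases the length rule is meant to encourage, and a server that stores passwords hashed has no reason to impose one.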

Concerning backup of critical information, the questionnaire examines whether such information is backed up as a contingency against catastrophes or breakdowns. It asks which information is considered critical to the organization, which backup mechanism is used (online or external storage devices) and, for the latter, how the media are stored and whether they are encrypted and password protected. It also asks how frequently backups are taken, who can access the backed-up information, and who can restore it in the event of a failure. This gauges the organization's preparedness for failure due to attacks or natural disasters, and the findings will also show whether the backed-up information is itself secure from attack.

Physical access controls are mechanisms that limit access to areas of the organization where sensitive data is stored and where critical processes are performed (Sampemane, 2014). The questionnaire asks whether closed-circuit television cameras watch the building's restricted areas and whether guards are present there. It asks who is allowed into such areas and what clearance level one must have to be granted access, and how personnel are authenticated on entry: voice or face scans, other biometrics, or passwords. These findings will show whether restricted areas are properly guarded and whether persons entering them are verified to be who they claim to be. This will help in drawing recommendations to improve the existing security of these areas.

Over the course of time, cracks may open in security mechanisms that were once effective, rendering them ineffective. These may result from laxity of the employees responsible for securing the organization, or from the discovery of bugs in systems that evade the safeguards in place. Trap doors are secret, undocumented entry points to a system left by its developers; some programmers fail to remove them before handing software over to clients. The questionnaire asks users whether they have discovered secret access mechanisms or 'cheat codes' that allow them to access or perform restricted functions, and whether they have been able to get past the system's security mechanisms and, if so, how. Logic bombs are pieces of code that execute when particular conditions are met (Beard, 2011). The questionnaire therefore also asks whether users have discovered glitches or abnormal behaviour that was not present when the systems were delivered, and whether they reported it.

Social engineering often involves collecting information about a user over time in order to gain their trust and then obtain sensitive information such as login credentials or the organization's bank account details. The payoff from a successful attack is often high, so attackers take time to gather this information, and social media are one place where employees continually give the public information that attackers can use. The questionnaire asks which information employees have made public on social media, how many friends or followers they have and which information those people can access, and which information they have shared in the past that they consider sensitive. It also asks whether employees have used their work emails on social media, or their personal emails for work functions. This gauges how careless employees are in safeguarding their own private information and whether they have put organizational information at risk on social media. The findings will also support recommendations to prevent future social engineering and phishing attacks.

5.2 Task 3: Results

Results were obtained and the answers validated; responses with missing parts were not considered. The valid responses were mapped onto a scale of 0 to 100 percent. The final results are reported at a confidence level of 95%.
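The questionnaire in section 4.4 posts each respondent's answers to the server, and the tabulation above discards incomplete responses and reports percentages at 95% confidence. The following Python example is added here and is not part of the proposal; it shows the server-side handling those two statements imply. The field names eng, trust and credential are the form's own; byod and device_password are assumed names for questions 11 and 13, and the seven submissions are constructed sample data, not the study's results.

```python
"""Server-side handling of questionnaire submissions: reject incomplete or
tampered responses, then tabulate each question as percentages with a 95%
confidence interval.  Added example; the sample submissions are constructed."""
from collections import Counter
from math import sqrt

# Allowed values per field, keyed by the radio "name" attribute.  eng, trust
# and credential are the form's own names; byod and device_password are
# assumed names for questions 11 and 13.  The Spry widget validates only in
# the browser, so a crafted POST must be checked again here.
SCHEMA = {
    "eng": {"Yes", "No"},
    "trust": {"colleagues", "Boss", "none"},
    "credential": {"yes", "no"},
    "byod": {"yes", "no"},
    "device_password": {"yes", "no"},
}


def validate_response(form):
    """Return the cleaned answers, or None if any scheduled question is
    unanswered or carries a value outside its option set.  Fields not in
    SCHEMA (free text, browser extras) are dropped, which also keeps
    anything that could identify the respondent out of the data set."""
    cleaned = {}
    for field, allowed in SCHEMA.items():
        value = form.get(field)
        if value not in allowed:
            return None
        cleaned[field] = value
    return cleaned


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a proportion; z=1.96 gives 95% confidence.
    It stays inside [0, 1] even for the small samples a questionnaire yields."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def tabulate(responses, field):
    """Share of valid responses per option, in percent, with its 95% interval."""
    n = len(responses)
    if n == 0:
        return {}
    counts = Counter(r[field] for r in responses)
    table = {}
    for option in sorted(SCHEMA[field]):
        low, high = wilson_interval(counts[option], n)
        table[option] = {
            "percent": round(100 * counts[option] / n, 1),
            "ci95": (round(100 * low, 1), round(100 * high, 1)),
        }
    return table


# Constructed submissions, as the form would POST them (not real data).
RAW_SUBMISSIONS = [
    {"eng": "Yes", "trust": "Boss", "credential": "yes", "byod": "yes", "device_password": "no"},
    {"eng": "Yes", "trust": "colleagues", "credential": "no", "byod": "yes", "device_password": "no"},
    {"eng": "No", "trust": "Boss", "credential": "no", "byod": "yes", "device_password": "yes"},
    {"eng": "Yes", "trust": "none", "credential": "yes", "byod": "no", "device_password": "no"},
    {"eng": "Yes", "trust": "Boss", "credential": "no", "byod": "yes", "device_password": "no"},
    {"eng": "Maybe", "trust": "Boss", "credential": "no", "byod": "yes", "device_password": "no"},  # tampered value
    {"eng": "No", "trust": "Boss", "byod": "yes", "device_password": "yes"},  # question 3 skipped
]


def analyse(submissions=RAW_SUBMISSIONS):
    """Discard invalid submissions and tabulate every scheduled question."""
    valid = [r for r in map(validate_response, submissions) if r is not None]
    return {"n_valid": len(valid),
            "tables": {field: tabulate(valid, field) for field in SCHEMA}}


if __name__ == "__main__":
    for field, table in analyse()["tables"].items():
        print(field, table)
```

With five valid submissions, 80% answering "Yes" to question 1 carries a 95% interval of roughly 38% to 96%, which is the caveat the confidence level in the text stands for: with small samples per organization the percentages reported below are indicative rather than precise.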

1. Have you been contacted by someone asking for your credential information?
  Yes70%
  No30%
  2.Who can you trust online
  Colleagues30%
  Boss60%
  None of the above10
  3. Have you ever given out your credential information to someone claiming to work for a legitimate company?
  Yes65%
  No35%
  4. If yes, did you contact anyone? Who? 
95% did not contact anyone
  5. Have you ever been contacted by someone who had your details and asked for your authentication details to fix a problem with your account?
  Yes30%
  No70%
  6. If yes, did the person put an urgency to the matter?
  Yes90%
  No10%
  7. If the above occurs, who can you call?
65% indicated they would call the service provider, 35 % were unsure who to contact, if anyone
8. Have you ever received a coupon offer giving you money on successful completion?
  Yes75%
  No25%
  9.Have you been receiving emails with grammatical errors
  Yes80%
  No20%
  10. Have you ever received emails from some friends’ or a colleagues’ email address requesting you to send them money?
  Yes80%
  No20%
  User devices
11. Are you allowed to bring your devices or storage media to work?
  Yes98%
  No2%
  12. If yes, what tasks do you do with it/them?
Copying work information30%
Storing downloaded movies and pictures70%
  13Are your personal devices password protected?
Yes10%
No90%
  14. Have you ever lost a personal device or storage media?
Yes90%
No10%
  15. Does the organization give you devices and storage media to use at work?
Yes80%
No20%
  Network security
  16. Does your organization have firewall rules?
 Yes40%
 No60%
  17. If yes, are there some sites that you cannot access as a result of this?
 Yes80%
 No20%
18. Are some sites only accessible at certain times?
Yes40%
No60%
19.Please list some other sites that you wish to be blocked
90% of these sites were torrent sites
20. How do you connect to the organization's network?
LAN: 50%
Wi-Fi: 50%
21. Is any authentication required to access the Wi-Fi?
You have to use a password: 60%
It's open: 40%
22. Do you think that your online security is part of your responsibility?
Yes: 30%
No: 70%

Software and applications
23. Are you able to install any software you want on work computers?
Yes: 90%
No: 10%
24. Do you verify the source of the software that you download?
Yes: 40%
No: 60%
25. Please state some of the sources of the software that you download.
70% download from the software websites.
26. Does the organization provide you with some paid software?
Yes: 80%
No: 20%
27. List some of the software that the organization provides.
90% of the software was an antivirus and an office suite.
28. List some of the software that the organization does not provide.
90% of the replies said download managers.
29. Do you have a running antivirus on your computer?
Yes: 85%
No: 15%
30. Is it up to date?
Yes: 30%
No: 70%
31. How often do you update it?
Weekly: 30%
Monthly: 50%
Yearly: 10%
Never: 10%
32. Has some of your computer's software malfunctioned?
Yes: 80%
No: 20%
33. Did you report the problem?
Yes: 20%
No: 80%

Malware
34. Have you ever experienced computer problems such as freezing after opening an attachment?
Yes: 20%
No: 80%
35. Do you have USB antivirus programs on your computer?
Yes: 40%
No: 60%
36. Does your antivirus program identify threats and eliminate them effectively?
Yes: 80%
No: 20%
37. Which antivirus program is provided by your organization?
80% were Kaspersky.
38. Do you frequently forward emails that have been forwarded to you by others?
Yes: 70%
No: 30%
39. You can download any email attachment sent to you by:
Friends: 30%
Friendly strangers: 10%
Boss: 30%
Colleagues: 30%
40. Do you open spam emails?
Yes: 70%
No: 30%
41. Do you report it when you get spam emails?
Yes: 20%
No: 80%

System access controls
42. Have you been assigned specific access rights?
Yes: 60%
No: 40%
43. Are these rights sufficient for you to accomplish your tasks?
Yes: 80%
No: 20%
44. Who can add or remove your access rights?
Admin: 80%
No one, they are predefined: 10%
Any of the IT staff: 10%
45. How are your user accounts on a system created?
By the admin: 80%
By me: 10%
I don't even own an account: 10%
46. How are your user account credentials first delivered to you?
Email from admin: 70%
Letter from admin: 5%
Text message: 15%
Telephone call: 10%
Non-technical threats

Password policies
47. Do you have some password policies in your organization?
Yes: 40%
No: 60%
48. What complexity must your password have?
Letters and numbers: 70%
Letters, numbers and special characters: 20%
Not defined: 10%
49. What is the maximum password length allowed in your organization?
1-4: 5%
4-8: 60%
8-45: 30%
Undefined: 5%
50. What is the minimum password length allowed by your organization?
8: 70%
6: 10%
4: 15%
Undefined: 5%
51. What is the maximum password age in your organization?
Less than 6 months: 60%
6-12 months: 20%
More than 1 year: 15%
Undefined: 5%
52. What is the minimum password age?
Below 3 months: 60%
1-12 months: 25%
Above 1 year: 10%
Undefined: 5%
53. How do you recover your account when you forget your account credentials?
The admin reminds me: 10%
I have to set another one and give it to the admin: 10%
I use secret questions and am allowed to create another one: 80%
Once it's forgotten, the account is gone: 0%
54. Do you ever share your password with others?
Yes: 70%
No: 30%
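The password-policy answers above (minimum length 8, letters plus numbers plus special characters, maximum age under 6 months) can be expressed as a machine-checkable policy so that an administrator can enforce them rather than rely on users. The following Python is an added example and is not part of the proposal or its survey: the policy values are taken from the strictest answers reported above, the 180-day maximum age is an assumption standing in for "less than 6 months", and the class and function names and the account records are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class PasswordPolicy:
    """Policy values taken from the strictest answers in the survey above.

    max_age_days=180 is an assumption standing in for "less than 6 months".
    """
    min_length: int = 8
    max_length: int = 45
    require_letters: bool = True
    require_digits: bool = True
    require_special: bool = True
    max_age_days: int = 180
    min_age_days: int = 1


def validate_new_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Checks applied at the moment a user sets a new password.

    Returns the list of violated rules; an empty list means the password
    satisfies the policy.
    """
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_letters and not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if policy.require_digits and not re.search(r"[0-9]", password):
        problems.append("no digits")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def password_age_status(last_changed: str, today: str, policy: PasswordPolicy) -> str:
    """Classify a password by age; dates are ISO strings (YYYY-MM-DD)."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age_days > policy.max_age_days:
        return "expired"        # older than the maximum age: force a change
    if age_days < policy.min_age_days:
        return "too-recent"     # younger than the minimum age: a change is not yet allowed
    return "ok"


# Constructed account records: only the change date is stored, never the password.
ACCOUNTS: List[Dict[str, str]] = [
    {"user": "alice", "last_changed": "2015-06-01"},
    {"user": "bob",   "last_changed": "2015-01-01"},
    {"user": "carol", "last_changed": "2015-08-01"},
]


def audit_password_age(accounts: List[Dict[str, str]], today: str,
                       policy: PasswordPolicy) -> Dict[str, str]:
    """Map each user to the age status of their current password."""
    return {a["user"]: password_age_status(a["last_changed"], today, policy)
            for a in accounts}


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("abc", "Winter2015", "W1nter!2015"):
        print(candidate, validate_new_password(candidate, policy) or "compliant")
    print(audit_password_age(ACCOUNTS, "2015-08-01", policy))
```

The complexity check runs only when a password is being set, because that is the only time the plaintext is legitimately in hand; the age audit works from stored change dates alone, which is what an administrator can run on a schedule to find the 70% of respondents above whose antivirus-style "update it yearly or never" habit also shows up in password hygiene.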
Backups
55. Which information is considered critical to an organization?
Transaction information: 20%
Usernames and passwords: 20%
Both: 60%
56. How do you back up?
Online: 20%
External storage media: 80%
57. If not online, how do you store the physical media?
In server rooms: 80%
Unspecified: 20%
58. Is the information encrypted?
Yes: 30%
No: 70%
59. Are the media password protected?
Yes: 30%
No: 70%
60. Who can access the backed-up information?
Admin only: 60%
Anyone: 40%
61. Who can restore the backup?
Admin only: 80%
Anyone: 20%

Physical access controls
62. Does your organization have CCTV?
Yes: 70%
No: 30%
63. Are there guards?
Yes: 70%
No: 30%
64. What clearance level does one need to access restricted areas?
None: 25%
Specified level: 75%
65. How are personnel authenticated into restricted areas?
Biometrics: 30%
Signature: 30%
Passwords: 35%
None: 5%

Cracks
66. Have you discovered any holes in the system?
Yes: 15%
No: 85%
67. Have you ever penetrated the security mechanism?
Yes: 15%
No: 85%
68. Have you discovered any glitches in any of your systems?
Yes: 45%
No: 55%
69. Were the glitches present when the system was acquired?
Yes: 95%
No: 5%

Social media
70. What information is public on your profile?
Name, telephone, email, workplace: 95%
Only name, others are private: 5%
71. Are your friends/followers able to access your private information?
Yes: 95%
No: 5%
72. Have you ever shared sensitive information?
Yes: 60%
No: 40%
73. Have you ever used a work email for social media?
Yes: 40%
No: 60%
74. Have you ever used your personal email for work functions?
Yes: 60%
No: 40%

5.3 Analysis of the results

The survey had 150 valid responses. The mean security score was 4 on a scale of 0 to 10. The observed standard deviation from the mean was 3. At a 95% confidence level, the margin of error was +/- 4.8. Therefore, the range for the true population mean security level was from 35.2 to 44.8.

Figure 1. The results as presented in a pie chart.

The results clearly show that the majority (more than half) of the employees were vulnerable to attacks. By calculation, only 60 of the 150 respondents were not vulnerable to attacks. The remaining 90 employees could easily be tricked into giving out passwords, have no active or updated antivirus on their computers, have shared their private details on social media and thus fall prey to social engineering, and have many other vulnerabilities. These results are shocking and paint an ugly picture of employees being mostly reckless and insecure, thus jeopardizing the security of the organization and, by extension, their own security.
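The figure above reports 90 of 150 respondents as vulnerable but gives no uncertainty for that proportion. The following Python, an added example that is not part of the proposal's analysis, computes a 95% normal-approximation interval for a survey proportion, applies the same calculation per weak practice over a constructed set of respondent records (not the paper's data), and shows how many respondents a chosen margin of error requires; the function names and record fields are this example's own.

```python
import math
from typing import Dict, List, Tuple

Z_95 = 1.96  # two-sided standard-normal quantile for a 95% confidence level

# Constructed respondent records (not the paper's raw data). Each key is a weak
# practice from the questionnaire; True means the respondent reported it.
RESPONSES: List[Dict[str, bool]] = [
    {"antivirus_outdated": True,  "shares_password": False, "opens_spam": True},
    {"antivirus_outdated": True,  "shares_password": False, "opens_spam": True},
    {"antivirus_outdated": False, "shares_password": True,  "opens_spam": False},
    {"antivirus_outdated": False, "shares_password": False, "opens_spam": False},
    {"antivirus_outdated": True,  "shares_password": True,  "opens_spam": True},
]


def proportion_ci(count: int, n: int, z: float = Z_95) -> Tuple[float, float, float]:
    """Point estimate and normal-approximation confidence bounds for a proportion.

    Returns (p, lower, upper) with the bounds clipped to [0, 1].
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    p = count / n
    margin = z * math.sqrt(p * (1 - p) / n)
    return p, max(0.0, p - margin), min(1.0, p + margin)


def practice_rates(responses: List[Dict[str, bool]]) -> Dict[str, Tuple[float, float, float]]:
    """For each weak practice, the share of respondents reporting it with its 95% bounds."""
    n = len(responses)
    return {key: proportion_ci(sum(1 for r in responses if r[key]), n)
            for key in responses[0]}


def vulnerable_share(responses: List[Dict[str, bool]],
                     min_weak_practices: int = 1) -> Tuple[float, float, float]:
    """Share of respondents reporting at least `min_weak_practices` weak practices."""
    vulnerable = sum(1 for r in responses if sum(r.values()) >= min_weak_practices)
    return proportion_ci(vulnerable, len(responses))


def minimum_sample_size(margin: float, p: float = 0.5, z: float = Z_95) -> int:
    """Respondents needed so the interval half-width is at most `margin`.

    p=0.5 is the conservative (worst-case) proportion.
    """
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    # The proposal's own headline figure: 90 of 150 respondents vulnerable.
    print("90/150 vulnerable:", proportion_ci(90, 150))
    for practice, (p, lo, hi) in practice_rates(RESPONSES).items():
        print(f"{practice}: {p:.0%} (95% bounds {lo:.0%} to {hi:.0%})")
    print("at least one weak practice:", vulnerable_share(RESPONSES))
    print("respondents for +/-5 points:", minimum_sample_size(0.05))
```

With the headline figure of 90 vulnerable out of 150, the interval is roughly 52% to 68%, so the "more than half" conclusion holds at the 95% level even after accounting for sampling error; the per-practice breakdown is what lets an organization rank which weakness to train against first.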

Figure 2. The level of awareness of employees towards vulnerabilities

Concerning the level of awareness of these vulnerabilities, it was observed that 53% of the employees were not aware of some of the active threats they faced daily at the workplace. Also, a discouraging 5% of employees were aware of these threats and vulnerabilities but turned a deaf ear and did not take corrective measures. This showed laxity on the part of users in dealing with occurrences of threats and also showed that most organizations do not sensitize their employees to the threats and vulnerabilities.

Under the technical threats category, most of the users in general were observed to be easy targets for phishing. In the user devices category, it was observed that a large number of the users exposed the organization to external threats by bringing their own devices to work; these devices were unsecured and could also contain malware. Concerning network security, more than half of the responses indicated that their networks were secured. This is primarily because it is mostly the administrators who are concerned with network security, which reduces the threats that would be introduced by employees. Under software and applications, it was noted that employees were exposing the organization to vulnerabilities by downloading software from untrusted sources and having no active or updated antivirus. Under malware, it was also noted that most users were easy prey for spam emails and were being used to forward potential spam emails.

Under the non-technical threats category, it was noted that more than half of the users reported good use of password policies by the administrators, that backups were done but not secured, and that proper physical access controls existed. Most of the users were not aware of holes in their software. In the last category, social media, users failed terribly by giving a little too much information for the public to see and by using work email accounts improperly.

5.4 Task 4: Comparison with Previous Studies

After comparing these results with the most up-to-date existing results, they are almost a 100% match. According to Weldon of www.fiercecio.com, a similar study done on 400 companies with 5000 employees revealed the existence of security vulnerabilities introduced by the users (Weldon, 2015). They reveal the shocking pattern of employees ending up as the weakest links in an organization's endeavors to secure its systems. It does, however, show that there are improvements compared to earlier years. It has also shown the continued efforts by organizations to improve the state of their security by bringing in more policies and rules to make it necessary for employees to adopt the security mechanisms.

This proposal benefits organizations in identifying areas in which users still lag behind or fall short of the expected security standards. It clearly shows the holes that have been left open by employees, so the organization can devise ways to close them. If left unaddressed, no matter how much the organization continues to invest in security measures, they can be undermined by a small mistake arising from the ignorance of employees, giving way to attackers. The proposal also brings to light some exploitable vulnerabilities on the administrator's side. From the findings, some administrators were noted to ignore the required security standards when dealing with matters such as the storage of media used for backups, failing to encrypt or password-protect such media, and failing to enforce password policies on users. Vulnerabilities on the administrator side can have catastrophic impacts on the organization due to the nature of the information administrators have access to and the access privileges they hold. The proposal also shows the organization the areas where it has done a good job in maintaining its security. Finally, it identifies the trends in the majority of users' behavior concerning their responsibility for system security and can thus help the organization plan tailored solutions to continually train its users.

 

6.0 Conclusion

People and organizations across the globe utilize information technology infrastructures for socioeconomic, political, and environmental support and benefits. These infrastructures should therefore be protected from information technology vulnerabilities in order to ensure that users continue to access and receive the supportive benefits they offer. This process should involve various procedures aimed at enhancing security measures. Foremost, the process of addressing and mitigating information technology vulnerabilities ought to involve understanding security risks and threats. These risks and threats, such as loss, theft, damage, and harm to data, are contained in private and organizational computers. The proposal has depicted the appropriate approach to fighting these vulnerabilities. The approach has focused on the human factor in the mitigation of these vulnerabilities. Though these vulnerabilities might result from other factors like system failure, inefficiency, and downtime, the human factor has been shown to play a colossal role in the vulnerability of IT systems.

The proposal has outlined the common vulnerabilities in IT systems today and how they are mitigated. A major fraction of the population, more than half, is ignorant of these vulnerabilities and thus prone to cyber-attacks. The results (at a 95% confidence level) depict the actual situation of organization systems and why companies experience frequent data loss or other forms of cyber-attack. The awareness levels differ, as shown in the proposal, though most enterprises have low awareness levels among their employees. The 53% of unaware employees expose the organizations to greater IT security risks and are the weakest links that can be manipulated by criminals. Even a fraction of those who are aware turn a deaf ear to the corrective measures that would improve IT security. The study has identified the employees as the weakest link to these IT vulnerabilities, in agreement with previous studies that have depicted the same results. Future research should concentrate on ways of reducing the employees' vulnerability. Future research plans will identify the best method to reduce these vulnerabilities (mitigated by employees) and the most appropriate way to implement these methods in current organization systems.

Information technology vulnerabilities are therefore serious incidents that can cause socioeconomic losses to national and international industrial sectors if they are not addressed and resolved quickly and efficiently.

References

Abraham, D. S., David, C., & Whitfield, D. (2013). Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy. Cyber Security and International Agreements, Internet Corporation for Assigned Names and Number.

Alexander, J., Podgorecki, A., & Shields, R. (n.d). Social engineering. New York: Cengage Learning.

Beard, S. (2011). Logic bomb. London: New York.

Beware of phishing— and vishing. (2006). Nursing Journal, 36(12), 66-71. doi:10.1097/00152193-200612000-00051

Caldwell, T. (2013). Risky Business: Why Security Awareness is Crucial for Employees. Retrieved on 28th Aug from: http://www.theguardian.com/media-network/media-network-blog/2013/feb/12/business-cyber-security-risks-employees 

Chandramouli, R. (2014). Deployment-Driven Security Configuration for Virtual Networks. 6th International Conference on Networks & Communications (NETCOM 2014). Chennai, India.

Christodorescu, M. (2006). Malware detection. New York: Springer.

Cook, D., Waugh, B., Abdipanah, M., Hashemi, O., & Abdul, R. S. (2014). Twitter Deception and Influence: Issues of Identity, Slacktivism, and Puppetry. Journal of Information Warfare, 13(1), 58-71.

Creswell, J. (2009). Research Design: Quantitative and Qualitative Approaches (3rd ed.). Thousand Oaks, CA: SAGE.

Creswell, J. W. (2003). Research Design: Qualitative, Quantitative, and Mixed Method Approaches. London, UK: SAGE.

Emmett, R. (2009). Trojan horses. New York: New American Library

Kakareka, A. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications.

Kent, K., & Souppaya, M. (2009). Guide to enterprise password management (draft). Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.

Khonji, M., Iraqi, Y., & Jones, A. (2012). Enhancing Phishing, E-Mail Classifiers: A Lexical URL Analysis Approach. International Journal for Information Security Research, 2(1/2), 236-245.

Sampemane, G. (2014). Internal access controls. Communications of the ACM, 58(1), 62-65. doi:10.1145/2687878

Security and Privacy Symposium and Workshops (SPSW). (2015). IEEE Symposium on Security and Privacy. European Security and Privacy Symposium Report.

U.S. Air Force (USAF). (2009). The Three Tenets of Cyber Security. U.S. Air Force Software Protection Initiative.

Viveca, A. (2005). Information Technology Challenges for Long-term Preservation of Electronic Information. International Journal of Public Information Systems.

Walker, W. (2005). The Strengths and Weaknesses of Research Designs Involving Quantitative Measures. Journal of Research in Nursing, 10(5), 571–582.

Yeh, Q. J., & Chang, A. J. T. (2007). Threats and countermeasures for information system security: A cross-industry study. Information & Management, 44(5), 480-491.