Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy

Shefiu Olusegun Ganiyu; Rasheed Gbenga Jimoh

Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy

Abstract

Allowing employees to use their personal devices to perform official and private tasks through computing strategy known as bring your own device BYOD portends numerous benefits and security risks. The risks could propagate to enterprise information systems through some risk factors. Realistically, organisations anticipated the risks by implementing arrays of countermeasures. However, the characteristics that defined the relationships between the risk factors and the technical security controls are yet to be established. In order to evolve the features, this study conducted content analysis on some literatures which were selected through criteria developed for the research. Thereafter, the exploration revealed five characteristics that cut across risk factors, technical controls and the relationships between the former and the latter. Precisely, the derived characteristics are crucial toward achieving realistic risk evaluation process in BYOD strategy. Furthermore, the study opened more research directions as the risks circumscribing the strategy continue to emerge as global security challenge to vital information assets.

Keywords

Risk Factor, Countermeasure, Bring Your Own Device (BYOD), Risk Evaluation, Security Controls

References

P. K. Gajar, A. Ghosh, and S. Rai. “Bring your own device (Byod): Security risks and mitigating strategies”, Journal of Global Research in Computer Science, Vol. 4, No. 4, pp. 62–70, 2013.
M. N. O. Sadiku, S. R. Nelatury, and S. M. Musa. “Bring your own device”, Journal of Scientific and Engineering Research, Vol. 4, No. 4, pp. 163–165,
H. Berger and J. Symonds. “Adoption of bring your own device in HE & FE institutions”, 11th International Organizations Conference on The changing face of Knowledge Management Impacting Society, Hagen, Germany, 25-28 July 2016. Management in
A. Ganguly and M. Mansouri. “Evaluating risks associated with extended enterprise systems (EES)”, IEEE Aerospace and Electronic Systems Magazine, Vol. 27, No. 5, pp. 4–10, 2012.
J. Bhattacharjee, A. Sengupta, C. Mazumdar, and M. methodology for enterprise information security risk analysis”, Proceedings of the CUBE International Information Technology Conference, Pune, India, pp. 809–815, 03-06 September 2012.
A. Scarfò. “New security perspectives around BYOD”, Proceedings of the Seventh International Conference on Broadband, Wireless Computing, Communication Victoria, Canada, pp. 446–451, 12-14 November 2012. Applications (BWCCA),
D. A. Arregui, S. B. Maynard, and A. Ahmad. “Mitigating BYOD information security risks”, Australasian Conference on Information Systems 2016, Woolongong, Australia, pp. 1–11, 05-07 December 2016.
M. Eslahi, M. V. Naseri, H. Hashim, N. M. Tahir, E. Hisham, and M. Saad. “BYOD: Current state and security challenges”, IEEE Symposium on Computer Applications & Industrial Electronics (ISCAIE), Penang, Malaysia, pp. 189–192, 7-8 April 2014.

A. Weeger and H. Gewald. “Factors influencing future employees’ decision-making to participate in a BYOD program: Does risk matters?”, Twenty Second European Conference on Information Systems, Tel Aviv, pp. 1–14, 9-14 June 2014.
N. Fani, R. VON Solms, and M. Gerbe. “Governing information security within the context of ‘ Bring Your Own Device in SMMEs’”, IST- Africa 2016 Conference Proceedings, Durban, South Africa, pp. 1–11, 11-13 May 2016.
H. Romer. “Best practices for BYOD security”, Computer Fraud and Security, Vol. 2014, No. 1, pp. 13–15, 2014.
M. Rausand. Risk assessment: Theory, methods and applications. 1st ed. New Jersey: Wiley- Blackwell, 2011.
R. L. Carroll. Enterprise risk management: A framework for success, Technical report. ASHRM, 2014.
J. P. Kindinger and J. L. Darby. “Risk factor analysis — A new qualitative risk management tool”, Proceedings of the project management institute annual seminars & symposium, Houston, Texas, 7–16 September 2000.
J. Luo and M. Kang. “Risk based mobile access control (RiBMAC) policy framework”, The 2011 Military Communications Conference, Baltimore, MD, pp. 1448–1453, 7-10 November 2011.
Y. Zhu, L. Shi, and K. W. Hipel. “The identification of risk factors in brownfield redevelopment: An empirical study”, 2012 IEEE International Conference on Systems, Man, and Cybernetics, Seoul, Korea, pp. 2429–2434, 14-17 October 2012.
R. Kissel. Glossary of key information security terms, Technical report. NIST IR 7298, April, 2006.
A. Behnia, R. A. Rashid, and J. A. Chaudhry. “A survey of information security risk analysis methods”, The Smart Computing Review, Vol. 2, No. 1, pp. 79–94, 2012.
J. Shenk. Layered security: Why it works. Technical report. SANS Institute, 2013.
J. Thielens. “Why APIs are central to a BYOD security strategy”, Network Security, Vol. 2013, No. 8, pp. 5–6, 2013.
A. S. Reddy. Making BYOD work for your organization. Technical report. Teanect, NJ, 2012.
A. D. Rivera, G. George, P. Peter, S. Muralidharan, and S. Khanum. “Analysis of security controls for BYOD (bring your own device)”, The University of Melbourne (Minerva Access), 2013.
B. Tokuyoshi. “The security implications of BYOD”, Network Security, Vol. 2013, No. 4, pp. 12–13, 2013.
M. Ketel and T. Shumate. “Bring Your Own Device: Proceedings - IEEE SOUTHEASTCON, Fort Lauderdale, Florida, 9-12 April 2015. Conference
K. AlHarthy and W. Shawkat. “Implement network security control solutions in BYOD environment”, 2013 IEEE International Conference on Control System, Computing and Engineering, ICCSCE 2013, Penang, Malaysia, pp. 7–11, 29 November- 1 December 2013.
Y. Dong, J. Mao, H. Guan, J. Li, and Y. Chen. “A virtualization solution for BYOD with dynamic platform context switching”, IEEE Micro, Vol. 35, No. 1, 2015.
W. Peng, F. Li, K. J. Han, X. Zou, and J. Wu. “T- dominance: Prioritized defense deployment for BYOD security”, 2013 IEEE Conference on Communications and Network Security, CNS 2013, National Harbor, MD, USA, pp. 37-45, 14-16 October 2013.
N. F. Schneidewind. “Predicting risk as a function of risk factors”, Proceedings of the 2005 29th Annual Workshop (SEW’05), Greenbelt MD, USA, pp. 131– 141, 6-7 April 2005. Software Engineering
H. Sato. “A new formula of information security risk analysis that takes risk improvement factor into account”, International Conference on Privacy, Security, Risk, and Trust, and IEEE International Conference on Social Computing, Boston, MA, USA, pp. 1243–1248, 9-11 October 2011.
R. A. Miura-ko and N. Bambos. “Dynamic risk mitigation in computing infrastructures”, Third International Symposium on Information Assurance and Security, Manchester, UK, pp. 325–328, 29-31 August 2007.
R. Edwards. New mobile workspaces and the business value of a shift to user centric computing. Technical report. Ovum, 2014. [32] M. Dhingra.
“Legal Issues in Secure
Implementation of Bring Your Own Device”,
Procedia Computer Science, Vol. 78, No. December
, pp. 179–184, 2016.
T. Oktavia, Y. Tjong, H. Prabowo, and Meyliana. “Security and privacy challenge in bring your own device environment : A systematic literature review”, International Conference on Information Management Bandung, Indonesia, pp. 194–199, 16-18 November 2016. Technology (ICIMTech),
S. Ali, M. N. Qureshi, and A. G. Abbasi. “Analysis of BYOD Security Frameworks”, 2015 Conference on Information Assurance and Cyber Security (CIACS), Rawalpindi, Pakistan, pp. 56–61, 18-18 December 2015.
J. D’Arcy and A. Hovav. “Does one size fit all? Examining the differential effects of IS ecurity countermeasures”, Journal of Business Ethics, Vol. 89, No. Suppl 1, pp. 59–71, 2009.
R. Kumar and H. Singh. “A proactive procedure to mitigate the BYOD risks on the security of an information system”, ACM SIGSOFT Software Engineering. Notes, Vol. 40, No. 1, pp. 1–4, 2015.
S. Tanimoto, S. Yamada, M. Iwashita, T. Kobayashi, H. Sato, and A. Kanai. “Risk assessment of BYOD : Bring your own device”, 2016 IEEE 5th Global Conference on Consumer Electronics, Mielparque Kyoto, Kyoto, Japan, pp. 16–19, 11-14 October 2016.
G. Disterer and C. Kleiner. “BYOD bring your own device”, Centeris 2013 Conference on Enterprise Information Systems, Lisbon, Portugal, pp. 43–53, 23-25 October 2013.
A. B. Garba, J. Armarego, and D. Murray. “A policy-based framework for managing BYOD environments”, International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), Vol. 4, No. 2, pp. 189–198, 2015.
V. Samaras, S. Daskapan, R. Ahmad, and S. K. Ray. “An enterprise security architecture for accessing SaaS cloud services with BYOD”, 2014 Australasian Telecommunication Networks and Applications Conference (ATNAC), Southbank, VIC, pp. 129–134, 26-28 November 2014.
T. A. Yang, R. Vlas, A. Yang, and C. Vlas. “Risk management in the era of BYOD the quintet of technology adoption, controls, liabilities, user perception, and user behavior”, 2013 International Conference on Social Computing (SocialCom), Alexandria, VA, USA, pp. 411–416, 8-14 September 2013.
C. Rathnasekara, T. Athukorala, L. Dikwellage, U. Wickramasuriya, A. Senarathne, and S. Elvitigala. “Securing corporate data in mobile devices in a COPE environment”, 6th National Conference on Technology and Management (NCTM), Malabe Sri Lanka, pp. 120–125, 27-27 January 2017.
R. Ogie. “Bring Your Own Device: An overview of risk assessment”, IEEE Consumer Electronics Magazine, Vol. 5, No. 1, pp. 114–119, 2016.
M. Souppaya and K. Scarfone. Guidelines for managing the security of mobile devices in the enterprise. Technical report. NIST Special Publication 800-124, 2013.
G. Eschelbeck. BYOD risks and rewards. Technical report. Sophos White paper. 2013.
K. Hajdarevic, P. Allen, and M. Spremic. “Proactive security metrics for bring your own device environments”, 2016 24th Telecommunications Forum (TELFOR), Belgrade Serbia, pp. 1–4, 22-23 November 2016. ISO 27001 supported
A. Murray. Mobile application management (MAM) has put MDM in its place. Available: http://www.networkworld.com/article/2189066/tech -primers/mobile-application-management--mam-- has-put-mdm-in-its-place.html. Latest Access Time for the website is 15 February 2015.
D. Dang-Pham and S. Pittayachawan. “Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A Protection motivation Security,.Vol. 48, No. 2015, pp. 281–297, 2015.
IRS. (2012, September). Safeguards technical assistance memorandum protecting federal tax information environment. http://www.irs.gov/uac/Safeguards-Technical- Assistance-Memorandum-Protecting-Federal-Tax- Information-FTI-within-a-Mobile-Device- Environment. within [Online]. device Available:
SAP. Bring your own device (BYOD) policy guidebook questions to ask and best practices to consider. Techical report. SAP 50 112 803 (12/04),
M. Levitt. Yes MAM: How mobile device management plus mobile application management protects and addresses BYOD. Strategic Analytics. Available: http://www.business.att.com/content/whitepaper/SA -whitepaper-mobile-application-management.pdf. Latest Access Time for the website is 2 March 2015.
M. Harkins, Managing risk and information security. New York City: Apress, 2013, pp. 87–102.
D. I. G. Amalarethinam and V. J. Nirmal. “SECCON : A framework for applying access control networks”, 2014 World Congress on Computing and Communication Trichrappalli, India, pp. 268–270, 27 February – 1 March 2014. context-aware wireless Technologies (WCCCT),
O. Moonian, K. K. Khedo, and S. Baichoo. “A secure data access model for the Mauritian healthcare service”, Ist Africa 2014 Conference Proceedings, Le Meridien Ile Maurice, Mauritius, pp. 1–9, 7-9 May 2014.
M. E. Mbalanya. Bring your own device and corporate information technology security: Case of firms listed on the Nairobi securities exchange limited. M.Sc. Thesis, School of Business, University of Nairobi, 2013.
G. Fischer. “Context-aware systems: the ‘ right ’ information , at the ‘ right ’ time , in the ‘ right ’ place , in the ‘ right ’ way , to the ‘ right ’ person”, Advanced Visual Interfaces International Working Conference, Capri Island (Naple), Italy, pp. 287– 294, 27-29 May 2012.
K. Wrona and L. Gomez. “Context-aware security and computing environments”, Proceedings of the XXI Autumn Meeting of Polish Information Processing Society, Wisla, Poland, pp. 255–265, 5-9 December 2005.
W. Kelly. Four stages to conquer mobile content management. Available: http://www.techr epubl i c.com/ar ti cl e/four stages to conquer mobi l e content management/. Latest Access Time for the website is 14 February 2015.
J. Tay. Bring your own device (BYOD) is here to stay, but what about the risks? 2012. [Online]. Available: http://cxounplugged.com/2012/06/byod- mam-mdm-what-are-risks/. Latest Access Time for the website is 8 February 2016.
N. Singh. “B.Y.O.D. genie is out ff the bottle – ‘Devil or Angel,’” Journal of Business Management & Social Sciences Research (JBM&SSR), Vol. 1, No. 3, pp. 1–12, Dec. 2012.
Citrix. Best practices to make BYOD simple and secure. Citrix White paper, Fort Lauderdale, FL, USA. 0312/BYODGUIDE, 2012.
E. Knorr. What desktop virtualization really means. infoworld.com/article/2627220/vdi/what-desktop- virtualization-really-means.html. Time for the website is 14 March 2015. http://www. Latest Access
B. Posey. User environment virtualization leaves roaming http://searchvirtualdesktop.techtarget.com/feature/U ser-environment-virtualization-leaves-roaming- profiles-in-the-dust. Latest Access Time for the website is 12 February 2015. dust. Available:
B. Madden. Let's make it official and call it "user virtualization". Available: http://www.brianmadden. com/blogs/brianmadden /archive/2010/09/30/let-s- make-it-official-and-call-it-quot-user-virtualization- quot.aspx. Latest Access Time for the website is 10 February 2015.

Details

Primary Language

English

Subjects

-

Journal Section

-

Authors

Shefiu Olusegun Ganiyu This is me

Rasheed Gbenga Jimoh This is me

Publication Date

March 1, 2018

Submission Date

-

Acceptance Date

-

Published in Issue

Year 2018 Volume: 7 Number: 1

IZ

https://izlik.org/JA68MS63GJ

Cite

RIS / Bibtex

APA

Ganiyu, S. O., & Jimoh, R. G. (2018). Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy. International Journal of Information Security Science, 7(1), 49-59. https://izlik.org/JA68MS63GJ

AMA

1.Ganiyu SO, Jimoh RG. Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy. IJISS. 2018;7(1):49-59. https://izlik.org/JA68MS63GJ

Chicago

Ganiyu, Shefiu Olusegun, and Rasheed Gbenga Jimoh. 2018. “Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy”. International Journal of Information Security Science 7 (1): 49-59. https://izlik.org/JA68MS63GJ.

EndNote

Ganiyu SO, Jimoh RG (March 1, 2018) Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy. International Journal of Information Security Science 7 1 49–59.

IEEE

[1]S. O. Ganiyu and R. G. Jimoh, “Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy”, IJISS, vol. 7, no. 1, pp. 49–59, Mar. 2018, [Online]. Available: https://izlik.org/JA68MS63GJ

ISNAD

Ganiyu, Shefiu Olusegun - Jimoh, Rasheed Gbenga. “Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy”. International Journal of Information Security Science 7/1 (March 1, 2018): 49-59. https://izlik.org/JA68MS63GJ.

JAMA

1.Ganiyu SO, Jimoh RG. Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy. IJISS. 2018;7:49–59.

MLA

Ganiyu, Shefiu Olusegun, and Rasheed Gbenga Jimoh. “Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy”. International Journal of Information Security Science, vol. 7, no. 1, Mar. 2018, pp. 49-59, https://izlik.org/JA68MS63GJ.

Vancouver

1.Shefiu Olusegun Ganiyu, Rasheed Gbenga Jimoh. Characterising Risk Factors and Countermeasures for Risk Evaluation of Bring Your Own Device Strategy. IJISS [Internet]. 2018 Mar. 1;7(1):49-5. Available from: https://izlik.org/JA68MS63GJ