
Linköping University | IDA – Department of Computer and Information Science Bachelor Thesis | Information Technology Spring term 2017 | LIU-IDA/LITH-EX-G--17/058--SE

Survey of companies internal security

Elina Lundberg and Cecilia Malmrud

Supervisor: Marcus Bendtsen
Examiner: Nahid Shahmehri


Copyright (Swedish notice)

This document is kept available on the Internet, or its future replacement, for 25 years from the date of publication, provided that no extraordinary circumstances arise.

Access to the document implies permission for anyone to read, download and print single copies for personal use, and to use it unchanged for non-commercial research and for teaching. Transfer of the copyright at a later date cannot revoke this permission. All other use of the document requires the consent of the author. To guarantee authenticity, security and accessibility, there are solutions of a technical and administrative nature.

The author's moral rights include the right to be named as the author, to the extent required by good practice, when the document is used in the manner described above, and protection against the document being altered or presented in a form or context that is offensive to the author's literary or artistic reputation or integrity.

For further information about Linköping University Electronic Press, see the publisher's home page: http://www.ep.liu.se/.

Copyright

The publishers will keep this document online on the Internet – or its possible replacement – for a period of 25 years starting from the date of publication barring exceptional circumstances.

The online availability of the document implies permanent permission for anyone to read, to download, or to print out single copies for his/her own use and to use it unchanged for non-commercial research and educational purpose. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility.

According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement.

For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/.


Students in the 5 year Information Technology program complete a semester-long software development project during their sixth semester (third year). The project is completed in mid-sized groups, and the students implement a mobile application intended to be used in a multi-actor setting, currently a search and rescue scenario. In parallel they study several topics relevant to the technical and ethical considerations in the project. The project culminates by demonstrating a working product and a written report documenting the results of the practical development process including requirements elicitation. During the final stage of the semester, students create small groups and specialise in one topic, resulting in a bachelor thesis. The current report represents the results obtained during this specialisation work. Hence, the thesis should be viewed as part of a larger body of work required to pass the semester, including the conditions and requirements for a bachelor thesis.


Abstract

This survey aimed to examine and analyze six companies’ internal security. Six interviews were held with companies of different sizes, where the size of the office ranged from under ten to around 800 employees. The interviews contained questions regarding their information security, their perimeter security as well as the employees’ personal security. The larger companies had more policies and security procedures than the smaller companies. Virus protection, banning USB flash drives from outside the company, security education and a well-functioning reporting system are vital for satisfactory internal security.

Interviewees from the smaller companies saw internal security principles as a necessity but also as an obstacle. The larger companies saw the same principles as something that would improve their security. These companies had also implemented more safety measures, both in software, such as remote control, and in guidelines for employees. Targeting problem areas with special educational campaigns helps employees defend themselves against social engineering.

All companies that participated either develop software or are IT consultancies. They deliver IT solutions in one way or another, and their internal security should reflect the same high standard and IT maturity. The smaller companies did not perform any risk analyses of which threats their company faces and did not have any safeguards in place if their employees do not conduct themselves correctly on their networks. Our opinion is that this should not be limited by the size of a company, and all companies should perform risk analyses to be able to improve their internal security in the future.


Acknowledgements

We would like to thank our supervisor Marcus Bendtsen, Hanna Sterneling, Elias Alesand and our opponents Per Lindström and Oscar Pap. We would like to direct a special “thank you” to the participating companies for giving us their time and letting us conduct our interviews.

“Safety First” is “Safety Always.”

– Charles M. Hayes


Contents

List of tables
List of figures
1 Introduction
    1.1 Motivation
    1.2 Aims
    1.3 Delimitations
    1.4 Outline
2 Theory
    2.1 Agile software development
        2.1.1 Scrum
        2.1.2 Kanban
    2.2 Waterfall method
    2.3 Design principles
        2.3.1 Least privilege
        2.3.2 Fail-safe Defaults
        2.3.3 Psychological acceptability
    2.4 Risk analysis
        2.4.1 Mini risk
        2.4.2 ISO
    2.5 Computer viruses and remote control
    2.6 Operating systems
3 Methodology
    3.1 Choice of method
    3.2 Preparing for the interviews
    3.3 Conducting the interviews
4 Results
    4.1 Approach to security
    4.2 Secure exchange with customers
    4.3 Risk analysis
    4.4 Technical aspect on security
    4.5 Trade-offs
    4.6 Employment
    4.7 Termination of employment
5 Discussion
    5.1 Method
    5.2 Approach to security
    5.3 Secure exchange with customers
    5.4 Risk analysis
    5.5 Technical aspect on security
    5.6 Trade-offs
    5.7 Employment
    5.8 Termination of employment
    5.9 Additional information
6 Conclusion
References
Appendices
    A Interview questions in English
    B Interview questions in Swedish
    C Summary Company A
    D Summary Company B
    E Summary Company C
    F Summary Company D
    G Summary Company E
    H Summary Company F


List of Tables

2.1 The mini risk analysis table
4.1 A visualization of the companies’ approach to security
4.2 A visualization of the companies’ means to uphold secure exchange with customers
4.3 A visualization of the companies’ views on risk analysis
4.4 A visualization of technical aspects of security
4.5 A visualization of the companies’ views on the security vs efficiency trade-off
4.6 A visualization of the situation regarding employment
4.7 A visualization of the situation regarding termination of employment


List of Figures

2.1 Agile software development
2.2 Difference between sequential tasks and multi-tasking
2.3 The waterfall method


1 | Introduction

By the year 2020 it is expected that up to 30 billion devices will be connected to the Internet [1]. All of them are vulnerable and face the threat of interception, hacking and hostile takeover. Aside from the everyday person, this also puts a lot of companies at risk. But how well are the companies and their employees protected? Does every company have the same kind of policies regarding security? To try to answer these questions and more, a survey was conducted with the aim of examining and analyzing a sample of companies’ internal security in Linköping, Sweden.

1.1 Motivation

A company’s security depends on many factors, and not all of these can be categorized as outside circumstances. The US Computer Emergency Response Team (CERT) estimated in 2008 that almost 40% of breaches in IT security are executed by employees [2]. They list malicious cyberattacks, social engineering, downloading malicious internet content, information leakage and illegal activities as the top five largest internal security threats. A study conducted by Intel in 2015 stated that 43% of serious data breaches were perpetrated by internal actors [3]. They also found that in 68% of the data breach incidents the data retrieved by the perpetrators was serious enough to have negative financial impact or demand public admission. A survey conducted by PwC and commissioned by HM Government [4] stated that 90% of large organizations and 74% of small organizations in the UK reported that they had suffered security breaches in 2015. They report that the worst security breach for a large organization costs on average £1.46 - £3.14 million.

Working towards improving the internal security is paramount to uphold a company’s reputation and keep the security level of their operation at the desired standard. As stated, breaches cost companies a lot of money each year and occur at small and big companies alike. Studying companies’ internal security further benefits the work on improving the same.

1.2 Aims

The main intention with this thesis is to analyze different companies’ internal security. These are the questions we aim to answer:

• How well are the employees’ units protected, and are there any policies and mechanisms preventing the employees from misconduct?

• What are the differences between the companies’ views on internal security, and how are they implemented?

• Do the companies have a special point of view regarding internal security during hiring and termination of employment?


1.3 Delimitations

The study is based on six interviews and reflects the results from these interviews. Aside from the number of interviews, this survey also had to adapt itself to a time limit.

All of the companies had an office located in Linköping, since face-to-face surveys deliver the most representative results [5] when conducting qualitative interviews. One interview was conducted by telephone, which is considered a good alternative, since the company representative worked at a different location. Apart from some theoretical research and the interviews, no other information was obtained.

1.4 Outline

The structure of this report is as follows. Chapter 2 explains the theory mentioned by the interviewees, e.g. risk analysis methods and agile software development. The choice of method as well as the preparation and conduct of the interviews is explained in Chapter 3. Chapter 4 first gives a brief presentation of the companies, and then the results from the interviews are presented. A discussion of the results and the corresponding theory, as well as of the choice of method, can be found in Chapter 5. Lastly, Chapter 6 contains this survey’s conclusions.

Additional information can be found in the appendices. The interview guide can be seen in Appendix A in English and in Swedish in Appendix B. A more rigorous description of the companies A-F can be found in Appendix C-H respectively.


2 | Theory

In this chapter we describe all of the theory collected during this survey. In Section 2.1 two agile software development techniques are covered. One non-agile software development technique is described in Section 2.2. All of these techniques were discussed by the companies during their interviews. Some companies also worked according to different design principles. Three conventional design principles that are the most similar to those used by the companies are presented in Section 2.3. Furthermore, risk analysis is described in Section 2.4, followed by some risk analysis tools used by the companies: mini risk in Section 2.4.1 and the different types provided by ISO in Section 2.4.2. All of the interviews also covered the subject of computer viruses and remote control. Theory regarding this subject can be found in Section 2.5. Lastly, some of the companies had strict policies regarding which operating system their employees were allowed to use on their units. Some theoretical background regarding this matter can be found in Section 2.6.

2.1 Agile software development

Agile software development [6] methods have evolved from incremental software development. Agile software development uses a fixed set of principles. The solutions and requirements grow and expand through collaborative work in cross-functional and self-coordinating teams. Agile software development has its emphasis on adaptive planning and repeated improvement, and urges responding rapidly and flexibly to change. These principles are the foundation of agile software development and are used as a supporting tool for the continuous evolution of the many methods out there. The term agile was coined in 2001 in the Manifesto for Agile Software Development (Agile Manifesto), which describes the values honored by agilists:

• Individuals and interactions over processes and tools

• Working software over comprehensive documentation

• Customer collaboration over contract negotiation

• Responding to change over following a plan

These values mean that motivating individuals, pair programming and self-organization are important. Co-location¹ is used to ensure easy communication paths, preferably face-to-face conversation. The emphasis on working software is because this is more useful and valuable than presenting the clients with documents. This working software should be delivered to the client frequently. Working continuously with the client and stakeholders² to keep them involved is used to collect requirements during the software development cycle. This is treated favorably even in late stages of development. Agile methods focus on quickly responding to changes and on sustainable and continuous development; this helps to keep up a constant pace. Cooperation between developers and stakeholders should take place daily. Agile software development upholds customer satisfaction by continuous and prime delivery. Agilists believe that self-organizing teams produce the best designs and architectures.

¹ The act of placing multiple entities within a single location.
² A person, group or organization with an interest in a project.


All this is upheld by regularly reflecting, together in the team, on their own effectiveness and adjusting their work procedures appropriately. The agile methods can be visualized through a circular sequence of events, as illustrated in Figure 2.1. First the team develops functionality, directly followed by the first stage of integration and testing. This is repeated until the product is ready to reveal to the client, or until the iteration time, specified beforehand, is up. A demo release is performed, followed by feedback from the client. Afterwards the necessary changes are made and the system is tested. If all functionalities are complete the product is finished; otherwise another iteration is begun.

Figure 2.1: Agile software development

2.1.1 Scrum

Scrum is a tool created in the early 1990s for software development in order to help people address complex adaptive problems and at the same time productively and creatively deliver products of the highest possible value. Scrum is said to be simple to understand but difficult to master, according to Schwaber and Sutherland’s Scrum guide [7].

In order for a team to use Scrum, different roles must be handed out. The Scrum Team consists of a Product Owner, the Development Team and a Scrum Master. Scrum is built from Sprints, time-boxes of one month or less, in which some pre-decided implementations are supposed to be completed. After a Sprint has been concluded, a new one starts immediately.

2.1.2 Kanban

The agile software development method Kanban is used for managing knowledge work in order to balance the available work capacity with demand. This method is very similar to Scrum in many ways, with one difference: the Sprints do not have a pre-decided length.

Scotland states in his ”Aspects of Kanban” [8] that Kanban measures productivity in terms of cycle time and throughput of valuable units of work. Both cycle time and throughput can be improved by decreasing the amount of work in progress during a Sprint. There is also a connection between lost time and task switching; a conclusion from this is that fewer tasks mean less time lost. With this in mind, tasks in Kanban are performed by multi-tasking, but fewer tasks lead to a more sequential way of working. That this is the optimal choice can be seen in Figure 2.2. The x-axis illustrates time and the different blocks marked A, B and C are tasks. The upper row of tasks represents multi-tasking and the row underneath the timeline represents sequential tasks. The sequential way of working yields results sooner, since switching tasks when multi-tasking takes up additional time.

Figure 2.2: Difference between sequential tasks and multi-tasking

2.2 Waterfall method

Contrary to the agile methods, the waterfall model, according to Royce [9], is a sequential and non-iterative design process. In this method the progress in the process is seen as a downward flowing motion, like a waterfall. It moves through the phases in order, starting with system and software requirements, as seen in Figure 2.3.

Figure 2.3: The waterfall method (phases: System and software requirements, Analysis, Program design, Coding, Testing, Operation and maintenance)

The system and software requirements are captured in a product requirements document and the analysis results in models, schemes, and business rules. The program design culminates in the software architecture. In the coding segment of the waterfall lies the development, proving, and integration of software. After this the testing occurs with the systematic discovery and debugging of defects. Lastly there is operations, overseeing the running of computer systems, and maintenance of the system which includes installation, migration and support.


the fact that in some industries, for example manufacturing and construction, it is excessively high-priced to change anything afterwards. This method was adapted from hardware-oriented work to software development.

2.3 Design principles

Design principles [11] are security principles for the design of a product or a system. These principles do not replace risk analysis, and are products of experience. They circle around two common words: simplicity and restriction. Design principles are a set of practices derived from real-life experience to help software developers build more secure software. The three design principles that were the most similar to what the interviewees described are presented further below. Other examples of design principles are economy of mechanism, complete mediation, open design and separation of privilege.

2.3.1 Least privilege

When working with the design principle of least privilege [12], a subject should only be granted those privileges necessary for it to complete its task. The function of the subject, and not its identity, should control the assignment of rights. This design principle uses the concept of "need to know": if a subject does not need access to perform a task, it should not be granted this access. Additional privileges should only be added when necessary and then removed when they are no longer needed. This includes user privileges and resource permissions such as CPU limits, memory, network and file system permissions.

2.3.2 Fail-safe Defaults

The design principle fail-safe defaults [13] declares that unless a subject is given explicit access to an object, it should be denied access to that object. This design principle limits how rights are decided when subjects or objects are created, and implies that the standard should not be to grant access but preferably to deny access. Additionally, if the subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates. As a result the system is still safe even if the program fails.
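As an added illustration of the two principles in Sections 2.3.1 and 2.3.2 (example code, not from the thesis), a small default-deny access check in Python: rights hang off the function a subject performs rather than its name, anything not explicitly granted is denied, and a right granted temporarily for one task is removed again even when the task fails. The role names, resources and actions are constructed.

```python
"""Least privilege and fail-safe defaults as a small access-control model.

Constructed example: three job functions, a few resources and actions.
"""
from contextlib import contextmanager
from dataclasses import dataclass, field

# Rights are attached to the function (role) a subject performs, never to its name.
ROLE_GRANTS = {
    "developer": {("repo", "read"), ("repo", "write"), ("ci", "read")},
    "release-manager": {("repo", "read"), ("ci", "read"), ("ci", "deploy")},
    "auditor": {("repo", "read"), ("ci", "read"), ("audit-log", "read")},
}


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    # Extra rights granted for one task only; they must disappear when the task ends.
    temporary: set = field(default_factory=set)


def is_allowed(subject, resource, action):
    """Fail-safe default: any (resource, action) not explicitly granted is denied.

    Unknown roles contribute no rights at all, so a typo in a role name
    cannot silently widen access.
    """
    wanted = (resource, action)
    if wanted in subject.temporary:
        return True
    return any(wanted in ROLE_GRANTS.get(role, set()) for role in subject.roles)


@contextmanager
def elevated(subject, resource, action):
    """Add one right for the duration of a task and always remove it afterwards,
    whether the task returned normally or raised (the undo step of fail-safe defaults)."""
    right = (resource, action)
    subject.temporary.add(right)
    try:
        yield subject
    finally:
        subject.temporary.discard(right)


def run_deploy(subject, fail=False):
    """A task that needs ("ci", "deploy") only while it runs.

    Returns (allowed_during_task, allowed_after_task) so the cleanup can be checked.
    """
    if is_allowed(subject, "ci", "deploy"):
        during = True  # already part of the subject's function; no elevation needed
    else:
        try:
            with elevated(subject, "ci", "deploy"):
                during = is_allowed(subject, "ci", "deploy")
                if fail:
                    raise RuntimeError("deployment step failed")
        except RuntimeError:
            pass  # the failure is reported by the caller; the right is already gone
    return during, is_allowed(subject, "ci", "deploy")


if __name__ == "__main__":
    dev = Subject("alice", {"developer"})
    print(is_allowed(dev, "repo", "write"))      # True: part of the developer function
    print(is_allowed(dev, "audit-log", "read"))  # False: not needed for that function
    print(run_deploy(dev, fail=True))           # (True, False): right removed after failure
```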

2.3.3 Psychological acceptability

The human element in computer science is recognized in this design principle [14]. Security mechanisms should be easy and intuitive to use. This makes it easier for users to automatically and routinely apply the security mechanisms in a correct way. This security principle states that security mechanisms may add some extra burden, but only if it is both minimal and reasonable.

2.4 Risk analysis

The broad definition of risk analysis is that it includes risk assessment, risk characterization, risk communication, risk management and policies relating to risk, in the context of risks of concern to individuals, to public- and private-sector organizations, and to society at a local, regional, national, or global level, according to the Society for Risk Analysis [15].

Risk analysis is, according to Rausand [16], categorized as one of two things: qualitative or quantitative. Qualitative risk analysis evaluates risks through the use of words or colors or through a written description. Quantitative risk analysis, QRA, can be determined through calculating numerical probabilities over the possible consequences. QRA is often composed of a way to answer three questions:


• How likely is it that it will happen?

• If it happens, what are the consequences?

There are a few key steps involved when conducting a risk analysis, according to Janssen and Janssen [17]. To begin with, potential threats are identified. After that, the risks are assessed with either a quantitative or a qualitative risk analysis method. The risk is then calculated by multiplying the impact with the likelihood of occurrence. Risk analysis tools mentioned during the interviews were mini risk and different ISO families. These will be described in Section 2.4.1 and Section 2.4.2 respectively.

2.4.1 Mini risk

Mini risk [18] is a risk analysis tool where you only use one piece of paper, ergo a minimalistic risk analysis. On this paper you draw three columns and label them assets, threats and vulnerabilities, as seen in Table 2.1. The first column should contain the highest-priority assets and the supporting business processes. In the second column the threats that are most likely to cause harm to the highest-priority assets are listed. Lastly, in the third column, the most vulnerable items in need of adjustment are written down. This risk analysis tool was developed to be a quick and easy way to estimate risks, using only one sheet of paper. It does not iterate to build on the solutions found, nor does it have a tool to find more hidden threats. The method forces companies to prioritize, since there is only room for five items per column.

Table 2.1: The mini risk analysis table

Assets | Threats | Vulnerabilities
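The key steps of Section 2.4 (identify threats, rate them qualitatively or numerically, risk = impact × likelihood) carried through to the five-row mini risk sheet of Section 2.4.1, as an added Python example that is not part of the thesis. The rating scale and the sample register are constructed; the threat types in it are the internal threats named in Section 1.1.

```python
"""Risk = impact x likelihood, then prioritized into a mini risk sheet.

Constructed example; the 0..3 rating scale and the sample register are assumptions.
"""

# Qualitative words mapped to numbers so qualitative and quantitative inputs can mix.
SCALE = {"low": 1, "medium": 2, "high": 3}
MINI_RISK_ROWS = 5  # the one-sheet method leaves room for five items per column


def rating(value):
    """Accept a qualitative word or a number on the same 0..3 scale."""
    if isinstance(value, str):
        try:
            return SCALE[value.strip().lower()]
        except KeyError:
            raise ValueError(f"unknown qualitative rating: {value!r}") from None
    if not 0 <= value <= 3:
        raise ValueError(f"numeric rating {value} outside 0..3")
    return value


def risk_score(impact, likelihood):
    """The calculation step: impact multiplied by likelihood of occurrence."""
    return rating(impact) * rating(likelihood)


def rank_threats(threats):
    """Return (score, threat) pairs, highest risk first; ties keep input order."""
    scored = [(risk_score(t["impact"], t["likelihood"]), t) for t in threats]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def mini_risk_sheet(threats):
    """Fill the three columns from the top-ranked threats, at most five rows each.

    Columns are independent lists (as on the paper sheet), so a threat that
    endangers two assets appears once in the threat column.
    """
    sheet = {"assets": [], "threats": [], "vulnerabilities": []}
    columns = (("assets", "asset"), ("threats", "threat"), ("vulnerabilities", "vulnerability"))
    for _, t in rank_threats(threats):
        for column, key in columns:
            if t[key] not in sheet[column] and len(sheet[column]) < MINI_RISK_ROWS:
                sheet[column].append(t[key])
    return sheet


# Constructed sample register; threat types are the internal threats listed in Section 1.1.
SAMPLE_THREATS = [
    {"asset": "customer source code", "threat": "information leakage",
     "vulnerability": "USB flash drives from outside allowed", "impact": "high", "likelihood": "medium"},
    {"asset": "employee laptops", "threat": "downloading malicious internet content",
     "vulnerability": "outdated antivirus", "impact": "medium", "likelihood": "high"},
    {"asset": "employee credentials", "threat": "social engineering",
     "vulnerability": "no security education", "impact": "high", "likelihood": "high"},
    {"asset": "office network", "threat": "malicious cyberattack",
     "vulnerability": "unmanaged remote connections", "impact": "high", "likelihood": 1},
    {"asset": "internal wiki", "threat": "illegal activities",
     "vulnerability": "no reporting system", "impact": "low", "likelihood": "low"},
    {"asset": "build server", "threat": "malicious cyberattack",
     "vulnerability": "unnecessary services enabled", "impact": "medium", "likelihood": "medium"},
]

if __name__ == "__main__":
    for score, t in rank_threats(SAMPLE_THREATS):
        print(f"{score:>4}  {t['threat']:<40} {t['asset']}")
    print(mini_risk_sheet(SAMPLE_THREATS))
```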

2.4.2 ISO

The ISO (International Organization for Standardization) is composed of representatives from different national standards organizations and is an international entity that composes standards. ISO advocates worldwide proprietary, industrial and commercial standards in a wide range of subjects.

A lot of companies invest considerable resources to obtain certification under one of the ISO standards, ISO 9000. ISO 9000 concerns the fundamentals of quality management systems. The ISO 9000 family of quality management systems standards is designed to help organizations ensure that they meet the needs of customers and other stakeholders. Although the method is widely spread internationally, it is surrounded by controversy and criticism. Still, the certificate is very often viewed as a tool for a company to stay competitive on domestic and international markets. Furthermore, the late 1990s saw remarkable growth in the acceptance of ISO 9000 quality standards. ISO 31000 is another ISO family that consists of standards relating to risk management. It covers principles and guidelines on implementation, risk assessment techniques and a vocabulary for these subjects. ISO 31000 seeks to provide a standardized risk management process, to replace the countless existing standards.

Some of the interviewed companies used either ISO 9000 or ISO 31000, or had them in mind when developing their own risk analysis tool. Companies using ISO shall meet statutory and regulatory requirements related to a product or program [19]. International Standards improve consumers’ confidence that their products are safe, reliable and of good quality [20].


2.5 Computer viruses and remote control

A computer virus [21] is a program which spreads itself by infecting files or the system areas of a computer’s or network router’s hard drive and makes copies of itself. Some computer viruses are harmless and others can damage, even destroy, files. Viruses are primarily spread through emails.

Most users get viruses when they open and run unknown attachments from an email message. This can be a Trojan horse, a computer program which hides a virus or other potentially damaging programs under the pretense of being something else. A Trojan horse can claim to perform one action while in fact performing a malicious action on the computer. Trojan horses can be included both in software that can be downloaded and installed for free and as attachments in email messages. Ways to avoid viruses and lessen their impact, according to US-CERT [21] and Creery and Byres [22], are:

• Install adequately good antivirus software, and update and use it regularly

• Never open anything that is attached to an email message unless you know the contents of the file

• Back up important data so that no valuable work is lost due to a virus infection

• Enforce security policies

• Have a structured and well-thought-through network architecture in place

• Harden systems, for example by removing unnecessary services

• Only use secure paths for employees’ remote connections
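The advice above about not opening attachments whose contents are unknown, and about enforcing security policies, expressed as a mail-gateway attachment policy in Python (an added example, not code from the thesis or from the cited sources): executables are blocked outright, attachments of an expected type from a known sender are delivered, and everything uncertain is quarantined for a person to check. The extension sets, the known-sender list and the sample messages are constructed.

```python
"""Attachment policy: deliver only what is known, quarantine what is uncertain, block executables.

Constructed example; the extension sets and sample messages are assumptions.
"""

# File types the organisation expects to receive and opens with ordinary viewers.
EXPECTED_TYPES = {".pdf", ".txt", ".png", ".jpg", ".docx", ".xlsx", ".pptx"}
# Types that run code when opened: never delivered, whoever sent them.
EXECUTABLE_TYPES = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".jar", ".hta"}
# Office documents that can carry macros: held for a check even from known senders.
MACRO_TYPES = {".docm", ".xlsm", ".pptm"}
# Containers whose contents cannot be judged from the name alone.
ARCHIVE_TYPES = {".zip", ".rar", ".7z"}


def extensions(filename):
    """All dotted suffixes of a name, last one last: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().strip().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename, sender_known):
    """Return (decision, reason); decision is 'deliver', 'quarantine' or 'block'."""
    exts = extensions(filename)
    if not exts:
        return "quarantine", "no file extension"
    last = exts[-1]
    if last in EXECUTABLE_TYPES:
        if len(exts) > 1:
            # The real type is the last suffix; earlier ones only make it look harmless.
            return "block", f"executable disguised with double extension {''.join(exts)}"
        return "block", f"executable type {last}"
    if last in MACRO_TYPES:
        if sender_known:
            return "quarantine", "macro-enabled document; verify with sender before opening"
        return "block", "macro-enabled document from unknown sender"
    if last in ARCHIVE_TYPES:
        return "quarantine", "archive contents unknown until scanned"
    if last in EXPECTED_TYPES:
        if sender_known:
            return "deliver", "expected type from known sender"
        return "quarantine", "expected type but sender unknown"
    return "quarantine", f"unexpected type {last}"


def apply_policy(message, known_senders):
    """Decide for every attachment of one message; the strictest decision wins for the message."""
    sender_known = message["from"].lower() in known_senders
    decisions = [(name, *classify_attachment(name, sender_known)) for name in message["attachments"]]
    order = {"deliver": 0, "quarantine": 1, "block": 2}
    overall = max((d for _, d, _ in decisions), key=order.__getitem__, default="deliver")
    return overall, decisions


# Constructed sample traffic.
KNOWN_SENDERS = {"partner@example.com"}
SAMPLE_MESSAGES = [
    {"from": "partner@example.com", "attachments": ["contract.pdf", "figures.xlsx"]},
    {"from": "billing@example.net", "attachments": ["invoice.pdf.exe"]},
    {"from": "partner@example.com", "attachments": ["report.docm"]},
    {"from": "unknown@example.org", "attachments": ["photos.zip", "notes.txt"]},
    {"from": "partner@example.com", "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        overall, decisions = apply_policy(msg, KNOWN_SENDERS)
        print(overall, msg["from"], decisions)
```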

If a device has been infected with a computer virus, or any variety of malware, one way to ensure that it does not spread through a network is to remotely repair or kill the device [23]. This can be done through, for example, process termination, on-device traffic filtering, application update, device update, file removal and factory reset. This is done by pre-installed software designed for this specific purpose.

2.6 Operating systems

Devices can run different operating systems. Some, for example Apple Inc’s iOS [24], use their own software, which is highly confidential, closed source and proprietary. iOS has the second largest installed base worldwide on smartphones and is the largest in profits. Windows 10 Mobile [25] is another closed source and proprietary operating system, developed by Microsoft. It is the third largest operating system installed on smartphones, behind Android and Apple Inc’s iOS.

Other operating systems are based on Android [26], which was developed by Android Inc, which has been part of Google Inc since 2005. Android has the largest installed base on smartphones in the world. Google Inc is in charge of the Android Open Source Project (AOSP) and responsible for the further development of the operating system. Android is a mobile operating system based on Linux. The AOSP enables anyone to use its source code under an open source license, though most Android devices use a combination of open source and proprietary software. There are many different Android devices on the market developed by different companies, not just Google Inc, for example Huawei Technologies Co. Ltd.’s EMUI [27] and HTC Corporation’s HTC Sense [28].


3 | Methodology

In this chapter we present the preparations for the interviews in Section 3.2, as well as how the interviews were conducted in Section 3.3. Initially, 83 companies were sent an email asking them to participate in a survey. Of those 83 companies we received 14 negative and six positive responses. Interviews were conducted with all six companies. Five of the interviews were face-to-face and one interview was held over the phone because it was not possible to have a physical meeting. The preparation for the interviews was modeled solely on Trost’s book regarding qualitative interviews [29].

3.1 Choice of method

Firstly, a choice had to be made whether the survey should be conducted using qualitative or quantitative methods. A qualitative survey gives a deeper understanding of a more limited number of interview subjects. The quantitative approach, with for example a questionnaire, gives a broader view across many respondents but has the limitation that no follow-up questions can be asked. Qualitative interviews were chosen for this survey because this was deemed to give better answers to the questions we aimed to answer.

The questions asked were the same in all interviews, in order to see differences and similarities between the companies. A first draft of an interview guide was written where all subjects we found relevant to discuss were given their own topic. The draft was revised once with the supervisor and then once again later on. This gave the opportunity to change questions and add topics. The topics chosen were those that would further deepen our understanding of the implemented internal security and also the interviewee’s view on the matter. There was also a section in the beginning with general questions about the company and a final section at the end of each interview that gave the interviewee an opportunity to add additional information.

3.2 Preparing for the interviews

The preparation for the interviews began with researching interview guides and how to ask the correct questions. The questions are located in Appendix A in English and Appendix B in Swedish. According to Trost, an interview guide should not be too detailed and should mostly consist of widely defined subjects. Although we decided to add questions to our interview guide, the bold lines can be seen as Trost’s version of an interview guide. The interview guide’s different titles were based on this notion, and the questions beneath each of them were there to give a more detailed view of the company. The questions were written according to Trost’s theory regarding qualitative interviews, where hypothetical and speculative questions should be avoided and direct and simple questions should be used instead. Antonyms and negations were deliberately avoided when writing the guide, since these words only confuse and distract the interviewee from answering the real question.

After the interview guide was done it was memorized. This was done to ensure that the time with the interview subjects was spent, in the fullest extent possible, gathering their opinions on the subject.


3.3 Conducting the interviews

In the beginning of each interview the interviewee was given time to ask questions about us and our project. The interviewee was asked if he or she approved of the interview being recorded. To ensure the companies privacy the recording was only meant for our own recollection and was not shared with others. During the interview if the interviewee answered with a counter question e.g. "what do you mean with routines" the answer was that they should choose their own definition. Only one person asked questions during each interview, while the other one took notes. The roles alternated between each interview.

After each interview the interviewer read the note-taker's notes to check that they matched what had been said. If there was any disagreement about what the interviewee had said, the recording was listened to.

Keeping these things in mind, the interviews were conducted over the course of four days, since the interviewees were available on different dates. With a gap of at least an hour between interviews, each interview could be summarized and analyzed directly after it was conducted. This decreased the risk of forgetting details. The summarized interviews can be found in Appendix C-H.


4 | Results

In this chapter a brief description of the different companies is presented, followed by the results from the interviews with them. The companies are divided into three groups: a small office (0-19 employees), a medium office (20-99 employees) and a large office (100-800 employees). These numbers refer only to one of the company's offices and might not represent the entire company.

Company A

Company A has 68 000 employees worldwide in North and South America, Asia and Europe. The company is a global information technology and business process services provider. With 40 years of experience in IT they have broad knowledge in many different fields. The office based in Linköping, Sweden falls into our category of a large office.

Company B

Company B is an IT-consultant company that is solely based in Linköping, Sweden. The office is categorized as small and they work with business systems, mobility and integration. They deliver complete systems to customers in Scandinavia.

Company C

Company C has more than 100 000 employees around the world and is a supplier of devices and services for telecom operators. The office in Linköping, Sweden is considered a large office by our standards.

Company D

Company D has offices in over 40 countries and over 15 000 employees worldwide. There are four locations in Sweden and their office based in Linköping is a large office. The company develops and delivers management solutions in a wide range of areas e.g. chemicals and aerospace.

Company E

Company E is a consulting company which specializes in product development and system development. It is based in Jönköping and Linköping, Sweden, with its headquarters in Jönköping. The Linköping office is small according to our categorization.

Company F

Company F is a consulting company with offices in the Nordic countries. The company specializes in cyber security, among other things. The company has in total around 18 000 employees. The interviewee’s office is categorized as large.


4.1 Approach to security

A graphic summary of the companies' answers can be found in Table 4.1. The companies had different approaches in their view on security, although the larger companies' viewpoints were quite similar. All of the larger companies, especially company A, C and F, had more policies and structure regarding their internal security. None of the companies had a clear definition of their internal security. Instead they mostly discussed the different areas in which they usually operate with regard to security. Company A's, E's and F's definitions of security were based on their customers' definitions. Since they are consulting companies they put a lot of weight on being able to adapt well to their customers' systems, with all of their principles and procedures.

Company A, C and F had many different policies, regarding physical safety as well as information security. Company B on the other hand did not have any policies at all regarding their internal security and did not do any work specifically to improve it. Instead they aimed for security that was adequate for their own and their customers' demands. Company D did operate according to policies; for example, the office door is only unlocked if a security guard is sitting at the front desk. Most of company D's product development is situated around the globe, in countries such as the Netherlands and the USA. The office our interviewee was based in did not handle product development and therefore did not have the corresponding policies.

In order to improve their internal security some of the companies conducted risk analyses. Company A, C and F completed risk analyses regularly and at different levels of the company. Company D also performed risk analyses, although only at a more global level.

From a more educational aspect, some companies also held security courses or offered other forms of educational material to their employees. Company C's employees took online training regarding bribes, breaking laws and similar subjects. Every employee also had to sign a code of conduct regarding how to behave as an employee. The employees at company D did not take part in any education regarding security, but they had to sign a certificate containing security information. Company F provided surveys for the employees regarding how they experienced the internal security policies and to collect feedback about them. Company A was the only company which educated their employees regarding ethics and anti-corruption. All sub-contractors, sub-consultants and employees at company A had to undergo security training once a year.

Company C, D and F had a report system in place where employees could file a request for something to be changed, report a fault in one of the systems or raise any other security aspect. At company C any employee could report incidents in the system, and the chief of security then decided whether or not to move forward with the incident. Sometimes external companies performed audits of whether they followed their principles and policies. Insurance companies were also employed to keep track of whether or not the company followed up on its policies. Company D and F also provided a report system for co-workers to give feedback and report faults. At company D all of these reports were handled at a global level.

The companies also had different policies regarding whether or not the employees were allowed to use their own USB flash drives, or similar devices, and if they were allowed to install anything they wanted on their computers. At company A the employees were allowed to use their own USB flash drives, since all of the data were encrypted. The employees at company B and E were also allowed to use their own USB flash drives, as well as decide themselves what they wanted to install on their computers. Both of these companies expressed that they put a lot of faith in their employees. If an employee at company D used their own computer they did not have access to all systems. There were not a lot of restrictions regarding what you could and could not install on your computer. Employees at company C and F were not allowed to bring their own USB flash drives and at company F they were not allowed to use their company USB flash drives on someone else’s computer. No employees at either company C or F were allowed to install anything on their computers - no one had administration rights on their own computer. The IT-department handled everything regarding installation and such, so if an employee wanted something installed the IT-department needed to be contacted.

Table 4.1: A visualization of the companies' approach to security. In each row a letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  A . C . . F   Multiple security policies
  . B . . . .   No policies
  A . . . E F   Definition of security depending on customer
  A . C . . F   Does risk analyses in regard to internal security regularly
  A . C D . F   Security education for employees
  . . C D . F   Security report system
  A . C D . F   Policies regarding external devices

4.2 Secure exchange with customers

Table 4.2 graphically summarizes the companies' differences in this section. All companies had to exchange information and work with their customers in one way or another. The companies that worked strictly according to an agile software development model shared their work in progress, and did so on a regular basis. The security level of the exchange with customers varied from company to company. Company B and E adapted their security level depending on the customer and followed that customer's security level. Company D said that they communicate with their customers daily and that this communication often took place in their own support systems. This means that the systems were secured with a username/password combination. Sometimes the communication took place over the telephone or through email, where the caller or sender trusted that the person they were speaking to was in fact the right person. Company A, C and F were somewhat stricter, had many different policies regarding customer exchange and used encrypted communication paths. At company C, when information was exchanged with a customer both parties had to sign a non-disclosure agreement at an individual level. Depending on the customer, company A and F raised their security level even further, e.g. if the information was classified. If the security level was very high the customer set up the entire communication link on their own, so that they could monitor every step of the communication process. Company F provided consultants, all of whom had completed a security test, to their customers. However, not everything could be put in the hands of the companies. The customers and the companies needed to handle information in the same way in order to secure the information and the security process. If the customer or the interviewee's company handled information wrongly it could lead to classified information being seen by the wrong people.

Table 4.2: A visualization of the companies' means to uphold secure exchange with customers. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  . B . . E .   Adapt their security level to customer
  . . . D . .   Communicate with customer through their own support systems
  A . C . . F   Uses encrypted communication paths
  A . . . . F   Can enhance security level if customer demands it

4.3 Risk analysis

Results from this section of questions can be seen in Table 4.3. Most of the companies performed risk analysis in one way or another. None of them used the same method, although some of the methods were quite similar. Company B had never performed a risk analysis of their own company, despite having participated in risk analyses with customers previously when working on procedures. Company D on the other hand performed risk analysis, but at a global level. Risk analysis regarding information security is not performed in Sweden, but more local problems such as physical safety, protection from burglary and perimeter security lead to risk analysis at the office in Linköping. Company E used risk analysis in order to prevent disasters, and the interviewee stated that they conduct these regularly but do not write them down or follow a specific model.

Company A, C and F were stricter regarding their risk analysis. All of them performed risk analysis regularly and in different areas, physical safety, perimeter security and information security being some of them. The three companies used risk analysis in order to improve security, both for the company itself and for its employees. All three companies used their own model, but all of the models were similar to already existing ones. Company F's model was based on ISO 31000 and company C's model was based on the Mini Risk method. Company A's model was based on standardized evaluation methods, mostly ISO 9000, and the interviewee stated that it looked a lot like the other models out there.

The reason the companies used their own models was because they thought existing models were too complicated and hard to understand.

Table 4.3: A visualization of the companies' views on risk analysis. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  . B . . . .   Never done risk analysis on what the company faces
  . . . . E .   Have no written-down copy of their risk analysis
  A . C D E F   Performs risk analysis regularly in different areas
  A . C . . F   Does risk analysis based on ISO or similar method

4.4 Technical aspect on security

Table 4.4 provides a visual summary of the companies' answers to the interview questions regarding the technical aspect on security. Company A, C and F used campaigns to inform their employees about the risks of phishing¹, social engineering etc. These campaigns were designed in different ways and targeted different subjects. At company C they did not send these out through email, since according to the interviewee they were then more likely to be ignored. Company D on the other hand sent out a certificate through email, which the employees had to sign to confirm that they had read it. These companies had a team that worked solely with security issues and could therefore design more targeted campaigns. Company B, a smaller company, relied on the employees' own ability to determine how to act with regard to email and the like. All six companies had a varying number of firewalls and antivirus software. Company A had centers around the world in place to monitor their networks. Both company E and F were consultancy firms and therefore, in most cases, used their customers' technical solutions. At their own offices company F had extensive firewalls whereas company E, a smaller company, used fewer.

All six companies provided their employees with a cellphone. Company A limited which operating systems this cellphone could run. They did not allow cellphones running Android, because Android phones can be made by a broad variety of companies and it is difficult to get an overview. Company B provided their employees strictly with Apple products. All companies offered their employees computers; company B also gave all their employees a tablet, and company D and F provided this and more when necessary. Consulting companies used their customers' devices when working from the customer's office.

If an employee's device was attacked by a virus, company A, C and F removed the device immediately, whereas company B re-configured the device and removed it only if it still caused problems. Company A, C and F all looked at trends in their networks to find problem areas and to see whether the same kind of breach occurred several times. They then acted on these trends to prevent viruses and related problems. If such a problem had caused information leakage, company F contacted the affected customer and discussed the outcome of the problem with them. Company E used services from another company to check for viruses etc., and was therefore notified by that company if something occurred.

All companies used both tags and personal codes to access their office. Company A had policies regarding the physical security of their perimeter protection. It was categorized as class 2, which means that it should be hard to get into and out of the building without permission; this was documented on their intranet. Company C used zones with different levels of access, where anyone was allowed in the first zone, a visitor needed a tag to get into the next, and the last zone required special access. Company B had double code and tag checks, one to get into the building and one to get into the office. To get access to another of company F's offices, the employee first had to apply for this in the internal network. Then both the employee's immediate supervisor and the person responsible for security at that office had to approve the application before access was granted.

¹ The attempt to obtain sensitive information, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Table 4.4: A visualization of technical aspects of security. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  A . C . . F   Uses campaigns to inform about risks
  . . . D . .   Inform through email
  A B C D E F   Uses firewalls
  A B C D E F   Uses antivirus software
  A B . . . .   Limits which operating system employees' devices use
  A . C . . F   Removes device immediately if infected with virus
  A . C . . F   Monitor trends in their networks
  A B C D E F   Uses tags and personal code to access office
  A . C . . .   Has controls both when entering and when leaving the office

Table 4.5: A visualization of the companies' views on the security vs efficiency trade-off. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  A . C . . F   Saw security measures as something that increases efficiency
  . B . . E .   Saw security as an obstacle
  . . . D . .   Deemed that the balance was most important

4.5 Trade-offs

Table 4.5 provides a visual summary of this section. The trade-off between security and efficiency was something all companies found interesting. Company A, C and F, the biggest in terms of both revenue and number of employees, deemed that this might not be a trade-off at all. They claimed that with good security their systems did not go down as often as they otherwise might have, and that this increased efficiency. Another aspect they raised was that a system vulnerable to viruses and hackers easily gets clogged and is hard to work with. These companies considered both network and physical security to be tools for improving efficiency. They admitted that not all employees shared this viewpoint. These companies tried to achieve higher network performance to make up for the delay their security might have caused in the system. Company D's interviewee deemed it important to find a balance between productivity and security and did not feel that their security principles hindered their work.

The smaller companies both saw this trade-off the opposite way from the bigger companies. Company B said that they worked according to the principle of "good enough". They upheld adequately good security to ensure the safety of their office and products by and large. These companies saw security as an obstacle and somewhat of a necessary evil. Their feeling was that security must be upheld, but that this might have affected efficiency immensely. The other smaller company, company E, said that they prioritize efficiency over security in this trade-off.

Here a clear distinction was made regarding the viewpoint on security versus efficiency. The big companies, which have to have a lot of security measures in place to function and to guarantee safety towards their customers, saw security primarily as a means of keeping good performance. The small companies deemed keeping a high efficiency paramount and saw the security measures as obstacles.

Table 4.6: A visualization of the situation regarding employment. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  . . . D . .   Does basic background checks
  . . . . . F   Does rigorous background checks
  A . C . . .   Does background checks if required for assignment
  . . C . . .   Has security classes for new employees

4.6 Employment

An overview of this section can be seen in Table 4.6. Company D conducted a basic background check when hiring a new person. At company F a more rigorous background check was performed, its depth determined by the position, together with a security interview with the potential employee. At company A you had to undergo a background check if your particular assignment required it, for example if you would be developing something with a high security classification. Company B, C and E did not conduct background checks when hiring a new employee, although the interviewee at company C stated that some organizations within the company might require a background check. Company A also stated that they did identity checks when hiring a new person, to verify that potential employees actually were who they said they were. At company F they sometimes had to check whether the potential employee had a criminal record, and if something came up this person would fail the check.

New employees at company D needed to sign a contract stating that they would follow all of the policies and rules that the company required. At company C new employees needed to sit through a one-hour security class as well as complete security training through an online tool.

Table 4.7: A visualization of the situation regarding termination of employment. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  A B C D E F   Uses checklists
  . . . D . .   Follows up on these checklists
  . . C . . .   Renews access to sensitive material periodically

4.7 Termination of employment

Table 4.7 presents a visual overview of answers to the question about termination of employment. Regarding termination of employment, every company had similar methods. All of them worked by a checklist where the most important things were retrieving the equipment and terminating all of the accounts connected to the former employee’s work email. Some of the companies, especially company F, also had a conversation with the employee to understand why they were leaving in order to improve the company.

Company D also had systems which followed up on whether or not everything that should have been terminated actually had been terminated. Once or twice something had been missed in company F’s procedures and an old access was still in their system but this was registered by their mechanisms in place. At company C the access to sensitive material must be renewed periodically which means that once an employment has been terminated, the access will not be renewed.
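The follow-up check and the periodic renewal described above can both be automated, and doing so shows why they complement each other: the checklist reconciliation finds what offboarding missed, while time-limited grants make a departed employee's access lapse even if nobody notices. The following Python is an added example, not code from the thesis or from any of the surveyed companies; all user names, systems, dates and the 90-day renewal period are constructed for illustration.

```python
"""Offboarding follow-up and periodic access renewal (added example).

Two controls from the interviews, in constructed sample code:
  * reconcile()     - compare an HR departure list with the accounts that
                      are still active and report what the checklist missed
  * lapsed_grants() - treat access to sensitive material as something that
                      expires unless renewed, so access for someone who has
                      left is never renewed and lapses on its own
All names, systems and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RENEWAL_DAYS = 90  # assumed renewal period; not a value from the thesis


@dataclass(frozen=True)
class Departure:
    user: str
    last_day: date


@dataclass(frozen=True)
class Account:
    user: str
    system: str   # constructed names such as "mail", "vpn", "repo"
    active: bool


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    last_renewed: date


def reconcile(departures, accounts, as_of):
    """Return (user, system) pairs still active for people whose last day has passed."""
    gone = {d.user for d in departures if d.last_day < as_of}
    return sorted((a.user, a.system) for a in accounts if a.active and a.user in gone)


def lapsed_grants(grants, as_of, renewal_days=RENEWAL_DAYS):
    """Return (user, resource) pairs whose last renewal is older than the renewal period."""
    cutoff = as_of - timedelta(days=renewal_days)
    return sorted((g.user, g.resource) for g in grants if g.last_renewed < cutoff)


def renew(grants, user, resource, departures, on):
    """Renew one grant; refuse if the user has a departure on record.

    Returns a new list of grants with the renewal date updated."""
    if any(d.user == user for d in departures):
        raise PermissionError(f"{user} has a departure on record; {resource} not renewed")
    return [Grant(g.user, g.resource, on) if (g.user, g.resource) == (user, resource) else g
            for g in grants]


# Constructed sample data: alice left in April, bob leaves at the end of June.
AS_OF = date(2017, 5, 15)
DEPARTURES = [Departure("alice", date(2017, 4, 28)), Departure("bob", date(2017, 6, 30))]
ACCOUNTS = [
    Account("alice", "mail", False),  # offboarding checklist handled this one
    Account("alice", "vpn", True),    # ... but missed this one
    Account("bob", "mail", True),     # bob is still employed
    Account("carol", "repo", True),
]
GRANTS = [
    Grant("alice", "customer-x-docs", date(2017, 1, 10)),  # lapsed, and alice has left
    Grant("carol", "customer-x-docs", date(2017, 4, 1)),   # renewed recently
    Grant("dave", "hr-archive", date(2017, 1, 30)),        # lapsed, dave must re-apply
]

if __name__ == "__main__":
    print("missed by checklist:", reconcile(DEPARTURES, ACCOUNTS, AS_OF))
    print("lapsed grants:", lapsed_grants(GRANTS, AS_OF))
    renewed = renew(GRANTS, "dave", "hr-archive", DEPARTURES, AS_OF)
    print("after dave renews:", lapsed_grants(renewed, AS_OF))
```

Run against the constructed data, reconcile() reports alice's still-active VPN account, lapsed_grants() reports both old grants, and an attempt to renew alice's grant is refused because her departure is on record, which is the effect company C described: once an employment has ended, access is simply never renewed.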

Table 4.8: Additional information the interviewees shared. A letter marks a company for which the statement applies and "." one for which it does not.

  A B C D E F
  A . C . . .   Has policies regarding employees' personal protection
  A . C . . .   Saw future challenges regarding how companies are allowed to store data
  A . C D . F   Demands that visitors sign in and wear a badge

4.8 Additional information

A summary of this section is provided in Table 4.8. Both company A and company C had policies regarding personal protection for their employees if they worked at highly vulnerable offices or traveled to countries classified as dangerous. Company A tried to place their offices strategically in safer areas, but still had to have some offices in higher-risk locations.

All companies had to comply with current legislation. They had to respect both the different countries' legislation and that of unions such as the EU. Company C's interviewee expressed concern about how to conform to these as they change. That interviewee, along with some others, talked about the new directives that the EU will enact in the upcoming years. This legislation will concern how a company is allowed to store personal data and who is liable. Company A and C both saw this as something that might provide challenges in the future and something they had started working more and more on in recent years.

The companies handled visitors in different ways. At company A, C, D and F visitors were not allowed in the office unless they had a badge, had written themselves in a visitors log and/or had a guide joining them. At company B you had to pass through two doors demanding a code, which made it hard to intrude.

5 | Discussion

The similarities and differences of the six companies were surprising. The larger companies, in particular A, C and F, were similar in almost every aspect, while the smaller companies had more differences. In this Chapter we will discuss the results from the interviews, found in Chapter 4, and connect them with the collected theory from Chapter 2.

5.1 Method

This survey was set up as a case study to give deeper insight into the views on and approaches to security at a limited number of companies. This method yields more exhaustive answers from the interviewees, which was the aim of this survey. A broader picture of how companies at large view the security field would have been obtained if a questionnaire had been used instead. The use of interviews gives more elaborate answers and the opportunity to ask follow-up questions, which improve the understanding of the interviewee's answers. If a questionnaire had been used, the resulting data set would have given a basis for conclusions about how companies at large relate to internal security. Since the survey was conducted through interviews with representatives from six companies, no such conclusions can be drawn.

The use, as far as possible, of face-to-face interviews was in our opinion beneficial for more exhaustive answers. This did however slim down the list of companies we approached. If we had not limited ourselves to this approach at the beginning a broader spectrum of companies could have been approached for interviews. This might have given different answers and potentially change the focus of the survey. Since six of the contacted companies expressed their interest in participating, our choice did not hinder the execution of the survey.

5.2 Approach to security

Company A, C and F all had multiple security policies. Having many mechanisms helps prevent security breaches much more than having only one or, as in the case of some of the companies, none at all. Company B had no policies written down and aimed for a "good enough" kind of security. This might work for them, and according to the interviewee it did, but their methods would not work for a larger company. It is easier to have an overview of a company with few employees. Company B put a lot of faith in their employees, and since they are so few it is easier to monitor and discuss things with one another. A company with more employees is more dependent on its policies. Additionally, an approach with no policies is not preferable if you want to be perceived as a company with strong security measures.

The consulting companies, company A, E and F also stated that they had different definitions of their security depending on which customer they work with. This shows that they have the ability to adapt to their customers. For companies with a higher security demand it can be a relief to know that the security can be enhanced.

Additionally, company A, B and E did not, as far as we learned from the interviews, have any security report system. A report system can help those responsible find security flaws or gaps in a system more easily, as well as keep track of breaches in the system.


By having policies regarding external devices, for example that an employee is not allowed to bring USB flash drives from home, a company can decrease the risk of being attacked by a virus through external devices. Company B and E were the only companies that did not have any policies regarding external devices in the office. This question also included whether or not the employees were allowed to install anything they wanted on their company computer. Policies in this area can dramatically increase the security of the company, provided they are followed and enforced. If the policy only states that an employee is not allowed to bring their own flash drives or install anything they want on their computer, it does not actually stop the employees from doing so. For the company to be certain that the policies are upheld, further restrictions are needed. If an employee does not have administrator rights on their computer, as is the case at company C and F, they cannot install anything without the IT department's authorization.

5.3 Secure exchange with customers

Company B and E adapted their security level to their customers. However, their default security level was basic, and even though they used firewalls and antivirus software, the ability to raise the security level might be essential to winning contracts with some of their customers.

Company D was the only company to state that they communicated with their customers using their own support system. This can be a way of ensuring that the communication link is secure, as well as giving greater insight into whether or not someone is eavesdropping. Since all of the companies worked according to agile software development rather than the waterfall method, constant communication with their customers is necessary. This increases the need for secure and preferably encrypted communication paths when exchanging information with customers. If the waterfall method were used this might not be as important, since constant communication during the development period is not as vital in that method.

Company A, C and F used encrypted communication paths. This makes the communication more secure, since nothing is transmitted in plain text. Some of the companies also worked with customers demanding a very high security level, and both company A and F stated that they have the ability to raise their security level even further. This way of adapting to different customers can make these companies more attractive to hire.

5.4 Risk analysis

All interviewees except company B's declared that they perform risk analyses regularly and in different areas. One follow-up question made it fairly obvious that this might not actually be the case, or that these risk analyses are of little use to the company: company E admitted that they do not have any written-down copy of their risk analyses. Not being able to read the analyses again, or in any way check their results, renders them almost pointless.

On the one hand, the larger companies, A, C and F, did risk analysis based on an ISO standard or similar. According to the theory, this improves the customer's faith in the safety as well as the quality of the product. This gave the larger companies an advantage, even though these risk analyses take time to implement. A standardized risk analysis method also helped these companies see how their company had evolved since the last analysis, since comparisons are easy to make. Conducting these regularly results in a more sustainable and secure work environment and business. Company B, on the other hand, had never done a risk analysis of the company itself or of what it faces. The company had done a couple of risk analyses with customers when working on various projects, but none regarding their own security. They have not had any problems so far, but it is our opinion that all companies benefit from having done a risk analysis of themselves or of a larger project. Risk analyses help the company and its employees prepare for unfortunate events and decrease the risk of failure and damage. They also help identify the company's future challenges and security vulnerabilities. According to Intel's survey [3], developing risk assessments and incident response plans can help uphold better internal security.


5.5 Technical aspect on security

Regarding their security, all of the companies used firewalls and antivirus protection in order to protect themselves from virus-infected units. According to the theory, this is one step towards protecting their employees from malware. Furthermore, company A, C and F also informed their employees of different risks they might face because, as stated in the theory in Section 2.5, a very common way to be attacked by a virus is by opening or downloading a file in an email from an unknown sender. Company D informed employees about security campaigns or standards through email. Company C's interviewee stated that they do not send this kind of information by email because, in their opinion, employees are likely to just ignore it. There is no clear answer as to what is right and what is wrong. Email is a simple and easy way to send information to a great many people at the same time. But if one really wants to know that the employee has understood the demands and to see that they acknowledge them, educational meetings are a far better alternative. This was also one of the ways to improve internal security according to PwC's study [4]. They declared that, to improve their security, the organizations surveyed should continue to place importance on security awareness training. This was also stated as an improvement in Intel's survey [3]. According to the theory on how to prevent virus attacks and lessen their impact, most companies were working in line with at least some of the statements.

Companies A and B limited their employees' options regarding company-provided equipment such as smartphones, laptops and tablets. Company A stated that it was more difficult to have control over Android equipment since there are so many different models. They allowed only Windows and Apple Inc. products, and at company B only Apple Inc. products were tolerated. Both of these companies thereby discarded the platform with the largest installed base among smartphones and tablets. Company B did this to ensure a homogeneous policy. Using the same base for all devices aids sharing information and software development, since company B's employees used all these devices for these purposes. The interviewee at company A gave as the reason for excluding devices running any form of Android OS that these devices did not grant an easy overview. They can be made by any manufacturer, and this made the company apprehensive about using them.

Another interesting discovery was that companies A, C and F once again had something in common. They were the only companies to immediately remove a device if it had become infected with a virus. The other companies re-configured or re-installed the device. According to the theory, to ensure that the virus does not spread through the network, the company has to either remotely repair or kill the device. Companies A, C and F also monitored trends in their network. This is done to detect whether the same kind of problem happens several times. For a larger company with more at stake this can be vital to prevent larger attacks. This kind of protection might not be needed for a smaller company with a lower security level. Monitoring networks for unusual or anomalous traffic, and increasing the frequency of such monitoring, was also supported as a tool to uphold better internal security according to Intel's survey [3].
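The trend monitoring described above can be reduced to a simple question over the detection log: does the same signature turn up on several hosts within a short period, and does the same host keep getting re-infected after being re-configured? The following is an added example written for this page, not code from the thesis or from any of the interviewed companies; the log lines, hostnames and signature names are constructed, and the thresholds (three hosts in seven days) are assumptions a team would tune to its own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, roughly what an endpoint-protection agent reports
# to a central log collector. Hostnames and signature names are invented.
SAMPLE_EVENTS = [
    "2017-03-01T09:12:00 host=lt-014 type=av_detection sig=Trojan.Generic.A",
    "2017-03-01T09:40:00 host=lt-027 type=av_detection sig=Trojan.Generic.A",
    "2017-03-01T10:05:00 host=lt-014 type=av_detection sig=Trojan.Generic.A",
    "2017-03-02T11:30:00 host=lt-031 type=av_detection sig=Trojan.Generic.A",
    "2017-03-02T14:00:00 host=lt-002 type=av_detection sig=Adware.X",
    "2017-03-09T08:00:00 host=lt-045 type=av_detection sig=Trojan.Generic.A",
]


def parse_event(line):
    """Parse 'timestamp key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def recurring_problems(events, window=timedelta(days=7), min_hosts=3):
    """Return {signature: sorted hosts} for every signature seen on at least
    `min_hosts` distinct hosts inside some `window`-long period.

    The host set returned comes from the earliest window that crossed the
    threshold, so the analyst sees where the wave started.
    """
    by_sig = defaultdict(list)
    for ev in events:
        if ev.get("type") == "av_detection":
            by_sig[ev["sig"]].append(ev)

    flagged = {}
    for sig, evs in by_sig.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[sig] = sorted(hosts)
                break
    return flagged


def repeat_hosts(events, min_count=2):
    """Hosts with repeated detections: a hint that re-configuring or re-installing
    did not clear the problem, or that the host keeps being re-exposed."""
    counts = Counter(ev["host"] for ev in events if ev.get("type") == "av_detection")
    return {host: n for host, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    evs = [parse_event(line) for line in SAMPLE_EVENTS]
    for sig, hosts in recurring_problems(evs).items():
        print(f"recurring: {sig} on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, n in repeat_hosts(evs).items():
        print(f"repeat detections on {host}: {n}")
```

With the constructed log, `Trojan.Generic.A` is flagged because it reached three distinct hosts within two days, while the single `Adware.X` hit is not; `lt-014` stands out as a host that was detected twice, which is the kind of signal that would argue for removing the device rather than re-configuring it again.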

All of the companies used tags and personal codes to access the office area to increase their perimeter security. But only companies A and C had controls both when entering and when exiting their office. The perimeter security was not exactly the same for the two companies, but they were the only ones where you needed your tag and ID card when leaving the building. If someone who should not be in the building has managed to enter the office, this method makes it much harder for them to leave as well, giving the companies more time to catch them.
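Checking badges on the way out as well as on the way in gives the access control system a second chance to notice an intruder: a badge that exits without any recorded entry, or enters twice without leaving in between, is exactly what an anti-passback rule reacts to. The example below is added here and is not code from the thesis or from companies A or C; the badge-reader log, badge numbers and door name are constructed, and it only replays the log to report anomalies rather than modelling a live door controller.

```python
from datetime import datetime

# Constructed badge-reader log: timestamp, badge id, door, direction. All values invented.
SAMPLE_BADGE_LOG = [
    "2017-03-01T08:01:10 badge=1001 door=main dir=in",
    "2017-03-01T08:03:45 badge=1002 door=main dir=in",
    "2017-03-01T12:10:00 badge=1001 door=main dir=out",
    "2017-03-01T12:40:20 badge=1001 door=main dir=in",
    "2017-03-01T17:05:00 badge=1001 door=main dir=out",
    "2017-03-01T17:30:00 badge=1003 door=main dir=out",  # never badged in: tailgated?
    "2017-03-01T17:45:00 badge=1002 door=main dir=in",   # already inside: badge passed back?
]


def parse_badge_event(line):
    """Parse one reader log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def reconcile(events):
    """Replay the log in time order and apply a two-way (anti-passback) check.

    Returns (anomalies, inside): anomalies is a list of
    (kind, badge, timestamp) tuples, inside is the set of badges whose last
    event was an entry, i.e. who the system believes is still in the building.
    """
    inside = set()
    anomalies = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        badge = ev["badge"]
        if ev["dir"] == "in":
            if badge in inside:
                anomalies.append(("entry_without_exit", badge, ev["ts"]))
            inside.add(badge)
        else:
            if badge not in inside:
                anomalies.append(("exit_without_entry", badge, ev["ts"]))
            inside.discard(badge)
    return anomalies, inside


if __name__ == "__main__":
    anomalies, inside = reconcile(parse_badge_event(l) for l in SAMPLE_BADGE_LOG)
    for kind, badge, ts in anomalies:
        print(f"{ts.isoformat()} badge {badge}: {kind}")
    print("still inside at end of log:", sorted(inside))
```

Both anomaly kinds matter to the defender: an exit without entry means someone got past the entrance control without a badge read, and an entry without exit means either a lost exit record or a badge being used by two people. The `inside` set is also what an evacuation roll call or an end-of-day sweep would start from.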

5.6 Trade-offs

The interviewees that stated that their companies have many policies and restrictions in use were the ones that saw security measures as something that increases efficiency. They emphasized that a clogged network, or one riddled with viruses or other kinds of malware, or even one at risk of these phenomena, would not be acceptable for them. All their policies and restrictions prevented this from happening, and therefore the security measures increase efficiency. This mindset is supported in the literature, and many of their policies included some of the ways to avoid viruses and lessen their impact, seen in Section 2.5. However, since some of the employees at companies A, C and F complained about the amount of security policies, the design principle of psychological acceptability, see Section 2.3.3, must be taken into consideration. Security mechanisms have to be easy to use and intuitive, and the extra burden has to be reasonable. If the mechanisms are too hard to follow, the outcome will be the opposite of what the companies aimed for, since it will cause more errors. This had already been taken into consideration by some of the companies, since they swapped existing risk analysis methods for their own to make them easier to understand.

Companies B and E found that security was an obstacle to them. This disagrees with the mindset of the interviewees from the larger companies. The companies that used fewer security measures were more concerned about their decreased efficiency. Although company F stated that some of the employees occasionally complained about their many policies, security demands and high security level, they often accepted these if they understood why they were implemented. The mindset that the security policies are in the way is very common if the user never sees any impact of them or if they are not told why these are enforced.

The interviewee for company D emphasized the balance between having enough security measures and working efficiently. This reflected the view that security affects the work in a positive way, but that there is a limit to how much security is productive.

5.7 Employment

Most of the companies did not perform any standardized background checks when hiring a new employee. The only exceptions were company D, which did basic background checks, and company F, which did more rigorous ones. Companies A and C did background checks if the assignment required it. If an assignment did not require background checks, they were not considered necessary, because they might have been seen as an intrusion into a person's privacy.

Company C provided their new employees with security classes from the start. This was done to inform them about the company's security policies and what an employee can or cannot do or talk about. This was an easy way to let new employees know how to behave at their new place of employment, and something we found had a purpose.

5.8 Termination of employment

All of the companies had similar procedures when terminating an employment, following checklists. One interesting thing was that only one company followed up on the checklists afterwards. Some of the companies had never had a problem with this before, so this might look different at companies that had. Company C went with another method. All accesses needed to be renewed continually, so if someone forgets, or a mistake is made when removing accesses due to a termination of employment, it will not take long before the access expires by itself.
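Company C's approach and the checklist follow-up practised by one of the other companies complement each other: access that lapses unless renewed bounds the damage of a forgotten checklist item, and an audit of leavers' remaining access catches the item itself. The example below is added for this page and is not code from the thesis or from any of the companies; the employees, systems, dates and the 90-day renewal period are constructed, and a real deployment would read them from an identity directory and HR system instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class AccessGrant:
    """An access right that lapses unless it is renewed before `valid_for` runs out."""
    system: str
    last_renewed: date
    valid_for: timedelta = timedelta(days=90)  # assumed renewal period

    def expires(self) -> date:
        return self.last_renewed + self.valid_for

    def is_active(self, today: date) -> bool:
        return today < self.expires()


@dataclass
class Employee:
    name: str
    grants: List[AccessGrant]
    terminated: Optional[date] = None  # set by the offboarding checklist


def renewal_job(staff: List[Employee], today: date) -> None:
    """Periodic job (e.g. monthly): renew grants for current staff only.

    A terminated employee is skipped, so any grant the checklist missed keeps
    its old expiry date and runs out by itself."""
    for e in staff:
        if e.terminated is None:
            for g in e.grants:
                g.last_renewed = today


def offboard(employee: Employee, today: date, revoke: List[str]) -> None:
    """Checklist step: record the termination and revoke the listed systems.

    Anything not on the list is exactly the mistake the follow-up audit exists for."""
    employee.terminated = today
    employee.grants = [g for g in employee.grants if g.system not in revoke]


def lingering_access(staff: List[Employee], today: date):
    """Follow-up audit: grants still active for people who have left."""
    return [
        (e.name, g.system, g.expires().isoformat())
        for e in staff if e.terminated is not None
        for g in e.grants if g.is_active(today)
    ]


def build_sample_staff() -> List[Employee]:
    """Constructed scenario: two employees whose grants were last renewed 2017-02-01."""
    renewed = date(2017, 2, 1)
    alice = Employee("alice", [AccessGrant("vpn", renewed),
                               AccessGrant("wiki", renewed),
                               AccessGrant("badge", renewed)])
    bob = Employee("bob", [AccessGrant("vpn", renewed)])
    return [alice, bob]


def scenario():
    """Alice leaves on 2017-03-01; the checklist revokes badge and wiki but forgets vpn."""
    staff = build_sample_staff()
    alice, bob = staff
    offboard(alice, date(2017, 3, 1), revoke=["badge", "wiki"])
    renewal_job(staff, date(2017, 3, 10))  # bob is renewed, alice is not
    return {
        "audit_march": lingering_access(staff, date(2017, 3, 15)),
        "audit_june": lingering_access(staff, date(2017, 6, 1)),
        "bob_vpn_active_june": bob.grants[0].is_active(date(2017, 6, 1)),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

In the constructed run, the March audit reports Alice's forgotten VPN grant with its expiry date, which is the follow-up signal the checklist alone never produced; by June the same grant has lapsed on its own because the renewal job skips terminated staff, while Bob's identical grant stays active because it was renewed.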

5.9 Additional information

The companies also treated visitors differently. Companies A, C, D and F required that visitors sign their names in a visitor's log and wear a visitor's badge. This is a great way of ensuring that no one unauthorized gets access to their office, but only when upheld. At company A we were escorted into the building not by our contact person, but by an employee who assumed that we had gotten clearance to enter and had a contact person. This was the truth in our case, but in violation of their policies. At company D we were directed to their refreshment room and then left unsupervised until our interviewee was ready to be interviewed. This also contradicts their own policy that no one is allowed to be left unsupervised on their premises.

Some of the companies also mentioned new EU rules regarding the storage of personal information and acknowledged that they needed to change their procedures. This can be attributed to their use of risk analyses of what their company faces. Companies A and C were the only companies, as far as we know, that had policies regarding their employees' personal protection. An employee was not allowed to travel for work to certain areas if, for example, the political climate there was unstable.

References
