A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector

A Thesis For The Postgraduate Degree Of Register IT Auditor

Author : Ryan W.K. Chin (Security Consultant Deloitte)

Supervisors : Abbas Shahim (Partner Atos)

Thesis Number : 1080


A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector 2012

Page | 2


MANAGEMENT SUMMARY

This thesis is established to acquire the Postgraduate degree of Register IT Auditor at the Vrije University Amsterdam (VUA). It encompasses the results of research conducted to investigate effective controls that could be used for consumerization of mobile devices in the bank sector. This thesis therefore aims at providing a risk-based framework which IT auditors can use for auditing and which corporations can use to define effective security controls for mobile platforms.

The fundamentals of mobile devices and consumerization have been examined in order to establish insight into this matter prior to the formulation of a security control framework. Consumerization of mobile devices is the process or phenomenon in which consumer products are made suitable for ‘dual use’. Dual use in this context refers to privately owned consumer devices being used or made suitable for business purposes next to private use. Using privately owned mobile devices is generally referred to as Bring Your Own Device (BYOD). Recent surveys performed by Gartner and ISACA showed that global information technology leaders recognize risks related to consumerization of mobile devices. However, the pros related to this concept are too attractive to ignore nowadays. In total, 10 risk categories are identified related to the use of mobile devices: R1: Data leakage, R2: Improper decommissioning, R3: Unintentional data disclosure, R4: Phishing, R5: Spyware, R6: Network spoofing attacks, R7: Surveillance, R8: Diallerware, R9: Financial malware & R10: Network congestion. These risk categories are the result of a combination of vulnerabilities. Through mapping of Cobit controls, a risk-based security control framework for mobile devices is established which contains 19 distinctive controls to mitigate the risks related to these vulnerabilities. Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular risk, selecting the appropriate controls from Cobit should allow assessors to define a customized framework according to risk profiles. Ultimately, this research resulted in a security control framework for consumerization of mobile devices in the bank sector which consists of 19 distinctive Cobit controls. This framework is established based on research performed on the related risks, vulnerabilities and the compliance requirements within the Dutch bank sector.

o PO7.8 - Job Change and Termination
o PO4.9 - Data and System Ownership
o DS5.9 - Malicious Software Prevention, Detection and Correction
o DS5.8 - Cryptographic Key Management
o DS5.6 - Security Incident Definition
o DS5.5 - Security Testing, Surveillance and Monitoring
o DS5.4 - User Account Management
o DS5.3 - Identity Management
o DS5.2 - IT Security Plan
o DS5.11 - Exchange of Sensitive Data
o DS5.10 - Network Security
o DS4.5 - Testing of the IT Continuity Plan
o DS4.2 - IT Continuity Plans
o DS11.6 - Security Requirements for Data Management
o DS11.4 - Disposal
o DS11.2 - Storage and Retention Arrangements
o DS1.5 - Monitoring and Reporting of Service Level Achievements
o AI3.2 - Infrastructure Resource Protection and Availability

Please refer to Appendix A: The Security Framework for Consumerization for the final framework. Implementing the suggested security controls should mitigate the risks related to consumerization of mobile devices and also provide auditors with a framework for risk-based auditing.


Contents

1 INTRODUCTION .............................................................................................................. 10

1.1 Context of this research ...................................................................................... 10

1.2 Introduction to consumerization of Mobile Devices & Problems ....................... 10

1.3 Research questions ............................................................................................. 11

1.4 Academic relevance ............................................................................................ 12

1.5 Scope & Focus ..................................................................................................... 12

2 RESEARCH METHODOLOGY ............................................................................................ 13

2.1 Research Design .................................................................................................. 13

2.2 Research Process ................................................................................................. 13

2.3 Document Structure ............................................................................................ 14

3 LITERATURE STUDY: MOBILE DEVICES & CONSUMERIZATION IN THE BANK SECTOR .... 15

3.1 Literature Study................................................................................................... 15

3.2 Trend of Consumerization on IT Risk Landscape ................................................. 16

3.3 Consumerization of mobile devices: Answer to SQ1 ........................................... 18

4 RISK ASSESSMENT MOBILE DEVICE CONSUMERIZATION WITHIN BANK SECTOR ........... 20

4.1 Identified Risks categories of Bank Sector........................................................... 20

4.2 CIA Triad for Information Security (Confidentiality, Integrity & Availability) ...... 21

4.3 Risk Assessment results....................................................................................... 21

4.4 Security risks and impact consumerization mobile devices: Answer to SQ2....... 26

5 SECURITY CONTROL FRAMEWORK ................................................................................. 28

5.1 Security Control Framework Theoretical Process ............................................... 28

5.2 Cobit Framework ................................................................................................. 28

5.3 The Bank sector & Compliancy Requirement For The Bank Sector ..................... 29

5.4 Security Control Framework Theoretical Model ................................................. 30

5.5 The Framework: The selection process ............................................................... 30

5.6 How implementing controls can ensure better security: Answer to SQ3 ........... 43

6 CONCLUSION & FUTURE RESEARCH ............................................................................... 44

6.1 Further research .................................................................................................. 45

7 REFERENCES.................................................................................................................... 47

8 APPENDICES .................................................................................................................... 48

Appendix A: The Security Framework for Consumerization .............................................. 48

Appendix B: Vulnerabilities by ENISA ................................................................................ 57

Appendix C: DNB Information Security Assessment Framework ....................................... 60

Appendix D: ENISA Risk Assessment .................................................................................. 69

Appendix E: Survey Form ................................................................................................... 73


Appendix F: Survey Results ................................................................................................ 74

Figures

Figure 1: Global Security And Risk Council Challenge Assessment Online Survey .................. 11
Figure 2: Research Design ...................................................................................................... 13
Figure 3: Research Process ..................................................................................................... 14
Figure 4: Which device poses the greatest risk to your organization? ................................... 16
Figure 5: Support of Mobile Devices in Enterprises ............................................................... 17
Figure 6: Addressing risk associated with Mobile Devices ..................................................... 18
Figure 7: Deployment of mobile devices in the next 12 months ............................................ 18
Figure 8: External breaches occurrences in the past 12 months ............................................ 18
Figure 9: Attacks exploiting mobile network vulnerability ..................................................... 19
Figure 10: Explanation Risk Assessment ................................................................................. 22
Figure 11: Theoretical Process ............................................................................................... 28
Figure 12: Domains of Cobit ................................................................................................... 28
Figure 13: Theoretical Model ................................................................................................. 30
Figure 14: Explanation Security Control Framework .............................................................. 31

Tables

Table 1: Usage Scenario ......................................................................................................... 22
Table 2: R1 - Data leakage ...................................................................................................... 23
Table 3: R2 - Improper decommissioning ............................................................................... 23
Table 4: R3 - Unintentional disclosure of data ....................................................................... 23
Table 5: R4 - Phishing ............................................................................................................. 24
Table 6: R5 - Spyware ............................................................................................................. 24
Table 7: R6 - Network spoofing attacks .................................................................................. 25
Table 8: R7 - Surveillance ....................................................................................................... 25
Table 9: R8 - Diallerware ........................................................................................................ 25
Table 10: R9 - Financial malware ............................................................................................ 26
Table 11: R10 - Network congestion ...................................................................................... 26
Table 12: R1: Data leakage Risk Mapping ............................................................................... 32
Table 13: R1: Data leakage Framework .................................................................................. 33
Table 14: R2: Improper decommissioning Risk Mapping ....................................................... 34
Table 15: R2: Improper decommissioning Framework ........................................................... 35
Table 16: R3: Unintentional data disclosure Risk Mapping .................................................... 36
Table 17: R3: Unintentional data disclosure Framework ....................................................... 36
Table 18: R4: Phishing Risk Mapping ...................................................................................... 37
Table 19: R4: Phishing Framework ......................................................................................... 38
Table 20: R5: Spyware Risk Mapping ...................................................................................... 39
Table 21: R5: Spyware Framework ......................................................................................... 39
Table 22: R6: Network spoofing attacks Risk Mapping .......................................................... 40
Table 23: R6: Network spoofing attacks Framework .............................................................. 40
Table 24: R7: Surveillance, R8: Diallerware & R9: Financial malware Risk Mapping .............. 41
Table 25: R7: Surveillance, R8: Diallerware & R9: Financial malware Framework ................. 42
Table 26: R10: Network congestion Risk Mapping ................................................................. 42
Table 27: R10: Network congestion Framework .................................................................... 43


Vrije Universiteit Amsterdam (VUA)

Faculteit der Economische Wetenschappen en Bedrijfskunde (FEWEB)

THESIS FOR THE POSTGRADUATE DEGREE

A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector

February 2012 – June 2012

AUTHOR

R.W.K. Chin (1649086)

Astronautenweg 153

1622DK Hoorn, The Netherlands

[email protected] / [email protected]

THESIS SUPERVISOR

Abbas Shahim

Partner Atos

De Boelelaan 1081A

1081 HV Amsterdam, The Netherlands

[email protected]

SECOND SUPERVISOR

Benessa Defend

Laan van Kronenburg 2, Amstelveen

1183 AS, The Netherlands

[email protected]


1 INTRODUCTION

This is the first chapter of the thesis for the Postgraduate degree of Register IT Auditor and discusses the context, topic, problems and research questions. The purpose of highlighting these subjects is to capture the rationale for initiating this research and to create a common understanding. This chapter kicks off with a description of the context in which the research takes place. After that, the research topic is introduced in conjunction with a perceived phenomenon that eventually leads to a problem related to this topic. The problem description is given in §1.3, where the occurring problem is described and analysed and decomposed into several research questions, each of which attends to a part of the phenomenon. §1.4 elaborates on the academic relevance. Chapter 1 concludes with a description of the scope that defines what is included in this research.

1.1 Context of this research

This thesis is written to acquire the Postgraduate degree of Register IT Auditor at the Vrije University Amsterdam under the supervision of Mr A. Shahim (FEWEB). This degree is required by the author's employer Deloitte Touche Tohmatsu, hereafter Deloitte, as a mandatory component of the personal development plan within the organization to ultimately become an IT Auditor.

The results of this research are of relevance for the organization’s service portfolio as well as for the field of mobile IT security. As the use of mobile devices within a company’s context becomes more and more common, thorough in-depth research on IT security is needed to enforce and facilitate a healthy and responsible growth of its use.

1.2 Introduction to consumerization of Mobile Devices & Problems

In recent years, developments in the field of mobile devices like smartphones and tablets have been extraordinary. ‘Normal’ mobile phones, whose main functionality was calling, are gradually losing ground to smartphones, which are basically a personal computer in a pocket-friendly size. Since the introduction of the iPad by Apple in January 2010, tablets became more and more popular and even overshadowed traditional laptops and PCs in terms of sales in 2010 and 2011.

Using smartphones or tablets for the consumption of multimedia content and remote access to information is very common in modern society nowadays. Due to the portability and flexibility of their use, companies gradually started to look at possibilities to use these mobile devices for work-related activities to increase efficiency. This trend resulted in the consumerization of mobile devices. Consumerization drives changes in the way employees access, store, process and exchange corporate data.

Despite the many benefits mobile devices have to offer, the majority of CIOs at the same time felt that the growing number of employee-owned devices used to access company information are riskier than anything supplied by the IT department. This is because consumerization entails further blurring of the corporate perimeter and at the same time introduces new challenges for organizations in meeting the confidentiality, integrity and availability requirements of corporate data.

“Trend #1: Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware” (RSA cybercrime trends report 2012)

“Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data” (RSA cybercrime trends report 2012)


In a survey performed by ISACA in 2011, 45% of the 2765 global members and IT professionals responded that mobile devices represent the greatest risk to their enterprises [ISACA’s 2011 IT Risk/Reward Barometer]. This view is reinforced by the results of the online survey of Forrester in which the topic ‘Securing Mobile devices’ was indicated as the number one priority in terms of security challenges [2011 Q2 Global Security And Risk Council Challenge Assessment Online Survey].

These concerns regarding introducing consumerization in companies are not unfounded. As reported by RSA in its annual cybercrime trends report, cybercrime continues to show no signs of slowing down. 2011 marked a year of new advanced threats and an increased level of sophistication in the attacks witnessed around the globe. Cybercriminals find new ways to monetize non-financial data. About the threats in the bank landscape, RSA reported the following in its 2012 cybercrime trends report:

“RSA has been observing the Trojan landscape throughout 2011, and Zeus 2.0 has continued to dominate as the leading financial Trojan throughout the year. Indisputably the most widely spread financial malware in the world, Zeus is responsible for around 80% of all attacks against financial institutions today and is estimated to have caused over $1 billion in global losses in the last five years.

The number 1 trend RSA observed in the beginning of 2011 was the surge of financial attacks connected to the SpyEye Trojan. Financial cybercrime attributed to SpyEye variants decreased over the course of the year, however, from 19% of attacks attributed to SpyEye in Q1 ’11 to around 4% in Q3 ’11. At this time, SpyEye continues to be the most costly Trojan code sold on the black market, selling for a few thousand dollars for a basic kit and separate plug-ins averaging $1,000 each. SpyEye also features technical complexity which has been known to be a problem for the average cybercriminal to use effectively.

Trojans for mobile platforms

A growing trend in the world of cybercrime codes will further carry Zeus (ZitMo) and SpyEye (SPitMo) over to the various mobile platforms, with the purpose of having these banking Trojans steal data such as SMS codes. “InfoStealers” for the mobile platform are also likely to emerge with Trojans designed to keylog touch-screen input and monitor data traffic through the mobile device.” (RSA, 2012).

1.3 Research questions

The question consumerization entails is how to manage the security risks imposed by the use of privately owned mobile phones and tablets within the bank sector (consumerization). Mobile phones and tablets are referred to as mobile devices hereafter in this thesis proposal and the thesis itself. For this purpose, the thesis will attempt to answer the following research question:

With what control framework can the security of mobile devices within the Bank Sector be improved to manage identified risks related to Consumerization?

Figure 1: Global Security And Risk Council Challenge Assessment Online Survey


Several sub questions (SQ) are defined:

1. SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?

2. SQ2: What are the security risks and impact imposed by consumerization of mobile devices within the Bank sector?

3. SQ3: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization?

1.4 Academic relevance

This research is performed based on the results of the publication by ENISA in December 2010. ENISA performed extensive research on information security risks, opportunities and vulnerabilities related to the use of smartphones (Hogben & Dekker, 2010). This research will attempt to adapt ENISA’s risk assessment specifically for the bank sector to ultimately define a profound risk-based security control framework for consumerization of mobile devices.

1.5 Scope & Focus

Mobile Devices

As the title suggests, this thesis focuses on security and compliance related issues of consumerization of mobile devices within the bank sector. In this research, the term mobile device refers to smartphones and tablets with which employees can access, process and store corporate data. Other mobile devices like laptops and nettops are not included in this research. The rationale behind this scoping can be found in the section “Mobile Devices” of chapter 3. Furthermore, this research is focused on the bank sector, which is the largest group in the financial services sector. The survey for this research is therefore performed among bank employees.

Internal Control Framework & External Auditors For Financial Statement

In addition, the scope of this research is focused on compliance requirements which apply to the bank sector in the Netherlands in general. Specific control frameworks (e.g. internal & external control frameworks from internal & external accountants) that apply only to an individual bank are not considered, as this may result in a different outcome when this research is reperformed by third parties.


2 RESEARCH METHODOLOGY

The problem and the research questions have been presented in the previous chapter. This chapter will proceed with the discussion of the approach, which describes the process of planning, design, preparation, data collection, analysis and sharing of this research. This framework contains a research design, which is a specification of the logical and systematic steps for finding the answers to the established research questions.

2.1 Research Design

This section discusses the conceptual structure of this research, which is basically a blueprint of how to achieve the overall objective. Proper documentation of this process allows other researchers to adapt, replicate and imitate this research by providing sufficient information. To establish such research, a specific research design is chosen which contains a collection of scientific methods in order to achieve the goals. The case study approach of Robert K. Yin is adopted, which is comprised of the following processes (see Figure 2):

2.2 Research Process

This section aims at describing this research design in terms of specific activities relevant for this research. It consists of a path to be followed and the goals and objectives along the course that need to be achieved. Figure 3 provides a conceptual schema of this research process.

Figure 2: Research Design


2.3 Document Structure

The structure of this thesis is established mainly conforming to the defined phases and is structured as follows:

• Chapter 3: This chapter contains the literature study performed as initial research on relevant subjects related to this thesis. This chapter attempts to find answers to the first sub research question, which provides input for the next chapter.

• Chapter 4: This chapter elaborates on risks related to the usage of mobile devices. In addition, it contains a risk assessment in which the important security attributes (Confidentiality, Integrity & Availability) are taken into account. This chapter should provide insights into real risks which deserve attention.

• Chapter 5: This chapter contains the security control framework which is derived from the study performed in chapters 3 & 4. This security control framework should provide a profound foundation which auditors can use during the assessment of the use of mobile devices in a business context.

• Chapter 6: This chapter concludes the research performed on the subject of mobile devices in a business context.

Figure 3: Research Process


3 LITERATURE STUDY: MOBILE DEVICES & CONSUMERIZATION IN THE BANK SECTOR

This chapter provides a literature study in which definitions are explained in an attempt to answer the first sub question derived from the main research question: “SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?”. Additionally, this chapter also describes compliance requirements for the bank sector within the Netherlands.

3.1 Literature Study

The main research question, which is defined in chapter one, contains several concepts/words which require explanation. This is needed in order to create a common understanding. Answering the first sub question (SQ1) should achieve this goal:

“SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?”

The following section provides explanations of these terms using literature, information retrieved from renowned websites etc. The second part of this question, regarding the reason why this trend should be considered, is addressed in the next section.

3.1.1 Definitions of Consumerization, BYOD & Mobile Devices

An unambiguous definition of the term ‘Consumerization’ is not easily established as large

number of consulted dictionaries (Merriam-Webster, Oxford dictionaries) does not provide

answers. The word ‘Consumerization’ is apparently not formally defined yet which is often

the case with emerging trends in IT. In an attempt to find a general description on this term,

a definition is given which should provide better context of the meaning of this word:

Con•sum•er•ize [kuhn-soo-muh-rahyz]

verb (used with object), con•sum•er•ized, con•sum•er•iz•ing.

1. to make (goods or a product) suitable or available for mass consumption: to

consumerize computers by making them cheaper.

2. to encourage or foster the widespread consumption of (goods or a product).

(Dictionary.com, 2012)

Consumerization in IT

The term consumerization is believed to have been first used in an IT context by Douglas Neal, John Taylor and Piet Opperman of the Leading Edge Forum in 2001. In their paper, the authors provided the aspects of consumerization that describe the term:

“The defining aspect of consumerization is the concept of ‘dual use’. Increasingly, hardware devices, network infrastructure and value-added services will be used by both businesses and consumers. This will require IT organizations to rethink their investments and strategies.” (Moschella, Neal, Opperman, & Taylor, 2004).

Bring Your Own Device (BYOD)

Considering the description given above, Bring Your Own Device (BYOD) can be identified as one form of implementation of consumerization. BYOD is a business policy under which employees bring personally owned mobile devices to their work and use these devices to access company resources such as email, file servers and databases, as well as their personal applications and data (Bradley, 2011).

Mobile Devices

A mobile device is a small, hand-held computing device that enables mobile computing. Mobile computing is human–computer interaction in which the computer is transported during normal usage. Mobile computing involves mobile communication, mobile hardware and mobile software. Communication issues include ad-hoc and infrastructure networks as well as communication properties, protocols, data formats and concrete technologies. Hardware includes mobile devices or device components (Zimmerman, 1999). Mobile computing enables the use of a computing device while being mobile; portability is therefore an essential aspect of it.

3.2 Trend of Consumerization on IT Risk Landscape

The reason for performing further research on consumerization of mobile devices is the continued trend observed since its introduction a couple of years ago. This trend is recognised by Gartner, which published a journal of predictions for IT organisations in the coming years. In it, Gartner noted that users (employees) are taking more control of the devices they use in a business context, which results in a loss of control for the organisation. Due to the recent economic turmoil, organisations are considering consumer-grade devices for business use. This trend is believed to result in higher employee satisfaction and, more importantly, significant cuts in operational expenses. However, consumerization of mobile devices also enables attacks against critical business and customer data (Plummer, et al., 2011).

The continuing trend is also observed by ISACA, which conducted a survey among more than 4,700 of its members from 84 countries. The survey results show that IT professionals believe their organizations are increasingly challenged to deal with BYOD. In every region except Europe, more respondents say that employees are allowed to use personal devices for work purposes, but members in five of the six regions say that the risk of using a personal mobile device for work purposes still outweighs the benefits. Use of personally owned PCs or mobile devices, which are typically more difficult to secure than work-issued devices and are used for a wide range of often high-risk online activities, means that sensitive corporate information may be compromised through device theft or loss, or through malware attacks (ISACA, ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens Online Holiday Shopping Risk, 2011).

The results of the survey that ISACA performed in 2011 showed that more than half (58%) of information technology leaders in the US believe that consumerization poses a greater risk to the enterprise than mobile devices supplied by the company. Yet a significant number of these leaders (27%) still believe that the benefits of employees using personal devices outweigh the risks. Other regions (Asia, Europe, Latin America, North America, Oceania) to which the same survey was submitted showed comparable results (ISACA, 2011 ISACA IT Risk/Reward Barometer—US Edition).

Figure 4: Which device poses the greatest risk to your organization?

“BYOD presents both opportunities and threats. It lets both employees and organizations take advantage of the latest technology innovations at limited cost to the organization. Unfortunately, it also introduces new vulnerabilities, due to the limited ability of most organizations to effectively manage and secure employee-owned devices accessing their information infrastructure,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC. “Organizations should educate their employees on their BYOD security requirements and implement a comprehensive mobile device policy that aligns with the organization’s risk profile.” (ISACA, Over Half of IT Leaders Say Employee-Owned Mobile Devices Are Riskiest, 2011).

Deloitte surveyed Chief Security Officers/Chief Information Security Officers (CISOs) of over 250 financial services organizations from 39 countries, including 11 of the leading 100 global banks by revenue and 24 of the leading 100 global insurance organizations by revenue. The survey reveals that only 13.9% of the companies (12.7% no support and 1.2% do not know) do not support the use of mobile devices in their organization. Most companies support either a corporate-provided device or an employee-purchased device. Please refer to the results of question 36 of the survey: “To what extent is your enterprise supporting mobile devices?”.

On the question of what the organization does to address the security risks associated with mobile devices, none of the suggested controls/measures is implemented by more than 50% of the respondents. This means that most companies do not have all the measures in place to mitigate the risks related to the use of mobile devices. Deloitte observed the same and noted the following:

“As a part of their mobility program, many organizations have already deployed, or plan to deploy, mobile VPN, central device management, and mobile device management software. However, more than 50% of respondents have not yet planned for deployment of anti-phishing software, employee and customer-facing applications, and data loss prevention for mobile devices”

Figure 5: Support of Mobile Devices in Enterprises

The figure below shows that most of the enterprises have deployed mobile devices or will deploy them in the next 12 months.

3.3 Consumerization of mobile devices: Answer to SQ1

The first sub research question of this thesis is formulated as: What is consumerization of mobile devices and why does this trend require proper considerations?

Consumerization of mobile devices is the process or phenomenon in which consumer products are made suitable for ‘dual use’. Dual use in this context refers to privately owned consumer devices being used, or made suitable, for business purposes next to private use. Using privately owned mobile devices for work is generally referred to as Bring Your Own Device (BYOD).

Research in this field is relevant because the trend is gaining more and more attention. Recent surveys by Gartner and ISACA show that global information technology leaders recognise the risks related to consumerization of mobile devices. However, the advantages of the concept are apparently too attractive to ignore nowadays.

The Deloitte survey provides insight into real problems that enterprises are experiencing and thereby also answers why consumerization of mobile devices requires proper consideration. On the question whether their enterprise had been breached in the past 12 months in a way that compromised the confidentiality, integrity and/or availability of sensitive information, all (100%) of the respondents revealed that they had been breached at least once.

Figure 6: Addressing risk associated with Mobile Devices

Figure 7: Deployment of mobile devices in the next 12 months

Figure 8: External breaches occurrences in the past 12 months


Respondents report that attacks exploiting mobile network vulnerabilities are highest in Canada and lowest in APAC and Japan. All other regions reported similar figures (around 11% on average), whereas the global average in 2011 was 10%. Please refer to the table below:

Figure 9: Attacks exploiting mobile network vulnerability


4 RISK ASSESSMENT MOBILE DEVICE CONSUMERIZATION WITHIN BANK SECTOR

This chapter identifies the security risks related to the use of mobile devices in a private and business context and herewith answers the second sub research question, which is defined as follows: What are the security risks and impact imposed by consumerization of mobile devices within the Bank sector? Identifying risks is essential in defining a profound security control framework for consumerization of mobile devices. As mentioned in chapter one of this thesis, this research builds on the report published by ENISA in December 2010. ENISA performed extensive research on information security risks, opportunities and vulnerabilities related to the use of smartphones. Its report is intended to help business and public organisations evaluate and mitigate the risks associated with adopting smartphones. This research adapts ENISA’s risk assessment specifically for the bank sector in order to define a profound risk-based security control framework for consumerization of mobile devices.

ENISA is an agency of the European Union, established to contribute to a high level of network and information security within the EU by:

• giving expert advice on network and information security to national authorities and EU institutions;
• acting as a forum for sharing best practices;
• facilitating contacts between EU institutions, national authorities and businesses.

Together with EU institutions and national authorities, ENISA seeks to develop a culture of security for information networks across the EU. This report and other ENISA reports can be found on ENISA’s website (http://enisa.europa.eu) (Hogben & Dekker, 2010).

4.1 Identified Risk categories of Bank Sector

Hogben and Dekker (2010) identified and analysed 10 information security risks and gave recommendations for each risk. Their research provides an overview of generic technical solutions to mitigate the risks, but does not provide specific security controls with which compliance can be demonstrated. The ten risks are:

• R1 Data leakage: a stolen or lost phone with unprotected memory allows an attacker to access the data on it.
• R2 Improper decommissioning: the phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.
• R3 Unintentional data disclosure: most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
• R4 Phishing: an attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or (SMS, email) messages that seem genuine.
• R5 Spyware: the smartphone has spyware installed allowing an attacker to access or infer personal data. NB: spyware includes any software requesting and abusing excessive privileges. It does not include targeted surveillance software (R7).
• R6 Network spoofing attacks: an attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
• R7 Surveillance: spying on an individual with a targeted user’s smartphone.
• R8 Diallerware: an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
• R9 Financial malware: malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
• R10 Network congestion: network resource overload due to smartphone usage leading to network unavailability for the end-user.

4.2 CIA Triad for Information Security (Confidentiality, Integrity & Availability)

The Confidentiality, Integrity & Availability (CIA) Triad is a venerable, well-known model for security policy development, used to identify problem areas and necessary solutions for information security (Perrin, 2008). Confidentiality, integrity and availability are security attributes that help to identify the impact of a given risk. Therefore, CIA is used in conjunction with ENISA’s risk analysis results to help understand the impact. The explanation of CIA below is taken from ISO 27001:

Confidentiality describes the assurance that information is shared only amongst authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.

Integrity is the assurance that the information is authentic and complete: that it can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering information security, as it represents one of the primary indicators of security (or the lack of it). The integrity of data is not only whether the data is ‘correct’, but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of the information, because each additional copy is at risk of change or modification.

Availability is the assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

4.3 Risk Assessment results

The results of ENISA’s research are discussed in this section; the original publication can be found in Appendix D: ENISA Risk Assessment. Their risk assessment is adapted for this research, and the CIA ratings discussed in the previous section are incorporated into the assessment specifically for the bank sector. Please refer to the illustration (Figure 10) which explains how the tables should be interpreted.

The illustration shows the results of ENISA’s risk assessment on the identified risk categories (A). In this part of the table, ENISA rated the likelihood and impact, and herewith the risk, of each risk category. Their assessment is performed against three user scenarios: Consumer, Employee and High Official (B). These scenarios are explained in the next section. Although extensive, ENISA’s analysis does not provide insight into how a particular risk category impacts the data handled on mobile devices. Therefore, the security attributes of data, confidentiality, integrity and availability, are included in the analysis (C). These ratings are the result of the survey performed among 2 regular consumers, 2 employees of a large Dutch bank and 2 high officials (managers), a small sample, so the ratings should be read as indicative rather than representative. The surveys can be found in Appendix F: Survey Results. (D) contains the vulnerabilities to which a certain risk category is exposed. The explanation of each vulnerability can be found in Appendix B: Vulnerabilities by ENISA.

Usage Scenarios

ENISA made a distinction between different usage scenarios, as the impact and likelihood of the identified risks vary depending on how the smartphone is used. ENISA defined three usage scenarios: Consumer (C), Employee (E) and High Official (H). For this research, these usage scenarios are kept and customized for the bank sector.

Usage scenario: Consumer (C)

Banks nowadays provide extensive services, like mobile Internet banking applications, to their customers. Within the context of this research, consumers (C) are customers of the bank who make use of the bank’s applications.

The mobile device is an integral part of a person’s daily life for this group – e.g. private phone calls, social networking, messaging, navigation, gaming, online banking, on-the-go entertainment, location based services, Internet browsing, micro-blogging, email, photography, video recording, e-health, etc. (Hogben & Dekker, 2010).

Usage scenario: Employee (E)

Within the context of this research, employees (E) are considered to have higher authorizations within banking applications for their daily operational tasks within the bank. A good example is the authorization to approve transactions above a certain amount of money. This group of users might have access to sensitive corporate data and other critical functionalities.

The mobile device is used by this group in a business or government organization. It is used for business phone calls, Internet browsing, corporate email, expense management, customer relationship management, travel assistance, contact management and business social networking, video conferencing, scheduling tasks, and reading documents. In some cases workflow applications are run on the mobile device, e.g. to fill in forms as part of an employee task. Usage in this scenario is subject to IT (security) policies, set by the employer’s IT officer. The mobile device is used for personal use in a limited way (Hogben & Dekker, 2010).

Usage scenario: High official (H)

Within the context of this research, high officials (H) do not necessarily access critical functionalities, as these are required by normal employees within the bank for their daily tasks. However, their communications may contain sensitive information regarding the bank’s strategy, decisions etc.

The smartphone is used by a high or top-level official in a business or government organisation, or by his or her close aide. The smartphone is used as in usage scenario E but in addition it is used for dealing with sensitive information and/or tasks. Usage in this scenario is subject to security policies and the functionality of the smartphone may be restricted or customized, for example by adding cryptographic modules for protecting call-confidentiality (Hogben & Dekker, 2010).

Table 1: Usage Scenario

Figure 10: Explanation Risk Assessment

4.3.1 R1: Data leakage

Mobile devices are easily stolen or lost due to their size. When the data in the device memory or on removable media is not sufficiently protected, an attacker who obtains the device can access that data. Both the internal memory and removable media such as SD cards have a large capacity nowadays and may hold a lot of sensitive data.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that data leakage entails great risk. The survey performed among the target group shows that data leakage has a significant impact on all three CIA attributes. The impact on ‘availability’ is the greatest, as the data stored on the mobile device is lost indefinitely. For confidentiality and integrity, the target group responded with similar ratings, ranging from medium to very high.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Medium | Medium | Very High | High | Medium | Medium
Employee (E) | Very High | High | Very High | Medium | High | High
High official (H) | Medium | Medium | High | Medium | Very High | High

Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]

4.3.2 R2: Improper decommissioning

Mobile devices are products with a relatively short life cycle; users usually exchange their device for a newer one. A mobile device which is decommissioned improperly allows an attacker to access the data still on the device.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that improper decommissioning entails great risk. However, the survey performed among the target group shows an increased impact on the security attribute ‘confidentiality’ only. Respondents noted that data on decommissioned devices is not needed anymore or has already been transferred to the new device. Data on a decommissioned device will therefore not affect integrity or availability, but the data is out in the open. Hence the high impact on ‘confidentiality’.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Medium | N/A | N/A | Medium | Medium | Medium
Employee (E) | Very High | Low | Low | High | High | High
High official (H) | High | Low | Low | Medium | Very High | High

Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]
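Both R1 and R2 list vulnerability 6.4 (Encryption weaknesses), which is worth making concrete. The script below is an added example and is not part of the thesis or of ENISA’s report. It models, with the Python standard library only, why encrypting device storage under a key derived from a 4-digit PIN does not protect a stolen device (the attacker copies the flash and tries all 10,000 PINs offline, where no lockout applies), why mixing in a non-exportable device secret defeats that search, and how zeroising that secret at decommissioning (cryptographic erasure) leaves every record unreadable regardless of what remains in flash or on an SD card. The “device secret”, the HMAC-based keystream used in place of AES, the record format and the low iteration count are all assumptions made for illustration.

```python
"""Added example, not from the thesis or ENISA: PIN-only encryption on a lost device (R1,
vulnerability 6.4 Encryption weaknesses) versus a device-bound key, and cryptographic
erasure at decommissioning (R2). Everything is constructed for illustration: the
'device secret' stands in for a key a secure element holds and never exports, and the
HMAC keystream stands in for AES so the script runs with the standard library only."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: deliberately low so the brute force below finishes in seconds; a real
# device uses a far higher work factor and rate-limits PIN attempts in hardware.
ITERATIONS = 50


def derive_key(pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """32-byte key from the PIN, optionally mixed with a non-exportable device secret."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + bytes(device_secret), salt, ITERATIONS, 32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream (illustration only)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, block_no.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt_record(plaintext: bytes, pin: str, device_secret: bytes = b"") -> dict:
    """One record as it would sit in flash: salt, ciphertext and an integrity tag."""
    salt = os.urandom(16)
    key = derive_key(pin, salt, device_secret)
    ct = keystream_xor(key, plaintext)
    tag = hmac.new(key, ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def decrypt_record(record: dict, pin: str, device_secret: bytes = b"") -> Optional[bytes]:
    """Plaintext, or None when the key does not verify (wrong PIN or erased secret)."""
    key = derive_key(pin, record["salt"], device_secret)
    if not hmac.compare_digest(hmac.new(key, record["ct"], "sha256").digest(), record["tag"]):
        return None
    return keystream_xor(key, record["ct"])


def offline_pin_bruteforce(record: dict, digits: int = 4, device_secret: bytes = b"") -> Optional[str]:
    """What a thief does with a copy of the flash: try every PIN offline, no lockout applies."""
    for guess in range(10 ** digits):
        pin = f"{guess:0{digits}d}"
        if decrypt_record(record, pin, device_secret) is not None:
            return pin
    return None


def decommission(device_secret: bytearray) -> None:
    """Cryptographic erasure: zeroising the device-bound key makes every record keyed with
    it unreadable, whatever data is still physically present in flash or on an SD card."""
    for i in range(len(device_secret)):
        device_secret[i] = 0


def demo() -> dict:
    secret = bytearray(os.urandom(32))  # constructed stand-in for a secure-element key
    data = b"account 1234 balance 5000"  # constructed sample record
    record_pin_only = encrypt_record(data, "4321")
    record_bound = encrypt_record(data, "4321", secret)
    result = {
        # R1: a 4-digit PIN alone is 10,000 guesses; the thief recovers it offline.
        "pin_only_recovered": offline_pin_bruteforce(record_pin_only),
        # Same PIN, key mixed with a secret the thief does not have: the search fails.
        "bound_recovered": offline_pin_bruteforce(record_bound),
        "bound_readable": decrypt_record(record_bound, "4321", secret),
    }
    decommission(secret)  # R2: wipe the key, not only the data
    result["readable_after_erase"] = decrypt_record(record_bound, "4321", secret)
    return result


if __name__ == "__main__":
    print(demo())
```

The practical consequence for an audit is that “device encryption enabled” is not a sufficient finding on its own: the auditor should check that the storage key is bound to a hardware-protected secret with rate-limited PIN attempts, and that the decommissioning procedure destroys that key (remote or local wipe) rather than relying on deleting files, which leaves the data on unprotected removable media untouched.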

Table 2: R1 - Data leakage

Table 3: R2 - Improper decommissioning

4.3.3 R3: Unintentional disclosure of data

Mobile device users may unintentionally disclose data through functionalities that they do not thoroughly understand. Even if they have given explicit consent for certain functionality, users may be unaware that an application collects and publishes personal data.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that unintentional disclosure of data entails the greatest risk amongst all the risk categories. However, the survey performed among the target group shows that not all three security attributes are impacted as such. Respondents noted that ‘availability’ of data is not a concern, as the data is still available to them whether or not it is sent with their consent. The data on the device remains the same and therefore its integrity is not in dispute. Confidentiality is more of a concern, as (sensitive) data may be transmitted unknowingly at any time.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Medium | Low | Low | Very High | High | High
Employee (E) | Very High | N/A | N/A | High | Medium | High
High official (H) | High | Medium | N/A | High | Very High | High

Vulnerabilities: [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.6 No privacy protection best practices] [6.7 Lack of user awareness]

Table 4: R3 - Unintentional disclosure of data

4.3.4 R4: Phishing

Phishing involves acquiring information by masquerading as a trustworthy entity in a communication. An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that phishing entails medium to high risk. The survey performed among the target group shows that phishing has a great impact on the ‘confidentiality’ of data, as the receiving party (the attacker) appears trustworthy and the threshold for sending (sensitive) data is therefore considerably lower. Within the target group, consumers (C) noted, in contrast to the other groups, that the security attribute ‘integrity’ is impacted as well. This group uses their mobile devices for private purposes and is therefore more inclined to install applications. Installing applications increases the chance of malicious functionality on the device which may affect their data. The remaining two groups (employees and high officials) reported a lower impact on this attribute, as they find that phishing attacks generally involve illegal data retrieval rather than data modification.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Very High | Very High | Low | Medium | High | Medium
Employee (E) | Very High | Low | Low | Medium | High | Medium
High official (H) | Very High | N/A | N/A | Medium | Very High | High

Vulnerabilities: [6.5 Weak app distributor authentication mechanisms] [6.7 Lack of user awareness]

4.3.5 R5: Spyware

The mobile device has spyware installed which allows an attacker to access or infer personal data. Spyware covers untargeted collection of personal information, as opposed to targeted surveillance (R7).

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that spyware attacks entail medium to high risk. The survey performed among the target group shows that spyware attacks have a significant impact on two of the three security attributes of data. Confidentiality and integrity are considered a concern during such an attack, since the data is out in the open and the attacker may modify it. Availability is not a concern, as the goal of such attacks is seldom to take data away from users.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Very High | Very High | N/A | High | Medium | High
Employee (E) | Very High | Very High | N/A | Medium | High | Medium
High official (H) | High | Medium | N/A | Medium | Medium | Medium

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Ability to unlock phones] [Reputation vulnerabilities] [6.2 Covert channels/weak sandboxing]

Table 5: R4 - Phishing

Table 6: R5 - Spyware

4.3.6 R6: Network spoofing attacks

An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that network spoofing attacks entail medium to high risk. The survey performed among the target group shows that network spoofing attacks have a significant impact on two of the three security attributes of data. Confidentiality and integrity are considered a concern during such an attack, since the data is out in the open and the attacker may modify it. Availability is not a concern, as the goal of such attacks is seldom to take data away from users. Respondents noted that network spoofing attacks impact the CIA significantly because they provide attackers with a platform for further attacks, such as installing spyware or phishing.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Very High | Very High | Low | Medium | Medium | Medium
Employee (E) | Very High | Very High | Low | Medium | High | Medium
High official (H) | High | Very High | Low | Medium | High | High

Vulnerabilities: [6.7 Lack of user awareness]
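The rogue access point described above is usually an “evil twin”: an AP broadcasting the bank’s own SSID, typically with weaker or no authentication so that devices (or users) accept it. The script below is an added example and not part of the thesis or of ENISA’s report; it shows the check a managed Wi-Fi profile or a security team can run over scan results. The registered access points, the pushed security profile and the scan records are all constructed for this example.

```python
"""Added example, not from the thesis or ENISA: detecting an evil twin of the bank's
corporate SSID (R6 Network spoofing attacks) from Wi-Fi scan results, and the join
decision a managed Wi-Fi profile should make. The registered access points and the
scan records below are constructed for this example."""

# Constructed: BSSIDs registered by the network team for the corporate SSID, with the
# security profile the MDM pushes to the devices.
CORPORATE_NETWORKS = {
    "BankCorp-WiFi": {
        "bssids": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed scan: two genuine APs, two evil twins on channel 6 (one open, one
# WPA2-Personal to phish the user for a password), and an unrelated public hotspot.
SCAN_RESULTS = [
    {"ssid": "BankCorp-WiFi", "bssid": "00:1A:2B:3C:4D:01", "channel": 36, "security": "WPA2-Enterprise"},
    {"ssid": "BankCorp-WiFi", "bssid": "00:1a:2b:3c:4d:02", "channel": 44, "security": "WPA2-Enterprise"},
    {"ssid": "BankCorp-WiFi", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "Open"},
    {"ssid": "BankCorp-WiFi", "bssid": "de:ad:be:ef:00:02", "channel": 6, "security": "WPA2-Personal"},
    {"ssid": "CoffeeShop-Free", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 1, "security": "Open"},
]


def classify_ap(ap: dict, corporate: dict) -> list:
    """Reasons this AP must not be treated as the corporate network (empty list = genuine)."""
    profile = corporate.get(ap["ssid"])
    if profile is None:
        return []  # not claiming to be one of ours; out of scope for this check
    reasons = []
    if ap["bssid"].lower() not in profile["bssids"]:
        reasons.append("BSSID not registered for this SSID")
    if ap["security"] != profile["security"]:
        # The classic evil-twin tell: same name, weaker (or no) authentication.
        reasons.append(f"security downgrade: {ap['security']} instead of {profile['security']}")
    return reasons


def find_rogue_aps(scan: list, corporate: dict) -> list:
    """Every AP in the scan that impersonates a corporate SSID, with the reasons."""
    findings = []
    for ap in scan:
        reasons = classify_ap(ap, corporate)
        if reasons:
            findings.append({"bssid": ap["bssid"].lower(), "ssid": ap["ssid"],
                             "channel": ap["channel"], "reasons": reasons})
    return findings


def should_autojoin(ap: dict, corporate: dict) -> bool:
    """Join policy for a managed device: only corporate SSIDs, only registered APs, only
    the pushed security profile. Public hotspots never auto-join."""
    return ap["ssid"] in corporate and not classify_ap(ap, corporate)


if __name__ == "__main__":
    for f in find_rogue_aps(SCAN_RESULTS, CORPORATE_NETWORKS):
        print(f"ROGUE {f['bssid']} ssid={f['ssid']} ch={f['channel']}: {'; '.join(f['reasons'])}")
    for ap in SCAN_RESULTS:
        print(ap["bssid"], "autojoin" if should_autojoin(ap, CORPORATE_NETWORKS) else "do not join")
```

A BSSID allow-list is a detection aid, not the control: a BSSID is trivially spoofed. The control that actually stops the rogue AP is the WPA2-Enterprise profile on the device validating the RADIUS server certificate (EAP-TLS or PEAP with the issuing CA pinned), so that an attacker who copies the SSID and BSSID still cannot complete the authentication handshake. The GSM variant of this attack has no client-side equivalent of this check on the 2G air interface, which is why the ENISA recommendation for sensitive traffic is end-to-end protection (VPN, TLS with certificate validation) rather than trust in the network.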

4.3.7 R7: Surveillance

An attacker keeps a specific user under surveillance through the target user’s mobile device. Mobile devices contain multiple sensors such as a microphone, camera, accelerometer and GPS. This, combined with the possibility of installing third-party software and the fact that a mobile device is closely associated with an individual, makes it a useful spying tool.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that surveillance entails medium to high risk. The survey performed among the target group shows that surveillance has a significant impact on two of the three security attributes of data. Confidentiality and integrity are considered a concern during such an attack. High officials expressed an increased impact on confidentiality and integrity, as their communication is usually more sensitive. One official noted that the impact is very high when an attacker enables the microphone and camera of his mobile device, which allows the attacker to spy during meetings with management. Employees share this view, as surveillance may provide insight into the procedures of their daily operations and into user credentials used to access sensitive bank applications.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Very High | Low | Low | Low | High | Medium
Employee (E) | Very High | High | N/A | Low | High | Medium
High official (H) | Very High | Very High | N/A | Medium | Very High | High

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation]

Table 7: R6 - Network spoofing attacks

Table 8: R7 - Surveillance

4.3.8 R8: Diallerware

An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.

Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that diallerware attacks entail medium to high risk for consumers and employees and low risk for high officials. According to their risk assessment, high officials are less likely to be affected by this risk, as they have a larger budget and are less likely to download rogue apps. The survey performed among the target group shows that diallerware attacks have a significant impact on confidentiality, whereas integrity and availability are unlikely to be impacted.

CIA rating from the survey (first three columns) and ENISA’s risk analysis (last three columns):

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
------------------------ | --------------- | --------- | ------------ | ---------- | ------ | ----
Consumer (C) | Medium | Low | Low | High | High | High
Employee (E) | Very High | Low | N/A | Medium | Medium | Medium
High official (H) | Medium | Low | N/A | Low | Low | Low

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]

Table 9: R8 - Diallerware

4.3.9 R9: Financial malware

The mobile device is infected with malware specifically designed for stealing credit card numbers or online banking credentials, or for subverting online banking or e-commerce transactions. Please refer to Appendix F: Survey Results. The analysis performed by Enisa shows that financial malware attacks entail a medium to high risk for consumers and employees and a low risk for high officials. The survey performed among the target group shows that financial malware attacks have a significant impact on two of the three security attributes of data. Confidentiality and integrity are considered a concern during such an attack, since data is out in the open and the attacker may modify it. Availability is not a concern, as the goal of such attacks is seldom to take data away from users.

CIA Rating (target-group survey: Confidentiality, Integrity, Availability) and ENISA's Risk Analysis (Likelihood, Impact, Risk)

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
Consumer (C)             | Medium          | Medium    | Low          | Medium     | High   | High
Employee (E)             | Very High       | Very High | N/A          | Low        | High   | Medium
High official (H)        | Medium          | High      | N/A          | Low        | Low    | Low

Vulnerabilities

Table 10: R9 - Financial malware

4.3.10 R10: Network congestion

Network resource overload due to smartphone usage leads to network unavailability for the end user. Please refer to Appendix F: Survey Results. The analysis performed by Enisa shows that network congestion attacks entail a low risk. The survey performed among the target group shows that network congestion attacks have a significant impact only on the availability of data. Confidentiality and integrity are not a concern, as data on the mobile device cannot be transmitted or modified during such an attack.

CIA Rating (target-group survey: Confidentiality, Integrity, Availability) and ENISA's Risk Analysis (Likelihood, Impact, Risk)

Rating per user scenario | Confidentiality | Integrity | Availability | Likelihood | Impact | Risk
Consumer (C)             | Low             | Low       | Very High    | Low        | Low    | Low
Employee (E)             | N/A             | N/A       | Very High    | Low        | Low    | Low
High official (H)        | N/A             | N/A       | Very High    | Low        | Low    | Low

Vulnerabilities: [Inadequate resource provisioning]

Table 11: R10 - Network congestion

4.4 Security risks and impact of consumerization of mobile devices: Answer to SQ2

Chapter 4 answered the second sub research question, which is defined as follows: What are the security risks and impact imposed by consumerization of mobile devices within the Bank sector? The answer builds on the results of the research conducted by Enisa on risks related to the use of mobile devices. In general, there are 10 risks applicable to the use of mobile devices; these risks are explained in section 4.1 of this chapter. Enisa's risk analysis is enriched with CIA ratings per risk category, retrieved from a survey performed among 2 consumers, 2 employees and 2 high officials of a large Dutch bank. The results of Enisa show that the use of mobile devices is most vulnerable to R1: Data leakage, R2: Improper decommissioning and R3: Unintentional disclosure of data; their likelihood and impact are the highest among the 10 risk categories. The results of the survey performed among the target group show that R4: Phishing, R5: Spyware and R6: Network spoofing attacks have the greatest impact on the security attributes of data (CIA) during attacks.

Among the target group, bank employees report higher impacts on CIA in case their mobile devices are under attack. During the interviews, bank employees noted that when they use their mobile device for business purposes, bank applications are required to be installed for daily operations. These bank applications give bank employees access to sensitive corporate databases. Hence there is an increased chance of employees' devices holding a large amount of sensitive data or containing user credentials to access those databases.

High officials and consumers report a somewhat lower impact of the identified risks compared to bank employees. High officials do not install bank applications to perform operational tasks as employees do, so the chance of high officials having sensitive, valuable data on their mobile phone is low. One high official reported that he does bring his own device for business purposes; however, only the email function is used intensively. The email clients on mobile devices are fairly well secured.


Figure 11: Theoretical Process

5 SECURITY CONTROL FRAMEWORK

This chapter consolidates all requirements and information acquired in the previous chapters into the establishment of a security framework for mobile devices. In addition, this chapter answers the third sub question, which is defined as follows: How can the security of mobile devices be ensured using controls to manage the risks identified as a result of consumerization?

Firstly, the process of selecting relevant controls based on legal requirements, identified risks and bank sector requirements is explained. After that, the theoretical model of this security control framework is discussed. The chapter concludes with the final sets of controls, bundled by identified risk category.

5.1 Security Control Framework Theoretical Process

The process for selecting the appropriate security controls for the usage of mobile devices within a business context is depicted in the figure below. Prior to this chapter, which discusses the final version of the framework, research has been performed on the compliancy requirements specific to the bank sector. Banks in the Netherlands are subject to the DNB information security assessment. The most recent version of this assessment is based on Cobit 4.1, which is explained later in this chapter. Furthermore, the real risks related to smartphones/mobile devices discussed in the previous chapter are incorporated into the framework through their CIA (Confidentiality, Integrity & Availability) ratings. This allows the business to focus on the controls that are of importance given its own governance framework.

[Figure 11: Theoretical Process (diagram), recovered as its steps and the input feeding each step:]

• Select Best Practice Framework (input: COBIT Framework)

• Select Bank Sector Requirements (input: Bank Sector Requirements)

• Select Security Controls Based on Risks (input: ENISA Risk Assessment)

• Assign CIA Rating to each Risk (input: CIA Ratings)

• Define Security Controls Framework

The result of this process is a set of Cobit controls for each risk category, covering the bank requirements (DNB) and enabling reporting by security attribute (CIA).

5.2 Cobit Framework

Cobit (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Cobit enables clear policy development and good practice for IT control throughout organizations. Cobit supports IT governance by providing a framework to ensure that:

• IT is aligned with the business

• IT enables the business and maximizes benefits

• IT resources are used responsibly

• IT risks are managed appropriately

Cobit has become the integrator for IT best practices and the umbrella framework for IT governance because it is harmonized with other standards and continuously kept up to date. The process structure of Cobit, in conjunction with its high-level, business-oriented approach, provides an end-to-end view of IT that aids organizations in getting the most value possible from their IT investments (ISACA, 2007).

Figure 12: Domains of Cobit

The Cobit framework comprises 210 distinct controls, most of which are not applicable to the identified risks related to mobile devices. Therefore, a theoretical model is defined to distil an appropriate security framework for consumerization of mobile devices in the bank sector. This model can be found in section 5.4.

5.3 The Bank Sector & Compliancy Requirements For The Bank Sector

This section discusses the compliancy requirements of the bank sector in the Netherlands. As discussed in the scope in chapter 1 of this thesis, internal control frameworks and external audits of the financial statements of banks are not considered in this research, as these requirements may differ significantly per organization. For this research, regulatory compliancy requirements are elicited, as these apply to the bank sector in the Netherlands in general. Financial institutions in the Netherlands are obliged to comply with the DNB requirements for information security.

5.3.1 DNB Information Security Assessment (Regulatory requirements)

De Nederlandsche Bank (DNB) is the central bank of the Netherlands and is part of the European System of Central Banks (ESCB). As a central bank, DNB is responsible for safeguarding financial stability. More particularly, DNB contributes to defining and implementing the single monetary policy of the countries that have introduced the euro, and supervises financial institutions and the financial sector.

DNB has developed an assessment framework to evaluate the information security of banks in the Netherlands. In respect of all measures, institutions must comply with a maturity level of at least 3 ("defined process"). The procedures and measures must be embedded in the IT processes and operations of all relevant units of the financial institution, so that they constitute an integral element of the organisation as a whole.

The legal basis that determines which organizations are subject to this assessment is quoted below from DNB:

“Financial institutions subject to section 3:17 of the Financial Supervision Act (Wet op het financieel toezicht) must, in pursuance of the first subsection of said section, organise their operations in such a way as to safeguard controlled and sound operations. The second subsection, opening sentence and under (a), stipulates that rules may be laid down by or pursuant to general administrative order with regard to the attainment of controlled business processes and business risks. To implement these provisions, section 20(2) of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft) stipulates that a financial institution – defined as a payment institution, a clearing institution, a special purpose reinsurance vehicle, a credit institution, a premium pension institution, an insurer or a branch as referred to in section 17 of the Decree – must have in place procedures and measures to safeguard the integrity, continuous availability and security of electronic data. These institutions must also have in place procedures and measures to ensure the integrity, continuous availability and security of electronic data processing.” (dnb.nl, 2012).


5.4 Security Control Framework Theoretical Model

The theoretical model below is the result of the selection process described in section 5.1. As mentioned, Cobit 4.1 comprises 210 controls, and not all of them are applicable to the risks that mobile devices are exposed to. All 210 distinct Cobit controls were considered during the research. The result of this selection process is a security control framework for mobile devices that contains 29 controls spread over the 10 identified risks. The set of controls can be found in the next section.

[Figure 13: Theoretical Model (diagram), recovered from its labels. Row labels: Cobit domain, Cobit process (P), Cobit controls (C), Selection Criteria. The four Cobit domains Plan & Organise, Acquire & Implement, Deliver & Support and Monitor and Evaluate each break down into Cobit processes (P) and the Cobit controls (C) under them; all controls are then passed through the Selection Criteria (DNB Information Security & Identified Risks) to yield the framework.]

5.5 The Framework: The selection process

The security control framework for consumerization of mobile devices and the process to establish it are discussed in this section. All identified risk categories were analyzed in the previous chapter, in which the CIA ratings and also the compliancy requirements of the Dutch bank sector were discussed. Please refer to the illustration below for an explanation of this framework. The framework consists of Cobit controls mapped to the specific vulnerabilities that contribute to a risk category (A & B). This mapping was performed by Enisa and its results are reused in this research; please refer to Appendix D: ENISA Risk Assessment. These vulnerabilities are mapped to Cobit controls based on Cobit's risk driver per control (C). The Cobit controls are in turn mapped to DNB's requirements for information security for the purpose of demonstrating compliancy (D). Finally, the results of the survey performed among the target group are included in order to determine the impact on CIA of each risk category (0=N/A, 1=Low, 2=Medium, 3=High & 4=Very High).

Figure 13: Theoretical Model
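The selection pipeline of this section, as an added worked example (not code from the thesis): steps (A/B) attach Cobit risk drivers to each ENISA vulnerability of a risk, step (C) selects the Cobit controls that address those drivers, step (D) carries the DNB requirement per control, and the 0-4 CIA scale turns the survey labels into the framework's C-I-A code. The control and risk data is a subset of Tables 12 to 17 on this page; which risk drivers belong to which control is my reading of those tables and is an assumption.

```python
# Added example, not the thesis author's code. Models the section 5.5 pipeline:
# (A/B) ENISA risk -> vulnerabilities -> Cobit risk drivers, (C) Cobit control
# selected when it addresses one of those drivers, (D) DNB requirement per
# control. Data is a subset of Tables 12-17 of the thesis; the split of risk
# drivers per control is an assumption (my reading of those tables).
from dataclasses import dataclass

# CIA scale used in the framework tables: 0=N/A, 1=Low, 2=Medium, 3=High, 4=Very High.
CIA_SCALE = {"N/A": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Control:
    cobit_id: str            # Cobit 4.1 control, e.g. "DS5.8"
    name: str
    dnb_ref: str             # "DNB" column: information security requirement
    risk_drivers: frozenset  # Cobit risk drivers the control addresses (assumed split)


CONTROLS = (
    Control("PO4.9", "Data and System Ownership", "6.1", frozenset({
        "Improperly secured business data",
        "Business process owners not taking responsibility for data"})),
    Control("DS11.6", "Security Requirements for Data Management", "12.3", frozenset({
        "Sensitive data misused or destroyed", "Unauthorised data access",
        "Data altered by unauthorised users"})),
    Control("DS5.8", "Cryptographic Key Management", "18.3", frozenset({
        "Keys misused by unauthorised parties",
        "Unauthorised access to cryptographic keys"})),
    Control("DS5.2", "IT Security Plan", "1.1", frozenset({
        "Users not aware of the IT security plan",
        "Gaps between planned and implemented IT security measures"})),
    Control("DS11.4", "Disposal", "12.2", frozenset({
        "Unauthorised access to data tapes", "Disclosure of corporate information"})),
    Control("DS5.11", "Exchange of Sensitive Data", "18.5", frozenset({
        "Unauthorised external connections to remote sites"})),
)

# Per risk: vulnerability -> Cobit risk drivers (steps A/B) and the survey CIA labels.
RISKS = {
    "R1: Data leakage": {
        "vulnerabilities": {
            "6.4 Encryption weaknesses": {
                "Improperly secured business data", "Unauthorised data access",
                "Keys misused by unauthorised parties"},
            "6.7 Lack of user awareness": {"Users not aware of the IT security plan"},
        },
        "cia": ("High", "High", "Very High"),
    },
    "R3: Unintentional data disclosure": {
        "vulnerabilities": {
            "6.4 Encryption weaknesses": {
                "Unauthorised external connections to remote sites",
                "Unauthorised access to data tapes"},
            "6.7 Lack of user awareness": {"Data altered by unauthorised users"},
        },
        "cia": ("High", "Medium", "Low"),
    },
}


def select_controls(risk):
    """Step (C): per vulnerability, the controls whose risk drivers overlap the
    drivers attached to that vulnerability. Order follows CONTROLS."""
    return {vuln: [c.cobit_id for c in CONTROLS if c.risk_drivers & drivers]
            for vuln, drivers in risk["vulnerabilities"].items()}


def cia_code(labels):
    """Survey labels -> the 'C-I-A' code of the framework tables, e.g. 3-3-4."""
    return "-".join(str(CIA_SCALE[label]) for label in labels)


def framework_rows(risk_name):
    """Rows of a framework table: (risk, vulnerability, control, DNB ref, CIA)."""
    risk = RISKS[risk_name]
    by_id = {c.cobit_id: c for c in CONTROLS}
    code = cia_code(risk["cia"])
    return [(risk_name, vuln, cid, by_id[cid].dnb_ref, code)
            for vuln, cids in select_controls(risk).items() for cid in cids]


def distinct_controls(risk_names):
    """Controls recur across risks; the framework's size is the distinct set."""
    return sorted({row[2] for name in risk_names for row in framework_rows(name)})


def dnb_coverage(risk_names):
    """Step (D): DNB requirements the selected controls can evidence."""
    return sorted({row[3] for name in risk_names for row in framework_rows(name)})


def risks_at_least(attribute, threshold):
    """Risks whose survey rating for 'C', 'I' or 'A' reaches `threshold`, so a
    bank can focus on the controls protecting the attribute it cares about."""
    idx = "CIA".index(attribute)
    floor = CIA_SCALE[threshold]
    return [name for name, risk in RISKS.items()
            if CIA_SCALE[risk["cia"][idx]] >= floor]
```

Running `framework_rows("R1: Data leakage")` reproduces the four rows of Table 13 with their DNB references, and `distinct_controls(RISKS)` shows why the framework counts distinct controls rather than rows.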


Figure 14: Explanation Security Control Framework


5.5.1 R1: Data leakage

According to Enisa, the risk of data leakage exists due to the vulnerabilities Encryption weaknesses (6.4) and Lack of user awareness (6.7). These vulnerabilities are mapped to Cobit-defined risks and in turn to the relevant Cobit controls.

Vulnerability: 6.4 Encryption weaknesses
Cobit risks:
- Improperly secured business data
- Improper protection of information assets
- Requirements for protecting business data not in line with the business requirements
- Inadequate security measures for data and systems
- Business process owners not taking responsibility for data
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users
- Keys misused by unauthorised parties
- Registration of non-verified users, thus compromising system security
- Unauthorised access to cryptographic keys

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users

Four Cobit controls are selected based on the risks related to the vulnerabilities. The CIA

rating is 3-3-4 (High-High-Very High).

• PO4.9 - Data and System Ownership

• DS11.6 - Security Requirements for Data Management

• DS5.8 - Cryptographic Key Management

• DS5.2 - IT Security Plan

Table 12: R1: Data leakage Risk Mapping


Table 13: R1: Data leakage Framework

Risk: R1: Data leakage (CIA rating 3-3-4)

Vulnerability: 6.4 Encryption weaknesses
COBIT control: PO4.9 - Data and System Ownership
COBIT control objective: Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
DNB requirement: 6.1

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS11.6 - Security Requirements for Data Management
COBIT control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
DNB requirement: 12.3

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS5.8 - Cryptographic Key Management
COBIT control objective: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DNB requirement: 18.3

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DNB requirement: 1.1


5.5.2 R2: Improper decommissioning

According to Enisa, the risk of improper decommissioning exists due to the vulnerabilities No privacy protection best practices (6.6), Lack of user awareness (6.7), User permissions fatigue (6.3) and Covert channels/weak sandboxing (6.2). These vulnerabilities are mapped to Cobit-defined risks and in turn to the relevant Cobit controls.

Table 14: R2: Improper decommissioning Risk Mapping

Vulnerability: 6.6 No privacy protection best practices
Cobit risks:
- Data not protected from unauthorised viewing or altering
- Documents not retrieved when needed
- Non-compliance with regulatory and legal obligations
- Unauthorised data access
- Disclosure of corporate information
- Compromised integrity of sensitive data
- Unauthorised access to data tapes
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users

Vulnerability: 6.3 User permissions fatigue
Cobit risks:
- Security breaches
- Users failing to comply with security policy
- Incidents not solved in a timely manner
- Failure to terminate unused accounts in a timely manner, thus impacting corporate security

Vulnerability: 6.2 Covert channels/weak sandboxing
Cobit risks:
- Misuse of users' accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs

Six Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating

is 3-1-1 (High-Low-Low).

• DS11.2 - Storage and Retention Arrangements

• DS11.4 - Disposal

• DS11.6 - Security Requirements for Data Management

• DS5.2 - IT Security Plan

• DS5.4 - User Account Management

• DS5.5 - Security Testing, Surveillance and Monitoring


Table 15: R2: Improper decommissioning Framework

Risk: R2: Improper decommissioning (CIA rating 3-1-1)

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.2 - Storage and Retention Arrangements
COBIT control objective: Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements.
DNB requirement: 12.1

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.4 - Disposal
COBIT control objective: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
DNB requirement: 12.2

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.6 - Security Requirements for Data Management
COBIT control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
DNB requirement: 12.3

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DNB requirement: 1.1

Vulnerability: 6.3 User permissions fatigue
COBIT control: DS5.4 - User Account Management
COBIT control objective: Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DNB requirement: 17.2

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.5 - Security Testing, Surveillance and Monitoring
COBIT control objective: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
DNB requirement: 16.1


5.5.3 R3: Unintentional data disclosure

According to Enisa, the risk of unintentional data disclosure exists due to the vulnerabilities Encryption weaknesses (6.4) and Lack of user awareness (6.7). These vulnerabilities are mapped to Cobit-defined risks and in turn to the relevant Cobit controls.

Table 16: R3: Unintentional data disclosure Risk Mapping

Vulnerability: 6.4 Encryption weaknesses
Cobit risks:
- Sensitive information exposed
- Inadequate physical security measures
- Unauthorised external connections to remote sites
- Disclosure of corporate assets and sensitive information accessible for unauthorised parties
- Disclosure of corporate information
- Compromised integrity of sensitive data
- Unauthorised access to data tapes

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users

Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA

rating is 3-2-1 (High-Medium-Low).

• DS5.11 - Exchange of Sensitive Data

• DS11.4 - Disposal

• DS11.6 - Security Requirements for Data Management

Table 17: R3: Unintentional data disclosure Framework

Risk: R3: Unintentional data disclosure (CIA rating 3-2-1)

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS5.11 - Exchange of Sensitive Data
COBIT control objective: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
DNB requirement: 18.5

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS11.4 - Disposal
COBIT control objective: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
DNB requirement: 12.2

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS11.6 - Security Requirements for Data Management
COBIT control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
DNB requirement: 12.3


5.5.4 R4: Phishing

According to Enisa, the risk of phishing exists due to the vulnerabilities Weak app distributor authentication mechanisms (6.5) and Lack of user awareness (6.7). These vulnerabilities are mapped to Cobit-defined risks and in turn to the relevant Cobit controls.

Vulnerability: 6.5 Weak app distributor authentication mechanisms
Cobit risks:
- Unauthorised access when employees are terminated
- Lack of smooth continuation of business-critical operations
- Disruptions in production processing
- Undetected bypassing of access controls
- Unauthorised access to sensitive software
- Business needs not supported by technology
- Unauthorised changes to hardware and software
- Access management failing business requirements and compromising the security of business-critical systems
- Unspecified security requirements for all systems
- Segregation-of-duty violations
- Compromised system information
- Keys misused by unauthorised parties
- Registration of non-verified users, thus compromising system security
- Unauthorised access to cryptographic keys

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users

Five Cobit controls are selected based on the risks related to the vulnerabilities. The CIA

rating is 4-3-1 (Very High-High-Low).

• PO7.8 - Job change and Termination

• AI3.2 - Infrastructure Resource Protection and Availability

• DS5.3 - Identity Management

• DS5.8 - Cryptographic Key Management

• DS5.2 - IT Security Plan

Table 18: R4: Phishing Risk Mapping

Table 19: R4: Phishing Framework

Risk: R4: Phishing (CIA rating 4-3-1)

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: PO7.8 - Job change and Termination
COBIT control objective: Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
DNB requirement: 8.5

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: AI3.2 - Infrastructure Resource Protection and Availability
COBIT control objective: Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
DNB requirement: 18.1

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: DS5.3 - Identity Management
COBIT control objective: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
DNB requirement: 17.1

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: DS5.8 - Cryptographic Key Management
COBIT control objective: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DNB requirement: 18.3

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DNB requirement: 1.1


5.5.5 R5: Spyware

According to Enisa, the risk of spyware exists due to the vulnerabilities Covert channels/weak sandboxing (6.2) and Vulnerabilities leading to malware installation (6.1). These vulnerabilities are mapped to Cobit-defined risks and in turn to the relevant Cobit controls.

Table 20: R5: Spyware Risk Mapping

Vulnerability: 6.2 Covert channels/weak sandboxing
Cobit risks:
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Misuse of users' accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs

Vulnerability: 6.1 Vulnerabilities leading to malware installation
Cobit risks:
- Exposure of information
- Violations of legal and regulatory requirements
- Systems and data that are prone to virus attacks
- Ineffective countermeasures

Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA

rating is 4-3-3 (Very High-High-High).

• DS5.6 - Security Incident Definition

• DS5.9 - Malicious Software Prevention, Detection and Correction

• DS5.5 - Security Testing, Surveillance and Monitoring

Risk VulnerabilitiesCOBIT

ControlsCOBIT Control Objectives CIA

6.2 Covert channels/weak

sandboxing

DS5.6 - Security Incident

Definition

Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

15.1

6.1 Vulnerabilities leading to malware

installation

DS5.9 - Malicious Software

Prevention, Detection and

Correction

Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

19.1

6.2 Covert channels/weak

sandboxing

DS5.5 - Security Testing,

Surveillance and Monitoring

Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

16.1

DNB

R5: Spyware 4-3-3


5.5.6 R6: Network spoofing attacks

According to Enisa, the risk of Network spoofing attacks exists due to the vulnerability Lack of user awareness. This vulnerability is mapped to Cobit defined risks and in turn mapped to the relevant Cobit controls.

Table 22: R6: Network spoofing attacks Risk Mapping

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Failure of firewall rules to reflect the organisation’s security policy
- Undetected unauthorised modifications to firewall rules
- Compromised overall security architecture
- Security breaches not detected in a timely manner

Three Cobit controls are selected based on the risks related to the vulnerability. The CIA rating is 4-4-1 (Very High-Very High-Low).

• DS5.2 - IT Security Plan
• DS5.6 - Security Incident Definition
• DS5.10 - Network Security

Table 23: R6: Network spoofing attacks Framework

Risk: R6: Network spoofing attacks (CIA rating 4-4-1)

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DNB control: 1.1

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.6 - Security Incident Definition
COBIT control objective: Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
DNB control: 15.1

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.10 - Network Security
COBIT control objective: Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.
DNB control: 18.4

5.5.7 R7: Surveillance, R8: Diallerware & R9: Financial malware

According to Enisa, the risks of Surveillance, Diallerware and Financial malware exist due to the vulnerabilities Covert channels/weak sandboxing, Lack of user awareness and User permissions fatigue. These vulnerabilities are mapped to Cobit defined risks and in turn mapped to the relevant Cobit controls.

Table 24: R7: Surveillance, R8: Diallerware & R9: Financial malware Risk Mapping

Vulnerability: 6.2 Covert channels/weak sandboxing
Cobit risks:
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Exposure of information
- Violations of legal and regulatory requirements
- Systems and data that are prone to virus attacks
- Ineffective countermeasures
- Misuse of users’ accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs

Vulnerability: 6.7 Lack of user awareness
Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users

Vulnerability: 6.3 User permissions fatigue
Cobit risks:
- Security breaches
- Users failing to comply with security policy
- Incidents not solved in a timely manner
- Failure to terminate unused accounts in a timely manner, thus impacting corporate security

Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA ratings for R7, R8 and R9 are 4-3-1 (Very High-High-Low), 1-1-1 (Low-Low-Low) and 3-3-1 (High-High-Low) respectively.

• DS5.5 - Security Testing, Surveillance and Monitoring
• DS5.2 - IT Security Plan
• DS5.4 - User Account Management

Table 25: R7: Surveillance, R8: Diallerware & R9: Financial malware Framework

Risks: R7: Surveillance (CIA rating 4-3-1), R8: Diallerware (CIA rating 1-1-1), R9: Financial malware (CIA rating 3-3-1)

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.5 - Security Testing, Surveillance and Monitoring
COBIT control objective: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
DNB control: 16.1

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
DNB control: 1.1

Vulnerability: 6.3 User permissions fatigue
COBIT control: DS5.4 - User Account Management
COBIT control objective: Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DNB control: 17.2

5.5.8 R10: Network congestion

According to Enisa, the risk of Network congestion exists due to the vulnerability Inadequate resource provisioning. This vulnerability is mapped to Cobit defined risks and in turn mapped to the relevant Cobit controls.

Table 26: R10: Network congestion Risk Mapping

Vulnerability: Inadequate resource provisioning
Cobit risks:
- Failure to recover IT systems and services in a timely manner
- Failure of alternative decision-making processes
- Lack of required recovery resources
- Failed communication to internal and external stakeholders
- Shortcomings in recovery plans
- Outdated recovery plans that do not reflect the current architecture
- Inappropriate recovery steps and processes
- Inability to effectively recover should real disaster occur
- Lack of defined measures important to the organisation
- Unidentified underlying service problems and issues
- Dissatisfied users due to lack of information, irrespective of quality of service

Three Cobit controls are selected based on the risks related to the vulnerability. The CIA rating is 1-1-4 (Low-Low-Very High).

• DS4.2 - IT Continuity Plans
• DS4.5 - Testing of the IT Continuity Plan
• DS1.5 - Monitoring and Reporting of Service Level Achievements

Table 27: R10: Network congestion Framework

Risk: R10: Network congestion (CIA rating 1-1-4)

Vulnerability: Inadequate resource provisioning
COBIT control: DS4.2 - IT Continuity Plans
COBIT control objective: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
DNB control: 11.1

Vulnerability: Inadequate resource provisioning
COBIT control: DS4.5 - Testing of the IT Continuity Plan
COBIT control objective: Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
DNB control: 11.2

Vulnerability: Inadequate resource provisioning
COBIT control: DS1.5 - Monitoring and Reporting of Service Level Achievements
COBIT control objective: Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.
DNB control: 14.1

5.6 How implementing controls can ensure better security: Answer to SQ3

In chapter 5, it is demonstrated that the relevant risks to the use of mobile devices in a business context can be mapped to Cobit controls which mitigate (parts of) the identified risks. This chapter concludes with an answer to the third sub research question, which is defined as: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization? As discussed in section 5.2, Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular IT risk, selecting the appropriate controls from Cobit should allow an enterprise to define a customized framework according to its risk profile and herewith ensure better security.


6 CONCLUSION & FUTURE RESEARCH

A research has been performed in order to define a security control framework for mobile devices within the bank sector. The need for such a control framework is due to the trend of consumerization and the significant risks this phenomenon entails. A main research question has been defined which is comprised of 3 sub research questions:

With what control framework can the security of mobile devices within the Bank Sector be improved to manage identified risks related to Consumerization?

Sub research questions:

1. SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?
2. SQ2: What are the security risks and impact imposed by consumerization of mobile devices within the Bank sector?
3. SQ3: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization?

SQ1: Consumerization of mobile devices is the process or phenomenon in which consumer products are made suitable for ‘dual use’. Dual use in this context refers to privately owned consumer devices being used or made suitable for business purposes next to private use. Using privately owned mobile devices is generally referred to as Bring Your Own Device (BYOD). This trend entails great risks that impact the security attributes (CIA) of sensitive corporate data. Surveys performed in this field, which are discussed in sections 3.1 and 3.2, indicate that most CIOs of global corporations would like to introduce mobile devices in their company. They are aware of the great risks related to the use of mobile devices; however, effective measures/controls are not sufficiently implemented. Please refer to section 3.3 Consumerization of mobile devices: Answer to SQ1.

SQ2: In general, there are 10 risk categories applicable to the use of mobile devices. These risks are explained in section 4.1. Enisa’s risk analysis is enriched with CIA ratings per risk category retrieved from a survey performed among 2 consumers, 2 employees and 2 high officials of a large Dutch bank. Results of Enisa show that the use of mobile devices is most vulnerable to R1: Data leakage, R2: Improper decommissioning and R3: Unintentional disclosure of data; their likelihood and impact are the highest among the 10 risk categories. Results of the survey performed among the target group show that R4: Phishing, R5: Spyware and R6: Network spoofing attacks have the greatest impact on the security attributes of data (CIA) during attacks. Please refer to section 4.4 Security risks and impact consumerization mobile devices: Answer to SQ2.

SQ3: Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular risk, selecting the appropriate controls from Cobit should allow assessors to define a customized framework according to the risk profiles. Ultimately, this research resulted in a security control framework for Consumerization of mobile devices in the bank sector which consists of 19 distinctive Cobit controls. This framework is established based on research performed on the related risks, vulnerabilities and the compliance requirements within the Dutch bank sector. Please refer to section 5.2 Cobit Framework: Answer to SQ3.


Main Research Question

The answer to the main research question is derived from the selection process which is described in chapter 5. In this chapter, relevant Cobit controls are mapped to the vulnerabilities of all 10 risk categories. Please refer to Appendix A: The Security Framework for Consumerization for the final framework. Implementing the suggested security controls should mitigate the risks related to consumerization of mobile devices and also provide auditors a framework for risk based auditing. This framework is comprised of the following components:

10 Risks are identified which are related to the use of mobile devices:
o R1: Data leakage
o R2: Improper decommissioning
o R3: Unintentional data disclosure
o R4: Phishing
o R5: Spyware
o R6: Network spoofing attacks
o R7: Surveillance
o R8: Diallerware
o R9: Financial malware
o R10: Network congestion

7 Vulnerabilities that contribute to the identified risks:
o Vulnerabilities leading to malware installation
o Covert channels/weak sandboxing
o User permissions fatigue
o Encryption weaknesses
o Weak app distributor authentication mechanisms
o No privacy protection best practices
o Lack of user awareness

19 selected Cobit controls to mitigate risks related to the vulnerabilities:
o PO7.8 - Job change and Termination
o PO4.9 - Data and System Ownership
o DS5.9 - Malicious Software Prevention, Detection and Correction
o DS5.8 - Cryptographic Key Management
o DS5.6 - Security Incident Definition
o DS5.5 - Security Testing, Surveillance and Monitoring
o DS5.4 - User Account Management
o DS5.3 - Identity Management
o DS5.2 - IT Security Plan
o DS5.11 - Exchange of Sensitive Data
o DS5.10 - Network Security
o DS4.5 - Testing of the IT Continuity Plan
o DS4.2 - IT Continuity Plans
o DS11.6 - Security Requirements for Data Management
o DS11.4 - Disposal
o DS11.2 - Storage and Retention Arrangements
o DS1.5 - Monitoring and Reporting of Service Level Achievements
o AI3.2 - Infrastructure Resource Protection and Availability

6.1 Further research

Further research is required in order to verify the defined security control framework. In this research, it was attempted to define a set of controls that could mitigate the risks related to consumerization of mobile devices. It is possible to map Cobit controls to the vulnerabilities in theory. However, extensive verification of the framework through case studies should take place to evaluate its applicability in practice.


7 REFERENCES

Business Dictionary. (2012, September 2). Retrieved September 2, 2012, from http://www.businessdictionary.com

dnb.nl. (2012, April 09). Retrieved from De Nederlandsche Bank Eurosystem: http://www.dnb.nl/en/about-dnb/index.jsp

Bradley, T. (2011, December 21). PCWorld. Retrieved September 1, 2012, from PCWorld.com: http://www.pcworld.com/businesscenter/article/246760/pros_and_cons_of_bringing_your_own_device_to_work.html

Dictionary.com. (2012, September 2). Dictionary Reference. Retrieved September 2, 2012, from Dictionary.com: http://dictionary.reference.com/browse/consumerize

Doyle, J. T., Ge, W., & McVay, S. (2007, January 1). Accruals Quality and Internal Control Over Financial Reporting. The Accounting Review, Vol. 82, pp. 1141-1170, October 2007.

Hogben, G., & Dekker, M. (2010). Smartphones: Information security risks, opportunities and recommendations for users. Crete, Greece: ENISA.

ISACA. (2007). Cobit 4.1. Rolling Meadows, USA: ISACA.

ISACA. (n.d.). 2011 ISACA IT Risk/Reward Barometer—US Edition. Retrieved September 11, 2012, from www.isaca.org: http://www.isaca.org/SiteCollectionDocuments/2011-Risk-Reward-Barometer-US.pdf

ISACA. (2011, November 1). ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens Online Holiday Shopping Risk. Retrieved September 11, 2012, from www.ISACA.org: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/ISACA-Survey-Bring-Your-Own-Device-Trend-Heightens-Online-Holiday-Shopping-Risk.aspx

ISACA. (2011, June 1). Over Half of IT Leaders Say Employee-Owned Mobile Devices Are Riskiest. Retrieved September 11, 2012, from www.isaca.org: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/Over-Half-of-IT-Leaders-Say-Employee-owned-Mobile-Devices-Are-Riskiest.aspx

IT Governance Institute. (2007). Cobit 4.1 Framework. Rolling Meadows: The IT Governance Institute.

Moschella, D., Neal, D., Opperman, P., & Taylor, J. (2004). The ‘Consumerization’ of Information Technology. CSC’s Research & Advisory Services.

Perrin, C. (2008, June 20). The CIA Triad. Retrieved September 14, 2012, from Tech Republic: http://www.techrepublic.com/blog/security/the-cia-triad/488

Plummer, D., Prentice, S., Da Rold, C., Feiman, J., Pescatore, J., Clark, W., et al. (2011). Top Predictions for IT Organizations. Gartner, 29.

RSA. (2012). 2012 Cybercrime Trends Report. Hopkinton: RSA.

Zimmerman, J. B. (1999). Mobile Computing: Characteristics, Business Benefits, and the Mobile Framework. University of Maryland European Division - Bowie State: Maryland.


8 APPENDICES

Appendix A: The Security Framework for Consumerization

Risk: R1: Data leakage (CIA rating 3-3-4)

Vulnerability: 6.4 Encryption weaknesses
COBIT control: PO4.9 - Data and System Ownership
COBIT control objective: Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
COBIT risk drivers:
• Improperly secured business data
• Improper protection of information assets
• Requirements for protecting business data not in line with the business requirements
• Inadequate security measures for data and systems
• Business process owners not taking responsibility for data
DNB control: 6.1 Data and system ownership: The business is provided with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners make decisions about classifying information and systems and are protecting them in line with this classification.

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS11.6 - Security Requirements for Data Management
COBIT control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
COBIT risk drivers:
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users
DNB control: 12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS5.8 - Cryptographic Key Management
COBIT control objective: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
COBIT risk drivers:
• Keys misused by unauthorised parties
• Registration of non-verified users, thus compromising system security
• Unauthorised access to cryptographic keys
DNB control: 18.3 Cryptographic key management: Policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
COBIT control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
COBIT risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB control: 1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.


Vulnera-bilities

COBIT Controls

COBIT Control Objectives COBIT Risk Drivers CIA

6.6 No privacy protection best

practices

DS11.2 - Storage and Retention

Arrangements

Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.

• Data not protected from unauthorised viewing or altering• Documents not retrieved when needed• Non-compliance with regulatory and legal obligations• Unauthorised data access

12.1

Storage and retention arrangements: Procedures are defined and implemented for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.

6.6 No privacy protection best

practices

DS11.4 - Disposal

Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

• Disclosure of corporate information• Compromised integrity of sensitive data• Unauthorised access to data tapes

12.2

Disposal: Procedures are defined and implemented to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

6.6 No privacy protection best

practices

DS11.6 - Security

Requirements for Data

Management

Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

• Sensitive data misused or destroyed• Unauthorised data access• Incompleteness and inaccuracy of transmitted data• Data altered by unauthorised users

12.3

Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

6.7 Lack of user awareness

DS5.2 - IT Security Plan

Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

• IT security plan not aligned with business requirements• IT security plan not cost effective• Business exposed to threats not covered in the strategy• Gaps between planned and implemented IT security measures• Users not aware of the IT security plan• Security measures compromised by stakeholders and users

1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

6.3 User permissions

fatigue

DS5.4 - User Account

Management

Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

• Security breaches• Users failing to comply with security policy• Incidents not solved in a timely manner• Failure to terminate unused accounts in a timely manner, thus impacting corporate security

17.2 User account management: Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges are performed.

6.2 Covert channels/weak sandboxing

DS5.5 - Security Testing, Surveillance and Monitoring

Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs

16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

R2: Improper decommissioning, CIA: 3-1-1, DNB


Vulnerabilities / COBIT Controls / COBIT Control Objectives / COBIT Risk Drivers / CIA

6.4 Encryption weaknesses

DS5.11 - Exchange of Sensitive Data

Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

• Sensitive information exposed
• Inadequate physical security measures
• Unauthorised external connections to remote sites
• Disclosure of corporate assets and sensitive information accessible for unauthorised parties

18.5 Exchange of sensitive data: Sensitive transaction data is only exchanged over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

6.4 Encryption weaknesses

DS11.4 - Disposal

Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

• Disclosure of corporate information
• Compromised integrity of sensitive data
• Unauthorised access to data tapes

12.2 Disposal: Procedures are defined and implemented to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

6.7 Lack of user awareness

DS11.6 - Security Requirements for Data Management

Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users

12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

R3: Unintentional data disclosure, CIA: 3-2-1, DNB


Vulnerabilities / COBIT Controls / COBIT Control Objectives / COBIT Risk Drivers / CIA

6.5 Weak app distributor authentication mechanisms

PO7.8 - Job Change and Termination

Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.

• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations

8.5 Job change and termination: Expedient actions are taken regarding job changes, especially job terminations. Knowledge transfer is arranged, responsibilities are reassigned and access rights are removed such that risks are minimised and continuity of the function is guaranteed.

6.5 Weak app distributor authentication mechanisms

AI3.2 - Infrastructure Resource Protection and Availability

Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.

• Disruptions in production processing
• Undetected bypassing of access controls
• Unauthorised access to sensitive software
• Business needs not supported by technology

18.1 Infrastructure resource protection and availability: Internal control, security and auditability measures are implemented during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components are clearly defined and understood by those who develop and integrate infrastructure components. Their use is monitored and evaluated.

6.5 Weak app distributor authentication mechanisms

DS5.3 - Identity Management

Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access

• Unauthorised changes to hardware and software
• Access management failing business requirements and compromising the security of business-critical systems
• Unspecified security requirements for all systems
• Segregation-of-duty violations
• Compromised system information

17.1 Identity management: All users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. User identities are enabled via authentication mechanisms. User access rights to systems and data are in line with defined and documented business needs, and job requirements are attached to user identities. User access rights are requested by user management, approved by system owners and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed, and kept current, to establish user identification,

6.5 Weak app distributor authentication mechanisms

DS5.8 - Cryptographic Key Management

Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.

• Keys misused by unauthorised parties
• Registration of non-verified users, thus compromising system security
• Unauthorised access to cryptographic keys

18.3 Cryptographic key management: Policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys, to ensure the protection of keys against modification and unauthorised disclosure.

6.7 Lack of user awareness

DS5.2 - IT Security Plan

Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users

1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

R4: Phishing, CIA: 4-3-1, DNB


Vulnerabilities / COBIT Controls / COBIT Control Objectives / COBIT Risk Drivers / CIA

6.2 Covert channels/weak sandboxing

DS5.6 - Security Incident Definition

Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches

15.1 Security Incident Definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.

6.1 Vulnerabilities leading to malware installation

DS5.9 - Malicious Software Prevention, Detection and Correction

Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures

19.1 Malicious software prevention, detection and correction: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

6.2 Covert channels/weak sandboxing

DS5.5 - Security Testing, Surveillance and Monitoring

Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs

16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

6.7 Lack of user awareness

DS5.2 - IT Security Plan

Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users

1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

6.7 Lack of user awareness

DS5.6 - Security Incident Definition

Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches

15.1 Security Incident Definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.

6.7 Lack of user awareness

DS5.10 - Network Security

Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.

• Failure of firewall rules to reflect the organisation’s security policy
• Undetected unauthorised modifications to firewall rules
• Compromised overall security architecture
• Security breaches not detected in a timely manner

18.4 Network security: Security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) are used to authorise access and control information flows from and to networks. Available best practices in this area (i.e. GovCert, ISO/IEC, ITSec) are considered.

R5: Spyware and R6: Network spoofing attacks, CIA: 4-3-3 and 4-4-1, DNB


Vulnerabilities / COBIT Controls / COBIT Control Objectives / COBIT Risk Drivers / CIA

6.2 Covert channels/weak sandboxing

DS5.6 - Security Incident Definition

Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches

15.1 Security Incident Definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.

6.1 Vulnerabilities leading to malware installation

DS5.9 - Malicious Software Prevention, Detection and Correction

Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures

19.1 Malicious software prevention, detection and correction: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

6.2 Covert channels/weak sandboxing

DS5.5 - Security Testing, Surveillance and Monitoring

Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs

16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

6.7 Lack of user awareness

DS5.2 - IT Security Plan

Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users

1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

6.3 User permissions fatigue

DS5.4 - User Account Management

Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

• Security breaches
• Users failing to comply with security policy
• Incidents not solved in a timely manner
• Failure to terminate unused accounts in a timely manner, thus impacting corporate security

17.2 User account management: Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges is performed.

R7: Surveillance, R8: Diallerware and R9: Financial malware, CIA: 4-3-1, 1-1-1 and 3-3-1, DNB


Vulnerabilities / COBIT Controls / COBIT Control Objectives / COBIT Risk Drivers / CIA

Inadequate resource provisioning

DS4.2 - IT Continuity Plans

Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

• Failure to recover IT systems and services in a timely manner
• Failure of alternative decision-making processes
• Lack of required recovery resources
• Failed communication to internal and external stakeholders

11.1 IT Continuity plans: IT continuity plans are developed based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans are based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. The plans also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

Inadequate resource provisioning

DS4.5 - Testing of the IT Continuity Plan

Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.

• Shortcomings in recovery plans
• Outdated recovery plans that do not reflect the current architecture
• Inappropriate recovery steps and processes
• Inability to effectively recover should real disaster occur

11.2 Testing of the IT Continuity plan: The IT continuity plan is tested on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. The extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing is considered.

Inadequate resource provisioning

DS1.5 - Monitoring and Reporting of Service Level Achievements

Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

• Lack of defined measures important to the organisation
• Unidentified underlying service problems and issues
• Dissatisfied users due to lack of information, irrespective of quality of service

14.1 Monitoring and reporting of Service Level Achievements: Specified service level performance criteria are continuously monitored. Reports on achievement of service levels are provided in a format that is meaningful to the stakeholders. The monitoring statistics are analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

R10: Network congestion, CIA: 1-1-4, DNB


Appendix B: Vulnerabilities by ENISA

Below we describe classes of vulnerabilities which may be present in a smartphone, for use as a reference (Hogben & Dekker, 2010).

6.1 Vulnerabilities leading to malware installation

1. Patching weaknesses

• In walled-garden app-store models, any patch has to find its way through the app-store vetting process before it can be applied to a device. Despite an obvious opportunity for improving security, app vetting schemes are a bottleneck in the distribution of patches. This is a serious obstacle to the timely patching of apps, which in a fast moving industry may be required frequently.

• Thoroughly testing that a patch does not break any applications is challenging even for only one or just a few products. Managing a security update system for tens of different products (some of them based on very different platforms and operating systems, some of them already many years old, etc.) would be extremely challenging. If security patches are not thoroughly tested for all models, automatic updates could deliver more harm than benefits to users. Thus, deploying such an infrastructure would be very challenging for many manufacturers.

• Several OSs still rely on users to confirm or even discover individual updates of apps, which is a serious problem for patching security flaws.

2. Limited capabilities for 3rd party security solutions (centralised security management)

Many platforms allow only limited functionality for third-party security services. For example, on some platforms, apps are not allowed access to processes unless they are signed by the same developer certificate. Some platforms do not allow certain types of apps to run in the background. This makes it difficult to provide security services which rely on monitoring the activities of applications. This places more responsibility in the hands of the OS and app-store providers. Although this has obvious opportunities for improving security (see [3.3 Remote application removal]), it nevertheless creates a significant single point of failure in the event that the provider’s defences prove inadequate.

3. Reputation vulnerabilities

Vulnerabilities in reputation systems applied to apps might allow an attacker to inflate the reputation of an app artificially and thus gain undue trust from users. These vulnerabilities include lack of voter authentication, the possibility of multiple votes, votes not being weighted according to the importance of the target app, etc. (further information can be found in the ENISA report (63)).


4. Lack of code/app review processes

Due to market forces, recent mobile platforms tend to be very open and developer friendly to encourage adoption. This is because of current trends in which third-party application developers have an increasingly important role in mobile device ecosystems. Furthermore, application signing infrastructures and operating system level security frameworks are sometimes considered a major hurdle for the development of applications by third parties.

5. Signed ≠ trusted

Users may think that signed apps are more trustworthy than unsigned apps when there may be no such implication. Clearly in some cases, the app signature is an assertion that the app has been checked according to certain criteria but, in other cases, it may be simply a mechanism to establish the origin of the application. The risks from malware and spyware are increased with respect to older phones since mechanisms available for users to distinguish trusted from untrusted apps (reputation systems, digital signatures) are open to abuse and misinterpretation.

6. Ability to unlock phones

These vulnerabilities are of a rather different category, in that the user of the device is aware that he or she is disabling certain security measures, and indeed almost certainly wants to work around them. However, an unlocked phone allows the user to install apps which are not subject to the vetting processes used in app-stores. This leads to a situation where users are often not aware that they are executing code which has not been subject to any review process and which operates with root privileges.

6.2 Covert channels/weak sandboxing

personal data from the user and usage data from other apps. Many apps are also granted access to the user address book, which usually contains highly sensitive information (e.g. users hide bank account details as address book entries). Network interfaces may also be used to transmit private data covertly between apps or to an attacker; e.g. a backdoor in an SMS app is easy to implement.

In some smartphone platforms, location data is added to photo filenames or in file metadata. If these photos are made available to other apps or uploaded to social networking sites, users will be asked for permission to access the gallery, but not location data. This therefore constitutes a covert channel. For example, a user might post a photo on a public blog or micro-blogging site, without realising that the filename contains the location of the data.

6.3 User permissions fatigue

Many platforms request user consent for app access to different types of data and messaging (e.g. push notifications) on the phone at installation time. There are several problems with this:

• Compared to PCs and laptops, user interfaces are usually more limited, meaning that, for example, storage of credentials on the device is more probable and user authentication cannot be so frequent (biometric authentication is one possible solution). For example, a request for user authentication is more invasive on a smartphone than on a PC and the fraction of a user’s attention which can be devoted to dealing with security-related decisions is even smaller than in larger form-factor environments.

• Users do not have the time or commitment to evaluate permissions requests even though it is restricted to a once-per-install request.
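The photo-metadata covert channel described above, as an added illustration that is not code from the thesis or the ENISA report: a Python check that parses a JPEG's Exif segment for the GPS sub-IFD, the kind of pre-upload control a device agent or upload gateway would apply. The JPEG bytes are constructed in the code (no real photo), and the tag table only names the four GPS tags this example uses.

```python
"""Added example (not from the thesis or the ENISA report): detect GPS
location metadata in a JPEG's Exif segment before the photo leaves the device.
The sample JPEG bytes below are constructed inline; no real photo is used."""
import struct

EXIF_GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD
GPS_TAG_NAMES = {              # only the GPS tags this example needs
    0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
    0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude",
}


def _exif_tiff_payload(jpeg):
    """Return the TIFF block of the first APP1 Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None                      # malformed: a marker was expected
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or start of scan: no more metadata
            return None
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return seg[6:]
        pos += 2 + seg_len
    return None


def _ifd_entries(tiff, offset, endian):
    """Yield (tag, type, count, raw_value) for each 12-byte entry of an IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        entry = tiff[offset + 2 + 12 * i: offset + 14 + 12 * i]
        tag, typ, count = struct.unpack(endian + "HHI", entry[:8])
        yield tag, typ, count, entry[8:12]


def gps_tags(jpeg):
    """Names of GPS tags present in the photo; an empty list means no location data."""
    tiff = _exif_tiff_payload(jpeg)
    if tiff is None or len(tiff) < 8:
        return []
    endian = "<" if tiff[:2] == b"II" else ">"   # Intel or Motorola byte order
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    for tag, _typ, _count, raw in _ifd_entries(tiff, ifd0, endian):
        if tag == EXIF_GPS_IFD_POINTER:
            gps_ifd = struct.unpack(endian + "I", raw)[0]
            return [GPS_TAG_NAMES.get(t, "GPS tag 0x%04x" % t)
                    for t, _, _, _ in _ifd_entries(tiff, gps_ifd, endian)]
    return []


def build_sample_jpeg(with_gps):
    """Construct a minimal JPEG (SOI, APP1 Exif, EOI) for the demonstration."""
    if with_gps:
        gps_ifd_offset = 8 + 2 + 12 + 4          # TIFF header + IFD0 with one entry
        ifd0 = (struct.pack("<H", 1)
                + struct.pack("<HHII", EXIF_GPS_IFD_POINTER, 4, 1, gps_ifd_offset)
                + b"\x00" * 4)                   # no next IFD
        gps = (struct.pack("<H", 2)              # GPSLatitudeRef "N", GPSLongitudeRef "E"
               + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
               + struct.pack("<HHI", 0x0003, 2, 2) + b"E\x00\x00\x00"
               + b"\x00" * 4)
    else:
        ifd0, gps = struct.pack("<H", 0) + b"\x00" * 4, b""
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for tagged in (True, False):
        found = gps_tags(build_sample_jpeg(tagged))
        print("location metadata present" if found else "no location metadata", found)
```

A real control would strip the GPS sub-IFD (or re-encode the image) rather than just flag it, and would also check the filename, which the text notes can carry the location as well.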


• Permissions are not detailed enough to convey the risks of giving consent – e.g. granting access to the frequently typed words list in the keyboard cache may sound harmless to many users, but this could reveal passwords.

• Some data types naturally lend themselves to integration with user consent, without having to assume the persistence of a decision. For example, file upload naturally involves the user in selecting the file and therefore presents little difficulty. Other types, however, cannot be managed in this way: it is not feasible for the user to provide input every time their location, temperature, acceleration, magnetic field, etc. are disclosed.

• It is often very difficult for users to examine and/or change the permissions they have granted after the initial request.

• There is no means to set global policies for permissions granted, e.g. ‘do not install any apps which request location data for marketing purposes’.

6.4 Encryption weaknesses

Various high-profile weaknesses have been found in some implementations of smartphone encryption, rendering data protection on the devices close to useless (12) (13). These weaknesses come into play when an attacker gains physical access to the device through theft or loss. Additionally, the effectiveness of encryption mechanisms depends strongly on the procedures and technical measures used to manage cryptographic keys.

6.5 Weak app distributor authentication mechanisms

It is often easy to impersonate a trusted brand, for example with a fake banking app. There may be no PKI or other trust infrastructure to assure the identities of developers.

6.6 No privacy protection best practices

This applies especially to developers – there are no privacy best practices available for smartphone developers. Given the privacy risks outlined in [Information security risk], many of which rely on features specific to smartphones, this is an important issue.

6.7 Lack of user awareness

This is no different from other platforms but is, nevertheless, a factor in some risk scenarios. For example, unintentional disclosure of data often relies on users’ lack of awareness of the implications of consenting to certain kinds of data disclosure.


Appendix C: DNB Information Security Assessment Framework

The DNB assessment is divided into six sections: Strategy & Policies, Organization, People, Processes, Technology and Facilities. The full format of the DNB assessment for Information Security of financial institutions can be found at https://dnb.nl (dnb.nl, 2012).

Strategy & Policies

Organization

People

Processes

Technology

Facilities

Appendix D: ENISA Risk Assessment

The following risk assessments are retrieved from (Hogben & Dekker, 2010).

R1: Data leakage

Threat description: The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.

Rating              Likelihood   Impact      Risk
Consumer (C)        High         Medium      Medium
Employee (E)        Medium       High        High
High official (H)   Medium       Very High   High

Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]
Assets: All

R2: Unintentional disclosure of data

Threat description: The smartphone user unintentionally discloses data on the smartphone.

Rating              Likelihood   Impact      Risk
Consumer (C)        Very High    Very High   High
Employee (E)        High         Medium      High
High official (H)   High         Very High   High

Vulnerabilities: [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.6 No privacy protection best practices] [6.7 Lack of user awareness]
Assets: [Personal data] [Personal and political reputation]

R3: Attacks on decommissioned smartphones

Threat description: The smartphone is decommissioned improperly, allowing an attacker access to the data on the device.

Rating              Likelihood   Impact      Risk
Consumer (C)        Medium       Medium      Medium
Employee (E)        High         High        High
High official (H)   Medium       Very High   High

Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]
Assets: All

R4: Phishing

Threat description: An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.

Rating              Likelihood   Impact      Risk
Consumer (C)        Medium       High        Medium
Employee (E)        Medium       High        Medium
High official (H)   Medium       Very High   High

Vulnerabilities: [6.5 Weak app distributor authentication mechanisms] [6.7 Lack of user awareness]
Assets: All

R5: Spyware

Threat description: The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware covers untargeted collection of personal information as opposed to targeted surveillance.

Rating              Likelihood   Impact      Risk
Consumer (C)        High         Medium      High
Employee (E)        Medium       High        Medium
High official (H)   Medium       Medium      Medium

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Ability to unlock phones] [Reputation vulnerabilities] [6.2 Covert channels/weak sandboxing]
Assets: [Personal data] [Personal and political reputation]

R6: Network spoofing attacks

Threat description: An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.

Rating              Likelihood   Impact      Risk
Consumer (C)        Medium       Medium      Medium
Employee (E)        Medium       High        Medium
High official (H)   Medium       High        High

Vulnerabilities: [6.7 Lack of user awareness]
Assets: All

R7: Surveillance

Threat description: An attacker keeps a specific user under surveillance through the target user’s smartphone.

Rating              Likelihood   Impact      Risk
Consumer (C)        Low          High        Medium
Employee (E)        Low          High        Medium
High official (H)   Medium       Very High   High

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation]
Assets: [Personal data] [Classified information]

R8: Diallerware

Threat description: An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.

Rating              Likelihood   Impact      Risk
Consumer (C)        High         High        High
Employee (E)        Medium       Medium      Medium
High official (H)   Low          Low         Low

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]
Assets: [Financial assets]

R9: Financial malware

Threat description: The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.

Rating              Likelihood   Impact      Risk
Consumer (C)        Medium       High        High
Employee (E)        Low          High        Medium
High official (H)   Low          Low         Low

Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]
Assets: [Financial assets]

R10: Network congestion

Threat description: Network resource overload due to smartphone usage leading to network unavailability for the end-user.

Rating              Likelihood   Impact      Risk
Consumer (C)        Low          Low         Low
Employee (E)        Low          Low         Low
High official (H)   Low          Low         Low

Vulnerabilities: [Inadequate resource provisioning]
Assets: [Device and service availability and functionality]

Appendix E: Survey Form

Name (Optional):    Function:    Company:    Date:

Rating scale for every item: 0 = Not Applicable, 1 = Low, 2 = Medium, 3 = High, 4 = Very High. For each of the ten risks below, the respondent rates Confidentiality (C), Integrity (I) and Availability (A) on this scale, separately for each user type: Consumer (C), Employee (E) and High official (H).

R1 Data leakage
A stolen or lost phone with unprotected memory allows an attacker to access the data on it.

R2 Improper decommissioning
The phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.

R3 Unintentional data disclosure
Most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.

R4 Phishing
An attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or (SMS, email) messages that seem genuine.

R5 Spyware
The smartphone has spyware installed allowing an attacker to access or infer personal data. NB spyware includes any software requesting and abusing excessive privilege requests. It does not include targeted surveillance software (R7).

R6 Network spoofing attacks
An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.

R7 Surveillance
Spying on an individual with a targeted user’s smartphone.

R8 Diallerware
An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.

R9 Financial malware
Malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.

R10 Network congestion
Network resource overload due to smartphone usage leading to network unavailability for the end-user.

Appendix F: Survey Results

SURVEY 1: Consumer (C), User (A) of smartphone (not for business). Date: 10-Sep-12.
[Completed form with the layout of Appendix E (risks R1 to R10, each rated 0 to 4 for C, I and A per user type); the respondent’s marked scores are not preserved in this text version.]

SURVEY 2: Consumer (C), User (B) of smartphone (not for business). Date: 10-Sep-12.
[Completed form with the layout of Appendix E; the respondent’s marked scores are not preserved in this text version.]

SURVEY 3: Employee (E), Business Analyst, Dutch Bank. Date: 12-Sep-12.
[Completed form with the layout of Appendix E; the respondent’s marked scores are not preserved in this text version.]

SURVEY 4: Employee (E), Associate, Financial Institute. Date: 10-Sep-12.
[Completed form with the layout of Appendix E; the respondent’s marked scores are not preserved in this text version.]

SURVEY 5: High official (H), Head IT Risk Management Department, Dutch Bank. Date: 13-Sep-12.
[Completed form with the layout of Appendix E; the respondent’s marked scores are not preserved in this text version.]


SURVEY 6: High official (H), Head IT Security Services, Dutch Bank

Function: Head IT Security Services   Company: Dutch Bank   Date: 13-Sep-12

Rating scale (per respondent category and per impact dimension): 0 = Not Applicable, 1 = Low, 2 = Medium, 3 = High, 4 = Very High.
Respondent categories: Consumer (C), Employee (E), High official (H).
Impact dimensions: C = Confidentiality, I = Integrity, A = Availability.

R1 Data leakage
    A stolen or lost phone with unprotected memory allows an attacker to access the data on it.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R2 Improper decommissioning
    The phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R3 Unintentional data disclosure
    Most apps have privacy settings, but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R4 Phishing
    An attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or (SMS, email) messages that seem genuine.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R5 Spyware
    The smartphone has spyware installed, allowing an attacker to access or infer personal data. NB: spyware includes any software requesting and abusing excessive privileges. It does not include targeted surveillance software (R7).
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R6 Network spoofing attacks
    An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R7 Surveillance
    Spying on an individual with a targeted user's smartphone.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R8 Diallerware
    An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R9 Financial malware
    Malware specifically designed for stealing credit card numbers or online banking credentials, or for subverting online banking or e-commerce transactions.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4

R10 Network congestion
    Network resource overload due to smartphone usage, leading to network unavailability for the end-user.
    Consumer (C)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    Employee (E)        C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4
    High official (H)   C: 0 1 2 3 4   I: 0 1 2 3 4   A: 0 1 2 3 4