Assigning risk scores to apps may slow down unwarranted access to personal information
October 28, 2014
What information is beaming from your mobile phone over various computer networks this very second without you being aware of it?
Experts say your contact lists, email messages, surfed webpages, browsing histories, usage patterns, online purchase records and even password protected accounts may all be sharing data with intrusive and sometimes malicious applications, and you may have given permission.
"Smartphones and tablets used by today's consumers include many kinds of sensitive information," says Ninghui Li, a professor of Computer Science at Purdue University in Indiana.
The apps downloaded to them can potentially track a user's location, monitor his or her phone calls and even monitor the messages a user sends and receives, including authentication messages used by online banking and other sites, he says, explaining why unsecured digital data are such a big issue.
Li, along with Robert Proctor and Luo Si, also professors at Purdue, leads a National Science Foundation (NSF)-funded project, "User-Centric Risk Communication and Control on Mobile Devices," that investigates computer security. The work pays special attention to user control of security features in mobile systems.
Li, Proctor and Si believe they may have a simple solution for users who unknowingly grant access to their personal data.
Most users pay little attention
"Although strong security measures are in place for most mobile systems," they write in a recent report in the journal IEEE Transactions on Dependable and Secure Computing, "the area where these systems often fail is the reliance on the user to make decisions that impact the security of a device."
Most users pay little attention, say the researchers, to unwanted access to their personal information. Instead, they have become habituated to ignore security warnings and tend to consent to all app permissions.
"If users do not understand the warnings or their consequences, they will not consider them," says Proctor, a Distinguished Professor of psychological sciences at Purdue.
"If users do not associate violations of the warnings with bad consequences of their actions, they will likely ignore them," adds Jing Chen, a psychology Ph.D. student who works on the project.
In addition, there are other influences that contribute to users ignoring security warnings. In the case of Android app permissions, of which there are more than 200, many do not make sense to the average user or at best require time and considerable mental effort to comprehend.
"Permissions are not the only factor in users' decisions," says Si, an associate professor of Computer Science at Purdue, who also led research on a paper with Li that analyzed app reviews.
"Users also look at average ratings, number of downloads and user comments," Si says. "In our studies, we found that there exist correlations between the quality of an app and the average rating from users, as well as the ratio of negative comments about security and privacy."
"This is a classic example of the links between humans and technology," says Heng Xu, program director in the Secure and Trustworthy Cyberspace program in NSF's Social, Behavioral and Economic Sciences Directorate. "The Android smartphones studied by this group of scientists reveal the great need to understand human perception as it relates to their own privacy and security."
"The complexity of modern access control mechanisms in smartphones can confuse even security experts," says Jeremy Epstein, lead program director for the Secure and Trustworthy Cyberspace program in NSF's Directorate for Computer and Information Science and Engineering, which funded the research.
"Safeguards and protection mechanisms that protect privacy and personal security must be usable by all smartphone users, to avoid the syndrome of just clicking 'yes' to get the job done. The SaTC program encourages research like Dr. Li's and colleagues that helps address security usability challenges."
The modern enterprise presents numerous challenges to IT security leaders, as it requires a diverse array of applications, websites, protocols, and platforms. Mobile devices are changing the fundamental composition of network traffic and introducing new types of malware, while consumerization trends such as BYOD are introducing new devices over which IT has little control.
To organize the chaos, IT must look beyond a network packet’s site, port, or IP address and determine a security posture that relies on the complete context of data usage. A deep, thorough inspection of real-time network data can help provide the content awareness required for the granular management that a flexible, modern enterprise requires.
This report examines the shortcomings of traditional security and management processes exposed by device proliferation, an increasingly mobile workforce, and a movement toward cloud applications. It also demonstrates how a deeper understanding of application data in transit can help IT build more flexible, business-friendly management procedures that continue to provide security and efficiency without disrupting productivity. The report concludes with best practices for testing application-aware network-security devices, so that IT can gain a clearer understanding of the value such devices will provide once deployed on the enterprise network.
Developing a Project Management program for your company can be a messy undertaking without the help of an experienced and well-trained consulting company with a long track record in the field. Dyman's approach allows your "project and program managers to adjust to and incorporate overall, departmental or specific project goals while keeping standardized levels of performance consistent with company-wide objectives."
A standardized performance is essential in unifying the company’s operations as well as assuring that the individual staff members grow with the company. Likewise, this gives out the signal to its clients that the company is highly coordinated and that each component or part of the organization is aware of what is happening to the other parts, thus, allowing communication or interaction to proceed with efficiency.
The only setback of this general approach is that it somewhat constricts creativity in the individual and, hence, in the overall operational picture. For a person to truly innovate and make outstanding progress in ideas and strategy, he or she must be allowed complete freedom or autonomy to perform within the parameters of the job, with no boundaries or limits on the methods or tools needed to accomplish the task. This does not seem to be a comfortable or safe working arrangement for most companies; hence, not many apply the method effectively, if at all. It requires allowing people to decide independently, without supervision and without prior or final authorization, on the solutions to be applied to any particular issue.
The main objection to this type of management approach is that most traditionally-oriented companies follow the line of corporate organizational integrity or, to use a less palatable word, rigidity. This constraining approach expects employees to toe the main company line: verbatim and modus operandi, that is, verbally and operationally. A corporate manual of operations lays down the basic tenets and principles of the company culture and enforces the business code according to certain implementing guidelines and mechanisms which subsequently make up the body and soul of the company, so to speak.
Well and good. As long as the company can attain its goals and keeps the bottom line healthy, there should be no issue about how the work is done. However, project management, as the phrase suggests, contains variables which cannot be easily boxed in or defined according to any one-fits-all approach. In the end, the individual worker, looking into the intricacies and uniqueness of a particular problem of a client will have to adapt and innovate in order to come up with a customized solution that will be more efficient and less cumbersome.
Perhaps this is the way Dyman works. Their website does not seem to mention any customized solutions for its clients.
It takes a free mind to follow this path of work. However, the rewards are more fulfilling and inspiring.