Issues in ICT Services - Research Paper Example

Issues in ICT services Name Course Tutor’s Name Date: Overview Advancement in Information Communication Technology (ICT) infrastructures has opened new dimensions in communication and virtual connectivity. With ICT, it is now easy to access, share, store, replicate and even manipulate information and images. The technologies involved in ICT have reduced the effort and time needed to communicate, and this is no doubt a welcome development for many people. Yet, and as Olanreqaju, Ali, Khalifa and Manaf (2013) observe, authentication and protection of much of the information shared through ICT services remain a concern not only to individuals, but also to corporate bodies, non-governmental organisations, and governments. The risk of hackers/intruders is ever lurking, and there is a possibility that they can access confidential information, use it, alter it, or even delete vital information. The effectiveness of ICT services therefore calls for effective technology whose security and privacy can be guaranteed. Yet, in a world where any security issues are being challenged, it is unclear if absolute privacy in ICT services will ever be achieved. The absence of privacy guarantees is even worse considering the absence of a legal framework which would provide detractive or punitive measures to perpetrators who breach people’s privacy. The concept of privacy has been defined variably as “an individual condition of life characterised by exclusion from publicity” (Britz, 2000, n.pag); “the right to be let alone” (Moore, 2008, p. 412), or the “state of possessing control over a realm of intimate decisions, which include decisions about intimate access, intimate information, and intimate actions” (Inness, 1992, p. 140). A right to privacy therefore can be understood as a person’s right to control inner spheres of their personal information, body, powers and capacities. As Moore (2008) indicates, “it is a right to limit public access to oneself and to information about oneself” (p. 420). In the United Kingdom (UK) today, the right to privacy is represented in the Human Rights Act (HRA) 1998, which has its basis in European Convention on Human Rights (ECHR) article 8 (Equality and Human Rights Commission (EHRC), 2011). In spite of the existence of the HRA, there have been concerns in the UK that the law has lagged behind especially in the wake of changes and advancements in ICT services (EHRC, 2011). Consequently, is has been argued that the state, which has the mandate to uphold people’s and organisation’s right to privacy, is failing in fulfilling that mandate. Sharing sensitive information, including passwords People and/or institutions could share sensitive information either knowingly or unknowingly. Sharing of sensitive information (e.g. name, address, financial information, health records etc) is commonplace especially when dealing with institutions such as banks, government agencies, hospitals, institutions of learning or insurance companies. Once a person gives out their confidential information, they do so with the expectation (and perhaps conviction) that the recipient body will not disclose such information to third parties. Yet, it has been indicated that such institutions are prone to breaches of privacy, where some of the information stored in their computer databases are lost, compromised, or altered. Olanrewaju et al. (2013) for example note that Medical Identity Theft (MIDT) is one of the most common crimes in the healthcare sector. MIDT is defined as “a specific type of identity theft that occurs when a person uses someone else’s personal health identifiable information” (p. 19). Such identifiable information includes the names, addresses, birthdates, security numbers and healthcare providers of patients. MIDT (especially in the US) has been found to be done by organised and sophisticated hacking groups who access electronic medical records stored in hospital or insurance company servers. The hackers then use MIDT to obtain prescription drugs and medical drugs among other things using patients’ names and details (Olanrewaju et al., 2013). Governments also lose confidential information entrusted to them by private citizens and organisations. In the UK for example, HM Revenue and Customs lost two computer discs in October 2007 (EHRC, 2011). The discs contained names, addresses, bank details and national insurance numbers of families who had filed benefit claims from the organisation. Unlike hacking which is often an external criminal attack, the foregoing discs were lost through negligent practice by officers who had sent the discs via a courier service to the National Audit Office. It later turned out that the officer was neither authorised to access the files nor send them in the first place. It was thus argued that the loss of data was not only negligence in the officer’s part, but also on his seniors’ part (EHRC, 2011). According to the University of California (UC) Santa Cruz (2014), ways through which involuntary revelation of information and passwords occurs include through theft or loss (where unsecured paper files, electronic media, portable electronic devices, and computers are lost or stolen) or through unauthorised access to insecurely transmitted or stored personal identity information (PII) and sensitive information (this can happen if files are stored in a publicly accessible ‘place’). Additionally, passwords can be hacked mainly because hackers are able to take advantage of missing operating system updates or security patches. In some cases, users make their passwords too simple thus making hacking an easy undertaking. Virus infection on computers can on the other hand makes PII inaccessible, thus meaning that even important information about people stored in computer databases is rendered unusable. Moreover, UC Santa Cruz (2014) notes that insecure disposal of data-containing devices is also another major way through which people and institutions inadvertently share sensitive information. A case in point is when an institution of learning sold two hard drives on eBay without wiping the data. In the UK, cases of lost Universal Serial Bus (USB) discs containing sensitive information about people in several institutions have been reported (EHRC, 2011). It is also possible that a compromise of contractors’ computers can expose PII. Cookies are also another way through which people (although unknowingly) disclose their private information. By description, cookies are tools in the web browser which store information about ones browsing habits (Commonwealth of Australia, 2014). One of the controversial qualities of cookies is that they are stored in one’s computer without the owner’s consent (Eichelberger, n.d.). Additionally, they collect the personal information of the person browsing the Internet and can share the same. Often, the user does not even know their information is being shared. Even when the user is notified of the presence of cookies, they are really never told with whom, or for what reason their information is being shared. The cookie debate as indicated by Eichelberger (n.d.) has also questioned the safety of personal information, especially considering that there is a possibility that cookies can allow access to other information stored in a computer’s hard drive. It is also argued that user information obtained through queries could make people a target for marketing initiatives, which ideally would be a breach of their privacy (Eichelberger, n.d.). A breach of privacy would be considered because people feel disrespected when the information they have not personally revealed is known to third parties, who then use it to target them with unsolicited advertisement or information. In addition to involuntary revealing of information and passwords, UC Santa Cruz (2014) observes that people inadvertently reveal their passwords by replying to phishing emails or clinking on links such emails. An example is when a faculty physician “unknowingly provided the user name and password of his email account in response to an email message that appeared to come from the university’s internal computer servers” (Miaoulis, 2009, para.2). Other scenarios that may involve sharing of sensitive information include online shopping (where the identity of the purchaser needs to be verified) and registering or subscribing for specific online services (usually a person’s email address and screen name are required). Some sites may also ask for personal information that includes age, nationality, gender, physical address, photos etc). There also are competitions that require the competitor to fill in their demographic details, personal interests and other types of personal data. Other examples include virtual worlds (including online games), which require a person to provide personal details during registration (Commonwealth of Australia, 2014). Impact of sharing sensitive information The impact of sharing sensitive information can range from harmless (but disturbing altogether), to costly consequences, which may affect one’s financial wellbeing, personal integrity, and some may even lead to criminal charges. One of the least harmless consequences of sharing sensitive information is spam mail being delivered to one’s inbox (Commonwealth of Australia, 2014). Spam is a generic name used to refer to electronic junk mail. Such kind of mail can be delivered to one’s inbox, through instant messaging, Multimedia Messaging Service (MMS) or Short Message Service (SMS). The latter two are delivered to a person’s cell phone especially in cases where their cell phone numbers have been revealed to third parties. Spam messages can contain information related to marketing of products or services, while some may contain fraudulent or offensive material. Still, others can contain computer viruses or phishing content (Commonwealth of Australia, 2014). Internet-based fraud is another consequence of sharing sensitive information. Fraudsters seek personal details from targets, and those details are later used for deceptive undertakings, including obtaining money using their targets’ PII. Closely related to Internet-based fraud is identity theft, which the Commonwealth of Australia (2014) defines as a “type of fraud that involves stealing money or gaining benefit by the perpetrator pretending to be someone else” (para. 6). The organisation for Economic Co-operation and Development (OECD, 2008) defines ID theft as occurring when “a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an authorised manner, with the intent to commit, or in connection with, fraud or other crimes” (p. 2). Some of the ways through which ID theft is committed include the use of malware, spam, phishing and hacking. After obtaining PII, the perpetrators then misuse the victims’ existing accounts (e.g. credit card accounts, Internet accounts (e.g. email accounts, Facebook and other social networking sites), medical insurance accounts, bank accounts, and telephone accounts among others. The perpetrator could also open new accounts using the victims’ personal details. When this happens, all the billing for the new accounts are placed on the victims’ account. That means that they lose money. It is also possible for perpetrators to use stolen identities to commit other frauds, which include obtaining government benefits, medical services or supplies, or even giving it to the police if stopped for a crime (OECD, 2008). Another consequence of sharing sensitive information is that one becomes a target of many scams. Scams are often disguised as lotteries (i.e. the targeted person receives an email stating that he/she has won a prize. To claim the prize however, he/she is required to pay a small fee). Scams can also be implemented as advance fee schemes (also known as Nigerian 419). Here, the scammer offers to leave a substantial amount of money to the target, but he/she is first required to pay some fee to transfer the claimed money from a foreign account). Another type of scam is mule, which is a form of money laundering activity where victims are involved in transferring huge amounts of money between accounts. The victim, if caught by the authorities, may face criminal charges in the end). Perpetrators of such crimes also use phishing (emails sent from spoofed or falsified emails). Phishing is a major source of identity theft (Commonwealth of Australia, 2014). Industrial espionage is also a likely consequence of disclosure of sensitive information especially when the perpetrator is able to access trade secrets or competitive advantage information about a corporate entity (Granger, 2010). Overall, the inadvertent sharing of sensitive information makes people all the more prone to scams, fraud and other security breaches on their person or the institutions they represent. It makes privacy all the more hard to achieve, because hackers and identity thieves are often on the lookout to find weaknesses that exist in ICT infrastructures. The targeted population (albeit unknowingly or ignorantly) also share their information by replying to phishing emails, carelessly storing or discarding data, or simply not taking enough precautions. Organisations charged with guarding people’s private information also have infrastructural weaknesses, which sometimes lead to the sharing of information belonging to thousands of people whose personal information is stored in their databases. Such organisations include learning institutions, government bodies, hospitals, banks and medical insurance companies among others. Combating Social Engineering attacks a) Legislative measures According to the Science and Technology Committee (2007), a law requiring organisations to notify their clients whenever there is a breach of data security should be the first step towards promoting personal security and privacy on the Internet. In the US, such laws are commonplace with at least 45 states having adopted data breach disclosure laws by the end of 2009. Ideally, data breach disclosure laws are meant to help people mitigate the consequences of their PII being disclosed to third parties. According to Romanosky, Telang and Acquisti (2010) such laws also inspired by the concept that if corporate organisations and government bodies are required by law to disclose any information security breaches, they will realise that such disclosures will be negative publicity on their part. Consequently, they will improve their security measures and rid themselves of substandard security practices. Ponemon Institute (2005) supports the foregoing argument by indicating that a significant number of consumers have been found to lose confidence in firms that suffer information security breaches. Although no country has fully tapped on the legal approach of creating consequences for perpetrators of social engineering attacks, Lewis (2004) notes that attribution of such attacks is not too complicated nowadays. In other words, it is not easy to pinpoint who the perpetrator was in a social engineering attack. Lewis (2004) notes that the absence of criminal or civil consequences to the perpetrators means that one can get away without being held responsible. Admittedly, pursuing a perpetrator who may reside in a different geographical area may be too expensive and/or tasking. However, governments can use legislation to ensure such people found in engaging in social engineering attacks pay for their crimes. Lewis (2014) further argues that legislation needs to come up with policies that govern how much is too much when companies or governments retaliate (e.g. by hacking back). The author argues that placing false information on one’s network is one way through which companies can mislead hackers. However, companies, individuals and/or governments should avoid going out of their own network. If a company goes into another company’s network with the intention to retaliate or hit back for alleged social engineering attacks, Lewis (2014) argues that becomes a matter that needs to be handled by the law. Unfortunately, not enough legislative measures are in place to provide the necessary deterrent measures to such retaliatory attacks. From literature, it would appear that most efforts to address social engineering are based in the US. For example, the US enacted the Identity Theft and Assumption Deterrence Act in 1998, which made it a felony to: Knowingly transfer, possess or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local laws (Scheb & Scheb II, 2011, p. 231). The UK and other European countries are yet to catch up, despite their populations being equally susceptible to social engineering attacks. In an effort to curb identity theft, the US established the Identity Theft Task Force (ITTF), whose mandate was to examine the use of legislative measures in investigating, prosecuting and recovering proceeds obtained by criminals who perpetuate identity theft (Ryder, 2011). Another mandate of the ITTF is to suggest policies and safety mechanisms which can enhance people’s security and privacy of information. ITTF recommended that: People’s social security numbers should only be used by federal agencies (or corporate organisations) only when necessary, national standards requiring corporate organisations to safeguard PII, and give notice to consumers whenever there is a breach need to be established; federal agencies need to create awareness among consumers, the public and private sectors on defending themselves against detecting and deterring perpetrators of social engineering; and that a law enforcement centre with specific attention to coordinate information and efforts on curbing social engineering should be established (Ryder, 2011). Despite the seemingly goodwill from US legislature, some authors like Lafferty (2007), indicate that there is still no law enforcement on the ground. Consequently, Lafferty (2007) suggests that most of the war against social engineering would have to be fought by individual organisations and professionals. At the European level, the Data Protection Directive 95/46/EC is cited a leading legislative instrument for combating social engineering attempts. The directive indicates that anyone who violates its legal requirements which make it unlawful for people to unlawfully acquire and use personal data can be prosecuted (Robinson et al., 2011). Another policy instrument that has been suggested by Robinson et al. (2011) is the requirement for biometrics to be produced by users of PII. Such a requirement, it has been argued, would make it impossible for hackers to fraudulently benefit from the PII obtained about persons. For example, without matching the victims’ biometrics, their names, addresses, date of birth, financial and insurance details would not benefit a perpetrator who would have wanted to use them for financial gain (Robinson et al. 2011). However, this proposal remains just a proposal to date. Even if it were made into a legislative instrument, it is argued that corporate organisations that stand the risk of losing their trade and competitive information to hackers would not benefit much from the proposal. Notably however, such a policy measure would safeguard the interest of millions of private citizens whose vulnerability to social engineering attacks costs them a great deal of money annually and subjects them to distress. Overall, it would appear from the analysis above that, legislative measures for curbing social engineering attacks is still an area that needs to be developed. As Robinson et al. (2011) note, effective legislation would require governments to work together to provide punitive and deterrence measures that are not only applicable in one geographical jurisdiction, but also across borders. This is informed by the fact that social engineering attacks are not limited by geographical locations. A perpetrator in Malaysia can for example wage attacks on British citizens or on Americans. b) Technology measures to combat social engineering attacks Bjork (2005) noted that “it doesn’t matter what technology you have – there is no technology that can protect you against human beings – forget it” (p. 186). While the truth of this statement is arguable, the statement holds some sense in that social engineering attacks do not target the technological aspect of an organisation. Rather, it targets the individuals therein with an aim of obtaining information that will enable perpetrators gain access to the system. Still, the foregoing does not mean that technology measures are completely irrelevant. Technical controls such as routers, encryption, antivirus software, firewalls, smart cards, alarms and alerts, biometrics, and dial-up call-back systems among others can be used to protect information in a manner that ensures that confidentiality and integrity of data is enhanced. Restricting access to data (e.g. through Access Control List (ACL)) To succeed in restricting access to data, Davis (2014) observes that technology experts need to build technological features in an operating system. The features restrict access to information based on the user’s knowledge of a common secret or based on their identity. When used correctly, restricting access to data is an efficient manner of curbing social engineering efforts; however, and as Davis (2014) indicates, it has its limitations. For example, it may not prevent different users in the same network from accessing information stored in different computers. The implication of this is that if one computer is compromised, the effects can be felt in an entire network. Encrypting data Data encryption is another technical measure that organisations can adopt to curb social engineering. The primary goal of data encryption is to make data undecipherable to anyone who has access to it, and who does not have a decryption key. Cryptography can protect data from being accessed by unauthorised parties, prevent data from being altered, and prevent non-repudiation where the receiver would deny receiving information or the sender would deny ever sending it (Klingman, 2005). Using an encryption key, the person encrypting data converts readable text into non-readable ciphertext, and only a person with an encryption key can re-convert it into readable text. The challenge for organisations that use data encryption as a method of curbing social engineering is to ensure that the decryption key is well hidden and that no unauthorised persons can access or control the same (Davis, 2014). It has been argued that encrypting data merely transforms problems associated with data protection to problems “of protecting cryptographic keys” (Davis, 2014, n.pg). Data hiding Also known as security through obscurity, data hiding strives to store sensitive information in a place where people cannot easily find out. Some of the places where information is hidden include the application source code, Windows registry and configuration files (Davis, 2014). It is however indicated that social engineers can easily detect when data is hidden especially with utilities such as diskmon, filemon, and regmon (Davis, 2014). Data hiding can be done by embedding secret messages on images, in video sequences, audio sequences, and even in IPv4 headers (Kayarkar & Sanyal, 2012). The latter is especially useful when transmitting data over networks, and involves fragmenting data into different sizes and appending each fragment with a message authentication code (MAC). For the recipient to decipher the information however, he/she needs to have the message authentication code. In other words, the sender and the recipient need to have pre-shared the MAC in the same sequences that the messages were sent (Davis, 2014). Controlling system access Controlling access to information by layering the clearance levels is also cited as a measure through which social engineering can be lessened. For example, an organisation may require people to use passwords, a personal identification number (PIN), or biometric identifiers before accessing specific information. Of the foregoing, biometric identifiers are the most efficient, yet the most expensive to run (Siddiqui & Muntjir, 2013). To enrol for biometrics, the system captures a person’s unique biometric identifiers, processes them, and stores them. During verification, the specific biometric identifier is captured, processed, compared with what is in the system and either accepted or denied depending on whether a match was found. Some of the biometric measures include face recognition, voice analysis, signature biometrics, vein geometry, iris scan, retina scan and geometry of the hand (Siddiqui & Muntjir, 2013). Among the advantages of using biometrics is that they cannot be easily mimicked or stolen. The downside of biometrics however is that to work, it has to first gather and store someone’s intrinsic information. To people of different cultures and religious persuasions, obtaining and using such intrinsic information is contrary to their privacy expectations (Smart Card Alliance, 2003). Updating software It is said that social engineers often seek to find out whether an organisation is running out-of-date or unpatched software, because such gives them a window to exploit the system (Granger, 2002). The challenge for the technical experts in charge of running a system is ensuring that the software is up-to-date, because as Tornikoski (2014) indicates, “your software is like the front door to your PC” (n.pag). If the software is out-of-date, the system is prone to all kinds of attacks. For instance, even banner ads which run on a website could pose a danger to the system because most are built to take advantage of different plug-ins (e.g. flash and Java) in order to access data. Overall, although technological measures provide the basic infrastructure from which information protection is done, there is overwhelming evidence in literature (Nohlberg, 2008; Granger, 2002; Mitnick & Simon, 2002) that human beings always are the greatest source of risk for information exposure. As such, one can conclude that technological measures alone cannot succeed in curbing social engineering; rather, for relative success to be achieved, organisations would need to combine both technological and human aspects. Specifically, and as discussed below, organisations would need to educate and create awareness among employees regarding the value of the information they have access to, how to protect it, and how to react in case the information is inadvertently exposed. c) Education and awareness The literature on social engineering seems to agree about the absence of an overall solution to the problem. Education and awareness is therefore recommended as the most desirable way through which social engineering attack vulnerabilities can be reduced (Mitnick & Simon, 2002; Granger, 2002). It has been argued that an educated and informed population would be knowledgeable about the kinds of attacks that would occur, ways of detecting such attacks and how to react when an attack is suspected to have occurred (Mitnick & Simon, 2002). One of the biggest lessons in education and awareness is related to letting employees know that no one (not even a fellow employee, but mostly not a remote caller) can be trusted with sensitive information such as passwords. The weakest link in an organisation (and the most likely target for social engineering attacks) are those employees, managers, or business owners who are unaware of the value of the information contained in the system; people who have special privileges (e.g. system administrators); specific departments who hold potentially valuable information (e.g. human resource, accounting etc); and/or manufacturers or vendors who supply an organisation with software and hardware (Mitnick & Simon, 2002). It has been found that in most organisations, people have a certain degree of security awareness (Mitnick & Simon, 2002). However, their knowledge on security matters is often not adequate enough, and even where it is, it is overshadowed by paranoia, caution, gullibility, and a level of suspicion. According to Mitnick and Simon (2002), the foregoing factors affect security knowledge and awareness. Education and awareness should address a number of issues. According to Nohlberg (2008), corporate policies are the first step that employees need to be educated about. By understanding such policies, employees would be better positioned to understand what is considered right or wrong in an organisation. Next is security issues, which include personal safety and collective organisational safety. Again, understanding security issues would enable employees to understand when they are secure, and when their security is compromised. Employees also need to be educated about their role. According to Nohlberg (2008), understanding one’s role enables the employee to know what to do or how to react when something that is out of the ordinary is suspected. Finally, the employees need to be educated about reporting and responding (Nohlberg, 2008). Generally, this means that employees need to be empowered with knowledge that would enable them know how to report a suspected breach in security. Nohlberg (2008) argues that every organisation needs to ask itself if its employees would become suspicious and report in the appropriate manner and to the right person an unknown person who enters the office, sits on a computer and starts working on it. If the answer to the foregoing answer is in the negative, the organisation needs to educate its employees some more, because they would easily fall prey to social engineering attacks. In relation to awareness creation, employees need to know: the information that has value (and therefore needs to be protected); that their friends are not necessarily the organisation’s friends (hence the need to keep trade secrets secret and sensitive organisational information confidential); that passwords are personal and should not be shared even with their colleagues at work; and that knowing each other and identifying strangers who have not been introduced to them as co-workers is vital for their own security and for the organisation’s (Nohlberg, 2008). Granger (2002) further notes that social engineering attacks are perpetuated either in the physical aspect (e.g. an imposter calls, visits an organisation, or dumps a malware-laden flash drive in a strategic place near the organisation where he/she is almost certain an employee will pick and use it in the office); or in the psychological aspect (i.e. friendliness, conformity, ingratiation, impersonation, and persuasion). If employees will therefore help in the fight against social engineering, it is important for them to understand the form of social attacks that can target them.Additionally, employees need to understand that they should protect themselves even outside the organisational environment. For example, carrying flash drives that have sensitive company information is risky in that the flash drive can be stolen or lost. Additionally, and this is especially for people who carry work home, employees need to be educated that they cannot share their laptops or PCs with their friends. Picked up flash drives (especially those that are curiously marked (e.g. with a mark indicating some curious content inside) should be avoided even in home computers. Since not every employee will abide by everything they are told, organisations also need to put in place security policies which every employee will have to abide by. According to Granger (2002), organisations need to develop policies that are neither too general nor too specific. The foregoing argument is informed by the thought that policy enforcers (employees), would need some flexibility, but would need some limits in their daily practices to avoid being too complacent. Overall, it would appear that education and awareness plays a critical role in averting or reducing social engineering exposure. After all, it has been argued that the human link is easier to use when seeking to access information when compared to penetrating a system through hacking. As such, it is important that employees are made to understand the value of the information they hold, the possible attacks that might come their way, the form that such attacks may assume, and how and whom to report suspected social engineering attacks. Overall, it can be argued that education empowers people by making them more aware not only of the physical social engineering attacks, but also about the psychological attacks, which may not seem or even feel like attacks when being executed. The psychological social engineering attacks are manipulative, friendly, and meant to source information from unsuspecting employees without raising eyebrows. In the end however, a little bit of everything (i.e. legislative measures, technological measures, and education and awareness) will be needed to reduce the prevalence of social engineering attacks. Currently, it would appear that legislative measures are underdeveloped, technological measures are insufficient, and education and awareness is still something that many organisations have not fully ensured their employees are equipped with. References Britz, J.J. (1996). Technology as a threat to privacy: Ethical challenges to the information profession. Retrieved April 24, 2014, from http://web.simmons.edu/~chen/nit/NIT%2796/96-025-Britz.html Commonwealth of Australia. (2014). Protecting personal information. Cyber Smart. Retrieved April 24, 2014, from http://www.cybersmart.gov.au/Schools/Cyber%20issues/Protecting%20personal%20information.aspx Davis, A. (2014). Safeguard database connection strings and other sensitive settings in your code. MSDN Magazine, November, retrieved April 25, 2014, from http://msdn.microsoft.com/en-us/magazine/cc164054.aspx Eichelberger, L. (n.d.). The cookie controversy: cookies and internet privacy. Cookie Central. Retrieved April 24, 2014, from http://www.cookiecentral.com/ccstory/cc3.htm Granger, S. (2010). Social engineering fundamentals, part II: Combat strategies. Retrieved April 24, 2014, from http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-ii-combat-strategies Inness, J. (1992). Privacy, intimacy and isolation. New York: Oxford University Press. Kayarkar, H. & Sanyal, S. (2012). A survey on various data hiding techniques and their comparative analysis. 1-9. Klingman, C. (2005). The use of technology to combat identity theft. The Department of the Treasury. 1-117. Lafferty, I. (2007). Medical identity theft: The future of healthcare is now – lack of federal law enforcement efforts means compliance professionals will have to lead the way. Healthcare Compliance, 9(1), 11-20. Lewis, J. A. (2014). Cyber threat and response. Centre for Strategic & International Studies. 1-8. Miaoulis, W. (2009). Internet security breach found at UCSF-phishing. HIPAA Security and Privacy Advisors, LLC. Retrieved April 23, 2014, from http://www.hipaasecurityandprivacy.com/2009/12/internet-security-breach-found-at-ucsf.html Mitneck, K.D., & Simon,W.L. (2002). The art of deception: Controlling the human element of security. London: Wiley. Moore, A. (2008). Defining privacy. Journal of Social Philosophy, 39(3), 411-428. Nohlberg, M. (2008). Securing information assets: Understanding, measuring and protecting against social engineering attacks. Thesis, Stockholm University, 1-225 Olanrewaju, R.F., Ali, N., Khalifa, O & Manaf, A.A. (2013). ICT in telemedicine: Conquering privacy and security issues in health care services. Electronic Journal of Computer Science and Information Technology, 4(1), 19-24. Organisation for Economic Cooperation and Development (OECD). (2008). OECD policy guidance on online identity theft. OECD Ministerial Meeting on the Future of the Internet Economy, Seoul, Korea, 17-18 June. 1-20. Ponemon Institute. (2005). National survey on data security breach notification. The Ponemon Institute. Ranger, S. (2007). Data breach laws make companies serious about security. Robinson, N., Graux, H., Parrilli, D., Klautzer, L., & Valeri, L. (2011). Non legislative measures to combat identity theft and identity related crime: Final Report. DG Home Affairs, Rand, Europe. Romanosky, S., Telang,R., & Acquisti, A. (2010). Do data breach disclosure laws reduce identity theft? 1-42. Ryder, N. (2011). Financial crime in the 21st century: Law and policy. Northampton, MA: Edward Elgar Publishing. Scheb, J., & Scheb II, J. (2011). Criminal law. NY: Cengage Learning. Science and Technology Committee. (2007). Personal internet security. House of Lords Science and Technology Committee. 5th report of session 2006-07, HL paper 165-I. Siddiqui, A., &Muntijir, M. (2013). A study of possible biometric solution to curb frauds in ATM transaction. IJASCSE, 2(2), 1-6. Smart Card Alliance. (2003). Privacy and secure identification systems: the role of smart cards as a privacy-enabling technology. A Smart Card Alliance White Paper, 1-34. Tornikoski, A. (2014). The threat landscape. Retrieved April 25, 2014, from http://www.f-secure.com/en/web/business_global/software-updater/threat-landscape. University of California (UC) Santa Cruz. (2014). Security breach examples and practices to avoid them. Information Technology Services. Retrieved April 23, 2014, from http://its.ucsc.edu/security/breaches.html Read More