Dissertation Final With Final Revisions
In the Name of God the Mercy-giving the Merciful
Mobile Security:
A Systems Engineering Framework for Implementing Bring Your Own Device (BYOD) Security Through the Combination of Policy Management and Technology
By Nima Zahadat
B.S. in Theoretical and Applied Mathematics, August 1991, George Mason University
M.S. in Information Systems, August 2005, The George Washington University
A Dissertation submitted to
The Faculty of The School of Engineering and Applied Science
of the George Washington University in partial fulfillment of the requirements for the degree of Doctor of Philosophy
January 31, 2016
Dissertation directed by
Paul Blessner
Professorial Lecturer in Engineering Management and Systems Engineering
The School of Engineering and Applied Science of The George Washington University
certifies that Nima Zahadat has passed the Final Examination for the degree of Doctor of
Philosophy as of 25 September 2015. This is the final and approved form of the
dissertation.
Mobile Security: A Systems Engineering Framework for Implementing Bring Your Own Device
(BYOD) Security Through the Combination of Policy Management and Technology
Nima Zahadat
Dissertation Research Committee:
Paul Blessner, Professorial Lecturer of Engineering Management and Systems Engineering, Dissertation Director
Shahram Sarkani, Professor of Engineering Management and Systems Engineering, Committee Member
Thomas Andrew Mazzuchi, Professor of Operations Research and of Engineering Management, Committee Member
James Wasek, Professorial Lecturer of Engineering Management and Systems Engineering, Committee Member
Lile Murphree, Jr., Professor of Engineering Management, Chair Person of the Examination Committee
Dedications
Dicata Deo Domino Universi
• To my wonderful mother, Tooran Khajehnoori, whose memory will always be
with me
• To my dear father, Seyed M. Zahadat, who missed seeing me obtain my Ph.D. by
just a few months
• To my delightful son, Joseph Aryo Zahadat (Joey), who is bright, fun, kind,
patient, and whose mere presence brings a smile to daddy’s face
• To my brilliant sister, Dr. Nazdaneh Zahadat, DDS, the youngest and the first to
get her doctorate degree but whose life was tragically short
• To my supportive brothers, Massih Zahadat and Mani Zahadat
• To my delightful nephew, Ian Arman Taylor, who is bright, fun, and kind
• To my great friend K. Shawn Azarmanesh, who has always been supportive and
encouraged me to go after this degree more than anyone else
• To my little tiger Bamm Bamm, who was a blessing these past 18 years
• To my respectable cohort classmates, for their consistent support and in
particular, Tariq Oun for being my 300-mile weekend driving partner for 3
years and for being supportive of me throughout this challenging process
• To Ron Ross, Ph.D., fellow at NIST for inspiring me to do this research and his
subsequent support throughout including reviewing my entire dissertation
• To Carl Friedrich Gauss, whose life’s works, dedication, genius, and honor were
an inspiration during my youth and ever since
Abstract
Mobile Security: A Systems Engineering Framework for Implementing Bring Your Own Device
(BYOD) Security Through the Combination of Policy Management and Technology
With the rapid increase of smartphones and tablets, security concerns have also
been on the rise. Traditionally, Information Technology (IT) departments set up devices,
apply security, and monitor them. Such approaches do not apply to today’s mobile
devices due to a phenomenon called Bring Your Own Device or BYOD. Employees find
it desirable to use personal mobile devices for their work and make no distinction
between using their carriers’ services versus their organizations’ Wi-Fi. BYOD is an
extension of corporate networks and thus it is essential to secure BYODs to protect
enterprise networks (Wang & Vangury, 2014).
To address the security concerns of BYOD, many vendors have introduced
Mobile Device Management (MDM) systems. Such systems by themselves do not and
cannot provide comprehensive solutions to BYOD precisely due to the nature of BYOD:
the user and not the enterprise owns the device. BYOD necessitates a different paradigm,
one in which the device is removed as the primary object of security and one in which the
device, the user (employee), and management are all taken into consideration. Further,
the approach to security would necessitate technology, policy management, and people
integration instead of the traditional technology alone approach.
In this dissertation, risks of allowing BYOD balanced by its benefits will be
examined. The instrument for addressing BYOD security concerns will be presented as a
BYOD Security Framework. The framework has three pillars: People, Policy
Management, and Technology. It will be demonstrated that these three pillars are
necessary in order to secure BYOD implementations in an enterprise.
To validate the framework, an empirical survey was conducted from a pool of 114
industry security practitioners. The resulting dataset was analyzed via nonparametric
statistics for ordinal data to determine the association between the level of the BYOD
Security Framework elements being de facto implemented in organizations and the
frequency of security breaches associated with BYOD in those organizations to identify
and confirm key elements of the framework.
Table of Contents
Dedications ........................................ iv
Abstract ........................................... v
List of Figures .................................... xiii
List of Tables ..................................... xiv
Glossary of Terms and Acronyms ..................... xv
1 Introduction ..................................... 1
1.1 Overview ....................................... 1
1.2 Purpose of the Research ........................ 2
1.3 Research Outline ............................... 3
1.4 Contribution to the Body of Knowledge .......... 4
1.5 Summary of Dissertation Organization ........... 4
2 Literature Review ................................ 6
2.1 Overview ....................................... 6
2.2 Background ..................................... 9
2.3 Why BYOD? ...................................... 11
2.4 BYOD Adoption .................................. 12
2.5 Examples of BYOD ............................... 13
2.6 Benefits of BYOD ............................... 15
2.7 Top Failures in BYOD Security .................. 17
2.7.1 Inconsistent Security Policies ............... 17
2.7.2 Leakage in Shared Media ...................... 17
2.7.3 Minimal Management ........................... 18
2.7.4 Readable Data Remaining in Disposed Devices .. 18
2.7.5 Inter-application Data Leakage ............... 18
2.8 Challenges and Risks of BYOD ................... 18
2.9 BYOD Security Lifecycle ........................ 19
3 Research Problem and Hypotheses .................. 23
3.1 Problem Statement .............................. 23
3.2 Research Hypotheses ............................ 23
4 BYOD Security Framework .......................... 26
4.1 Plan ........................................... 27
4.1.1 Business Environment ......................... 27
4.1.2 BYOD Standards ............................... 29
4.1.3 Mobile Device Management (MDM) ............... 32
4.1.4 Application Store ............................ 33
4.1.5 Asset Management ............................. 34
4.1.6 Network Environment .......................... 35
4.1.7 Governance ................................... 35
4.1.8 Risk Management Strategy ..................... 36
4.1.9 User Training ................................ 37
4.1.10 Legal Issues ................................ 38
4.1.11 Device Maintenance and Support .............. 40
4.1.12 Is BYOD the Right Choice? ................... 41
4.2 Identify ....................................... 43
4.2.1 Register ..................................... 43
4.2.2 User Training ................................ 43
4.2.3 Provision .................................... 44
4.3 Protect ........................................ 45
4.3.1 Device Authentication ........................ 45
4.3.2 Wireless Protection .......................... 46
4.3.3 Network Architecture ......................... 49
4.3.4 Awareness and Training ....................... 50
4.3.5 Application Store ............................ 51
4.3.6 Application Whitelisting and Blacklisting .... 52
4.3.7 IPSec/VPN .................................... 53
4.3.8 Mobile Device Management ..................... 54
4.3.9 Location Awareness ........................... 55
4.3.10 Device Fingerprinting ....................... 56
4.3.11 Device Encryption ........................... 57
4.3.12 Sandboxing .................................. 57
4.3.13 Virtualization .............................. 58
4.3.14 Endpoint Protection ......................... 59
4.3.15 Mobile Operating System Patching ............ 60
4.3.16 Application Patching ........................ 61
4.4 Detect ......................................... 62
4.4.1 Vulnerability Detection ...................... 62
4.4.2 Malware Detection ............................ 63
4.4.3 Attack Detection ............................. 64
4.4.4 Lost Device .................................. 65
4.4.5 Data Loss Detection/Prevention ............... 65
4.4.6 Device Monitoring ............................ 66
4.5 Respond ........................................ 67
4.5.1 Vulnerability Remediation .................... 67
4.5.2 Malware Removal .............................. 68
4.5.3 Incident Response ............................ 69
4.5.4 Device Account Deactivation .................. 70
4.5.5 Remote Wipe .................................. 70
4.6 Recover ........................................ 72
4.6.1 Corporate Backups ............................ 72
4.6.2 Employee Backup .............................. 73
4.6.3 Device Tracking .............................. 74
4.7 Assess and Monitor ............................. 76
4.7.1 Review and Evaluation of BYOD Program ........ 76
4.7.2 Insider Threat ............................... 77
4.7.3 Penetration Testing .......................... 77
4.7.4 Periodic Review of Approved Devices .......... 78
4.7.5 Approval of New Devices ...................... 78
4.7.6 Device De-provisioning ....................... 78
5 Key Controls as Part of BYOD ..................... 81
5.1 Overview ....................................... 81
5.2 Incentives ..................................... 83
5.3 Disincentives .................................. 83
5.4 Compliance Tactics ............................. 83
5.5 Ongoing Communication .......................... 84
6 How to Use the BYOD Framework .................... 85
6.1 Establishing a BYOD Security Program ........... 85
6.2 Identifying and Communicating with Stakeholders  88
6.3 Identifying Policy and Capability Gaps ......... 88
6.4 Selecting a BYOD Solution ...................... 89
6.5 Implementing BYOD .............................. 89
6.6 Managing BYOD .................................. 90
7 Recommendations on BYOD Strategies and Policies .. 91
7.1 Overview ....................................... 91
7.2 BYOD High-Level Strategies ..................... 91
7.3 Suggested Stages for Planning and Initiating a BYOD Policy ... 92
7.3.1 Clearing Up Misconceptions ................... 93
7.3.2 Instituting a Baseline ....................... 95
7.3.3 Classifying and Prioritizing Use-Cases via Workforce Analysis ... 97
7.3.4 Diversity Analysis for Support ............... 98
7.3.5 BYOD Technology Assessments .................. 99
7.3.6 Sample Policy Symposium ...................... 100
7.3.7 BYOD Policy Structure ........................ 103
8 Research Approach and Methodology ................ 105
8.1 Problem Statement .............................. 105
8.2 Survey Instrument .............................. 105
8.3 Data Capture Process ........................... 107
8.4 Demographics ................................... 108
8.5 Experts Panel .................................. 112
8.6 Experts Panel Interview Results ................ 113
9 Research Hypotheses and Methodology .............. 120
9.1 Overview ....................................... 120
9.2 Research Question and Hypotheses ............... 121
9.2.1 Hypothesis 1 (H1) ............................ 125
9.2.2 Hypothesis 2 (H2) ............................ 127
9.2.3 Hypothesis 3 (H3) ............................ 130
9.2.4 Hypothesis 4 (H4) ............................ 132
9.2.5 Hypothesis 5 (H5) ............................ 134
9.2.6 Hypothesis 6 (H6) ............................ 136
9.2.7 Hypothesis 7 (H7) ............................ 138
9.2.8 Hypothesis 8 (H8) ............................ 141
9.2.9 Hypothesis 9 (H9) ............................ 143
9.2.10 Hypothesis 10 (H10) ......................... 145
9.2.11 Hypothesis 11 (H11) ......................... 147
9.2.12 Hypothesis 12 (H12) ......................... 150
9.3 Additional Statistical Findings ................ 152
9.4 Summary of Data Analysis ....................... 154
10 Conclusions and Recommendations ................. 155
10.1 Overview ...................................... 155
10.2 Summary of Key Research Parameters ............ 155
10.3 Conclusions ................................... 160
10.4 Research Caveats and Recommendations .......... 163
11 References ...................................... 166
12 Appendix A – Checklist for Determining Enterprise Readiness for BYOD ... 179
13 Appendix B – MDM Standard Capabilities Starter Template ... 182
14 Appendix C – Survey Questionnaire ............... 184
List of Figures
Figure 1: Tablet BYOD Adoption by Industry, Source: (Gartner, 2013) ......................... 13
Figure 2: Smartphone BYOD Adoption by Industry, Source: (Gartner, 2013) ................ 13
Figure 3: Aspects of a BYOD Program ............................................................................ 19
Figure 4: BYOD Security Lifecycle ................................................................................. 20
Figure 5: BYOD Security Framework .............................................................................. 26
Figure 6: Network Environment ....................................................................................... 35
Figure 7: Risk Management Strategy ............................................................................... 36
Figure 8: Key De-provisioning Activities ........................................................................ 79
Figure 9: BYOD System Security Engineering Process ................................................... 86
Figure 10: BYOD Strategy Foundation Surrounded by Technologies ............................. 92
Figure 11: Sample Managed Diversity Framework (Girard, 2011) .................................. 99
Figure 12: Current Industries of Survey Participants ..................................................... 110
Figure 13: Current Job Titles of Survey Participants ...................................................... 110
Figure 14: Years of Experience in Information Security of the Participants .................. 111
Figure 15: Size of the Organization of the Survey Participants ...................................... 111
Figure 16: Educational Level of the Survey Participants ............................................... 112
List of Tables
Table 1: Possible Responses to the Framework Particulars ............................................ 107
Table 2: Possible Responses to Security Breaches ......................................................... 107
Table 3: Understanding Kendall tau-b (Τb) Values ......................................................... 121
Table 4: Summary of z-values, Τb values, and P-values ................................................. 125
Table 5: Hypothesis 1 Results ......................................................................................... 127
Table 6: Hypothesis 2 Results ......................................................................................... 129
Table 7: Hypothesis 3 Results ......................................................................................... 131
Table 8: Hypothesis 4 Results ......................................................................................... 133
Table 9: Hypothesis 5 Results ......................................................................................... 136
Table 10: Hypothesis 6 Results ...................................................................................... 138
Table 11: Hypothesis 7 Results ...................................................................................... 140
Table 12: Hypothesis 8 Results ...................................................................................... 142
Table 13: Hypothesis 9 Results ...................................................................................... 144
Table 14: Hypothesis 10 Results ..................................................................................... 147
Table 15: Hypothesis 11 Results ..................................................................................... 149
Table 16: Hypothesis 12 Results .................................................................................... 151
Table 17: Fisher’s z and calculated Τbz Values for H1 – H12 ........................................ 153
Table 18: Summary of Τb values and rejection of null/alternate hypotheses .................. 154
Table 19: BYOD Organizational Readiness Checklist ................................................... 181
Table 20: Mobile Device Management Standard Capabilities Starter Template ........... 183
Glossary of Terms and Acronyms
802.1x – An IEEE Standard for Port-Based Network Access Control (PNAC) that
provides authentication for devices connecting to a LAN or WLAN and is part of the
IEEE 802.1 group of networking protocols.
Bring-Your-Own-Device or BYOD – Refers to the business model of allowing
employees to utilize personally owned devices to conduct work activities, including
connection to and storage of sensitive corporate data.
Defense-in-Depth – An approach for establishing an adequate security posture in a
shared-risk environment that allows for shared mitigation through: the integration of
people, process, and technology; the layering of security solutions within and among IT
assets; and the selection of security controls and solutions based on their relative level of
robustness.
De-provision – The act of removing provisioned software, apps, settings, digital
certificates, and sensitive data from a device that will no longer participate in the BYOD
program.
Governance – The processes and management that ensure the efficient and effective use
of information technology that aligns with corporate vision, goals, and objectives.
Provision – The act of preparing a device for usage within an organization’s BYOD
program. It may include the installation of software, apps, settings, and/or digital
certificates.
AES Advanced Encryption Standard
BYOD Bring Your Own Device
CVSS Common Vulnerability Scoring System
DLP Data Loss Prevention
DMZ Demilitarized Zone
HIPAA Health Insurance Portability and Accountability Act
GPS Global Positioning System
IDS Intrusion Detection System
IPS Intrusion Prevention System
IRP Incident Response Plan
IT Information Technology
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
MAC Mandatory Access Control
MAC Media Access Control (Hardware address of interface cards)
MDM Mobile Device Management
MSB Minimum Security Baseline
NFC Near-Field Communications
OTA Over-the-Air
PIN Personal Identification Number
PKI Public Key Infrastructure
SDLC System Development Life Cycle
SIEM Security Incident and Event Management
SMS Short Message Service
SSID Service Set Identifier
SSL Secure Sockets Layer
TKIP Temporal Key Integrity Protocol
VPN Virtual Private Network
WEP Wired Equivalent Privacy
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access II
1 Introduction
"The methods that will most effectively minimize the ability of intruders to compromise
information security are comprehensive user training and education. Enacting policies
and procedures simply won't suffice. Even with oversight the policies and procedures
may not be effective: my access to Motorola, Nokia, AT&T, Sun depended upon the
willingness of people to bypass policies and procedures that were in place for years
before I compromised them successfully."
Kevin Mitnick, world famous most wanted hacker
1.1 Overview
Bring Your Own Device or BYOD is a movement that has been around ever since
individuals began bringing their own USB flash drives, or installing personally
preferred programs or systems, to accomplish the tasks that had been assigned to them. In
such cases, throughout the years, the security of organizational resources and data has
been achieved through a variety of technological innovations. These include controlling
the desktop environment by implementing different technologies; for instance, the use
of central software-based policy controls, restriction of the installation of applications,
disabling USB ports, and the monitoring of selected workstations to whatever degree was
deemed necessary.
The current consumerization of IT has been a central point for several years and
analysts agree adoption of personal mobile devices will continue to flourish (Burt, 2011).
What is lacking is a comprehensive solution that allows for secure operation of BYOD
within the enterprise (Ron Ross, Ph.D. fellow at NIST, personal communication, May 3,
2013) (Greengard, 2014). The focus of this dissertation is addressing the security
concerns of BYOD by presenting a validated framework as the solution.
1.2 Purpose of the Research
In this dissertation, risks of allowing BYOD balanced by its benefits will be
examined. This dissertation has three overarching objectives. The first is to address the
security concerns of BYOD, which necessitate technology, policy management, and
people integration instead of the traditional technology alone approach. The second is to
propose a BYOD Security Framework as the solution to BYOD security concerns. The
framework has three pillars: People, Policy Management, and Technology. It will be
demonstrated that these three pillars are necessary in order to secure BYOD
implementations in an enterprise. The final objective is to validate the proposed
framework. This is done via an empirical survey conducted from a pool of 114 industry
security practitioners. The resulting dataset is analyzed via nonparametric statistics for
ordinal data to determine the association between the level of the BYOD Security
Framework elements being de facto implemented in organizations and the frequency of
security breaches associated with BYOD in those organizations to confirm key elements
of the framework.
The allure of this research lies in the integration of several areas of engineering
management and systems engineering. A framework is proposed and validated using
statistical analyses. The proposed framework addresses requirements analysis, functional
analysis, and controls (in particular security controls), which fall in the realm of systems
engineering. Further, policy management needs to be incorporated as part of the
framework in form of planning, design, implementation, testing, monitoring, and
enforcement, all of which fall into the realm of engineering management. Organizational
stakeholders would be interested in the framework and the research findings since
embracing and properly implementing BYOD can improve a firm’s productivity and
performance leading to the firm’s competitive advantage (Caldwell, Zeltmann, & Griffin,
2012).
1.3 Research Outline
Extensive research using existing literature on information systems, mobile
security, BYOD security, and policy management was conducted. Additionally,
interviews with industry leaders and experts were held. A strategy agenda and
research methodology were developed. The research resolved to answer the
following overarching question: Can a balanced application of technology and policy
using a security framework significantly reduce security breaches in an enterprise
where Bring Your Own Device (BYOD) is allowed/implemented?
A framework was then developed as the solution to the BYOD security concerns
and named BYOD Security Framework. To assess the effectiveness of a de facto
implementation of the framework, a survey was created and distributed to systems
engineers, security practitioners, and project managers. The results of the survey were
analyzed using nonparametric statistical analyses. The results showed with a reasonable
degree of confidence that a de facto implementation of the BYOD Security Framework
would reduce security breaches associated with BYOD in an enterprise.
1.4 Contribution to the Body of Knowledge
This research helps security practitioners, project managers, and systems
engineers in understanding the new paradigm of BYOD while providing them with a
solution in the form of a security framework, which can be used to secure their existing
organizational BYOD programs or in creating new ones. The framework is modular in
nature and thus scalable. Practitioners can choose to implement some or all parts of the
framework depending on their needs and risk appetite. Furthermore, the framework can
be used as a reference to determine security gaps in areas of existing BYOD
implementation within an organization. The results of this dissertation imply that
practitioners who implement a comprehensive BYOD program using the BYOD Security
Framework can expect significant improvement in productivity gains, reduced costs in
procurement, training, hardware, software, and support while successfully and efficiently
mitigating the associated risks inherent in BYOD.
1.5 Summary of Dissertation Organization
In this dissertation, risks of allowing BYOD balanced by its benefits will be
examined. It is helpful to give a synopsis of the dissertation’s organization to the reader.
The dissertation starts out by the study of literature and then dives into an analysis of
BYOD and some examples of its use. The research question and corresponding
hypotheses are presented next. The BYOD Security Framework is next presented
followed by some key policy controls. This presentation is in turn followed by
recommendations in policy management and usage scenarios. The research
methodology, data collection, results and analyses are presented next. Recommendations
for future research areas then follow, along with the dissertation’s conclusions, which
wrap up the dissertation. The appendices present valuable tables for planning and
starting a BYOD program as well as the dissertation’s survey questionnaire.
2 Literature Review
"Against the growing, unstoppable backdrop of consumerization and BYOD [bring your
own device], every mobile device is a risk to business."
Raimund Genes, Trend Micro CTO
2.1 Overview
Information security incidents have increased considerably during the past
decade, owing more and more to personal mobile devices (Siponen, 2014). So far,
mobile devices have not been anywhere near as big a target as desktop machines;
however, they have not been spared either (Michael & Viega, 2010). It has been
estimated that over half of all information system security violations are directly or
indirectly caused by employee failure to comply with security procedures and personal
mobile devices have been a major contributor (Son, 2011). It is not surprising then, that a
critical concern for organizations is the extent to which employees comply with
information security policies, and in particular when using BYOD (Son, 2011) (Siponen,
2014).
Given the desire of employees to bring the devices they use at home into the
workplace, organizations need to adopt a “bring your own device” (BYOD) vision – that
is, securing the network and data regardless of how workers access information
(Thompson, 2012). Today's IT departments need to enable the chaos that comes from a
BYOD environment. This doesn't mean accepting high levels of risk, but it does mean the
security department cannot act as the barrier to business transformation, says Gordon
Thomson, Cisco Security EMEA (2012).
If it were not for the security and privacy concerns, BYOD would not worry
anyone (Mansfield-Devine, 2012). Organizations sometimes start out by saying “no” to
BYOD only to find out later they have been participants through email, text messages,
and document sharing. On the other hand, many organizations embrace it rapidly and
then are overwhelmed by the security and privacy implications. Since in a BYOD
environment, the organization does not own the desktop (devices are privately owned and
are portable), the solution to their security concerns seems to be to make the user part of
their security model; that is, a system of access control based on who, what, and maybe
even where. Users need to play an active role in the information security environment by
preventing unwanted incidents, protecting organizational material and immaterial assets,
and reacting to incidents (Vance, 2012). Examples might be locking their devices and
setting automatic locks, password etiquette, cautious use of email and the Internet on
their personal devices, cautious use of organizational assets and data when outside the
organization, and reporting information security breaches.
Certainly, it's possible to build a reasonably secure mobile device, just as it's
possible to build a reasonably secure desktop, but this security comes at the expense of
functionality (Michael & Viega, 2010). This defeats the appeal that mobile devices have
for their owners. Jansen suggests User Interface plugins, encryption, and policy
incorporations (Jansen et al., 2004), but most of what is proposed applies to managed,
company-owned devices circa 2003 and does not apply to today’s post Apple iOS and
Google Android based BYOD that permeate all aspects of society.
In addition, high information security workloads create conflicts of interest
between functionality and information security, especially in BYOD, since users work
considerably with their easy-to-use apps to get their work done (Von Solms, 2004).
Simply documenting requirements of expected information security behavior and general
awareness campaigns have little effect by themselves on user behavior and awareness
(Von Solms, 2004). Approaches where user participation is embraced can be much more
effective for influencing user awareness and behavior.
Most organizations are totally dependent on their IT systems to capture, store,
process and distribute company information (Von Solms, 2006). This has grown rapidly
with the advent of mobile device BYOD. Information security is and has always been the
discipline to mitigate risks impacting the confidentiality, integrity, and availability of an
organization’s IT resources (Von Solms, 2006). This discipline has been forced to
expand with the advent of BYOD but not necessarily in a predictive and cohesive
manner. Many organizations are not even aware that BYOD is used on their networks; of
those who are, many have little to no technologies and/or policies in place to address
BYOD (Mansfield-Devine, 2014). BYOD, thus, is a trend that requires studying as part
of the information security governance of an organization. To protect valuable
information, organizations must stop making a distinction between devices in the
corporate network and devices outside of it, argues Bill Morrow of Quarri Technologies
(2012).
Most organizations do not realize that security is corporate governance
responsibility (the buck stops at the top) and that information security is also a business
issue and not just a technical issue (Von Solms, 2004). Information security governance
is a complex issue and there is no off-the-shelf solution available for it. An information
security plan needs to be based on identifiable risks. It should be clear that a corporate
security policy and associated enforcement and monitoring are essential.
In addition, information security awareness amongst users is of core importance
(Von Solms, 2004). Further, information security administrators and managers must be
empowered with the tools, infrastructure, support mechanisms, and enforceable policies
to properly perform their duties. Information security should be a priority of executive
management, including the Board and CEO and should therefore commence as a
corporate governance responsibility needing to integrate information security into
corporate governance (Posthumus & Von Solms, 2004).
Corporate governance consists of the set of policies and internal controls by
which organizations, irrespective of size or form, are directed and managed. Information
security governance is a subset of the organization’s overall corporate governance
program (Von Solms, 2006). The proposed BYOD Security Framework needs to be
placed within the information security governance of the organization.
2.2 Background
BYOD is short for Bring Your Own Device, a play on the acronym BYOB (Bring
Your Own Beer). It is a trend that has been around ever since people first brought their
own USB flash drive, or installed their favorite browser or program, to get their job done.
In such cases, over the years, a variety of solutions have come into existence in order to
secure organizational resources and data. These included controlling of the desktop
environment using policies. These policies were both written policies as well as policies
applied via technology such as Microsoft’s Active Directory Group Policies. For
example, using central software-based policies, IT could lock down installation of
applications, disable USB ports, and even monitor a desired workstation to any degree
deemed necessary. They may or may not also put out a policy outline as to proper use of
the devices and software and restrictions in place.
Much like Coke, Xerox or Kleenex, whose names have become generics
(“Do you have Coke?”), BYOD has become such an eponym, referring almost exclusively
to smartphones, especially in the work environment, with tablets being a
distant second.
When Apple introduced its iOS devices (the iPhone followed quickly by its iPad),
the popularity and ease of use of these devices made them too enticing for employees not
to use them for their jobs on-site and off-site. Google entered the market shortly after
with its Android operating system along with an added twist: it used open licensing, so
vendors could modify the source code. Additionally, users could install whatever they
wished, to their hearts’ delight, a model that is not in Apple’s iOS devices. Since these
devices are privately owned, IT faces the challenge of how to secure their organizations’
resources and data from being lost, stolen, or exploited. Consider the scenario in which a
legitimate employee copies confidential data into his smartphone, and then loses the
phone a couple of days later. Or perhaps a nurse takes a picture that includes a patient’s
private information, with the camera in her iPad, and then forgets about the picture. The
device may be lost or stolen and the image may be transmitted unwittingly (or
purposefully) to a third party, violating the patient’s privacy as well as the Health
Insurance Portability and Accountability Act (HIPAA) regulations. These are two quite
common scenarios that are not that difficult to imagine. While security software
companies hail loads of solutions to the problems of mobile security, usually in the form
of some Mobile Device Management (MDM) system, based on this research, none has
the technology to protect an organization’s resources against BYOD or to alleviate all
privacy concerns.
2.3 Why BYOD?
BYOD has many advantages, such as reducing companies' cost and increasing
users' productivity (Wang & Vangury, 2014) (Scarfo, 2012). Saving money in
procurement, hardware, software, licensing, service agreements, and insurance are
additional benefits of BYOD (Caldwell, Zeltmann, & Griffin, 2012). Increased mobility,
flexibility, productivity and employee satisfaction are considered as some of the key
reasons for the adoption of BYOD (Rivera et al., 2013). Additional considerations for
BYOD include:
• BYOD is portable, so employees can work from anywhere
• BYOD increases efficiency since employees are well versed in using their own
devices; this also means that the burden of training is lowered (Finneran, 2012)
• Employees tend to look after their own devices with more diligence than
company-provided ones (Ghosh, 2013)
• Services can be provided to rural areas; for instance, patient monitoring in remote
locations can be done using BYOD at very little cost
• Via apps such as GotoMeeting, virtual conferences are easy and quick to set up
from anywhere using mobile devices
• Services can be delivered in the field; for instance, an insurance agent can provide
proper services right at a customer’s location, report the results back to the
company, and finalize the transaction using his BYOD with custom company
apps installed
• Organizations such as Khan Academy (www.khanacademy.org) and
Harvard/MIT edX (www.edxonline.org) provide low cost, high quality online
education ideal for BYOD learning experiences (Miller, 2012)
• Communication and information sharing is instant and available from just about
anywhere, with or without Wi-Fi or LAN resource availability
2.4 BYOD Adoption
According to David A. Willis, while BYOD is occurring in companies and
governments of all sizes, BYOD is most prevalent in midsize and large organizations
($500 million to $5 billion in revenue, with 2,500 to 5,000 employees) (Willis, 2013).
BYOD allows small companies to go mobile without a large device and service
investment, and in some cases, the low-cost consumer apps can add significant value
without significant cost (Willis, 2013). Unlike tablets, over half the companies that allow
smartphone BYOD subsidize at least part of the expenses for their employees. Figures 1
and 2 show the adoption of BYOD by industry.
Figure 1: Tablet BYOD Adoption by Industry, Source: (Gartner, 2013)
Figure 2: Smartphone BYOD Adoption by Industry, Source: (Gartner, 2013)
2.5 Examples of BYOD
Mobile devices are improving healthcare tremendously, especially for the poor
and those in rural areas, says West (2012). West contends that mobile data traffic will
increase eighteen-fold by 2016 and that mobile technology is poised to alter how
healthcare is delivered. Using BYOD, patients can be monitored in real time, even those
in rural areas, since 3G and 4G wireless services can be used to reach them. Mobile
devices can be used to access patient records, raise health awareness, perform
telemedicine such as reminding patients of their medication via texting, and even use text
messaging to determine emergency room wait times. West predicts that with real time
monitoring, $197 billion in overhead would be saved over 25 years, while an additional
$305 billion in productivity would be gained by 2022. Furthermore, physicians using
their BYOD respond more promptly to medical results, have fewer errors in medication
prescription, and show improved data management and record keeping practices (Willis,
2013). Since the devices are their own, physicians can use them at multiple locations, as
many doctors work at more than one hospital or medical facility. According to J.
Goedert, the benefits of BYOD and mobility are not just for doctors (Goedert, 2013);
patients, especially kids, love using the iPad and those devices help them not to think
about needles. iPads are especially sought after and doctors prefer them to RIM
Blackberries: the iPads have larger screens, are easy to take from patient to patient, are
easy to use, have no keyboards, and are thus easy to sanitize, a point specifically made by
many doctors refusing to use Blackberries (Mansfield-Devine, 2012). With so many
benefits, hospitals are learning that it is not possible to deny BYOD (Goedert, 2013).
BYOD is not a passing fad. It is here to stay in the healthcare industry.
The main challenges of BYOD in healthcare are security and, as part of that,
patient privacy. Some additional areas of concern are: upgrades to network
infrastructures, having a strategy for lost BYOD since the devices are not owned by the
healthcare organization, providing a solution for the mixing of personal and professional
data on BYOD, providing for proper data sanitization of devices, and the distribution and
control of applications across these devices. These are enormous challenges and not
unique to the healthcare industry. As of 2013, there are over 12,000 healthcare apps for
Apple iOS devices and more than 30,000 for Android-based devices (Mansfield-Devine,
2012). To add to the complexity, unlike Apple devices, Android devices are spread out
in their operating system versions, capabilities, features, and base security, since Android
uses open licensing. What this means, in a nutshell, is that an app that can be securely
put on one Android-based device may not be able to be placed securely on another
Android-based device due to the operating system version. Another area of consideration
involves the policies to be implemented, in software, hardware, wireless, carrier based
services, as well as personnel and management (i.e. people-based policies for proper
clearance, conduct, and access).
2.6 Benefits of BYOD
There are clear benefits and business reasons that an organization may gain as a
result of a successful employment of a BYOD program. Typically, the benefits of BYOD
can be characterized in one of three ways: employee morale, increased productivity, and
cost benefits. Employees are far more comfortable and satisfied using devices that they
have chosen to invest in, which in turn may also lead to higher levels of efficiency and
productivity when compared to employees who are issued a device that they may not be
familiar with. BYOD also allows employees to carry one device for personal and work
functions rather than carrying multiple devices. An employee carrying a single device is
less likely to lose it or have it stolen than one who carries several. BYOD may make an organization
more attractive to employees by making the company look flexible and in-touch with
today’s technology, which may increase recruiting and retention. Employees will
appreciate the convenience of carrying a single device, of their choosing, on which to
conduct both their business and their personal activities.
The driving factors for some organizations to implement BYOD are the rise of
employee expectations with regard to mobile technology coupled with the rising costs of
the latest mobile devices. At the time of this writing, a new Apple iPhone 6 with 32
gigabytes of storage costs nearly $300 with the purchase of a two-year agreement from a
carrier. The cost to keep up with employee expectations can be immense and difficult to
overcome, particularly to smaller businesses and organizations. At the same time,
organizations may not realize return on investment by purchasing the latest and greatest
mobile technology through every evolution. Since its initial release in 2007, Apple has
released nine iPhone models. In the same timeframe, thirteen versions of the popular
Android operating system have been released, each with its own flagship device
highlighting new features and capabilities. The mobile technology market is evolving
more than once per year!
Organizations may realize cost savings from several vectors when properly
implementing a BYOD program. First and foremost, the organization is no longer
responsible for purchasing mobile devices. Given the prices of the latest devices, that
cost savings is significant. Employees using their own devices for work are more likely
to invest in new technology at their own pace, which saves the organization from the
costs of keeping up with the latest technology. Another advantage that results in cost
savings is that organizations are not required to maintain a telecommunications support
staff to administrate and manage carrier agreements. Maintenance and technical support
are handled between the employee and their carrier, abstracting organizations from
providing help desk or other support for the devices. Employees utilizing BYOD are far
more likely to be familiar with their chosen device, eliminating the need for any
additional training by the organization.
2.7 Top Failures in BYOD Security
Defining Top Failures can be a challenging task since each organization has
unique security requirements and challenges. However, certain failures are so common
that they deserve to be mentioned specifically. Clearly there are many concerns, but
this list serves as a good starting point. To have a more structured approach, a
checklist for BYOD readiness would be necessary (see appendix A). Such a checklist
would serve as a precursor to the application of a framework that would serve as
the resolution to the BYOD systems security concerns. Girard has identified a list of
the top BYOD security failures (Girard, 2013). Below is the list followed by a brief
description of each failure:
2.7.1 Inconsistent Security Policies
Policy gaps are the foundation of most security failures and BYOD security is no
exception. A typical instance is requiring complex passwords on desktops and laptops
but allowing a simple 4-digit passcode on BYOD devices.
2.7.2 Leakage in Shared Media
USB and flash devices such as SDs are common culprits here. Enterprises may
bypass inventorying removable media in favor of honor systems, where users are
encouraged to encrypt their devices, or perhaps enterprises ignore the problem
altogether. This allows sensitive files to move between generic devices and invariably
causes leakage of sensitive data.
2.7.3 Minimal Management
The unrestricted and easy access that BYOD enjoys was rarely if ever tolerated
for laptops. BYOD devices are frequently allowed to connect to enterprise networks,
access email, access and manipulate data, and very often few controls if any are in place
to check such access.
2.7.4 Readable Data Remaining in Disposed Devices
Many recycled, traded, or sold smartphones and tablets contain sensitive data
even after they were presumably erased; this includes those devices that were “properly”
erased. Many users are not aware that when they “delete” their data, the operating
system simply marks the location as erasable and that the data can still be retrieved.
2.7.5 Inter-application Data Leakage
As smartphones and tablets can store gigabytes of data easily, including email
attachments, pictures, and documents, there is a good chance that their data gets shared
between applications and possibly copied to unapproved and/or unsecured locations
through sync tools, cloud tools, or automated backups.
2.8 Challenges and Risks of BYOD
BYOD, particularly as it relates to smart phones, presents a distinctive set of
challenges and risks to any organization. Throughout this dissertation and in particular in
the BYOD Security Framework, challenges, risks, and solutions as they relate to three
core aspects of a BYOD program, depicted in figure 3, will be addressed: People, Policy,
and Technology.
Figure 3: Aspects of a BYOD Program
Every aspect of BYOD can be categorized under one of these three groupings in order to
help readers understand the different components of BYOD and how each plays a critical
role in the overall process. Policy can help guide and shape user behavior and
Technology can be used to enforce policy. In the end, it is the People who stand to
benefit and represent the greatest risk to BYOD.
There are cultural challenges to groom a responsible and security-conscious user
base. Organizations must develop policies surrounding BYOD that align with the core
business mission and the risk tolerance of the organization. Technology must be selected
and implemented to enforce and manage BYOD policies. Risks to sensitive corporate
data must be managed in the face of a myriad of challenges. Finally, there are legal
issues upon which little guidance exists in the way of legislation or case law.
2.9 BYOD Security Lifecycle
The BYOD Security Lifecycle defines the stages of a mobile device during its
participation within a BYOD program. This BYOD Security Lifecycle is presented in
order to provide structure and context to the steps presented later in the BYOD Security
Framework. The BYOD Security Lifecycle is displayed in figure 4 below.
Figure 4: BYOD Security Lifecycle
Register. The device is registered with the BYOD program. The device and mobile
operating system are examined to ensure they meet the minimum standards for inclusion
in the program.
Provision. The device is provisioned using Over-The-Air (OTA) or other enrollment
process. During provisioning, the device is installed with any configurations, settings,
software, and certificates necessary to prepare the device for BYOD.
Operate. The user is granted access to approved organization resources with the device.
The user continues to enjoy the benefits of BYOD while maintaining compliance with all
organizational requirements for participation in the BYOD program.
De-provision. The device will no longer participate in the BYOD program. All
organizational data are removed in accordance with organizational policies. Any
organizational configurations, settings, software, and certificates are removed. The
device is returned to the user and is no longer able to access organizational resources.
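The four stages above, modelled as a state machine that re-checks a minimum security baseline (MSB) both at registration and during operation, so a device that drifts out of compliance loses access before it is de-provisioned. This is an added example, not code from the dissertation; the MSB values, the Device fields and the asset names are assumptions constructed for illustration.

```python
"""BYOD Security Lifecycle (Register, Provision, Operate, De-provision) as a state machine.
Added example, not code from the dissertation: the minimum security baseline (MSB)
values, the Device fields and the asset names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    UNREGISTERED = "unregistered"
    REGISTERED = "registered"
    PROVISIONED = "provisioned"
    OPERATING = "operating"
    DEPROVISIONED = "de-provisioned"


# Constructed MSB for admission to the program. The passcode minimum deliberately matches
# what a desktop policy would demand, avoiding the "inconsistent security policies" failure.
MSB = {
    "min_os": {"ios": (9, 0), "android": (5, 1)},  # assumed minimum OS versions
    "min_passcode_len": 8,
    "require_encryption": True,
    "allow_rooted": False,
}


@dataclass
class Device:
    owner: str
    platform: str
    os_version: tuple
    passcode_len: int
    encrypted: bool
    rooted: bool
    stage: Stage = Stage.UNREGISTERED
    org_assets: list = field(default_factory=list)  # profiles, apps, certs, org data
    access_granted: bool = False


def baseline_check(dev, msb=MSB):
    """Return the reasons the device fails the MSB; an empty list means compliant."""
    reasons = []
    min_os = msb["min_os"].get(dev.platform)
    if min_os is None:
        reasons.append(f"unsupported platform: {dev.platform}")
    elif dev.os_version < min_os:
        reasons.append(f"os {dev.os_version} below minimum {min_os}")
    if dev.passcode_len < msb["min_passcode_len"]:
        reasons.append("passcode shorter than the policy minimum")
    if msb["require_encryption"] and not dev.encrypted:
        reasons.append("storage not encrypted")
    if dev.rooted and not msb["allow_rooted"]:
        reasons.append("device is rooted or jailbroken")
    return reasons


def register(dev):
    """Register: admit the device only if it meets the MSB. Returns (ok, reasons)."""
    if dev.stage is not Stage.UNREGISTERED:
        raise ValueError(f"cannot register a device in stage {dev.stage.value}")
    reasons = baseline_check(dev)
    if reasons:
        return False, reasons
    dev.stage = Stage.REGISTERED
    return True, []


def provision(dev, assets):
    """Provision: push organizational configuration, apps and certificates (OTA in practice)."""
    if dev.stage is not Stage.REGISTERED:
        raise ValueError(f"cannot provision a device in stage {dev.stage.value}")
    dev.org_assets = list(assets)
    dev.stage = Stage.PROVISIONED
    return dev


def operate(dev):
    """Operate: grant access only while the device still meets the MSB."""
    if dev.stage not in (Stage.PROVISIONED, Stage.OPERATING):
        raise ValueError(f"cannot operate a device in stage {dev.stage.value}")
    # Re-running the baseline check catches drift after enrollment (e.g. a device
    # rooted later); access is withdrawn rather than silently kept.
    if baseline_check(dev):
        dev.access_granted = False
        return False
    dev.stage = Stage.OPERATING
    dev.access_granted = True
    return True


def deprovision(dev):
    """De-provision: remove every organizational asset and revoke access."""
    if dev.stage in (Stage.UNREGISTERED, Stage.DEPROVISIONED):
        raise ValueError(f"cannot de-provision a device in stage {dev.stage.value}")
    # Only what the program installed is removed; personal data stay untouched.
    removed, dev.org_assets = dev.org_assets, []
    dev.access_granted = False
    dev.stage = Stage.DEPROVISIONED
    return removed  # returned so the removal can be logged
```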
2.10 Current State of BYOD
The momentum gained by the popularity of BYOD seems unstoppable. A 2012
study conducted by Cisco showed that an astounding 95% of respondents from a pool of
600 U.S. IT and business leaders say their organization permits employee-owned devices
in the workplace. According to a global survey of Chief Information Officers conducted
by Gartner’s Executive Programs, more than 38 percent of companies expect to stop
providing devices to workers by 2016 (Gartner, 2013).
BYOD remains largely uncharted territory with few real success stories. Worse,
many organizations are currently participating in BYOD without knowing it. Employees
who are able to connect their corporate email on their personal smart phone or tablet are
participating in BYOD, whether the organization chooses to admit it or not. With no
level of operational management regarding how corporate data are accessed, stored,
processed, and transmitted on employee-owned devices, this course of action represents a
great deal of risk. Organizations that profess to disallow BYOD but do not actively
prevent it through preventative or detective security controls place themselves in a similar
risky situation. Other organizations have chosen to face BYOD head-on. These
organizations have an advantage over their counterparts, but may have had little guidance
to direct their early actions and implementations.
Technology to support BYOD is still largely an emerging market. Early adopters
of BYOD were mostly limited to Mobile Device Management (MDM) standards. MDM
will be explained in more detail in the framework (section 4). MDM is certainly better
than nothing, but often lacks the innovative and sophisticated features to be effective as a
singular solution. Another popular approach is the sandboxing method, by which
company data are kept in a separate, encrypted container from personal data. The
solution is fairly effective in design, but limits the primary functionality of the mobile
device by only allowing access to business resources through the sandbox’s applications
rather than native device applications. Other technology innovations are arriving by the
day, and include: GPS-based mobile device policy enforcement, virtualization, and data
loss prevention.
Current BYOD policies are equally unproven and untested. The legalities of
BYOD and the authorized actions of the business are very much in question. There is
little in the way of legislation or case law on which to base BYOD policies.
Compounding matters is a plethora of legal issues and challenges for which no clear
answers are available. During the BYOD policy planning process, it is critical that the
organization seek legal and human resources counsel to ensure policies meet existing
human resources statutes and remain enforceable. A more detailed discussion of the legal
challenges surrounding BYOD can be found in section 4.1.10 of the framework.
3 Research Problem and Hypotheses
"Spending hundreds of thousands of pounds, euros or dollars on a security system,
plugging it in and switching it on — then presuming your company is secure — is a
totally inadequate approach, because it usually results in relatively poor levels of
protection for your organization as the threats from criminals are constantly changing."
Ray Bryant, CEO of idappcom
3.1 Problem Statement
Based on the literature review and wide-ranging interviews with security experts,
no study was found that proposed a comprehensive solution or a framework to broadly
address the BYOD security concerns. The proposed framework of this dissertation is
presented later in this article.
3.2 Research Hypotheses
This dissertation attempts to answer the following overarching question: Can a
balanced application of technology and policy using a security framework significantly
reduce security breaches in an enterprise where Bring Your Own Device (BYOD) is
allowed/implemented? In order to answer this question, the following twelve research
hypotheses were postulated:
H1: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related data security
breaches.
H2: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-
Fi) security breaches.
H3: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related cellular
security breaches.
H4: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
rogue mobile devices access.
H5: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of authentication related
security breaches.
H6: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lost/stolen mobile devices.
H7: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
unauthorized mobile access.
H8: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of understanding of organizational security policies.
H9: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of training and education of organizational employees.
H10: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of awareness of organizational policies.
H11: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of document related security
breaches (e.g. improper document sharing, saving, copying, emailing, printing, and
scanning of documents).
H12: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
mobile application flaws.
It is worthwhile studying the framework prior to statistical analyses of the hypotheses.
Section 4 below presents the BYOD Security Framework followed by recommended
policy controls and policy recommendations. A recommended set of guidelines for
applying the framework properly is presented afterwards. The statistical study and
analyses to validate the framework are then undertaken.
4 BYOD Security Framework
The BYOD Security Framework is a modular architecture that can be easily
integrated into a larger information security program. This framework provides a starting
point for organizations to structure their BYOD program around. It can be used to create
a new program or improve upon an existing one. The framework outlines a seven-step
process that encompasses the entire BYOD lifecycle mentioned previously. The
framework is iterative and assumes that organizations will revisit each step in the process
on a periodic basis in order to provide continuous monitoring of the organization’s
BYOD program and to continuously assess the effectiveness of the program. The BYOD
Security Framework is illustrated in figure 5 below.
Figure 5: BYOD Security Framework
4.1 Plan
The first step in undergoing any major
endeavor is to properly plan. In this section,
we will highlight some of the key concepts that
are critical during the planning process of a
mobile device BYOD security program.
The Plan phase requires close
coordination across multiple disciplines and
among all stakeholders. It is vital that the
planning process is supported at the very
highest levels of management to ensure that appropriate time and human resources are
allocated.
There are several key concepts that will require decision points prior to moving
on in the framework. Each concept will be explained along with its potential impact as
well as an outline of the consequences of common decisions.
4.1.1 Business Environment
The first step in planning for a BYOD program is to understand how BYOD and
mobile devices fit into the business landscape of the organization. Planners should
identify who BYOD users are and what business resources BYOD users will be
accessing. Organizations that only need to expose email to their BYOD users will
require a significantly different security posture than another organization requiring file
or internal web access. By identifying the typical use-cases for BYOD, planners will be
better able to advise and guide the organization through key decision points in their
BYOD planning process.
[Margin graphic: BYOD Security Lifecycle wheel: 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor]
According to a recent SANS Institute survey on Mobility and BYOD Policies and
Practices, 51% of respondents identified knowing what sensitive data devices can access
as one of the most critical practices for BYOD. Organizations should determine which
information systems, assets, data, and capabilities will be accessed by BYOD devices.
The types and level of accesses by BYOD will vary from organization to organization
and even employee to employee. Planners should consider all the possible use-cases to
help shape the protective, detective, and reactive security controls necessary to secure
BYOD access. Some examples of internal information resources that might be accessed
via BYOD are highlighted below.
• Electronic Mail
• Intranet websites
• Productivity applications
• Collaboration tools
• Social Media
• Internal databases
• Storage
• Cloud services
• Custom applications
• Network access
• Remote access
4.1.2 BYOD Standards
In order to ensure that BYOD devices are capable of supporting functional and
security requirements, a set of hardware and operating system standards need to be
established, maintained, and published. Operating systems and their hardware platforms
should have the capability to support the implementation of critical mobile security
requirements. Planners should determine who will bear responsibility for establishing
BYOD standards and requirements. Once determined, organizations need to publish a
list of approved devices that users may access to determine if their devices are eligible for
inclusion in the BYOD program.
As critical as the establishment of standards is the ability of the organization to
maintain and update standards. New mobile technologies evolve every 6-9 months.
Planners should understand that if the organization falls behind in their ability to respond
to changes in technology, it would have a negative effect and possibly undo the positive
effects of having a BYOD program in the first place.
A non-exhaustive list of BYOD requirements is included below. This list is
meant to be a starting point for discussion only. Organizations should establish their own
requirements that align with organizational missions, goals, and objectives. The Defense
Information Systems Agency has published an exhaustive list of security requirements in
the Mobile Operating System Security Requirements Guide, available for free download;
key elements are listed below. Organizations should take into account any potential
limitations of their chosen MDM solution, such as hardware and operating systems
supported, when publishing a list of approved devices. Key requirements should include:
• The device should be supported by the chosen MDM solution [1]
• The device should integrate with organization’s email system
• If required, the device should support certificate-based authentication, including
query of organization certificate revocation status
• The mobile device should enforce a mandatory access control (MAC) policy
• The device should support periodic, forced password changes
• The device should enforce a lock function to prevent unauthorized users from
gaining access, including automatic locking after a defined period of inactivity
and user-directed locking
• Device lock should hide previously visible information from the screen
• The device should not automatically execute applications without user direction
• The device should support the creation and sending of organization-required
auditing data, including accurate date and timestamps
• The device should support and meet organizational encryption requirements for
data-at-rest and data-in-transit
• The device should support mutual authentication and encryption between the
provisioning server and provisioned device during trusted over-the-air (OTA)
provisioning
• The device should not permit users to remove organizationally-required
applications
• The device should not permit a user to disable or modify security policies or
enforcement mechanisms
[1] Not all MDM solutions are capable of supporting every device on the market. Check section 4.1.3 on MDM later in this dissertation as well as product literature to ensure approved devices are supported.
• The device should prevent applications from accessing other applications and data
stored on the device
• The device should support Internet Protocol Security (IPSec) with Advanced
Encryption Standard-128 (AES-128) or better encryption for Virtual Private
Network (VPN) tunnels
• The device should encrypt the Public Key Infrastructure (PKI) certificate store
using AES-128 or better encryption
• The device should prohibit remote activation of collaborative computing
functions, including microphones, cameras, and networked white boards without
user concurrence
For organizations with more stringent security standards, these additional requirements
are worthy of consideration:
• The device should support organization legal/warning banner prior to device
unlock
• The device should support alignment of device timestamps with organization
network time to support forensic analysis and investigation of events that cross
mobile devices into the organization’s network
• The device should support organization PKI requirements, including verification
of public keys and denial of untrusted certificates and certificate authorities
• The device should support enforcement of password complexity requirements
• The device should verify the integrity of software and applications before
installation and execution
• The device should support disabling or securing Bluetooth and Near-Field
Communications (NFC)
• The device Wi-Fi module should support WPA2 with EAP-TLS authentication
and AES-CCMP encryption
• The device should authenticate tethered connections before granting access to the
device
• The device should detect and report the presence of unauthorized software and
applications
4.1.3 Mobile Device Management (MDM)
Any technology solution to implementing a successful BYOD program starts with
Mobile Device Management. MDM provides OTA control of data, applications, and
configuration settings for mobile devices. Most MDM solutions consist of a server
located either in the organization’s network or in the cloud that communicates with
managed devices via the Open Mobile Alliance (OMA) Device Management (DM)
protocol. OMA DM is an open standard that defines a common feature set, including
device provisioning, software upgrades, and fault management. Most MDM vendors
offer a fairly standard set of capabilities, which are included in Appendix B of this
document.
Not all MDM solutions are created equal and organizations should pay careful
attention to each product’s capabilities. Many MDM solutions offer advanced features,
but those features may only be available for a particular device model or operating
system.
4.1.4 Application Store
The true power of the smartphone is not in the features of its operating system,
but in the seemingly infinite possibilities of its applications. With great capability comes
great risk. Organizations should plan for how BYOD devices will be permitted to
download and install applications. Depending on the organizational mission, there are
many different solutions and each may offer benefits and drawbacks to the success of the
BYOD program.
Applications today are no longer being written exclusively by larger software
companies who could presumably be trusted and be held accountable. Anyone with the
knowledge and proper tools can create an “app” and publish it for public download.
Organizations cannot implicitly trust the integrity and quality of publicly available
applications. Applications may contain unintended flaws that could expose
organizational information or even allow attacks directly upon the enterprise network.
Malicious developers may create entertaining and popular applications with a more
sinister payload. Organizations should plan for how they will balance the user demand
for openness with the need to protect organizational assets and data.
There are several possible solutions presented in sections 4.3.5 and 4.3.6 of this
document. Some key questions that planners should ask include:
• Will the organization allow full and open access to any and all applications?
• Should the organization blacklist known-bad applications?
• Should the organization whitelist and only allow known-good applications? If so,
what will be the inclusion process for applications?
• Will users be permitted to download applications from a public source (e.g.
Apple App Store, Android Market, etc.)?
• Will the organization stand up its own application marketplace?
Full and open access may introduce unmanageable risks while restrictions placed
on applications may eliminate the appeal of a BYOD program in the first place.
Decisions should be based around solid risk management planning.
4.1.5 Asset Management
Organizations must know what they are protecting before they can hope to protect
it. Asset management encompasses the full range of processes and technology from
which BYOD devices are registered and approved, configuration controlled, and
managed. Organizations can expect that asset management will play a critical role in the
overall risk management process of BYOD.
Asset management includes activities to formally approve users and devices into
the BYOD program, register devices, install required software, configurations, and
applications to meet organizational requirements, and to manage the relationship between
the organization, the user, and the device throughout the BYOD lifecycle.
During the planning process, organizations should determine who will be
responsible for asset management, the tools used, and the reporting metrics required in
order to maintain visibility of the BYOD program. MDM solutions may offer some
degree of asset management, but care should be taken to ensure the capabilities meet the
organization’s requirements.
4.1.6 Network Environment
The greatest single technical defense against attacks resulting from the
exploitation of a mobile device is the architecture of the network. As important as what
planners intend the device to access is what the device can actually access. A purpose-
built network architecture will permit BYOD devices to access required organization
information resources while retaining strategic network access and intersection points
where protective, detective, and reactive security controls can be placed. There are a
number of technological solutions that are capable of performing the required functions,
including firewalls, access-control lists, virtual local area networks (VLANs), zoning,
VPN, and application wrapping among others. There are many methods and solutions to
engineer sound network architecture, but the best advice is to treat the BYOD interface as
an untrusted, demilitarized zone (DMZ) and expose only those information resources
specifically required. This is illustrated in figure 6 below.
Figure 6: Network Environment
4.1.7 Governance
Organizational planners will need to identify the policies, processes, and
procedures used to operate and monitor the organization’s BYOD program. Governance
should include statutory, regulatory, legal, security, environmental, and operational
requirements at a minimum. It is critical to understand the limitations of mobile security
technology in order to comprehend which aspects of the BYOD security program are
technically enforceable and which are relying solely on policy for enforcement. Some
key planning items include:
• Identify existing organization information security policies
• Identify security roles and responsibilities
• Identify statutory, regulatory, and legal requirements
For instance, if an MDM solution is chosen that relies upon an installed application
that the user can remove, then organizational policy must dictate that BYOD users are not
permitted to remove the required application. In this manner, organizations can augment
the limitations of their technology solution by shaping user behavior through policy. In
this instance, the organization should ensure that users are briefed and trained on their
responsibilities to participate in the BYOD program.
4.1.8 Risk Management Strategy
The Risk Management Strategy surrounding BYOD should be based upon the
principles of Identify, Protect, Detect, and Respond, illustrated in figure 7.
Figure 7: Risk Management Strategy (Identify, Protect, Detect, Respond)
These four concepts encompass the four major activities that will drive risk
management decisions surrounding BYOD. First, identify the information and assets that
need to be protected. Second, protect information and assets using available technology
to automate protection mechanisms and enforcement actions. Examples of protect may
include device encryption, pass-phrases, and application white/black listing. Third,
recognize that there will be gaps between protection mechanisms and the likely attacks
used to gain access to information and assets. Deploy detective security controls to
provide visibility and situational awareness in order to detect suspicious activity. Last,
when suspicious activity is detected, the organization must respond accordingly.
Response actions may include automated actions, such as automatic device wipe after a
predetermined number of failed login attempts, or manual actions, like enabling GPS-
locator services on a stolen device. In short, identify what needs to be protected, protect
what can be protected, detect what cannot be protected, and respond accordingly.
The goals of the risk management strategy are to provide a modular security
framework that can be easily integrated into a larger information security program (e.g.
NIST SP800-37). Organizations should plan for who is responsible for identifying risks
and how they will identify them. During the planning process, planners should discuss
what tools and techniques might be used to identify risks. Also, planners should discuss
whether periodic risk assessments will be utilized or if a more continuous monitoring
solution is desired.
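As an added example that is not part of the dissertation, the following Python sketch implements the detect-and-respond half of the strategy above as an event-driven engine: it consumes constructed MDM-style device events and triggers the two response types the text names, an automated wipe after a predetermined number of failed unlocks and a lock-plus-locate escalation when a device is reported stolen. Event field names, thresholds and action names are assumptions for illustration.

```python
"""Added example (not the dissertation's own code): a small detect-and-respond
engine for the BYOD risk strategy.  Thresholds, event fields and action names
are assumed values chosen for illustration."""
from dataclasses import dataclass, field

# Assumed response policy: remote lock after 5 failed unlocks, wipe after 10.
LOCK_AFTER = 5
WIPE_AFTER = 10


@dataclass
class DeviceState:
    device_id: str
    failed_unlocks: int = 0
    locked: bool = False
    wiped: bool = False
    reported_stolen: bool = False
    actions: list = field(default_factory=list)   # audit trail of responses taken


class ResponseEngine:
    """Tracks per-device state and maps detected events to response actions."""

    def __init__(self):
        self.devices = {}

    def _state(self, device_id):
        return self.devices.setdefault(device_id, DeviceState(device_id))

    def handle(self, event):
        """Apply one event; return the list of response actions it triggered."""
        st = self._state(event["device"])
        if st.wiped:
            return []                       # nothing further to do on a wiped device
        triggered = []
        kind = event["type"]
        if kind == "unlock_failed":
            st.failed_unlocks += 1
            if st.failed_unlocks >= WIPE_AFTER:
                triggered.append("remote_wipe")       # automated, irreversible
                st.wiped = True
            elif st.failed_unlocks >= LOCK_AFTER and not st.locked:
                triggered.append("remote_lock")       # automated, reversible
                st.locked = True
        elif kind == "unlock_ok":
            st.failed_unlocks = 0           # a successful unlock resets the counter
            st.locked = False
        elif kind == "reported_stolen":
            st.reported_stolen = True       # raised manually, e.g. by the help desk
            triggered += ["enable_locator", "remote_lock"]
            st.locked = True
        # unknown event types are ignored but could be logged for tuning
        st.actions.extend(triggered)
        return triggered

    def run(self, events):
        """Process an event stream; return {device_id: [actions taken]}."""
        for ev in events:
            self.handle(ev)
        return {d: s.actions for d, s in self.devices.items()}


SAMPLE_EVENTS = (  # constructed sample telemetry, not real data
    [{"device": "dev-A", "type": "unlock_failed"}] * 5     # reaches the lock threshold
    + [{"device": "dev-A", "type": "unlock_ok"}]           # owner unlocks; counter resets
    + [{"device": "dev-B", "type": "reported_stolen"}]     # help-desk ticket
    + [{"device": "dev-C", "type": "unlock_failed"}] * 10  # lock at 5, wipe at 10
)

if __name__ == "__main__":
    for dev, actions in ResponseEngine().run(SAMPLE_EVENTS).items():
        print(dev, actions)
```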
4.1.9 User Training
The largest risk in any BYOD program lies in its users. Whether through
negligence, malice, or pure bad luck, users have the ability to cause great harm to an
organization. Never is this truer than in a BYOD scenario where users are empowered to
do whatever they want because the device belongs to them. Therefore, it is absolutely
critical that users are trained on the rules of behavior and their responsibilities as good
corporate citizens in the effective use of BYOD.
Planners should identify the key training components of their BYOD program,
including what will be presented during initial and refresher training, the frequency for
mandatory training, and who will be responsible for developing and maintaining the
training curriculum.
4.1.10 Legal Issues
There are a number of key legal issues that need to be discussed and planned for
among all stakeholders in the BYOD program. Many of these issues and questions do
not have definitive answers. Little exists in the way of legislation or case law to
determine an organization’s rights and responsibilities in a BYOD program. Among
these key legal issues are:
• Does the organization have the right to wipe the device, including personal data
and applications, if the device is lost or stolen, in order to protect sensitive
corporate data?
• Can the organization monitor access to personal email accounts? If not, how will
corporate email be monitored? If so, what restrictions does the organization have
regarding how this information can be used?
• What happens to corporate data when an employee is terminated, for whatever
reason?
• What liability does an organization have when a device is encrypted and the key
is lost, effectively rendering personal data and applications unusable?
• What responsibility does an employee have if he or she sells or transfers
ownership of the device, such as gifting to a child? What action will the
organization take for failure to notify such a transfer of ownership?
• What are the organization’s requirements for data breach notification in relation
to the data stored/processed on BYOD?
• Do organizations have a right to search and seize the device as they would
corporate property? What about in the case of e-discovery?
• May the organization use GPS to track employee whereabouts? If not, how will
this behavior be prevented?
• How will the organization prevent inadvertent exposure of personal information it is
not legally allowed to see (e.g. ADA, Genetic Information Non-Discrimination
Act, etc.)?
• Who owns the data on the device?
• What responsibility does the organization have for backing up the device and
providing the employee access to those backups?
• How will the organization prevent the employee from backing up sensitive
corporate data onto unprotected assets, such as carrier or manufacturer cloud
backup services?
4.1.11 Device Maintenance and Support
Planners will need to inform Senior Leaders of available maintenance and support
options for providing help desk-related support for hardware and mobile operating
system issues that may arise.
The first option is for the vendor or carrier to provide all device maintenance and
support. This option requires the lowest overhead from the organization to ensure that
their users’ support needs are met. By utilizing vendors or carriers to provide help desk
support, there is less risk that device warranties will be voided by potential help desk
actions, which may increase the overall appeal of the BYOD program. Conversely, it
leads to little organizational control over the level of service provided as well as
introduces risk that sensitive organizational data may be exposed to vendor or carrier help
desk personnel. Organizations should consider adding safeguards and/or policies to
remove or wipe sensitive data prior to a device being turned over to the vendor or carrier.
The second option for device maintenance and support is a hybrid plan. The
hybrid option lets the organization provide support for critical user problems while
deferring other issues to the vendor or carrier. The hybrid option requires additional
resources in the form of a help desk and supporting assets from the organization.
Planners will need to establish the scope and authority of organizational help desk
personnel and clearly articulate when problems will require escalation to the vendor or
carrier to preserve device warranties. Should a problem be escalated to the vendor or
carrier, planners should consider adding safeguards and/or policies to remove or wipe
sensitive data prior to a device being turned over to the vendor or carrier.
The final option for BYOD endpoint support is for the organization to provide full
support. This allows for the greatest amount of organizational control over devices and
the information resident on them; however, it also increases staffing and training costs for
endpoint support personnel competent in all the technology platforms allowed under the
BYOD policy. Providing full support for the devices may also cause any hardware
repairs to void employees’ warranties on their devices. Potential legal implications
aside, this can lead to a lower overall appeal and lower employee buy-in for the BYOD
program.
4.1.12 Is BYOD the Right Choice?
While there will be more extensive discussion of the topic of this section later in
the dissertation, it is thought that a brief discussion is worthwhile here. Once an initial
round of planning has occurred and the organization has a good measure of what it takes
to successfully implement BYOD, the next planning item should determine if BYOD is
right for the organization. A proper cost/benefit analysis should be conducted, consistent
with existing organizational IT investment processes to determine what the organization
stands to gain by implementing BYOD.
For some organizations, the risks and/or costs may not outweigh the benefits. In
that case, the organization needs to ask itself: What have we done to prevent BYOD?
Many organizations are already implementing BYOD without their knowledge but have
done nothing to control it. Today, many corporate email users can easily connect their
corporate email account to their device because nothing actively prevents it. This is a
nightmare scenario for security professionals, because they are left to defend against an
attack vector that they don’t know exists. The backdoor access may expose the organization to
data leakage, loss of sensitive information if the device is lost or stolen, or a laundry list
of other risks, all without the knowledge of the organization whose data have been
exposed.
Part of this decision is selling security process improvements to upper
management, which is not easy because security professionals have often focused on
vague although troubling potential threats and BYOD security is no exception. Security
experts are often seen as alarmists in the boardroom. Selling security as a means to
mitigate concrete risks, notably privacy issues that could lead to legal action from affected
customers and reliability issues that could lead to violations of service-level agreements
and system downtime, is more plausible: such risks can be assigned monetary value by
managers and thus offer a more effective approach (Howard & Lipner, 2009).
4.2 Identify
The Identify phase begins the BYOD
Security Lifecycle. During the Identify phase,
devices are registered for participation in the
BYOD program, officially approved for use,
and provisioned with required security settings
in accordance with the established plan
developed in Phase 1.
4.2.1 Register
In accordance with the BYOD Security
Lifecycle, the first step in the Identify phase is to register the devices that will require
protection. During the registration process, the user will present the device for inclusion
into the organization’s BYOD program. The assigned department within the organization
will evaluate the device to ensure it meets established hardware and operating system
requirements for inclusion in the process. Using an automated or manual workflow
system, official approval should be given by delegated organizational resources that the
device meets established standards and is eligible for inclusion into the BYOD program.
Some organizations may want to consider eligibility criteria for employees as well as
devices. The additional check will ensure repeat violators of BYOD or other security
policies are not placed in a position to cause additional harm.
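As an added example that is not part of the dissertation, the following Python sketch automates the evaluation described in the Register step: a device posture record is checked against a published standard drawn from a subset of the requirements in section 4.1.2 (approved platforms, minimum OS version, required capabilities), and the user is checked against the repeat-violator criterion, yielding an approval decision with the reasons for any rejection. The standard's values, field names and sample records are constructed assumptions.

```python
"""Added example (not the dissertation's own code): eligibility check for the
Register step.  Approved platforms, capability names, the violation limit and
the sample records are assumptions constructed for illustration."""

# Assumed published standard: approved platforms and minimum OS version.
APPROVED_PLATFORMS = {
    "ios": (13, 0, 0),
    "android": (10, 0, 0),
}

# Capabilities the device must report as present (subset of section 4.1.2).
REQUIRED_CAPABILITIES = [
    "mdm_supported",        # supported by the chosen MDM solution
    "encryption_at_rest",   # meets organizational encryption requirements
    "passcode_enforced",    # lock function cannot be turned off by the user
    "auto_lock",            # automatic locking after a period of inactivity
    "cert_auth",            # certificate-based authentication with revocation checks
    "policy_tamper_proof",  # user cannot disable or modify security policies
]

MAX_PRIOR_VIOLATIONS = 1  # assumed: more than one prior violation bars the user


def parse_version(text):
    """'14.7.1' -> (14, 7, 1); missing parts are padded with 0, extras dropped."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts)


def evaluate_device(device):
    """Return the list of failed requirements; an empty list means compliant."""
    failures = []
    platform = device.get("platform", "").lower()
    minimum = APPROVED_PLATFORMS.get(platform)
    if minimum is None:
        failures.append(f"platform not approved: {platform or '<missing>'}")
    elif parse_version(device.get("os_version", "0")) < minimum:
        failures.append(f"os_version {device['os_version']} below minimum "
                        + ".".join(map(str, minimum)))
    # A rooted/jailbroken device cannot be trusted to enforce any of the policies.
    if device.get("rooted_or_jailbroken"):
        failures.append("device is rooted/jailbroken")
    caps = device.get("capabilities", {})
    for cap in REQUIRED_CAPABILITIES:
        if not caps.get(cap, False):
            failures.append(f"missing capability: {cap}")
    return failures


def evaluate_user(user):
    """Employee eligibility: repeat policy violators are kept out of the program."""
    if user.get("prior_violations", 0) > MAX_PRIOR_VIOLATIONS:
        return ["user exceeds prior-violation limit"]
    return []


def register(device, user):
    """Registration decision as ('approved' | 'rejected', reasons)."""
    reasons = evaluate_device(device) + evaluate_user(user)
    return ("approved" if not reasons else "rejected", reasons)


# Constructed sample records (not real inventory data).
SAMPLE_DEVICE_OK = {
    "platform": "iOS", "os_version": "14.7.1", "rooted_or_jailbroken": False,
    "capabilities": {c: True for c in REQUIRED_CAPABILITIES},
}
SAMPLE_DEVICE_BAD = {
    "platform": "Android", "os_version": "9", "rooted_or_jailbroken": True,
    "capabilities": {"mdm_supported": True, "encryption_at_rest": True},
}
SAMPLE_USER_OK = {"user_id": "u1", "prior_violations": 0}
SAMPLE_USER_REPEAT = {"user_id": "u2", "prior_violations": 3}

if __name__ == "__main__":
    print(register(SAMPLE_DEVICE_OK, SAMPLE_USER_OK))
    print(register(SAMPLE_DEVICE_BAD, SAMPLE_USER_REPEAT))
```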
4.2.2 User Training
Prior to granting the user any access to organizational resources or data, the user
should be trained on the policies and procedures as well as their individual role and
responsibilities in carrying out the security controls associated with the organization’s
BYOD program. This initial training helps to clearly communicate the rules of behavior
expected of BYOD users while establishing the corporate culture for BYOD. User
training should be periodically reviewed for content updates and users periodically
trained. Periodic training will reinforce security norms and build a culture of security
responsibility and awareness surrounding BYOD. A workflow should only permit a user
to progress when the initial BYOD security training has been acknowledged and the user is
certified as having been successfully trained.
4.2.3 Provision
Next, the device should be provisioned in accordance with organizational policy.
Provisioning is the act of implementing security configurations, settings,
applications, device profiles, and software certificates necessary to fully realize all
security controls established as part of the BYOD program. Provisioning may occur
OTA or in person, as approved by the organization during the Plan phase. If groups are
utilized to configure department-specific accesses or security controls, group membership
should be assigned during the Provision step.
4.3 Protect
Once devices have been identified, and
users have been enrolled in the BYOD program
appropriately, the organization needs to ensure
that the devices, and the information that resides
on them, are appropriately protected throughout
the BYOD lifecycle.
4.3.1 Device Authentication
Policy is required regarding credentials
to unlock the device. There are several
decisions involved in deciding the level of protection required for smartphone access.
Many mobile operating systems have the capability to enforce two-factor authentication.
These can include token codes, common access cards, or biometrics. The use of two-
factor authentication can lower the overall appeal of the devices due to the increased time
involved in unlocking devices. Some two-factor implementations also carry increased
overhead to the organization.
There also needs to be a mobile device passcode policy. Most mobile operating
systems support utilization of a Personal Identification Number (PIN) for authentication.
Although this is the easiest manner of unlocking devices, and may be most desirable by
employees, it may be deemed inadequate to protect sensitive organizational data due to
the relative ease of cracking a four- or six-digit PIN. This means that organizations may opt to require strong passwords.
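To make the trade-off above concrete, here is an added worked example (my own code, not the dissertation's): a passcode-policy check of the kind an MDM passcode profile enforces, together with two measures of how much a random-guess attacker gains from a short PIN, namely the chance of success within the device's failed-attempt limit, and the time to exhaust the keyspace when no attempt limit applies. The policy values, the guess rate of 1,000 per second and the 62-character alphabet are assumptions for illustration.

```python
import re

# Constructed passcode profile, modelled on the settings an MDM pushes to an
# enrolled device; the values are illustrative and not from the dissertation.
POLICY = {
    "min_length": 8,
    "require_letters": True,
    "require_digits": True,
    "max_failed_attempts": 10,  # device locks or wipes after this many failures
}


def check_passcode(passcode, policy=POLICY):
    """Return the list of policy rules a candidate passcode violates (empty means compliant)."""
    problems = []
    if len(passcode) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    if policy["require_letters"] and not re.search(r"[A-Za-z]", passcode):
        problems.append("contains no letters")
    if policy["require_digits"] and not re.search(r"[0-9]", passcode):
        problems.append("contains no digits")
    if len(set(passcode)) == 1:
        problems.append("single repeated character")
    return problems


def keyspace(length, alphabet_size):
    """Number of distinct passcodes of the given length over the given alphabet."""
    return alphabet_size ** length


def online_guess_success_probability(length, alphabet_size, attempts):
    """Chance that a guesser limited to `attempts` tries before the device locks
    or wipes hits a uniformly random passcode. In this online case the device's
    attempt counter, not the PIN length, is the control that matters."""
    return min(1.0, attempts / keyspace(length, alphabet_size))


def offline_seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every passcode when no attempt counter applies,
    which is the case in which a short numeric PIN offers little protection."""
    return keyspace(length, alphabet_size) / guesses_per_second


def compare_policies(attempts=POLICY["max_failed_attempts"], guesses_per_second=1_000):
    """Tabulate both measures for the PIN lengths mentioned in the text and for
    an 8-character mixed-case alphanumeric passcode (assumed 62-symbol alphabet)."""
    rows = {}
    for label, length, alphabet in (("4-digit PIN", 4, 10),
                                    ("6-digit PIN", 6, 10),
                                    ("8-char alphanumeric", 8, 62)):
        rows[label] = {
            "keyspace": keyspace(length, alphabet),
            "online_success": online_guess_success_probability(length, alphabet, attempts),
            "offline_seconds": offline_seconds_to_exhaust(length, alphabet, guesses_per_second),
        }
    return rows


if __name__ == "__main__":
    for label, row in compare_policies().items():
        print("%-20s keyspace=%-16d online p=%.2e offline=%.1f s"
              % (label, row["keyspace"], row["online_success"], row["offline_seconds"]))
```

The two columns are the argument for pairing a PIN policy with a strict failed-attempt limit: with ten attempts allowed, even a four-digit PIN gives a guesser a 0.1% chance, while without that limit the same PIN is exhausted in seconds.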
[Figure: the seven-phase BYOD security lifecycle: 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor]
No matter the organizational decisions regarding the credentials required to
unlock the device, the policy needs to address the sharing of credentials. This includes
sharing credentials with significant others, children or other family members, friends,
and coworkers.
4.3.2 Wireless Protection
Many employee-owned devices, including both phones and tablets, are unable to
connect to networks via wired Local Area Networks (LAN) when utilized at the
workplace; they require a wireless architecture to be capable of connecting to a network.
There are several key items to consider when building a wireless architecture to support
employee-owned devices, including authentication, encryption, and consideration of who
might be listening despite the best protections.
When considering authentication, organizations should decide whether to use one-
or two-way authentication and whether to utilize individual or group authentication.
One-way authentication refers to an architecture where the device or user authenticates
itself to the network. Two-way authentication means the device or user authenticates
itself to the network and the network authenticates itself to the device, offering a greater
degree of protection from spoofed networks. An example of group authentication is a
home wireless router that requires a single, shared password to grant access to the
network. Individual authentication refers to a scheme where the device, user, or
potentially both, authenticate themselves individually against an access control list. The measures of authentication protection should be commensurate with the sensitivity of the data and resources that may be accessed once authentication has occurred.
Many organizations use a single shared password associated with a service set identifier (SSID) to grant access to their wireless networks. The shared nature of that password all but guarantees its eventual compromise. Once compromised, the
network segment is completely exposed unless other protective security controls are put
in place. Given today’s technology, there are many other solutions that can be deployed
with far greater protections for little more cost. The single, shared password for
authentication may be adequate for some organizations, but most should look for more
robust authentication protections.
One available option for increased authentication protection is to use an enterprise 802.1X authentication server to control which devices may connect to the network. 802.1X can be configured to rely on an existing Lightweight Directory Access Protocol (LDAP) server, such as Microsoft Active Directory, to provide individual authentication to the network. 802.1X has considerably more overhead than simply relying on the wireless routers for authentication with a single, shared password, but it offers a much higher level of confidence in the authentication protection afforded. Some devices, however, will automatically retry connections to 802.1X authentication servers with the same credentials any time their authentication fails, causing an inadvertent denial of service against users’ domain accounts by locking them out.
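The lockout problem in the last paragraph is something the security operations team can watch for. The following added example (not from the dissertation) is a small Python detector run over constructed, FreeRADIUS-style authentication log lines: it counts 802.1X failures per user and client MAC address inside a sliding window and raises an alert one failure short of an assumed directory lockout threshold of five, so the device can be re-provisioned before the domain account locks. The log format, NAS names, usernames and MAC addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, FreeRADIUS-style authentication log lines (made up for this
# example; usernames, NAS names and MAC addresses are not real).
SAMPLE_LOG = """\
2015-09-25 08:00:01 Login OK: [jdoe/<via Auth-Type = EAP>] (from client wlc01 port 1 cli 02-00-00-00-00-10)
2015-09-25 08:00:05 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc01 port 1 cli 02-00-00-00-00-11)
2015-09-25 08:00:09 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc01 port 1 cli 02-00-00-00-00-11)
2015-09-25 08:00:13 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc01 port 1 cli 02-00-00-00-00-11)
2015-09-25 08:00:17 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc01 port 1 cli 02-00-00-00-00-11)
2015-09-25 08:01:00 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bjones/<via Auth-Type = EAP>] (from client wlc02 port 1 cli 02-00-00-00-00-12)
2015-09-25 08:45:00 Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bjones/<via Auth-Type = EAP>] (from client wlc02 port 1 cli 02-00-00-00-00-12)
this line is not an authentication record and is ignored
"""

# timestamp, result, user (before any "/<via ...>" suffix), NAS name, client MAC
LINE_RE = re.compile(
    r"^(\S+ \S+) Login (OK|incorrect)[^\[]*\[([^\]/]+)[^\]]*\] "
    r"\(from client (\S+) port \d+ cli ([0-9A-Fa-f-]+)\)$"
)


def parse_line(line):
    """Parse one log line into a record, or return None for lines that are not auth records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, nas, mac = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ok": result == "OK", "user": user, "nas": nas, "mac": mac.upper()}


def find_lockout_risks(log_text, window_minutes=10, warn_at=4):
    """Alert once per (user, MAC) when `warn_at` failures fall inside the sliding
    window. warn_at defaults to one below an assumed directory lockout threshold
    of five, so the alert precedes the lockout rather than reporting it."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # (user, mac) -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ok"]:
            continue
        key = (rec["user"], rec["mac"])
        times = [t for t in recent[key] if rec["time"] - t <= window] + [rec["time"]]
        recent[key] = times
        if len(times) >= warn_at and key not in flagged:
            flagged.add(key)
            alerts.append({
                "user": rec["user"], "mac": rec["mac"], "nas": rec["nas"],
                "failures": len(times), "first": times[0], "last": rec["time"],
                "action": "re-provision the stored Wi-Fi credential on this device",
            })
    return alerts


if __name__ == "__main__":
    for a in find_lockout_risks(SAMPLE_LOG):
        print("%(user)s from %(mac)s via %(nas)s: %(failures)d failures "
              "between %(first)s and %(last)s; %(action)s" % a)
```

In the sample, asmith's device fails four times in twelve seconds and is reported; bjones fails twice but forty-four minutes apart, which the ten-minute window treats as unrelated. Tune the window and threshold to the directory's actual lockout policy.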
There are many other authentication solutions on the market today and more
evolving often. Organizations should use care in evaluating the full range of
authentication solutions to choose the solution that best meets their functional and
security requirements and aligns with the organization’s risk appetite.
Another key aspect of wireless protection is the encryption standards in use. As
wireless attacks become more advanced, wireless protection standards have evolved to
meet the threat. The majority of devices currently support Wi-Fi Protected Access II (WPA2) using the Advanced Encryption Standard (AES). It is recommended that the organization require WPA2 with AES when accessing sensitive data and resources, as opposed to Wired Equivalent Privacy (WEP), WPA, and WPA2 configurations that do not use AES, which rely on weaker encryption standards and are considered insecure (NIST, 2007) (Von Solms & Von Solms, 2004).
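As an added example (not part of the dissertation), here is a Python audit of a hostapd-style access-point configuration that flags the weak settings named above (WEP, WPA version 1, the TKIP cipher, a shared WPA-PSK passphrase) and passes a WPA2/AES configuration backed by 802.1X. Both configurations are constructed; the RADIUS address is a documentation address and the secrets are placeholders. The key names are hostapd's, but the check only looks at values written explicitly in the file, so defaults that hostapd would apply for missing keys are not considered.

```python
# Constructed configurations for the audit; secrets are placeholders.
WEAK_CONF = """\
interface=wlan0
ssid=corp-guest
wpa=3                      # WPA and WPA2 mixed mode
wpa_key_mgmt=WPA-PSK       # one shared passphrase for everyone
wpa_pairwise=TKIP CCMP     # TKIP still negotiable
wpa_passphrase=EXAMPLE-SHARED-SECRET
"""

HARDENED_CONF = """\
interface=wlan0
ssid=corp-byod
wpa=2                      # WPA2 (RSN) only
wpa_key_mgmt=WPA-EAP       # per-user 802.1X authentication
rsn_pairwise=CCMP          # AES only
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=EXAMPLE-RADIUS-SECRET
"""


def parse_hostapd(text):
    """Parse key=value lines, dropping blank lines and '#' comments
    (a '#' inside a passphrase would be cut here; acceptable for an audit)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_wireless(conf):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    uses_wep = any(k.startswith("wep_") for k in conf)
    wpa = conf.get("wpa", "0")
    if uses_wep:
        findings.append("WEP keys configured: WEP is broken and must be removed")
    if wpa == "0" and not uses_wep:
        findings.append("open network: no WPA configured")
    elif wpa in ("1", "3"):
        findings.append("WPA version 1 enabled (wpa=%s): only wpa=2 (WPA2/RSN) is acceptable" % wpa)
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: restrict to CCMP (AES)")
    if wpa != "0" and "CCMP" not in ciphers:
        findings.append("pairwise cipher not explicitly pinned to CCMP (AES)")
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "WPA-PSK" in key_mgmt:
        findings.append("shared passphrase (WPA-PSK): prefer WPA-EAP with 802.1X for sensitive networks")
    if "WPA-EAP" in key_mgmt and "auth_server_addr" not in conf:
        findings.append("WPA-EAP selected but no RADIUS auth_server_addr configured")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_wireless(parse_hostapd(text)) or ["no findings"])
```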
Beyond the corporate network, it can be expected that employees will connect
their devices to public or unsecured networks. To protect communications, there are
many options available that the organization should explore. The easiest option is to
utilize network restrictions on the device to permit connection to trusted networks only.
While easy, it greatly limits the usability of the device and will not work in most BYOD
situations. Another option is to take advantage of security solutions that utilize an
“always-on” VPN solution that runs through the corporate network. The VPN solution
protects the confidentiality and integrity of communications, but introduces latency
associated with the VPN solution. Other, less secure options include denying access to
unsecured wireless networks or preventing corporate connections over unsecured
connections. In the end, the planners should select the solutions that best align with the
overall business goals and are within the organization’s risk tolerance.
Based on the physical location of the device, there are also concerns regarding the
path that data takes over cellular networks. If a device is transmitting unencrypted data
over the cellular network, including voice and Short Message Service (SMS), it is
possible that eavesdropping could occur. Therefore, the physical location of employees
should be taken into account, especially for international companies. There have been
cases of nation-states monitoring both incoming and outgoing traffic, which could
compromise sensitive data in transit through cellular towers in the host country. Some
wireless solutions are also applicable to cellular transmission, most notably an always-on
VPN that goes through the organization’s corporate network, thus offering protection of
in-transit data on the BYOD.
4.3.3 Network Architecture
Establishing a network boundary permitting access to employee-owned devices is
critical to ensuring that the network is appropriately protected from the possible threats
that they present to corporate resources. There are far too many possibilities to explore
each option, but this section will outline some key concepts to consider when planning
network architecture to support BYOD.
First, the entry point for mobile devices into the corporate network should be
structured to allow for appropriate protective and detective security controls to control
and monitor mobile device network traffic. Control could be established using VPN
architecture, network monitoring tools (e.g. IDS/IPS, Next-Generation Firewall, etc.),
separate VLANs, and/or separate address spaces.
Second, the path from the untrusted entry point to the internal corporate resources
must provide a layered protective and detective security layer to control and monitor
network traffic passing between the untrusted and trusted zones. The intersection points
can be used to deploy additional protections, such as data loss prevention (DLP).
Some mobile security solutions use the concept of an always-on VPN connection
to provide data-in-transit protection for network-based communications to and from the
managed device. In this scenario, the network architecture needs to grant access to
internal resources when required while also allowing outbound Internet communication
for non-corporate destinations. Again, the intersection point represents an appropriate
place to layer protective and detective security controls.
4.3.4 Awareness and Training
Training should be conducted initially, prior to device registration in the BYOD
program, and should repeat at least annually for all users, regardless of their participation
in the program.
Training should include all aspects of the BYOD program that include a level of
user responsibility. There are several areas of user responsibility within BYOD.
Employees must understand the regulations protecting them, their data, and the security
requirements for organizational data stored on or transmitted by their personal devices.
Employees must also be briefed on the appropriate protocol for reporting security
incidents, including a lost or stolen device, so that the organization can take appropriate
actions to protect the data resident on it. Users should be trained on their other
responsibilities in maintaining compliance with BYOD policies, such as ensuring that
applications and software are kept up-to-date.
Training should occur for both non-privileged and privileged users, such as MDM
administrators and security operations analysts. It is natural that personal and corporate
data reside on the device in some combination and thus organizations may be subject to
laws and restrictions that limit what information they can capture and utilize. Privileged
users with potential access to restricted information need to understand their roles and
responsibilities in carrying out their duties. Privileged users should fully understand
where their authority begins and ends with regards to operation of the BYOD security
apparatus.
4.3.5 Application Store
There are multiple options for an appropriate application store, each at different
cost and allowing for different levels of organizational control over the employee-owned
devices.
The first option is to allow unrestricted access to public application stores. This
option is the most desirable to employees, as it allows them to download any applications
they desire without restriction. This relies on trusting the vetting processes of the
applications being allowed in their respective stores. Some application stores, such as the
Android Market, have notoriously poor malware vetting processes, instead opting to
leave the burden of protection on the users. This is not to say that other application stores
are significantly better – there have also been instances of malicious developer-signed
applications in Apple’s App Store. The malicious applications can trigger a variety of
unwanted actions, including data theft and utilization of the device as a pivot to access
restricted resources within the organization. Access to the contact list poses the threat of
spam, targeted advertising, phishing, and spear-phishing; these threats are not only to the
organization, but a compromise can also cause an organization’s clients to be exposed to
these tactics.
There is also the option to utilize a Corporate Application Store and deny access
to the commercial Application Stores. This option represents a more secure option,
allowing organizations to only publish permitted applications to the Application Store.
This is associated with both considerable overhead and a lessened overall appeal of the
BYOD program.
4.3.6 Application Whitelisting and Blacklisting
If the decision is made to use the public application stores for applications
resident on the device, there is the choice to either grant access to specific authorized
applications, known as whitelisting, or to deny access to specific unauthorized
applications, known as blacklisting. Restricting devices to known-good applications, or blocking known-bad applications, reduces exposure to poorly formed or malicious software.
Blacklisting is a reactive method of keeping applications deemed insecure off the employee-owned devices. This means that an application must be discovered, and deemed to be a threat, before being added to the blacklist. New malicious applications will therefore not yet be on the blacklist, allowing them access to the corporate network.
Whitelisting and blacklisting both require considerable overhead in the form of
corporate resources assigned with maintaining and updating the lists, although services
exist to outsource the listing functions. Whitelisting is a proactive security control that
provides a greater level of assurance that applications are safe than blacklisting does, as it
proactively denies all applications that have not been organizationally reviewed for
security. This keeps new malicious applications from being added to the device before
they can be evaluated. Whitelisting, however, is more likely to impede the employees
from downloading the applications that they want, as those applications will need to be
reviewed first, thus lowering the appeal of the BYOD program.
Either of these options allows the organization to restrict access to malicious applications and reduce the overall operational risk of a BYOD program; however, in either case, if users cannot access their desired applications, there may be less organizational buy-in to the BYOD program.
As with most processes in BYOD, user participation is required and a workflow is
needed for users to request whitelisting of particular applications. If a user desires to use
a particular app on his phone to get his job done, he should be able to request the vetting
of the app via a form, preferably online, and be guaranteed an answer within a certain
timeframe, perhaps two business days. The form will need to capture why the user needs
such an app and include a disclaimer that in case the request is denied, the user may not
use that app to do job related work. The vetting process needs to be quick for obvious
reasons. This process can be enhanced if a suggestion form is available where users can
suggest apps, even if they are not currently using them. This allows more time for the
vetting process thereby lowering the risk of malicious apps.
4.3.7 IPSec/VPN
Virtual Private Networks, or VPNs, allow for the connection of employee-owned
devices to access the organizational network as though they were within the network’s
protections. This offers a level of protection against data being intercepted or stolen in
transit.
Internet Protocol Security or IPSec is an open standard allowing for mutual
authentication and encryption of communications over the network and between
networks. This is one of the available methods for enabling VPNs. IPSec VPNs allow
for access that is similar to being physically connected to the corporate network; however
connections can be limited to specific applications on the device to mitigate the risk of a compromised device reaching any network resource it desires.
Secure Sockets Layer (SSL) VPNs provide a similar capability to IPSec VPNs,
however they can provide additional levels of control; this includes the restriction of
access to specific users or groups on the network. This allows for a greater level of
organizational control over remote access to resources than IPSec VPNs do.
Both IPSec and SSL can be used without VPNs, as well, to allow for
authentication and encryption of traffic passed over the network.
4.3.8 Mobile Device Management
A critical aspect of protecting mobile devices as part of a BYOD program is an MDM solution. Before provisioning a mobile device with MDM software, an automated or
manual process should inform MDM administrators that the user is authorized to
participate, with the identified device, in the organization’s BYOD program.
MDM administrators should be carefully selected and the principle of least
privilege taken into account. MDM administrators will have complete rights over nearly
every aspect of every mobile device under the purview of the MDM solution.
Organizations should ensure their MDM administrators are trusted and their activity
monitored.
MDM is typically deployed through an enrollment or provisioning process.
Devices can be provisioned from the MDM server using OTA or other methods. Some
MDM solutions allow for integration with directory services, such as Microsoft Active
Directory, to realize increased visibility across the organization. The provisioning
process will install the necessary certificates, configurations, and software required to
enforce BYOD security standards.
If users require different settings based upon a set of criteria (e.g. division,
geographic location, etc.), most MDM solutions offer administrators the option to
structure profiles around groups, from which BYOD users can be assigned. Groups
simplify the management and deployment of MDM profiles when users require different
settings.
A comprehensive list of MDM standard features can be found in Appendix B.
4.3.9 Location Awareness
Many mobile devices possess GPS location capabilities. Beyond telling a user the
most direct route to their local drive-thru, they can also promote a level of device self-awareness that can be utilized in combination with an MDM solution to enact protective, detective, and reactive security controls based on the device’s location.
Some solutions are capable of disabling different components on managed
endpoints. Examples include disabling cameras and microphones when carried into
specific locations, such as meeting rooms used to discuss sensitive organizational topics.
They may also restrict network access depending on the data being accessed (e.g.
disallow access to corporate data when attached to an unknown or unsecured wireless
network).
Location-aware solutions can ensure that specific physical locations of the
building are protected from unauthorized recording and photography. These may be met
with far less resistance than ensuring that each employee leaves their phone in a locker or
on a shelf outside of a protected area, which could detract from the value of the BYOD
program or the overall work environment.
4.3.10 Device Fingerprinting
Device fingerprinting allows devices to be identified, or fingerprinted, as an
additional means of authentication. There are two methods of device fingerprinting,
passive and active.
Fingerprinting allows for agentless identification of a device, and non-repudiation of data transmitted from that device. Generally, this is based on client configurations. In the case of BYOD, many devices may be configured exactly to meet the Minimum Security Baseline (MSB) while being of the same operating system and model. Traditional passive fingerprinting may therefore see many identical fingerprints, so it may not distinguish such devices reliably.
For the sake of BYOD, a more substantive fingerprinting model is recommended.
Many MDM solutions offer application-layer fingerprints based on criteria unique to the
device to ensure that there are no two devices with the same fingerprints, so that they can
all be positively identified. This is considered more invasive, and may involve adding
information such as Media Access Control (MAC) address and Serial Number to the
fingerprint to ensure that it is unique. This also allows for the fingerprint to remain static
– passive fingerprinting allows fingerprints to change as users modify the settings on
their devices.
Having static, application-layer device fingerprints allows for a higher level of
protection for network resources, as not only will a user’s authentication credentials need
to be compromised, but also their device will need to be, as well.
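An added Python example (my own, not the dissertation's or any MDM vendor's) of the contrast drawn above: a passive fingerprint computed only from observable configuration, which two identically provisioned devices share and which drifts when the user alters settings, beside a static fingerprint bound to the MAC address and serial number, and an authorization check that requires both the user's password and the enrolled device fingerprint. The device records are constructed, and which fields a real MDM agent reports is an assumption.

```python
import hashlib
import hmac
import json
import os

# Constructed device records: two BYOD phones of the same model, provisioned to
# the same Minimum Security Baseline, differing only in hardware identifiers.
# Every value is made up for this example.
DEVICE_A = {"model": "ExamplePhone 7", "os": "ExampleOS", "os_version": "9.1",
            "user_agent": "ExampleBrowser/9.1", "proxy_enabled": False,
            "mac": "02:00:00:00:00:01", "serial": "SN-EXAMPLE-0001"}
DEVICE_B = dict(DEVICE_A, mac="02:00:00:00:00:02", serial="SN-EXAMPLE-0002")

PASSIVE_FIELDS = ("model", "os", "os_version", "user_agent", "proxy_enabled")
STATIC_FIELDS = ("model", "mac", "serial")   # assumed to be reported by the MDM agent


def _digest(fields, device):
    basis = json.dumps({k: device[k] for k in fields}, sort_keys=True).encode()
    return hashlib.sha256(basis).hexdigest()


def passive_fingerprint(device):
    """Fingerprint from what an observer can infer from the device's traffic and
    configuration: identical across devices that share a baseline, and it
    changes whenever the user changes one of those settings."""
    return _digest(PASSIVE_FIELDS, device)


def static_fingerprint(device):
    """MDM-style application-layer fingerprint bound to hardware identifiers:
    unique per device and unaffected by user settings."""
    return _digest(STATIC_FIELDS, device)


def enroll(registry, user, password, device):
    """Store a salted password hash together with the fingerprint of the one
    device approved for this user during the Identify and Provision steps."""
    salt = os.urandom(16)
    registry[user] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "device_fp": static_fingerprint(device),
    }


def authorize(registry, user, password, device):
    """Grant access only when the credential and the device both match the
    enrollment record, so a stolen password alone is not enough."""
    record = registry.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    return hmac.compare_digest(static_fingerprint(device), record["device_fp"])


if __name__ == "__main__":
    registry = {}
    enroll(registry, "jdoe", "correct-horse-battery", DEVICE_A)
    print("same passive fp:", passive_fingerprint(DEVICE_A) == passive_fingerprint(DEVICE_B))
    print("same static fp: ", static_fingerprint(DEVICE_A) == static_fingerprint(DEVICE_B))
    print("enrolled device:", authorize(registry, "jdoe", "correct-horse-battery", DEVICE_A))
    print("other device:   ", authorize(registry, "jdoe", "correct-horse-battery", DEVICE_B))
```

The hardware identifiers a static fingerprint relies on are themselves spoofable in principle, so the check complements, rather than replaces, the credential and the MDM agent's own attestation of the device state.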
4.3.11 Device Encryption
Encryption is a cornerstone of BYOD security. Encrypted VPNs, using IPSec or
Secure Sockets Layer (SSL), provide for the confidentiality and integrity of data in
transit, but this may leave data on the devices unencrypted once it has reached that
destination.
There are several solutions to this, including some that may be resident on devices
already. For example, the Apple iPhones have mandated full device hardware encryption
utilizing AES-256 since the 3GS version, and this level of security cannot be disabled.
Other popular devices, such as those based on Android and Windows Mobile, do not
have this level of security mandated, though it is available through security settings.
An organization must ensure that the work effort involved in accessing
information on a lost or compromised device is great enough to allow response actions to
take place prior to the loss or theft of data resident on the device.
4.3.12 Sandboxing
Sandboxing allows for an application to run in a protected area on the device.
This allows for corporate data to be contained and segregated from the employees’
personal data. This allows for targeted wipes and targeted backups of corporate data,
ensuring that personal data are neither stored on corporate resources, nor deleted when a
targeted wipe is performed to ensure that corporate data are not compromised.
This BYOD solution, however, only ensures that the application is protected. It is
often at the discretion of the employees as to where data are stored, meaning there is still
the possibility that corporate data exists outside the protected area designated for
corporate data.
There are two methods of implementation for a sandboxed solution: zero-trust and
one-way trust. Zero-trust solutions do not allow information to transfer either into or out
of the sandbox, providing a virtual separation between organizational and personal apps
and data. One-way trust solutions allow some data to be transferred into the sandbox.
For example, records such as contacts can be moved from the untrusted area on the
device into the sandboxed area; however they do not permit data to be moved back to the
unprotected area of the device. Either of these solutions may be the best fit for an
organization depending on the sensitivity of the data, the organizational mission, and the
organization’s risk tolerance.
The major detractor of a sandboxed application solution is that the application
uses its own interface as opposed to the standard interface of the device. Productivity and
employee satisfaction may be reduced while using an unfamiliar interface that does not
contain the features and benefits that led the user to purchase the device in the first place.
In a one-way trust environment, employees may choose to use the native interface to
perform potentially sensitive work in the untrusted area on the device, and then transfer
the data into the protected area for further transmission. The scenario described
circumvents the security controls put in place to protect organizational assets and data
and should be mitigated through additional security controls, policy, and user training.
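An added example (not from the dissertation) modelling the two trust models above in Python: a device with a personal area and a corporate container, a transfer rule that blocks every cross-area move under zero trust and allows only personal-to-corporate moves under one-way trust, a targeted wipe that clears the container alone, and a compensating check for the scenario in the preceding paragraph, where work is done in the native apps first and only then moved into the sandbox. That a transfer leaves a copy behind in the source area, and the marker-based classifier, are assumptions for illustration.

```python
ZERO_TRUST = "zero-trust"
ONE_WAY_TRUST = "one-way-trust"
PERSONAL = "personal"
CORPORATE = "corporate"


class SandboxedDevice:
    """Toy model of a device with an unprotected personal area and a sandboxed
    corporate container, enforcing one of the two trust models."""

    def __init__(self, trust_model):
        if trust_model not in (ZERO_TRUST, ONE_WAY_TRUST):
            raise ValueError("unknown trust model: %r" % trust_model)
        self.trust_model = trust_model
        self.areas = {PERSONAL: {}, CORPORATE: {}}   # area -> {name: content}
        self.audit = []                              # (src, dst, name, outcome)

    def write(self, area, name, content):
        self.areas[area][name] = content

    def transfer_allowed(self, src, dst):
        if src == dst:
            return True
        if self.trust_model == ZERO_TRUST:
            return False
        # one-way trust: into the sandbox only, never out of it
        return src == PERSONAL and dst == CORPORATE

    def transfer(self, src, dst, name):
        """Copy an item between areas if the policy permits. The source copy is
        left in place (assumption: a share/copy action), which is exactly the
        residue the text warns about."""
        allowed = self.transfer_allowed(src, dst)
        self.audit.append((src, dst, name, "allowed" if allowed else "blocked"))
        if not allowed:
            raise PermissionError("%s -> %s blocked by %s policy" % (src, dst, self.trust_model))
        self.areas[dst][name] = self.areas[src][name]

    def targeted_wipe(self):
        """Remove corporate data only and report how many items were cleared."""
        removed = len(self.areas[CORPORATE])
        self.areas[CORPORATE].clear()
        return removed

    def residual_corporate_data(self, is_corporate):
        """Compensating check: items in the personal area that the classifier
        flags as corporate, i.e. work done outside the sandbox."""
        return sorted(n for n, c in self.areas[PERSONAL].items() if is_corporate(c))


def looks_corporate(content):
    """Constructed classifier: content carrying the marker is corporate data."""
    return "[CORP-CONFIDENTIAL]" in content


def circumvention_scenario():
    """Draft in the native app, then push the draft into the sandbox: the
    one-way policy allows it, the draft stays in the unprotected area, and a
    targeted wipe later removes only the sandboxed copy."""
    dev = SandboxedDevice(ONE_WAY_TRUST)
    dev.write(PERSONAL, "notes.txt", "[CORP-CONFIDENTIAL] Q3 forecast draft")
    dev.write(PERSONAL, "shopping.txt", "eggs, milk")
    dev.transfer(PERSONAL, CORPORATE, "notes.txt")
    residual = dev.residual_corporate_data(looks_corporate)
    wiped = dev.targeted_wipe()
    return {"residual": residual, "wiped": wiped, "personal_left": sorted(dev.areas[PERSONAL])}


if __name__ == "__main__":
    print(circumvention_scenario())
```

The residual check is the kind of additional control the paragraph calls for; on a real device it would be an MDM or DLP agent classifying content outside the container, with policy and training covering what the agent cannot see.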
4.3.13 Virtualization
The option for a virtualization solution offers the greatest level of control over
organizational data that is used by employees from their devices.
A virtualization-based BYOD solution allows for a device to access a thin client
that stores, processes, and transmits all data from organizationally owned and operated
hardware. This keeps organizational data from being stored on, processed, or transmitted
by the employee-owned device. This solves several of the inherent problems with
BYOD. To name a few, the loss of a device, or even a device being shipped to a vendor
for repair, no longer requires it to be wiped. The risks associated with both corporate and
employee backups are also removed.
This is not without major detractors, however. A virtualization-based solution
comes with substantial overhead, in servers, storage, processing, and a network backbone
capable of low latency while in use – not to mention administrators with the appropriate
expertise in workforce mobility virtualization.
Among the primary benefits of BYOD are that employees are more productive
due to working with interfaces that they are comfortable with and that they have chosen
to use; a virtualization-based approach will often utilize one-size-fits-all thin clients,
forcing employees to use the same interfaces that they embraced BYOD to be rid of.
This may lower productivity and may also lower employee satisfaction, making the
BYOD program less appealing.
4.3.14 Endpoint Protection
There are multiple options when deciding on appropriate endpoint protection.
Most mobile operating systems have solutions allowing an agent to be installed on the
device. This will cause resource utilization overhead on the employee-owned device,
such as processor, memory, and network usage.
There are several solutions that allow for centralized management of security on
endpoints to supplement the chosen MDM solution. These will have lower resource
utilization overhead for employee-owned devices.
There are also locally managed solutions for endpoint protection. If a local
solution is decided upon, the administrative control over this solution may be left in the
employees’ hands, leading to potentially insecure configurations. If this approach is
taken, a generic minimum-security baseline should be established for the local endpoint
protection solution, and additional awareness training should be added to the employee
BYOD training regarding the expectations for local endpoint protection.
4.3.15 Mobile Operating System Patching
To ensure a high level of protection for mobile devices, vendor operating system
patches should be applied in a timely manner. Vendor patches regularly include
mitigation and remediation of known security flaws on mobile operating systems.
Many operating system functional upgrades are released with additional features
that contain insecure configurations and new security flaws waiting to be exploited by
opportunistic threat actors. An organization must decide whether to allow its users to
upgrade their own devices at will, or if it will need to be done as part of the
organization’s configuration management process.
There is potentially high overhead involved with exploring the security
implications of every upgrade to every organizationally-supported operating system, and
the overall appeal of a BYOD program may be lessened if an employee cannot have the
shiny new Android or Apple operating system the day it launches. Decisions should be
driven based on the organization’s risk management strategy, risk appetite, and threat
landscape.
Failing to install new operating system upgrades may have a negative effect and
can lead to users having insecure or unstable operating systems on their devices. This
can result in compromised data or a reduction in productivity.
4.3.16 Application Patching
The process for patching both corporate and non-corporate applications has
potential security implications. The Security Officer will need to develop an appropriate
vulnerability management policy regarding the patching of applications.
Corporate applications should closely follow the software development lifecycle
(SDLC) to allow for a reasonable expectation of secure application releases.
Non-corporate applications can also have far reaching implications on the security
of the device. Many applications are not designed with security in mind, and one cannot
necessarily expect the newest version of “Words with Friends”, “Angry Birds”, or
“Facebook for Windows Mobile” to be free of possible backdoors that an attacker could
use to gain access to the device. Users will need to be responsible for ensuring that their
personal applications are kept up to date. If application white- or blacklisting is in use,
the organization should ensure the list encompasses each version release of listed
applications.
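An added Python example (not the dissertation's) that serves both Section 4.3.6 and the version point made just above: an evaluator that applies an allow list or a deny list to a device's installed-application inventory, with both lists keyed by package and version, so that an approved application's unreviewed new release is held back and a specific vulnerable release can be denied while its patched successor passes. The package names, versions and inventory are constructed.

```python
from collections import namedtuple

App = namedtuple("App", "package version")

# Constructed lists; package names and versions are made up.
# Allow list: every version release the organization has reviewed.
ALLOW_LIST = {
    "com.example.mail": {"4.2.0", "4.2.1"},
    "com.example.chat": {"3.1.2"},
}
# Deny list: releases known bad, or "*" for every version of the package.
DENY_LIST = {
    "com.example.flashlight": {"*"},
    "com.example.chat": {"3.1.0"},
}

WHITELIST = "whitelist"
BLACKLIST = "blacklist"


def evaluate_app(app, mode, allow=ALLOW_LIST, deny=DENY_LIST):
    """Return (compliant, reason) for one installed app under the chosen mode."""
    if mode == WHITELIST:
        reviewed = allow.get(app.package)
        if reviewed is None:
            return False, "not on the allow list; submit a whitelisting request"
        if app.version not in reviewed:
            return False, "version %s of an approved app has not been reviewed" % app.version
        return True, "approved version"
    if mode == BLACKLIST:
        bad = deny.get(app.package, set())
        if "*" in bad:
            return False, "package is denied in every version"
        if app.version in bad:
            return False, "version %s is denied; update to a patched release" % app.version
        return True, "not on the deny list (unknown apps pass in this mode)"
    raise ValueError("unknown mode: %r" % mode)


def evaluate_inventory(inventory, mode):
    """Map each installed app to its verdict; non-compliant entries can be fed
    to the MDM for removal or to the whitelisting request workflow."""
    return {app: evaluate_app(app, mode) for app in inventory}


def compliant_apps(inventory, mode):
    return sorted(app for app, (ok, _) in evaluate_inventory(inventory, mode).items() if ok)


# Constructed inventory as an MDM agent might report it.
INVENTORY = [
    App("com.example.mail", "4.2.1"),        # reviewed release
    App("com.example.mail", "4.3.0"),        # newer, not yet reviewed
    App("com.example.game", "1.0"),          # on neither list
    App("com.example.flashlight", "2.0"),    # denied outright
    App("com.example.chat", "3.1.0"),        # denied release
    App("com.example.chat", "3.1.2"),        # patched successor
]


if __name__ == "__main__":
    for mode in (WHITELIST, BLACKLIST):
        print(mode)
        for app, (ok, reason) in evaluate_inventory(INVENTORY, mode).items():
            print("  %-24s %-6s %s %s" % (app.package, app.version, "ok  " if ok else "FAIL", reason))
```

The unlisted game passes in blacklist mode and fails in whitelist mode, which is the reactive-versus-proactive difference the section describes in one line of output.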
4.4 Detect
Even when devices are adequately
protected, changes in the technological
landscape cause new attack vectors to arise
regularly. Due to this, there are several
different events that need to be identified so
that an organization can proactively prevent,
or respond to and recover from, intentional or
unintentional threat events.
4.4.1 Vulnerability Detection
Software and configuration flaws can have unintended consequences, including
denials of service, unauthorized access to organizational resources, and the loss or
compromise of data. Detection of these vulnerabilities can be performed in several ways.
Many automated scanners use tactics similar to those that a hacker would use in the reconnaissance stages of an attack. Among these are verifying that the device is alive,
and then probing the device to find out what services are running. There are several
vulnerability scanners on the market with the capability to find software flaws on a
variety of mobile operating systems.
There are several advantages of using automated vulnerability scanners.
Generally, there is only a low level of effort involved in finding known software and
configuration flaws that attackers could potentially exploit. Often, these flaws are also
identified with documented fixes readily available.
[Figure: the seven-phase BYOD security lifecycle: 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor]
The possible disadvantages of these vulnerability scanners are that there is generally increased network usage associated with them. Also, as new technologies emerge and new vulnerabilities are found, the scanners must be kept up to date. As employee-owned devices are not always on the network, the ideal time to perform vulnerability scanning would be when they are connected, which is also the time of day when the network will already be experiencing the most strain. Some vulnerability scanning engines will not support all of the available mobile operating systems.
There is also the question of legality of scanning employee mobile devices,
finding potential weak areas in their software and configurations that could be exploited.
As many documented bugs also have documented exploits, retaining this information on
a network server may be a risky decision. An attacker gaining access to that server
would effectively have a database of their reconnaissance phase completed for them if
they were to perform an attack.
The organization’s Security Officer will need to decide on the requirements for
vulnerability scanning and detection while on the network, however, these are actions
that will need to be taken by the security operations team and overseen by the Director of
Security Operations.
4.4.2 Malware Detection
Part of the risk that employee-owned devices pose is that users have
administrative control of these devices, and that they are not always connected to
networks with the same level of protection as organizational networks. That can lead to
malicious software being resident on them; this software may be used to gain access to
employee-owned devices. The two primary antivirus methodologies for BYOD are
organizational and client based, and the organization’s Security Officer will need to
decide which of these is the most beneficial to obtain an acceptable level of risk.
Agentless anti-malware solutions can be run as an internal service for the
organization. These solutions have the same downsides as vulnerability scanners – they
require consistent updates to the signatures to remain effective. These will also require
the security operations team to manage, and can increase network strain while they are
scanning, because again, this must be done during the day. However, these solutions will
provide the organization with the peace of mind that the antivirus is kept up to date – it is
not left in the employees’ hands to ensure that their antivirus is up to date.
If the solution is to be local malware protection, this will require less network
utilization and lower employee overhead. This, however, relies on employees to ensure
that the antimalware solution is kept updated.
4.4.3 Attack Detection
If vulnerabilities or malicious software are not detected, or if they are detected
and not remediated, attackers can exploit these to gain a network foothold. A foothold
within the network can be used as a pivot to gain access to areas of the network that are
otherwise restricted. Attacks need to be detected so that they can be responded to
appropriately.
When connected to corporate networks, the Security Incident and Event
Management (SIEM) solution, Intrusion Detection/Prevention Systems (IDS/IPS), and/or
Next-Generation Firewalls should be placed and configured appropriately to detect
malicious activity targeting the endpoints within the protected area of the network to
which they are allowed to connect, as well as malicious activity emanating from devices within
that area. SIEM, IDS/IPS, and Next-Generation Firewall solutions should be deployed
using a Defense-in-Depth strategy to maximize protection and visibility into mobile
device traffic.
4.4.4 Lost Device
Even with all the safeguards, it must be assumed that at some point, an employee
will have a device lost or stolen. The BYOD training plan needs to cover the importance
of users reporting lost or stolen devices to the appropriate information owner. This will
allow for the information owner(s) of the data resident on the device to determine the best
course of action, and to initiate the appropriate recovery actions.
4.4.5 Data Loss Detection/Prevention
In order to detect security violations or potential exposure of sensitive data, a data
loss detection or prevention (DLP) system could be used. There are several different
ways to implement DLP. The solutions presented assume the reader has some familiarity
with DLP and the current industry offerings.
The first method assumes that all network traffic is routed through an “always-on”
VPN connection. In this scenario, the DLP solution is deployed at a strategic network
location where all BYOD traffic will eventually cross in order to detect security
violations. Because the traffic will inevitably cross the sensor, DLP violations can be
detected and appropriate actions taken. This solution can be beneficial because it may
not require additional hardware or software beyond existing enterprise capabilities
(assuming the organization has already deployed a DLP solution).
The second method is to install a DLP client either on the device or, in the case of
a sandbox BYOD solution, in the sandbox. A direct DLP client on the device may detect
attacks that might otherwise be missed. However, solutions are limited in both scope and
effectiveness while the market continues to evolve. This solution is also more expensive
to deploy and operate, but offers potentially the best protection available, assuming a
solution that works for all approved devices can be found.
The last solution is to rely upon existing DLP solutions to protect against data
loss. While connected to a corporate network or using corporate email, these solutions
may prove partially effective. The danger is that users may inadvertently or maliciously
send data out through unmonitored interfaces, such as Wi-Fi, Bluetooth, cellular,
personal email, post to the web, etc. Regardless of the chosen solution, organizations
should examine the ability of users to transmit sensitive data over the cellular network,
effectively bypassing network security controls.
4.4.6 Device Monitoring
Employee-owned devices will need to be monitored for communications that may
contain potentially sensitive information. However, as the employee owns the device,
there are regulatory restrictions and legal implications of an employer monitoring
communications.
Many MDM solutions allow for communication through the application to be
tracked, though there will need to be criteria to establish the difference between personal
and organizational data transfer. Monitoring of an employee's communication with a
personal contact could potentially expose sensitive information, including data protected
by law. The criteria for monitoring must be appropriately vetted to ensure due diligence
and due care on the part of the organization in the case of personal information being
discovered.
4.5 Respond
Once a threat event has taken place,
the organization must respond. The response
will be based on the nature of the risk or threat
event that has presented itself to the
organization.
4.5.1 Vulnerability Remediation
When periodic scans discover
vulnerabilities in software, either due to code
flaws or insecure configuration, the risk must
be mitigated to an organizationally acceptable level. This requires that the level of risk
be determined. Many vulnerabilities may already have Common Vulnerability Scoring
System (CVSS) scores2 associated with them, allowing for a quick basis for the level of
risk presented to the organizational computing environment. Depending on the type of
vulnerability, and the level of risk presented, there are several choices available. The
owner of the device should be made aware of what is happening, and why, at every point
throughout this process.
In the case of an insecure configuration, scan findings should be reviewed to
determine whether the vulnerability is resident on a single device, a subset of related
devices, or all devices. Generally, if it is resident on a single device, this can be
remediated without utilizing the organization configuration management process. Some
device operating systems may not support configurations that are otherwise required as
part of the Minimum Security Baseline (MSB), leading to several related devices
showing the same insecure configuration vulnerability. This may be remediated through
compensating controls or through third party applications, or may need to be accepted as
a risk in allowing these devices to be part of the BYOD program. If all devices are
showing the same vulnerability, then the impacts of remediation should be researched
through the configuration management process, and the viability of adding controls to
mitigate the risk should be determined. If it is determined that the risk cannot be
accepted as it is, and requires remediation, the organization should update their MSB.
2 http://nvd.nist.gov/cvss.cfm
[Figure: the BYOD Security Framework lifecycle, with the phases 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, and 7. Assess and Monitor]
In the case of software code vulnerability, the organizational vulnerability
management process should be followed. The decisions made should involve
communication with the device owner, or owners, if it is due to an insecure operating
system or application.
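The remediation decision described in this section (determine the risk level from the CVSS score, then route an insecure-configuration finding according to whether it appears on a single device, a subset, or the whole fleet, while software-code findings go to the vulnerability management process) can be expressed as a small triage routine. The following is an added example written for this page, not code from the dissertation; the fleet, device names, vulnerability identifiers, CVSS scores and routing strings are constructed, and the severity thresholds follow the CVSS v3 qualitative rating scale rather than anything stated in the text.

```python
"""Triage of BYOD scan findings along the lines of section 4.5.1.

Added example, not part of the dissertation. Every device name, finding
identifier and score below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one device (constructed record layout)."""
    device: str    # device identifier as reported by the scanner
    vuln_id: str   # scanner's identifier for the weakness
    kind: str      # "config" = insecure configuration, "code" = software flaw
    cvss: float    # CVSS base score, 0.0 - 10.0


# Constructed BYOD fleet and scan output; names and scores are illustrative only.
FLEET = ["dev-01", "dev-02", "dev-03", "dev-04", "dev-05"]
SCAN = [
    Finding("dev-01", "CFG-SCREENLOCK-OFF", "config", 6.5),
    Finding("dev-02", "CFG-OLD-TLS", "config", 7.4),
    Finding("dev-03", "CFG-OLD-TLS", "config", 7.4),
    *[Finding(d, "CFG-DEBUG-ENABLED", "config", 5.3) for d in FLEET],
    Finding("dev-04", "APP-EXAMPLE-RCE", "code", 9.8),
]

# Routing decisions from section 4.5.1, keyed by how widespread the finding is.
PATH_SINGLE = "remediate on the device directly, outside configuration management"
PATH_SUBSET = "compensating controls, third-party application, or documented risk acceptance"
PATH_ALL = "configuration management review; update the MSB if the risk cannot be accepted"
PATH_CODE = "organizational vulnerability management process; notify affected owners"


def risk_level(cvss: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative severity rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def config_path(affected: int, fleet_size: int) -> str:
    """Single device, subset of devices, or all devices (section 4.5.1)."""
    if affected >= fleet_size:
        return PATH_ALL
    if affected == 1:
        return PATH_SINGLE
    return PATH_SUBSET


def triage(scan: List[Finding], fleet: List[str]) -> List[Dict]:
    """Group findings per weakness and attach a risk level and remediation path.

    Returns a list ordered by CVSS score (highest first), then by the number of
    affected devices, so the security operations team works the riskiest first.
    The device list doubles as the set of owners to keep informed throughout.
    """
    by_vuln: Dict[str, List[Finding]] = defaultdict(list)
    for f in scan:
        by_vuln[f.vuln_id].append(f)

    items = []
    for vuln_id, findings in by_vuln.items():
        devices = sorted({f.device for f in findings})
        cvss = max(f.cvss for f in findings)
        kind = findings[0].kind
        path = PATH_CODE if kind == "code" else config_path(len(devices), len(fleet))
        items.append({
            "vuln_id": vuln_id,
            "kind": kind,
            "cvss": cvss,
            "risk": risk_level(cvss),
            "devices": devices,
            "path": path,
        })
    items.sort(key=lambda i: (-i["cvss"], -len(i["devices"])))
    return items


if __name__ == "__main__":
    for item in triage(SCAN, FLEET):
        print(f'{item["risk"]:<8} {item["cvss"]:>4} {item["vuln_id"]:<20} '
              f'{len(item["devices"])}/{len(FLEET)} devices -> {item["path"]}')
```

Running the module prints the constructed findings in priority order; in practice the `SCAN` list would be populated from the scanner's export and `FLEET` from the approved-device inventory, and the "all devices" branch is what triggers the configuration management review and possible MSB update the text describes.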
4.5.2 Malware Removal
There also have to be documented procedures for malware removal, whether it is
intentionally malicious or “accidentally” poses a threat. The IT Security Staff will need
to make an informed decision as to the course of action to mitigate these potential threats
based on a set of predetermined criteria, so that the security operations team can take the
appropriate mitigating action.
The safest route, as always, is to wipe the device. This will ensure that the
malware, even at the rootkit level, has been removed. It provides the highest level of
organizational assurance that the risk posed by the malware has been removed.
Some applications may pose an inadvertent threat, as previously discussed, and
the ideal way to address these may be to remove them from the device, and disallow them
via an application store whitelisting or blacklisting solution.
4.5.3 Incident Response
As suspicious activity is detected, organizational incident response personnel will
respond in accordance with the organizational Incident Response Plan (IRP). The
organizational IRP needs to be appropriately resourced to handle incidents related to
employee-owned devices. The additional challenges presented by a BYOD program,
including the lack of organizational device control, lack of remote access capability, and
the implications of taking physical possession of the device, must be adequately
identified and socialized through policy and user training. Business needs and scope
must be established prior to any incident response activity to ensure compliance with
organizational policy, and any applicable laws and regulations.
Response activities to potential attack or compromise of a device should be
published and accepted by both Senior Leaders and the users. While not a panacea for
legal battles over organizational responsibility of employee data, proper socialization will
help establish a corporate culture that supports business goals with regards to incident
response. Employees should be trained and should formally acknowledge IRP
procedures and the employee’s role in compliance with the IRP.
A significant risk in the area of incident response is the preservation of evidence
on the device. The lack of organizational control of the device can lead to corruption of
forensic findings due to actions, either accidentally or purposefully, performed by an
employee. The IRP and supporting employee training should identify these scenarios and
provide clear guidance on roles and responsibilities by both employees and incident
response personnel.
As outlined in the legal issues (4.1.10) section of this framework, situations may
arise where the most appropriate incident response action is to wipe the device. In those
cases, the organization should ensure they are prepared technically, culturally, and legally
to deal with any potential repercussions resulting from the loss of organizational and
employee data.
4.5.4 Device Account Deactivation
Once a user has reported that a device has been lost or stolen, or the security
operations team discovers that the device has been compromised, the IT operations team
will need to deactivate the device account. This will disallow it from being used to
access protected organizational resources in the event that a threat actor gains control of
it.
4.5.5 Remote Wipe
Once an employee reports that a device is lost or stolen, the organization will
need to take steps to protect data that may be resident on the device. This includes
wiping the device remotely so that if the device is stolen, no organizational data can be
compromised. There are several approaches to this, which will need to be discussed by
the Security Officer and the information owner(s). The security operations team will then
be responsible to enact one of two possible remote wipe capabilities, depending on
organizational decisions.
The entire device can be wiped. This ensures that no organizational data, nor an
employee’s personal data, can be stolen. Therefore, potentially sensitive data types,
though no longer recoverable from the device, will not fall into the hands of a threat
actor. This also protects employee’s personal data, which could be used for spear
phishing and other social engineering attacks. There may be legal issues which need to
be explored with regards to wiping an employee’s personal data from an employee-
owned device. This could cause some level of discontent if an employee reports their
device lost or stolen, only to find it, as a brick, sitting on the dresser when they return
home.
Targeted directories or specific sandboxed areas on the device where
organizational data are to be stored can be wiped. This will leave all employee-owned
data on the device, avoiding potential legal implications. However, there may be some
organizational data that remains resident on the device outside of those directories.
4.6 Recover
Following the initial response to a
threat event, the organization must be able to
fully recover from the event.
4.6.1 Corporate Backups
In the case of a device that was
wiped, whether it is due to loss, theft, or
being shipped to a vendor for repair, the
organization will need to be able to recover
the data, or a subset of the data, that were
stored on it. The same is true if the device suffers catastrophic failure. The most
common means of ensuring that the data are recoverable is a corporate backup solution.
There are several options in deciding what information to back up with a corporate
backup solution.
The whole device can be backed up. If the device is lost, stolen, or suffers
catastrophic failure, this will ensure that no organizational data are lost, as well as
ensuring that employees’ data are not lost. This will, however, lead to increased
organizational storage requirements, depending on the number of employees that are a
part of the BYOD program. There is also potential for employees to perceive misuse of
their personal data stored on organizational servers. It is recommended that the
organization seek legal counsel regarding the implications of backing up employees’
personal data on corporate infrastructure, as these data could include information covered
under multiple laws.
Targeted directories or specific sandboxed environments can be backed up. This
ensures that employees’ personal data will not be stored on organizationally-owned
servers, alleviating potential legal qualms and ensuring that administrators do not have the
capability to sift through employees’ personal data. This will also ensure that file servers
are not bloated with unnecessary personal data from employee-owned devices. However,
all organizational data may not be stored within the targeted scope of the backup, leading
to the possibility of permanent loss if the entire device is not backed up.
As always, there is the option to completely forego a corporate backup solution.
This will require no overhead, and will ensure that no employee data are stored on
organizational servers. However, if a device is lost, stolen, or suffers catastrophic failure,
all organizational data that is resident on the device may be permanently lost.
Information owners will need to determine, in collaboration with the Security Officer,
the scope of employee-owned device backups, based on the requirements for
confidentiality, integrity, and availability of information that is stored on them, weighted
against the potential legal implications of potentially storing sensitive personal data on
the organizational backup solution.
4.6.2 Employee Backup
If users are unable to access the corporate backup solution, or if it does not back
up all of the data on their device, they may be inclined to perform personal backups.
These backups may take place prior to a mobile operating system upgrade in case the
upgrade is unsuccessful, or even prior to device de-provisioning to retain either the
personal or sensitive corporate data that were otherwise sanitized from the device. This
can include using either cloud-based backups or backups that are stored locally on
employees’ other personal devices.
If employees do back up their devices to either cloud-based solutions or to other
devices that may or may not be a part of the organizational BYOD program, then there is
a high probability of sensitive organizational data being stored on assets entirely outside
of organizational control.
If employees cannot perform these backups, then they will have to rely on
corporate backups of their information, which can be out of date unless they are
performed on-demand. There will also be the risk that if employees are only able to
restore their device from the corporate backup solution, they may only be willing to
perform software updates while at work, lowering their overall efficiency. An employee
may also elect to forego operating system updates, which can lead to additional published
security flaws being resident on their devices, leading to an increased possibility of
compromise.
The Security Officer and information owner(s) of data expected to be resident on
the devices need to weigh the additional risks of data compromise against the capabilities
of the corporate backup solution in deciding whether users may back up their own devices.
4.6.3 Device Tracking
Whether or not devices are able to be tracked by the organization is another
potentially sticky item. This will need to be discussed by all stakeholders, including user
representatives, to ensure an appropriate decision is made.
If an organization tracks the devices, it may allow for the recovery of lost or
stolen devices. This can alleviate the potential for wiping a device that was reported as
lost or stolen, but appears to be in the residence of the employee.
However, the organizational BYOD program may have a lesser appeal due to the
potential for misuse. Along with the possible level of discomfort, there is currently no case
law regarding the tracking of employee-owned mobile devices; the legality of this has not
been established. This may lead to supervisors tracking phones when an employee is
supposed to be in attendance at an off-site meeting and seeing that they are on the fourth
hole of a local golf course – what course of action can an employer take, if any?
There are also applications that allow employees to track their own devices (e.g.
“Find my iPhone”), which may be recommended or mandated by the organization in lieu
of an organizational capability to track employee device whereabouts. This can aid in the
ability for recovery of a device without the legal or moral implications of an organization
doing so.
If the Security Officer has made a determination allowing employee-owned
device tracking within the organization, it is recommended that only the security
operations team is capable of tracking devices to maintain a level of checks and balances.
If employees are mandated to have the capability of tracking their own device, this
burden lies with the user in tracking and discovering the location of their device.
4.7 Assess and Monitor
After implementation, it is critical to
assess and monitor the BYOD security program
for effectiveness and efficiency. Threats,
technology, and security solutions will continue
to evolve. Organizations need to ensure a
continuous monitoring and feedback loop is in
place to meet the changing landscape. This
section will outline some key facets of the
Assess and Monitor phase of this BYOD
Security Framework.
Throughout the BYOD lifecycle, there will be risks associated with the program.
These must be appropriately mitigated to ensure that the program maintains value to the
organization.
4.7.1 Review and Evaluation of BYOD Program
The BYOD program needs to be reviewed and evaluated for effectiveness on a
periodic basis to ensure that it remains relevant and effective to the organization. The
entire BYOD security program should be re-evaluated on at least an annual basis, using
this framework as a roadmap for conducting evaluation efforts. Security requirements
should remain applicable to the business mission. Policies and procedures should be
reviewed at least annually to ensure they continue to meet security requirements. Last,
the security controls should be assessed as part of a larger risk management program to
validate that controls are implemented and operating as designed.
4.7.2 Insider Threat
Despite the media attention that cyber attacks garner, the oldest and most
effective way to damage, destroy, and exfiltrate sensitive information remains the trusted
insider. Insiders are usually granted access to sensitive information as part of their
normal duties. Privileged insiders may have knowledge of security controls and how to
exploit them as well as locations and access methods to sensitive information.
Organizations should plan to incorporate insider threat concerns stemming from the use of
BYOD into their existing mitigation schemes. Particular attention should be paid to
system administrators of critical BYOD security functions, such as MDM.
4.7.3 Penetration Testing
Penetration testing can expose vulnerabilities that were not found through other
detective security controls. Organizations should carefully plan the scope of penetration
testing efforts in order to comply with any regulatory or legal requirements regarding
employer penetration testing conducted on employee devices. As of the time of this
writing, there is little in the way of laws or legal precedents regarding penetration testing
conducted on employee devices.
One approach is to use devices owned by the organization and perform
penetration testing (along with other needed testing) using those devices. This way,
many of the holes and security vulnerabilities of the network can be detected. The
opposite testing can attempt to break into organizationally owned devices in order to
detect security vulnerabilities on those devices. The organization’s security team can then
move to put the needed patches and policies in place while keeping the users
informed of the process.
4.7.4 Periodic Review of Approved Devices
As security requirements change and threats evolve, organizations will need to
periodically review approved device lists. Changes to security requirements or the threat
landscape may make devices or mobile operating systems obsolete. Organizations should
plan for and train BYOD users on how the decision will be communicated and develop a
standard transition plan to allow users to migrate from their obsolete devices to approved
devices. Organizations should also be prepared to handle cultural unpopularity of
removing a device for security reasons. The constantly changing nature of mobile
technology and employees’ desires to keep up may mitigate this risk, but organizations
should be prepared regardless.
4.7.5 Approval of New Devices
In order to keep up with constantly evolving devices and mobile operating
systems, organizations should periodically evaluate new industry offerings for inclusion
into the BYOD program. In addition to organizationally-initiated reviews, employees
should have a means to submit new devices and mobile operating systems as candidates
for inclusion. Failure to maintain a relevant device and mobile operating system list will
surely detract from the success and appeal of the organization’s BYOD program. New
devices and mobile operating systems should be evaluated using criteria established
earlier in this framework to ensure the candidate is capable of meeting all security
requirements at an acceptable level.
4.7.6 Device De-provisioning
Employees will leave the company at some point, even in organizations with very
high retention rates. This means that a course of action must be taken by the organization
to protect potentially sensitive organizational data that is resident on their BYOD devices.
All stakeholders in the de-provisioning process should be briefed on their roles and
responsibilities in carrying out de-provisioning activities.
Figure 8: Key De-provisioning Activities (Remove Accesses; Wipe Sensitive Data; Remove Certs & Settings; Remove Security Software)
During the de-provisioning process, four key items must be addressed, outlined in
figure 8. Any device access to organizational information or assets must be removed.
Accesses may come in the form of email accounts, installed applications, or digital
certificates. Sensitive organizational data must be wiped using approved mechanisms to
prevent data retrieval. If the device is being removed from use completely, employees
should consider removing their own personal information on the device as well.
Remaining digital certificates and security settings must be removed in addition to any
security software installed by the organization (e.g. MDM). One solution to achieve this
goal is to restore the device to its factory default settings, once data have been removed.
As part of the de-provisioning process, organizations should confirm de-provisioning
activities, including data wipes, and track associated security metrics.
The removal of sensitive data is critical in the de-provisioning process. Sensitive
data may come in many forms depending on the nature of the organization and the
employee’s role. It cannot be assumed that just because the device has been wiped that
all sensitive data are free from disclosure risks. If allowed, employees may have backed
up their device and its data on non-corporate media. In those situations, it may be
beneficial to perform a de-provisioning interview with BYOD users to confirm deletion
of sensitive data beyond the organization’s control.
5 Key Controls as Part of BYOD
"Just because a mobile site is meant to be viewed on a mobile browser with limited
functionality doesn't mean an attacker can't load it in a normal browser and have full use
of their powerful tools to bypass authentication, find vulnerabilities in non-standard
encryption and ultimately crack the site. … It's like having two doors to your bank vault.
Web applications of today are like the highly guarded front door fortified by mature
security practices and fully capable of stopping an intruder. Mobile APIs are like the
unguarded back door — offering far easier access to would-be attackers."
Pete Soderling, founder of Stratus Security
5.1 Overview
As has been mentioned, technology alone cannot guarantee the success of BYOD
programs. A successful policy implementation and its management are also necessary. It
is important to understand that such policies will have many parts that are non-technical
and others that are technical. Part of such a policy implementation would be a set of
process controls that encourage users to comply with enterprise policies. Planners of
BYOD would benefit from using such controls in order to improve the policy compliance
wherever technology solutions may come up short. Process controls can be defined as a
set of procedures and techniques used to influence compliance with policies. As BYOD
implementations must comply with a variety of legal, financial, regulatory, HR, and
service-level necessities, having such controls is crucial to success. Of course, enforcing
policies is always a challenging matter.
The idea here is to implement technology policies, user-related policies, and
process-related policies so that once in place, supporting technologies such as MDMs can
be configured so that BYOD is implemented successfully. Successful implementation
means different things to different enterprises, but a good definition would be an
implementation with the minimal risk level as required by the enterprise. The goal of
process-side policy compliance is to address the users’ level of awareness and their
motivation to comply with the policies. Success begins with proper education. BYOD is
a shift in how enterprises, IT, and users think and relate to one another. In BYOD, all are
in far greater partnership than ever before in securing the enterprise’s resources and data.
While it is true that IT needs to adapt to this new phenomenon, users also need to adapt
and to realize the critical role they play. As with anything, education works best when
enforced and tested periodically. This fact highlights the important connection between
education and motivation. Motivation is where the controls come into play.
As part of the control process, an Acceptable Use Agreement should be mandated
for all employees, whether or not they are BYOD participants. Such agreements have
traditionally leaned heavily on disincentives, that is, what would happen if a user has not
followed the policies stated in the agreement. A common issue has been that such
agreements have traditionally not been read carefully, and even when they have been, they
may not have been well understood by users. While such an agreement may give IT a
sense of indemnification (“We told you so”), the fact is such a sense, real or imagined, is
not a solution to BYOD, especially during a breach. By failing to apply all the
motivational controls listed below, the success of the BYOD program can be severely
handicapped.
The control tools of motivation can be organized into four general control
processes:
5.2 Incentives
This type of control encourages the users to actively participate based on some
kind of reward. This does not need to be monetary in nature; in fact, monetary rewards
should be discouraged. As an example, the incentive for using a company-preferred
device or OS may be freer access to the enterprise’s resources such as data and apps. As
stated previously, users should be made active participants in the BYOD program. For
instance, users can be asked to rank themselves accurately based on a certain questionnaire
and then be considered for placement in various levels of BYOD participation.
5.3 Disincentives
By far the most common, this type of control discourages users from taking
particular actions based on negative implications. For example, if the user fails to report
a lost device that had been used to access the enterprise’s resources within 24 hours, the
user’s employment may be terminated. Disincentives are by far the most used control
process implemented by organizations to secure resources and typically form the
cornerstone of Acceptable Use Agreements. Used alone, however, without the other
key controls explained in this chapter, they can lessen the appeal of BYOD and even create an
environment where BYOD is used in secret.
5.4 Compliance Tactics
This type of control uses a variety of compliance techniques. For example,
having a user sign an agreement/pledge to protect the enterprise’s intellectual property
reduces the likelihood that data leakage will occur. This is akin to someone signing an
agreement that they will recycle glass and plastic. The mere acceptance of such
responsibility increases the likelihood of compliance.
5.5 Ongoing Communication
This control focuses on the many methods for communicating and
re-communicating compliance requirements at the various points within the process. For
example, a short text message that pops up when a user makes a connection to the
enterprise network using BYOD or a brief message that plays during a support call,
reminding users of a particular policy, can go a long way by providing positive and non-intrusive
reinforcement. This control is most effective when applied in context; users are more
likely to comply with a policy when that policy is stated in context. Using opportunities
at service points to communicate policies in a just-in-time manner is a good example.
6 How to Use the BYOD Framework
The purpose of the framework is to assist organizations with implementing
BYOD and integrating BYOD into their existing business operations. The framework
does not represent an all-inclusive list of potential risks and mitigation strategies, which
would simply be impossible to produce. Instead, the framework is meant to guide discussions by all
stakeholders within the organization to help them identify risks and solutions that are
applicable and appropriate to the organization. Given the wide variety of business
missions and potential BYOD implementations, organizations are advised to rely on their
own subject matter experts to analyze how the concepts presented in this framework
apply to their organization.
6.1 Establishing a BYOD Security Program
Organizations may use this framework to build a new BYOD program or to
improve on an existing solution. In either scenario, the organization’s risk management
process should be invoked to identify the current status of BYOD security and to analyze
security and policy capability gaps within the organization. The organization can then
make adjustments to their BYOD program to reflect changes in risk levels.
Using the concept of Information Systems Security Engineering, the following
example outlines the steps to implement a BYOD program, depicted in figure 9.
Figure 9: BYOD System Security Engineering Process
Step 1: Discover Information Protection Needs. During this first, critical step, the
organization clearly communicates the high-level goals of the BYOD program.
Communication should occur from the senior executive level and outline the business
objectives and risk tolerance levels of the organization to facilitate clear guidance to
BYOD planners and implementers. Planners will articulate the types of systems and
information to be accessed by BYOD users and identify any applicable security laws,
regulations, or policies.
Step 2: Define BYOD Security Requirements. Once information protection needs have
been identified, security requirements for the BYOD program should be defined.
Security requirements should identify the specific action items required to meet the
security objectives of the BYOD program. Requirements should be traced from their root
source (e.g. security laws, regulations, or policies) and clearly communicate the action,
threshold, and expected result of each security requirement. Requirements should align
with the high-level guidance provided by senior executives and the overall business
mission.
Step 3: Design BYOD Security Architecture. Security Architecture defines how the
BYOD program will align with existing security controls in order to meet security
requirements. Aligning the BYOD security architecture with existing organizational
security architecture ensures consistency among security control quality throughout the
organization.
Step 4: Develop Detailed BYOD Security Design. The detailed security design
incorporates technical and non-technical security controls into a cohesive solution that
meets security requirements. During this step, organizations outline specific use-cases
and conduct analysis of alternatives to identify technologies and policies that will
implement established security requirements at the defined threshold levels. The detailed
security design represents the final step in the planning process.
Step 5: Implement BYOD Security. The detailed security design is executed in
accordance with all planning guidance. Technologies are procured, configured, and
implemented. Policies and procedures are created and authorized in accordance with the
organization’s standard operating procedures. At the completion of this step, all security
controls are implemented and functioning as intended.
Step 6: Assess Security Effectiveness. The final, and arguably most important, step is
to assess the implemented solution against the security requirements to ensure all security
controls are working as intended at their defined threshold levels. Any gaps should be
identified and remediated in accordance with the organization’s risk management
process.
6.2 Identifying and Communicating with Stakeholders
A BYOD program should be implemented in accordance with existing
organizational project management techniques. As part of the project management
process, a communications plan should be identified to outline all BYOD stakeholders
and establish the frequency and content of communications. Because BYOD crosses
many traditional organizational boundaries, it is imperative that stakeholders are
informed, involved, and provide feedback at all stages of the BYOD lifecycle.
6.3 Identifying Policy and Capability Gaps
While technology in the BYOD arena continues to evolve on a daily basis, it is
nearly impossible for all security controls and requirements to be met with technology
alone. Organizations should pay careful attention to which security requirements can be
met with technology and identify where gaps exist between technology and security
requirements that must be filled with security policy. Policy can be an effective way of
meeting regulatory and compliance requirements, but may still offer significant risk if
there is no way to automate the enforcement of security policy. For example, an
organization may require that users do not access corporate resources from an unsecured
wireless network. However, if a technology solution does not exist to actively prevent
the user from connecting to an unsecured wireless network then the organization is
relying upon security policy to shape the user’s behavior. The gaps between policy and
technology may represent significant risk areas that organizations should pay careful
attention to.
6.4 Selecting a BYOD Solution
A BYOD solution should represent a careful balance of technology and policy,
capability and security, and cost savings versus security risks. Proper planning that
adheres to this BYOD framework will assist organizations with selecting a BYOD
solution that meets the overall organization goals, complies with security requirements,
and balances competing interests.
A one-size-fits-all solution does not exist and would not be appropriate given the
wide variety of business missions, criticality of information, and BYOD implementations
that may exist from organization to organization. The best advice in selecting a BYOD
solution is to examine every aspect of the business and analyze how BYOD may affect
the cost, security, and risk of the organization. Proper planning will help identify
technology requirements, analyze capability gaps, implement effective policies, and
understand the business and security risks associated with BYOD.
6.5 Implementing BYOD
While proper planning cannot be stressed enough, it is also imperative to
implement the plan effectively. By following this framework and the BYOD lifecycle,
organizations should have the necessary planning tools to effectively implement BYOD.
Technology should be implemented in accordance with the requirements
established during the planning process. Initial and periodic testing should occur to
ensure all technology components are functioning as designed and continue to meet
functional and security requirements.
Policies should be written so they are clear, concise, and most importantly,
enforceable. Understand that policy may be the only security control in place to shape
user behavior in certain instances. Therefore, the effectiveness and enforceability of
BYOD policies remain critical to the overall success of the BYOD program.
6.6 Managing BYOD
Organizations must manage BYOD throughout the BYOD lifecycle to ensure that
risks are identified and understood by all stakeholders. Each stakeholder must
understand his or her role and responsibility in carrying out the overall BYOD program.
Executive-level commitment will make or break BYOD.
Mobile technology, and the risks associated with mobile technology, is evolving
constantly. As new requirements evolve, organizations should evaluate how their current
BYOD solution meets new and emerging requirements. Organizations should plan for at
least an annual review of their BYOD program to stay abreast of advances in technology
and legislation or case law that may affect the effectiveness and enforceability of BYOD
policies.
7 Recommendations on BYOD Strategies and Policies
"App stores and mobile apps are the greatest hostile code and malware delivery
mechanism ever created."
Winn Schwartau, chairman of MobileActiveDefense
7.1 Overview
Enterprises are becoming aware of the need to have a BYOD strategy and policy in
place; this simply cannot be ignored. The checklist included in Appendix A is a good
starting point prior to using the framework presented. Next, the framework is used to
integrate the BYOD security program into the overall system security of the organization.
To further assist the planners and architects of BYOD with the formation of strategies
and policies, a high-level overview of BYOD planning and operations, followed by a
recommended policy approach, is outlined below.
7.2 BYOD High-Level Strategies
What follows are strategy recommendations for BYOD planners and architects:
Demand. The demand strategy enables the understanding of business requirements, user
abilities, and the preferred outcomes of application mobilization.
Supply. The supply strategy focuses on how to deliver a desired result based on existing
partnerships and skill sets.
Governance. Part of the governance strategy is the understanding of how standards and
policies will be implemented and how they will evolve along with other processes and parts
of the enterprise.
Risks and Issues. This strategy focuses on meeting security requirements, their growth
and change, and how they will mature.
The four parts of the high-level strategy for BYOD are diagrammed in figure 10,
surrounded by mobile/BYOD security technologies and challenges. This is a modular
approach, and items around the core can be removed or added as needed for the
organization’s business processes.
Figure 10: BYOD Strategy Foundation Surrounded by Technologies
7.3 Suggested Stages for Planning and Initiating a BYOD Policy
Business and technical priorities and requirements must be periodically reviewed,
as described previously in the BYOD Security Framework. Historically, organizations
have had the tendency to take their mobile policies, including BYOD policies, for
granted. This is partly due to outdated modes of thinking and reasoning.
First, until a short while ago a phone was just a phone, and the realization that
smartphones, and BYOD devices in particular, are powerful computing devices has not yet
fully set in for many organizations. Second, many organizations that allowed smartphones
typically provided them in the form of Blackberries, which were controlled and managed
centrally. This gives a false sense of security that any smartphone, including a BYOD
device, can be managed the same way. Third, historically the only real application of
choice for smartphones was email, and email providers offered the needed controls (such
as Microsoft Exchange ActiveSync for Exchange mail from Microsoft). In today’s world, apps
on smartphones can do just about everything a desktop can do and in many instances do it
faster and more easily. Lastly, organizations still have the tendency to think of personal
mobile devices as mere accessories instead of noteworthy and capable IT systems.
For these reasons, among others, the option not to bring the organization’s mobile
policies, and in particular its BYOD policies, up to date poses considerable risks to
information security. Assuming that an organization has reached the decision that
including BYOD is part of, and a cost of, day-to-day operations, then a well-thought-out
BYOD policy is also required in order to achieve the superior operations and results
sought.
7.3.1 Clearing Up Misconceptions
IT functions often come with preconceptions and biases regarding the role they must
play in supporting new devices and updating them. Often, the stakeholders become
entangled over precedence. The end result of this stage, however, will be the
clarification of BYOD facts, myths, and realities for all the stakeholders. The
designers, managers, and architects must seize such an occasion to conduct an open
conversation regarding the impact of BYOD across all user and management levels.
The designers and architects of BYOD must take the following foundational views into
account:
Traditional desktop policy models do not apply to BYOD. Most organizations have
security and management policies that are out of date, especially with regards to BYOD.
Many of these organizational policies are spread across several teams including IT
operations, IT security, and telecommunications, to mention a few. As such, no single
organizational unit is usually ready to accept responsibility for the BYOD policy life
cycle. This is exacerbated by end users’ requests for access to mission-critical
applications and data and by the speed with which they require such access.
There is no one-size-fits-all policy template that fits every BYOD scenario. Analyses
of risks and issues along with their related obligations are specific to an organization’s
business and operation context. The architects, managers, and designers tasked with
BYOD policy creation and management need to evaluate external policy examples,
preferably from multiple sources, and in the end adopt their own by selecting proper
controls tailored to their organizational needs. They must next follow this with proper
justification of those controls.
Organizational support for BYOD is mandatory. As has been explained, BYOD is
riskier than traditional desktop models and presents uncharted territories in the IT
security system landscapes. Even organizations with rules against BYOD are eventually
forced to relent even if under special circumstances or for special personnel.
Mobile devices including BYOD are becoming the new liability. Organizations that
delay dealing with BYOD or ignore it entirely will be at the head of the next wave of
security breaches and public humiliations along with the associated legal and reparative
costs. BYOD mobile devices are typically consumer-grade devices and manufacturers of
these devices usually stress ease of use and user experience over enterprise requirements
such as security, privacy, and manageability. This is unlike RIM Blackberries, which are
typically secure because they are centrally managed, much like laptops.
7.3.2 Instituting a Baseline
Before any new policies are written, it is paramount that as many previous policies as
possible be discovered and then evaluated to identify areas requiring change as well as
possible areas of commonality. Performing such a search may bring to light the following,
and possibly more:
• Possible older mobile device policies in place
• Desktop policies that also reference mobile devices
• Policies unknown to IT operations and/or IT security
• HR policies that are not linked to any IT policies
• Partner and contractor policies
As part of such a search and review, the following attributes should be considered a part
of the planning for a new BYOD policy:
• The existing perception and attitude towards security, policies, and management
(supportive, hostile, apathetic)
• Historical precedent of the departments that have been most involved in policy
planning and policy formation
• Controls most commonly implemented in the past
• Common past security practices
• Existing instances of agreements, guidelines, and policies
• Other useful and relevant documents that should be cited for BYOD policy
Additionally, it is required to first know the initial landscape and existing user
expectations before the BYOD policy can be planned and developed. This requires
taking an inventory of the mobile devices that are in use. Girard recommends that the
following data be included (Girard, 2011):
• Number of devices by platform, operating systems, and versions of both devices
and their operating systems
• Number of mobile devices in use by employees and contractors
• A detailed assessment of existing data residing on and passing through the devices
• Apps in use by the devices as well as app ownership (personal, corporate)
• Security profiles, if any, on the devices
• Any mobile device (including BYOD) policies that are already in place
• Complete list of entry paths including VPN, Wi-Fi, cellular, shared media (such
as USB) used by devices gaining access to data and enterprise resources
Inventorying these devices and associated information is fairly difficult, especially if
the organization does not have mobile device tools and reporting methods already in place.
In the worst case, IT can announce a cutoff date for some types of access if
necessary.
For this stage, the final output will be a detailed narrative of the devices in use as
well as the user expectations. This allows the organization to perform some cost analysis as
well as obtain a solid understanding of how BYOD has contributed or detracted from the
business processes.
7.3.3 Classifying and Prioritizing Use-Cases via Workforce Analysis
BYOD policies need to be context-oriented to balance the environmental
realities of the organization’s use-cases. Simply building on existing technological
foundations will not be enough. In the absence of proper context analysis, BYOD policies
may solve the wrong problems, if any at all; with context, the planners and
architects will have the support and cooperation of the user base and senior
management (Girard, 2011). This means the architects need to discuss the BYOD
policy with users and senior management and to document their needs and wants,
whether actual or perceived. Some questions to consider include:
• Where are mobile devices used? This should include off-site use also
• In what context are mobile devices used and how?
• What constitutes necessary authentication?
• What constitutes mandatory authentication?
• Are users allowed to share devices? Are they sharing devices regardless?
• Will users use organization related apps offline as well as online?
• Will users use personally downloaded apps to do company work?
• Which information will be accessible with the BYOD mobile devices?
• Will information be copied to the users’ devices or stay resident on the
organization’s network?
• Who are the owners of mobile devices? In BYOD, it is undoubtedly the users.
The next question to ask is, who owns the organizational data on those
devices?
• Exactly who will be held responsible for the security of mobile devices?
Responsibility needs to be defined to include concerns ranging from possession,
upgrades, and updates to securing the device and the data on it
• What levels of support are users and senior management expecting?
• Are there any recommendations that are being offered from users regarding
loss or theft of the devices and possible risks associated with misuse?
The result of this stage will be a comprehensive account of the users’ wants and
needs. These use-cases are justifiable and will form a foundational part of the BYOD
policy. Furthermore, since users and senior management have played active roles,
the policies will be more likely to be understood and abided by.
7.3.4 Diversity Analysis for Support
As there are different mobile platforms for users to choose from, a managed
diversity analysis is needed. Such an analysis gives the BYOD architects the necessary
assurance regarding the provisions the organization will make for end users, based on
mobile device type (platform, operating system, etc.) and job functions (Girard,
2011). Every commitment by the organization is subject to what is realistically
deliverable by IT and what IT can guarantee, and thus plays a major role in the mature
development of the BYOD policies. IT is responsible for communicating to end users that
decisions have advantages and possible penalties. If users breach certain boundaries, the
privileges can change and the BYOD policies may need to be adjusted to reflect those
changes. The output of this stage would be a diversity framework or a decision matrix
that displays which platforms, operating systems, and versions will be supported within
different job roles. Each decision point can be further developed, documented, and
detailed as needed. A table such as the one listed in figure 11 can be used to start the
processes for this stage.
                        IT Support Level
User Groups             Level 1                 Level 2                   Level 3
                        Full Support by IT      Partial Support by IT     100% User Responsibility
Executives
Accounting
Sales
HR
Contractors
...so on
Figure 11: Sample Managed Diversity Framework (Girard, 2011)
7.3.5 BYOD Technology Assessments
As has been mentioned prior and will be discussed in more detail later in this
dissertation, MDMs are the primary technology tools available for mobile systems
including BYOD. Planners and architects of the BYOD policies are required to initially
decide how much they can trust a range of mobile devices based on the intrinsic
weaknesses in each platform prior to selecting an MDM solution (Girard, 2011). Some
imperative questions to consider are: (1) how much investment is enough; (2) how will
such spending extend to future platforms and future security threats; and (3) what must be
the minimum satisfactory BYOD policy?
The designers should also study the following three areas of mobile
management technologies:
• Software tools provided by MDM
• Device and user authentication tools (typically part of MDM)
• Enterprise app store application delivery
The choices made in this stage, along with associated decisions, define how policy
statements and essential processes will be designated in the next stage (7.3.6) (Gartner,
2011).
7.3.6 Sample Policy Symposium
The sample policy discussion points here are recommendations grouped according to their
roles in the BYOD policy. Sample wording is not provided, as the choice of wording is
specific to the enterprise and would not be appropriate here. The enterprise’s legal team,
auditors, and regulators must approve such wording. Keep in mind that the responsibilities
listed are recommendations provided as guidelines, and that the entities listed may have
differing roles:
Level of Risk: HR and IT Responsibility
• Mobile device division (see figure 11)
• Allowable business functions
• Device and user authentication requirements
o Local to device
o Remote to organization’s portals
• Methods of application and data delivery
• App store controls for both public and in-house app stores
Boundary of Liability: HR and Legal Responsibility
• Compliance requirements for government, industrial, partners, etc.
• Acceptable Use Agreement signed by employees in exchange for access
• Allowable access levels for external media; encryption level requirements
BYOD Devices: IT, Developers, and Security Team Responsibility
• Acceptable device level including minimums and maximums for hardware,
firmware, device version, and operating system
• Password requirements such as complexity, retry and time-out rules
• PIN length requirements and whether simple PINs will be allowed
• “No Hacking” policy (implementing zero-tolerance)
• Cleanup for sensitive data
• Security certificate requirements for any access: email, apps, data, networks
• Application and device encryption
• Organization may decide to filter data at their discretion
• Loss/theft reporting accountabilities and escalations
• Employees must accept organization’s lock/wipe resolutions
• Approved encrypted containers needed for local data storage
• Organization can ask for verification that organizational data have been removed
Help Desk and Escalation (Support): IT Department Responsibility
• Self-help web sites audited by support (FAQs)
• Support limits on approved devices/models
• For VPN, email, and Wi-Fi, requisite installation of certificates
• Device locking, wiping, and restoration procedures
• Exceptions (perhaps for executives)
Administrative: IT Department Responsibility
• Device enrollments under the control of the organization for all devices
• Requirements for proper reporting of lost, stolen, modified, and discarded devices
• Management control for Wi-Fi, Bluetooth, and Cellular connections
• Logical and physical device disposal; logical refers to the soft removal of the
device from the organizational systems
Freelancers/Suppliers/Partners: IT, HR, Business Unit, and Legal Responsibility
• Participating in the company BYOD management may not be possible or
advisable for partners/contractors
• Strong authentication must be required to access sensitive data
• Encrypted containers for local business data storage
• Limit system access to server resources: secure web portals, VMware, Citrix
• Local apps need to be self-secured where possible
• Business partner contract clearly states the required code of conduct; monitor
violations
Usage with High Risk: Operations, Security Team, and Legal Responsibility
• May include travel to international locations deemed risky
• Require approved VPN use for access to sensitive systems
• Require strict email/data/device loss prevention policies
• When returning from trips to high risk locations, consider wipe and rebuild
Policy Administration/Updates: Operations, HR, and Legal Responsibility
• Departments and entities accountable for ownership, changes, and updates to
BYOD policies
• Implemented schedule for updates/revisions
• Notifications methods to end users
Compliance: Operations, Security Team, HR, and Legal Responsibility
• BYOD policy reviews and monitoring
• Penalties for deliberate violation of agreement
• Remedies and methods of redress if violation was unintentional
This stage will produce a clear, understandable, and defensible statement of work, listing
and justifying the paramount points in the BYOD policy, based on accurate
understanding of the business rules and processes.
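As an added illustration of how several of the "BYOD Devices" rules above, the device inventory data of stage 7.3.2, and the support-level matrix of Figure 11 can be checked mechanically (the kind of evaluation an MDM compliance engine performs), the following Python was written for this section. It is not the dissertation's code nor any MDM product's; every threshold, group name, rule name and device record in it is constructed for illustration.

```python
"""Added example (not from the dissertation or any MDM product): checking a
BYOD device inventory against policy rules of the kind listed in the sample
policy discussion, and tying each device to its Figure 11 support level.
Every record, threshold and group name below is constructed."""
from collections import Counter
from dataclasses import dataclass

# Managed-diversity matrix in the spirit of Figure 11: user group -> IT support level
# (1 = full IT support, 2 = partial support, 3 = 100% user responsibility). Constructed.
SUPPORT_LEVEL = {"executives": 1, "accounting": 1, "sales": 2, "hr": 2, "contractors": 3}

# Thresholds of the kind the "BYOD Devices" bullets call for. Constructed values; a real
# baseline comes from the organization's own requirements and analysis of alternatives.
POLICY = {
    "min_os_version": {"ios": (9, 0), "android": (6, 0)},  # approved platforms + minimums
    "min_pin_length": 6,
    "allow_simple_pin": False,        # e.g. 1234, 0000, 1111
    "max_failed_attempts": 10,        # retry rule before the device locks/wipes
    "require_storage_encryption": True,
    "require_managed_container": True,
}


@dataclass
class Device:
    owner_group: str
    platform: str
    os_version: tuple            # produced by parse_version()
    pin_length: int
    pin_is_simple: bool
    storage_encrypted: bool
    managed_container: bool      # approved encrypted container for local data
    modified: bool               # rooted/jailbroken: the zero-tolerance "no hacking" rule
    failed_attempts_limit: int   # retry limit configured on the device


def parse_version(text):
    """'9.3.5' -> (9, 3, 5); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, policy=POLICY):
    """Return the list of violated rule names; an empty list means compliant."""
    violations = []
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None:
        violations.append("platform-not-approved")
    elif device.os_version < minimum:
        violations.append("os-below-minimum")
    if device.pin_length < policy["min_pin_length"]:
        violations.append("pin-too-short")
    if device.pin_is_simple and not policy["allow_simple_pin"]:
        violations.append("simple-pin")
    if policy["require_storage_encryption"] and not device.storage_encrypted:
        violations.append("device-not-encrypted")
    if policy["require_managed_container"] and not device.managed_container:
        violations.append("no-encrypted-container")
    if device.modified:
        violations.append("modified-device")
    if device.failed_attempts_limit > policy["max_failed_attempts"]:
        violations.append("retry-limit-too-high")
    return violations


def support_level(device):
    # Assumption: a group absent from the matrix gets the most restrictive level (3).
    return SUPPORT_LEVEL.get(device.owner_group, 3)


def inventory_by_platform(devices):
    """Count devices by platform and major OS version (the first inventory bullet)."""
    return Counter(f"{d.platform} {d.os_version[0]}" for d in devices)


def compliance_report(devices, policy=POLICY):
    """One row per device: (owner group, support level, list of violations)."""
    return [(d.owner_group, support_level(d), evaluate(d, policy)) for d in devices]


# Constructed inventory, as an MDM enrollment export might provide it.
SAMPLE_DEVICES = [
    Device("executives", "ios", parse_version("9.3.5"), 6, False, True, True, False, 10),
    Device("sales", "android", parse_version("6.0.1"), 4, True, True, False, False, 10),
    Device("contractors", "android", parse_version("5.1"), 4, True, False, False, True, 50),
    Device("interns", "windows", parse_version("8.1"), 8, False, True, True, False, 5),
]

if __name__ == "__main__":
    for group, level, problems in compliance_report(SAMPLE_DEVICES):
        status = "compliant" if not problems else ", ".join(problems)
        print(f"{group:12s} level {level}: {status}")
    print(inventory_by_platform(SAMPLE_DEVICES))
```

The rule names returned by evaluate() map one-to-one onto the policy bullets, which is what lets each violation be traced back to the requirement that produced it, as the framework's Step 2 asks for.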
7.3.7 BYOD Policy Structure
This last stage provides guidance on the order in which information should appear in
the final BYOD policy documentation. The outline’s emphasis is on clarity and
readability, conveying relevance to the end reader immediately. A partial suggested
list of the content ordering in the final policy guide, as recommended by Girard
(Girard, 2011), is presented here:
• Definition of what is considered a mobile device, definition of mobile/BYOD
policy, affected individuals/departments, MDM
• The premise and scope of organizational control of BYOD devices
• Obligations of the organization and end users (employees, contractors, partners)
• The specific rules/controls to be implemented and tracked as proposed in 7.3.6
• Consequences of violating rules/controls
• Reference materials
This final stage of the BYOD policy will construct an easy-to-read and clear-cut policy
document using the discoveries of stage 7.3.6. Suggestions and objections raised will
have been acknowledged and documented, tracing back to the users’ wants and needs
combined with assessments of the suitability of mobile platforms (Girard, 2011).
Furthermore, biases, preconceptions, assumptions, and other discovered barriers to
realization will have been anticipated and responded to in the final BYOD security policy.
8 Research Approach and Methodology
8.1 Problem Statement
Initial findings attained through literature review and interviews suggested that
BYOD security is a sensitive area requiring thoughtful research. Literature review and
interviews also suggested that serious study of this field is earnestly lacking. The
premise of the research was that a BYOD Security Framework could be designed for an
enterprise which, when implemented, would reduce security breaches. The framework
would be comprised of a combination of technology management and policy
management. In a nutshell: use the BYOD Security Framework → reduce security
breaches associated with BYOD.
It was thus decided that the research’s objectives could not be achieved through
literature review alone. Therefore, a survey questionnaire was used as the non-
literature-based data gathering tool to collect the empirical data required for suitable
statistical analysis to support the research question. Thus, the characteristics of the
activities performed throughout this dissertation most closely correspond to those of
quantitative methods as defined by Creswell (2013).
8.2 Survey Instrument
A series of 60 measurement survey questions were drawn from the review of
literature to test the quantitative hypotheses among security practitioners and security
engineers. In order to confirm reliability and validity of the survey instrument, the
measurement survey questions were expressed in a manner that avoids systematic bias
and errors. As such, the survey instrument was reviewed by experts in academia and the
industry for content validity, then pilot tested to evaluate the survey effectiveness with
regards to its reliability when gathering data required for statistical analysis (Alreck &
Settle, 2003).
A series of 48 independent questions were asked followed by 12 dependent
questions corresponding to the 12 hypotheses (see Appendix C for the questionnaire).
The questionnaire was divided into four main parts. Part I contained an information sheet
about the research study, introduced the researcher, and provided the invited participant
with the goals, objective, and the procedures of the research study including a glossary of
important terms. Participants were given clear directions as well as complete assurance
of the confidentiality and anonymity of their responses. Part II consisted of five
demographic questions used to represent the nature of the population sample (Alreck &
Settle, 2003). Part III consisted of 48 survey questions used to measure the extent to
which framework elements have been de facto implemented in a well-defined fashion and
practiced by the participants’ organizations though without any mention of the
framework; these 48 questions formed the independent variables of the survey
instrument. Part IV consisted of 12 survey questions used to measure the extent of BYOD
security related breaches, given the level of framework elements implementation, again
without any mention of the framework; these 12 questions formed the dependent
variables of the survey instrument.
Through this approach, a meaningful correlation could be established between the
level of implementation of the framework elements and related security breaches. For
example, if many subjects felt that most of the framework elements had been well-
defined and implemented in their environment with regards to BYOD and the frequency
of breaches was minor or non-existent, a conclusion can be drawn that the hypotheses are
validated and thus the framework is sound. To administer the questionnaire, the
measurement survey was created using the online tool Qualtrics (qualtrics.com) and
administered to security engineers, project managers, information systems professionals,
and security practitioners. Throughout the survey, terms that required definitions were
highlighted in blue, and a simple mouse hover would present the participant with a
balloon containing the definition or explanation. In this manner, the survey was
made manageable and easy to read, avoiding excessive wording.
8.3 Data Capture Process
The responses were measured using the Likert rating scale. Tables 1 and 2 below
show the two types of Likert scale responses and their weighted values:
Response                                  Weighted value
Strongly Agree                            5
Agree                                     4
Neither Agree Nor Disagree                3
Disagree                                  2
Strongly Disagree                         1
Don’t Know                                0
Table 1: Possible Responses to the Framework Particulars

Response                                  Weighted value
No Breaches                               5
Some/Minor Breaches                       4
Moderate Degree of Breaches               3
Excessive Breaches                        2
Critical (Business Impactive) Breaches    1
Don’t Know                                0
Table 2: Possible Responses to Security Breaches
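The scoring and correlation step that sections 8.2 and 8.3 describe, as an added Python example written for this page (it is not the dissertation's data or analysis code): Likert answers are mapped to the weighted values of Tables 1 and 2, each respondent is reduced to a mean framework score and a mean breach score, and the two series are correlated. The six respondents and their answers are constructed; the page's instrument had 48 framework and 12 breach questions, the sample uses four and two. One assumption not taken from the page: "Don't Know" (weight 0) is excluded from a respondent's mean, so that it is not treated as a rating below "Strongly Disagree".

```python
"""Added example (not the dissertation's data or analysis code): scoring Likert
responses with the weights of Tables 1 and 2 and correlating framework
implementation with reported breach levels. All responses are constructed."""
import math

# Weighted values from Table 1 (framework particulars) and Table 2 (breaches).
FRAMEWORK_SCALE = {
    "Strongly Agree": 5, "Agree": 4, "Neither Agree Nor Disagree": 3,
    "Disagree": 2, "Strongly Disagree": 1, "Don't Know": 0,
}
BREACH_SCALE = {
    "No Breaches": 5, "Some/Minor Breaches": 4, "Moderate Degree of Breaches": 3,
    "Excessive Breaches": 2, "Critical (Business Impactive) Breaches": 1, "Don't Know": 0,
}


def mean_score(answers, scale, drop_dont_know=True):
    """Average weighted value of one respondent's answers on a scale.

    Assumption (not from the page): with drop_dont_know=True the 'Don't Know'
    weight of 0 is excluded instead of counting as a rating below 'Strongly
    Disagree'. Returns None when no scorable answers remain."""
    weights = [scale[a] for a in answers]
    if drop_dont_know:
        weights = [w for w in weights if w != 0]
    return sum(weights) / len(weights) if weights else None


def paired_scores(survey, drop_dont_know=True):
    """Build (framework score, breach score) pairs, one per usable respondent."""
    xs, ys = [], []
    for framework_answers, breach_answers in survey:
        x = mean_score(framework_answers, FRAMEWORK_SCALE, drop_dont_know)
        y = mean_score(breach_answers, BREACH_SCALE, drop_dont_know)
        if x is None or y is None:
            continue  # respondent with no scorable answers contributes nothing
        xs.append(x)
        ys.append(y)
    return xs, ys


def pearson(xs, ys):
    """Pearson correlation coefficient; None when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    return sxy / math.sqrt(sxx * syy)


# Constructed survey: each respondent answers four framework questions (Part III
# style) and two breach questions (Part IV style). The last respondent answered
# "Don't Know" throughout and is dropped from the correlation.
SAMPLE_SURVEY = [
    (["Strongly Agree", "Strongly Agree", "Agree", "Strongly Agree"],
     ["No Breaches", "No Breaches"]),
    (["Agree", "Agree", "Neither Agree Nor Disagree", "Agree"],
     ["Some/Minor Breaches", "No Breaches"]),
    (["Disagree", "Neither Agree Nor Disagree", "Disagree", "Don't Know"],
     ["Moderate Degree of Breaches", "Excessive Breaches"]),
    (["Strongly Disagree", "Disagree", "Strongly Disagree", "Disagree"],
     ["Critical (Business Impactive) Breaches", "Excessive Breaches"]),
    (["Agree", "Strongly Agree", "Agree", "Agree"],
     ["No Breaches", "Some/Minor Breaches"]),
    (["Don't Know", "Don't Know", "Don't Know", "Don't Know"],
     ["Don't Know", "Don't Know"]),
]


def framework_breach_correlation(survey=SAMPLE_SURVEY):
    """Correlation between framework implementation and breach level scores."""
    xs, ys = paired_scores(survey)
    return pearson(xs, ys)


if __name__ == "__main__":
    print(f"r = {framework_breach_correlation():.3f}")
```

Because both scales put the desirable end at 5 (strong implementation, no breaches), a positive coefficient is the direction the hypotheses predict; with the constructed answers above the coefficient is close to 1, which is what a sample built to agree with the hypotheses should produce.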
An invitation to participate in the survey study was sent to 1,017 individuals who
were selected from lists made available by the Project Management Institute, the
Information Systems Security Association, the IEEE, and the US military security
engineers and practitioners. The survey was distributed using online software service
Qualtrics (qualtrics.com).
The data collection from the finished surveys was performed through Qualtrics
survey software. Microsoft Excel 2007 was then used for scrubbing, filtering,
organizing, quality check, and pre-testing the collected data. For the data statistical
analysis, Minitab® 16 was used. The survey response rate was 138 out of 1,017
(13.57%). Eliminating incomplete surveys, 114 points remained (11.21%).
8.4 Demographics
The survey participants spanned many industries, job titles, and experience levels with
security, and came from organizations of varying sizes. The demographics presented here
help clarify the expertise, job description, and experience level of those surveyed.
From these data, it is possible to draw reasonable assumptions about the qualifications
of those who participated in the survey. Given that the survey was technical in nature, it
is a fair assumption that those who took it and completed it must have had an acceptable
level of understanding of the terminology, the technologies, the policies, and the
concerns related to mobile security and BYOD in particular.
60% of those surveyed indicated that they were engineers or in information
systems and security. 74% were directly responsible for security related operations such
as standards, auditing, compliance, or management. Interestingly, 50% or half the
respondents had more than 11 years of experience in information security, with 69% having
more than 6 years of experience with information security. These facts are significant since
6 years prior to the survey date of 2014, mobile devices, and BYOD mobile devices in
particular, were in their infancy, so many of these professionals have lived and worked
through this changing paradigm. It is also noteworthy to point out that 88% of the
respondents indicated at least 1 year of experience in information security.
The size of the organizations that the survey participants work for is also of
interest. 50% indicated working for larger organizations, those having more than 1,000
employees, while in total 75% work for organizations having more than 500 employees.
Smaller organizations were represented as well, but it is notable that most
participants worked for larger enterprises, where BYOD security concerns are typically
the highest. The majority of the participants had at least a bachelor's degree (87%), with
49% possessing at least a master's degree. The demographic information is
presented in figures 12 through 16. A final point to mention on demographics: of those
in "other" industries (17%), 56% were involved with defense and/or federal government
security.
Figure 12: Current Industries of Survey Participants (pie chart; categories: Healthcare/Biotechnology, Education, Manufacturing, Finance/Accounting, Engineering/Security Engineering, Information Systems/Information Security, Telecommunication)
Figure 13: Current Job Titles of Survey Participants (pie chart; categories: CSO/CISO, Project Manager/IT Manager/Director/CIO, Security Administrator/Security Manager, Security Analyst/Compliance Officer/Auditor, Security Architect/Security Engineer, Other)
Figure 14: Years of Experience in Information Security of the Participants (pie chart; categories: None, 1-5 years, 6-10 years, 11-15 years, More than 15 years)
Figure 15: Size of the Organization of the Survey Participants (pie chart; categories: 50 or less, 51-250, 251-500, 501-1000, 1001 or more)
Figure 16: Educational Level of the Survey Participants
8.5 Experts Panel
In order to confirm that the 12 hypotheses are complete and that no other factors are
missing from the analysis, a panel of experts was sought, and an additional semi-structured
survey and interviews were conducted based on recommendations from Bernard (1988). In all,
20 experts were surveyed and interviewed. The purpose of this survey and these interviews
was to ask "what else, if anything, could be missing from BYOD security"; in other
words, are there other areas of mobile security breach that are not addressed by the 12
hypotheses? Section 8.6 below presents the result of the interview with each expert
along with their title and expertise area. The semi-structured survey and interview
questions used with the panel of experts are in Appendix D. All the respondents had at
least a bachelor's degree, with the great majority having master's or doctorate degrees.
(Figure 16 pie chart; categories: High School, Associate, Bachelor, Master, Doctorate)
8.6 Experts Panel Interview Results
In order to make the results readable, each interview is listed separately along
with the expert’s title, education, years of experience, and qualifications.
Expert 1
• Title: Fellow at National Institute of Standards and Technology (NIST)
• Education: PhD
• Years Experience: 15+
• Qualifications: Information security, risk management, security
architecture/engineering, systems resiliency, risk management frameworks,
international outreach programs for cybersecurity and critical infrastructure
protection
• Comments: The 12 hypotheses are very comprehensive and they hold together
very well. The hypotheses really outline and compartmentalize the BYOD
security breaches
Expert 2
• Title: Assistant Vice President
• Education: Master
• Years Experience: 11-15
• Qualifications: Information security, project management, security systems
• Comments: Agree that the hypotheses are fairly complete. Secondary forms of
authentication (e.g. RSA token) should also be considered along with BYOD
Expert 3
• Title: Forensics Analyst and Professor
• Education: PhD
• Years Experience: 11-15
• Qualifications: Security expert, forensics expert, mobile forensics
• Comments: The hypotheses are quite complete in that they address both the
technology as well as the policy areas of mobile security
Expert 4
• Title: Management of Information Systems Professor
• Education: PhD
• Years Experience: 15+
• Qualifications: Former Department of Defense security and cybersecurity
analyst, project management
• Comments: I believe the above mentioned factors completely address the security
concerns of mobile device BYOD
Expert 5
• Title: Security Analyst
• Education: PhD
• Years Experience: 1-5
• Qualifications: CISSP, CISM, CIPP (US Government and Private Sector),
CAHIMS, and HCISPP certified
• Comments: Agree that the 12 factors are applicable; items 1, 5, and 8-12 are also
applicable to stationary devices
Expert 6
• Title: Security Manager
• Education: Master
• Years Experience: 11-15
• Qualifications: Intrusion detection, Snort, malware analysis, incident response;
CISSP, CCNP Security, and CHFI certified
• Comments: Strongly agree that the 12 factors are complete
Expert 7
• Title: Chief Information Officer
• Education: Master
• Years Experience: 11-15
• Qualifications: Analytical skills
• Comments: Strongly agree that the list looks complete
Expert 8
• Title: Security Architecture and Engineer
• Education: Bachelor
• Years Experience: 6-10
• Qualifications: Experienced IT security auditor, developer, ISSO certified
• Comments: Agree that the 12 factors form a complete list
Expert 9
• Title: Security Analyst
• Education: Bachelor
• Years Experience: 15+
• Qualifications: NSA-IAM, CAP, and CFCP certified
• Comments: Strongly agree that the 12 factors are complete
Expert 10
• Title: Chief Information Security Officer
• Education: Master
• Years Experience: 15+
• Qualifications: CISSP, CISA, CSSLP, CISM, ISSAP, ISSMP, IEM, IAM
certified
• Comments: More time would be needed to discuss if these 12 factors are
complete but they are a great start. Application security should be the most
important one though since that is what is going to really connect into the
organizational data
Expert 11
• Title: Cyber Security Researcher and Developer
• Education: PhD
• Years Experience: 11-15
• Qualifications: CISSP and Security+ certified
• Comments: Agree that the factors are complete. Would add prevention of
security breaches due to malicious applications/malware being downloaded onto
mobile devices (author note: this has been addressed in the framework and the
questions)
Expert 12
• Title: Security Analyst
• Education: PhD
• Years Experience: 15+
• Qualifications: CISSP certified
• Comments: Agree that the 12 factors are complete
Expert 13
• Title: Chief Information Officer
• Education: PhD
• Years Experience: 6-10
• Qualifications: Software engineer, web developer, simulation modeling and
analysis
• Comments: Strongly agree that the 12 factors are complete
Expert 14
• Title: Security Analyst/Compliance Officer
• Education: PhD
• Years Experience: 1-5
• Qualifications: Project management and supply chain management expertise
• Comments: Strongly agree and trust that the 12 factors are complete
Expert 15
• Title: Security Consultant
• Education: Master
• Years Experience: 15+
• Qualifications: CISSP certified
• Comments: Agree that the 12 factors are pretty complete
Expert 16
• Title: Director of Security
• Education: Master
• Years Experience: 15+
• Qualifications: Security analyst, architect, consultant and engineer
• Comments: Strongly agree that the 12 factors listed are very complete. Thought
long and hard about additional areas and could not come up with anything else.
This is a well thought out list
Expert 17
• Title: Compliance Officer
• Education: Master
• Years Experience: 15+
• Qualifications: CISSP and PMP certified
• Comments: Disagree that the 12 factors are complete. The 12 factors focus only
on prevention. Although clearly important, an employee will unintentionally or
intentionally BYOD and connect to a workstation/server. As such detection and
correction cannot be ignored (author note: detection and correction are addressed
in the framework and in the questions; the author disagrees with this expert’s
opinion)
Expert 18
• Title: Chief Information Officer
• Education: Bachelor
• Years Experience: 6-10
• Qualifications: CISA
• Comments: Strongly agree that the 12 factors are complete
Expert 19
• Title: Project Manager
• Education: Master
• Years Experience: 11-15
• Qualifications: 14 years of project management expertise including management
of security projects
• Comments: Strongly agree that the 12 factors are complete
Expert 20
• Title: Consultant
• Education: Master
• Years Experience: 15+
• Qualifications: Security+, CEH, CHFI, CISSP and 10+ years consulting the
government, military, and private organizations on various projects with many
being security related
• Comments: Strongly agree that the 12 factors form a complete list
9 Research Hypotheses and Methodology
9.1 Overview
In order to test the research hypotheses, nonparametric statistics were applied, since
the data collected were ordinal in nature. Each research hypothesis was tested in order
to discover the corresponding measures of association and concordance between a de facto
implementation of the BYOD Security Framework elements and possible BYOD-related
security breaches. In order to determine the association and concordance between a
single framework element's implementation (an independent variable) and a possible
security breach (a dependent variable), the corresponding questions' response data were
selected and then the Cross Tabulation and Chi-Square statistics tool in Minitab was run
against that selection. The resulting Kendall tau-b (Τb) and P-value were recorded.
The Kendall Τb correlation coefficient was used to measure the association between
responses to the survey measurement questions: on a scale from -1.0 (negative
association) to 1.0 (positive association), it gives the degree and the nature of the
relationship between a de facto implementation of BYOD Security Framework elements
(independent variables) and the possible BYOD security breaches (dependent variables).
A positive Τb value indicates that the ranking of the dependent variable increases as
the ranking of the independent variable increases, whereas a negative Τb value indicates
that the ranking of the dependent variable decreases as the ranking of the independent
variable increases (Siegel, 1956). The P-value was calculated in order to evaluate the
probability of concordance versus the probability of discordance for the survey question
responses. If the observed P-value was lower than 0.05, then a statistically significant
correlation existed between the selected independent and dependent variables. Following
Yates et al. (1993), the Kendall Τb interpretation guidelines listed in table 3 were
adopted.
Kendall Τb Coefficient        Meaning
Less than +/- 0.10            Very weak association
+/- 0.10 to +/- 0.19          Weak association
+/- 0.20 to +/- 0.29          Moderate association
+/- 0.30 to +/- 0.39          Moderately strong association
+/- 0.40 and above            Strong association
Table 3: Understanding Kendall tau-b (Τb) Values
9.2 Research Question and Hypotheses
While the research question and hypotheses were presented previously as a
stepping-stone to the BYOD Security Framework, it is worth revisiting them
here as the dissertation moves into the statistical analysis of each hypothesis and then
the validation of the research question.
This dissertation attempts to answer the following overarching question: Can a
balanced application of technology and policy using a security framework significantly
reduce security breaches in an enterprise where Bring Your Own Device (BYOD) is
allowed/implemented? In order to answer this question, the following twelve research
hypotheses were postulated:
H1: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related data security
breaches.
H2: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-
Fi) security breaches.
H3: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of mobile related cellular
security breaches.
H4: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
rogue mobile devices access.
H5: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of authentication related
security breaches.
H6: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lost/stolen mobile devices.
H7: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
unauthorized mobile access.
H8: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of understanding of organizational security policies.
H9: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of training and education of organizational employees.
H10: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
lack of awareness of organizational policies.
H11: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of document related security
breaches (e.g. improper document sharing, saving, copying, emailing, printing, and
scanning of documents).
H12: There is a significant correlation between implementation of the BYOD Security
Framework for an enterprise and corresponding reduction of security breaches related to
mobile application flaws.
According to Yates et al. (1993), a Τb of 0.4 or higher would indicate a strong
correlation between a de facto implementation of BYOD Security Framework
elements and corresponding reduction in security breaches. In order to calculate the
P-values, the Τb approximation to the normal distribution was used since the sample size
is greater than 40 (Siegel, 1988) (Zaiontz, 2015):
$$z = 3\tau \sqrt{\frac{C(n,2)}{2n+5}}$$
where τ is the Τb value and C(n,2) is the number of combinations of the sample size n taken 2 at a
time. In order to use the one-tailed normal distribution approximation, the Τb values were
normalized to the [0,1] range and the z-values were then calculated from those normalized
values. Next, the corresponding P-values were calculated. The normalization
was done using the following min-max equation:
$$z_i = \frac{x_i - \min(x)}{\max(x) - \min(x)}$$
For the data collected via survey, the sample size n is 114. Using our calculated Τb
values in the formula, we obtain the following z-values and corresponding P-values listed
in table 4.
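As an added worked example (not code from the dissertation), the following Python reproduces the statistical procedure of sections 9.1 and 9.2: Kendall tau-b with tie correction for two ordinal series, the interpretation bands of table 3, the normal approximation z = 3τ√(C(n,2)/(2n+5)), min-max normalization, and the one-tailed P-values of table 4. The 16-respondent data set and all function names are assumptions; the twelve Τb values and n = 114 are taken from the page.

```python
import math
from itertools import combinations

# Constructed sample input (not survey data from the dissertation): ordinal
# 1..5 responses for one framework element (x, the median of its Q4 items)
# and one breach-frequency question (y), for 16 hypothetical respondents.
X_CONSTRUCTED = [1, 2, 2, 3, 3, 3, 4, 4, 5, 5, 1, 2, 3, 4, 5, 2]
Y_CONSTRUCTED = [2, 1, 2, 3, 2, 4, 4, 3, 5, 4, 1, 3, 3, 5, 5, 1]

# The twelve tau-b coefficients of table 4 and the survey sample size.
TABLE4_TAUS = [0.427, 0.467, 0.342, 0.431, 0.510, 0.416,
               0.456, 0.492, 0.512, 0.512, 0.452, 0.439]
N_RESPONDENTS = 114


def kendall_tau_b(x, y):
    """Kendall tau-b for two equally long ordinal series, with the tie
    correction in the denominator (the statistic Minitab reports)."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equally long series of at least 2 points")
    concordant = discordant = tied_x = tied_y = 0
    for i, j in combinations(range(len(x)), 2):
        dx = (x[i] > x[j]) - (x[i] < x[j])  # sign of the x difference
        dy = (y[i] > y[j]) - (y[i] < y[j])  # sign of the y difference
        if dx == 0:
            tied_x += 1
        if dy == 0:
            tied_y += 1
        if dx and dy:  # pairs tied in either variable do not count as C or D
            if dx == dy:
                concordant += 1
            else:
                discordant += 1
    n0 = math.comb(len(x), 2)
    denom = math.sqrt((n0 - tied_x) * (n0 - tied_y))
    if denom == 0:
        raise ValueError("a series with no variation has no defined tau-b")
    return (concordant - discordant) / denom


def strength_label(tau):
    """Interpretation bands of table 3 (Yates et al., 1993), by |tau-b|."""
    a = abs(tau)
    if a < 0.10:
        return "Very weak association"
    if a < 0.20:
        return "Weak association"
    if a < 0.30:
        return "Moderate association"
    if a < 0.40:
        return "Moderately strong association"
    return "Strong association"


def z_from_tau(tau, n):
    """Normal approximation z = 3*tau*sqrt(C(n,2)/(2n+5)), used for n > 40."""
    if n <= 40:
        raise ValueError("normal approximation assumes a sample larger than 40")
    return 3.0 * tau * math.sqrt(math.comb(n, 2) / (2 * n + 5))


def min_max_normalize(values):
    """Rescale a list to [0, 1] using (v - min) / (max - min)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        raise ValueError("all values are equal; nothing to normalize")
    return [(v - lo) / (hi - lo) for v in values]


def one_tailed_p(z):
    """Upper-tail P-value of the standard normal, P(Z >= z)."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def summarize(taus, n, alpha=0.05):
    """Rebuild the columns of table 4 for a list of tau-b coefficients."""
    rows = []
    for tau, tau_norm in zip(taus, min_max_normalize(taus)):
        z_norm = z_from_tau(tau_norm, n)
        p = one_tailed_p(z_norm)
        rows.append({
            "tau": tau, "z": z_from_tau(tau, n),
            "tau_norm": tau_norm, "z_norm": z_norm,
            "p": p, "significant": p < alpha,
            "strength": strength_label(tau),
        })
    return rows


if __name__ == "__main__":
    tau = kendall_tau_b(X_CONSTRUCTED, Y_CONSTRUCTED)
    print(f"constructed sample: tau-b = {tau:.3f} ({strength_label(tau)})")
    for i, r in enumerate(summarize(TABLE4_TAUS, N_RESPONDENTS), start=1):
        print(f"row {i:2d}: tau={r['tau']:.3f} z={r['z']:.5f} "
              f"norm_tau={r['tau_norm']:.5f} norm_z={r['z_norm']:.5f} "
              f"P={r['p']:.2e} significant={r['significant']}")
```

Because min-max normalization maps the smallest Τb to 0, the smallest coefficient always yields z = 0 and P = 0.5, whatever its raw z-value; this is why the 0.342 row of table 4 is the one non-significant result.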
Table 4: Summary of z-values, Τb values, and P-values
Kendall Τb   z-value   Normalized Τb   Normalized z-value   Significant? (P < 0.05)
0.427        6.73516   0.50000         7.88660              Yes (P < 0.00001)
0.467        7.36609   0.73529         11.5979              Yes (P < 0.00001)
0.342        5.39444   0.00000         0.00000              No (P = 0.5)
0.431        6.79825   0.52353         8.25774              Yes (P < 0.00001)
0.510        8.04433   0.98824         15.5876              Yes (P < 0.00001)
0.416        6.56165   0.43529         6.86598              Yes (P < 0.00001)
0.456        7.19258   0.67059         10.5773              Yes (P < 0.00001)
0.492        7.76042   0.88235         13.9175              Yes (P < 0.00001)
0.512        8.07588   1.00000         15.7732              Yes (P < 0.00001)
0.512        8.07588   1.00000         15.7732              Yes (P < 0.00001)
0.452        7.09794   0.63529         10.0206              Yes (P < 0.00001)
0.439        6.92444   0.57059         9.00001              Yes (P < 0.00001)
9.2.1 Hypothesis 1 (H1)
The first main research hypothesis attempts to shed light on the following sub-
question: Can the BYOD Security Framework implementation for an enterprise reduce
mobile related data security breaches? To achieve a strong degree of statistical
significance, Τb = 0.4 is taken as the minimally acceptable and minimally significant
correlation coefficient value, based on the recommendation of Yates et al. (1993) (see
table 3), which would imply a strong correlation between a de facto implementation of the
BYOD Security Framework and a significant reduction of the corresponding security
breaches. Based on this assumption, the corresponding null and alternate hypotheses were
developed from the conceptual BYOD Security Framework:
H1₀: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related data
security breaches.
H1a: There is a significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related data
security breaches.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median of the
x values was taken. While the mean and median can sometimes be the same or at
least very close, they differ greatly if the data values are clustered toward one end of
their range and/or if there are a few extreme values; this is referred to as skewness in
statistical terms. In such cases the mean can be considerably influenced by the few
extreme values and fail to represent the majority of the values in the data
set. Under these circumstances the median gives a better representation of central tendency
than the mean (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) was tested against the possible security
breaches (the y question). The resulting Kendall Τb and P-values for the relationship
between the BYOD Security Framework de facto implementation and hypothesis 1 (Q1y) are
listed in table 5.
Measure of association: Protection of resources and assets (independent variables)
  Corresponding survey questions: Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Τb: 0.427; P < 0.05?: 0.00001 (Yes)
Measure of association: Possible security breach (dependent variable)
  Corresponding survey question: Q1y How often has your organization had data security breaches, during the past year? This can be loss of data, stolen data, or unauthorized data alteration.
Table 5: Hypothesis 1 Results
The positive Kendall Τb value of 0.427 suggests a strong, positive
association between a well-defined implementation of the BYOD Security Framework
and a reduction of data security breaches. The test of reliability and
significance was confirmed, assuming a 95% confidence level (alpha-level = 0.05),
with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough
evidence to suggest that a well-defined implementation of the BYOD Security
Framework significantly reduces mobile and BYOD data security breaches, so we reject
the null hypothesis H1₀.
9.2.2 Hypothesis 2 (H2)
The second main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
mobile related wireless (Wi-Fi) security breaches? To achieve a strong degree of
statistical significance, Τb = 0.4 is taken as the minimally acceptable and
minimally significant correlation coefficient value, based on the recommendation of
Yates et al. (1993) (see table 3), which would imply a strong correlation
between a de facto implementation of the BYOD Security Framework and a significant
reduction of the corresponding security breaches. Based on this assumption, the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H2₀: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related
wireless (Wi-Fi) security breaches.
H2a: There is a significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related
wireless (Wi-Fi) security breaches.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median of the
x values was taken. While the mean and median can sometimes be the same or at
least very close, they differ greatly if the data values are clustered toward one end of
their range and/or if there are a few extreme values; this is referred to as skewness in
statistical terms. In such cases the mean can be considerably influenced by the few
extreme values and fail to represent the majority of the values in the data
set. Under these circumstances the median gives a better representation of central tendency
than the mean (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) was tested against the possible security
breaches (the y question). The resulting Kendall Τb and P-values for the relationship
between the BYOD Security Framework de facto implementation and hypothesis 2 (Q2y) are
listed in table 6.
Measure of association: Protection of resources and assets (independent variables)
  Corresponding survey questions: Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Τb: 0.467; P < 0.05?: 0.00001 (Yes)
Measure of association: Possible security breach (dependent variable)
  Corresponding survey question: Q2y How often wireless sessions to your organizational resources (network, data, applications) resulted in security breaches over the past year?
Table 6: Hypothesis 2 Results
The positive Kendall Τb value of 0.467 suggests a strong, positive
association between a well-defined implementation of the BYOD Security Framework
and a reduction of wireless (Wi-Fi) security breaches. The test of
reliability and significance was confirmed, assuming a 95% confidence level (alpha-
level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that
there is enough evidence to suggest that a well-defined implementation of the BYOD
Security Framework significantly reduces mobile and BYOD wireless (Wi-Fi) security
breaches, so we reject the null hypothesis H2₀.
9.2.3 Hypothesis 3 (H3)
The third main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
mobile related cellular security breaches? To achieve a strong degree of statistical
significance, Τb = 0.4 is taken as the minimally acceptable and minimally
significant correlation coefficient value, based on the recommendation of Yates et al. (1993) (see
table 3), which would imply a strong correlation between a de facto
implementation of the BYOD Security Framework and a significant reduction of the
corresponding security breaches. Based on this assumption, the corresponding null and
alternate hypotheses were developed from the conceptual BYOD Security Framework:
H3₀: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related
cellular security breaches.
H3a: There is a significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of mobile related
cellular security breaches.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median of the
x values was taken. While the mean and median can sometimes be the same or at
least very close, they differ greatly if the data values are clustered toward one end of
their range and/or if there are a few extreme values; this is referred to as skewness in
statistical terms. In such cases the mean can be considerably influenced by the few
extreme values and fail to represent the majority of the values in the data
set. Under these circumstances the median gives a better representation of central tendency
than the mean (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) was tested against the possible security
breaches (the y question). The resulting Kendall Τb and P-values for the relationship
between the BYOD Security Framework de facto implementation and hypothesis 3 (Q3y) are
listed in table 7.
Measure of association: Protection of resources and assets (independent variables)
  Corresponding survey questions: Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Τb: 0.342; P < 0.05?: 0.5 (No)
Measure of association: Possible security breach (dependent variable)
  Corresponding survey question: Q3y How often cellular sessions to your organizational resources (network, data, applications) resulted in security breaches over the past year?
Table 7: Hypothesis 3 Results
The positive Kendall Τb value of 0.342 suggests a moderately strong, positive
association between a well-defined implementation of the BYOD Security
Framework and a reduction of cellular security breaches. This value,
however, is less than the sought-after Τb of 0.4, which would have indicated a
strong and significant reduction of breaches; it shows a moderately strong
reduction instead. The test of reliability and significance was not confirmed, assuming a
95% confidence level (alpha-level = 0.05), with a P-value = 0.5 (Salkind, 2012). It
cannot be concluded that there is enough evidence to suggest that a well-defined
implementation of the BYOD Security Framework significantly reduces mobile and
BYOD cellular security breaches, so we reject the alternate
hypothesis H3a. It should be noted that the values still support a reduction in security
breaches, though they point to a moderate reduction.
9.2.4 Hypothesis 4 (H4)
The fourth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to rogue mobile device access? To achieve a strong degree of
statistical significance, Τb = 0.4 is taken as the minimally acceptable and
minimally significant correlation coefficient value, based on the recommendation of
Yates et al. (1993) (see table 3), which would imply a strong correlation
between a de facto implementation of the BYOD Security Framework and a significant
reduction of the corresponding security breaches. Based on this assumption, the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H4₀: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to rogue mobile devices access.
H4a: There is a significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to rogue mobile devices access.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median of the
x values was taken. While the mean and median can sometimes be the same or at
least very close, they differ greatly if the data values are clustered toward one end of
their range and/or if there are a few extreme values; this is referred to as skewness in
statistical terms. In such cases the mean can be considerably influenced by the few
extreme values and fail to represent the majority of the values in the data
set. Under these circumstances the median gives a better representation of central tendency
than the mean (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) was tested against the possible security
breaches (the y question). The resulting Kendall Τb and P-values for the relationship
between the BYOD Security Framework de facto implementation and hypothesis 4 (Q4y) are
listed in table 8.
Measure of association: Protection of resources and assets (independent variables)
  Corresponding survey questions: Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Τb: 0.431; P < 0.05?: 0.00001 (Yes)
Measure of association: Possible security breach (dependent variable)
  Corresponding survey question: Q4y How often mobile related security breaches, do you believe, may have resulted from rogue mobile devices during the past year?
Table 8: Hypothesis 4 Results
The positive Kendall Τb value of 0.431 suggests a strong, positive
association between a well-defined implementation of the BYOD Security Framework
and a reduction of security breaches related to rogue mobile device access. The test of
reliability and significance was confirmed, assuming a 95% confidence level (alpha-
level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that
there is enough evidence to suggest that a well-defined implementation of the BYOD
Security Framework significantly reduces mobile and BYOD security breaches related to
rogue mobile device access, so we reject the null hypothesis H4₀.
9.2.5 Hypothesis 5 (H5)
The fifth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
authentication related security breaches? To achieve a strong degree of statistical
significance, Τb = 0.4 is taken as the minimally acceptable and minimally
significant correlation coefficient value, based on the recommendation of Yates et al. (1993) (see
table 3), which would imply a strong correlation between a de facto
implementation of the BYOD Security Framework and a significant reduction of the
corresponding security breaches. Based on this assumption, the corresponding null and
alternate hypotheses were developed from the conceptual BYOD Security Framework:
H5₀: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of authentication
related security breaches.
H5a: There is a significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of authentication
related security breaches.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median of the
x values was taken. While the mean and median can sometimes be the same or at
least very close, they differ greatly if the data values are clustered toward one end of
their range and/or if there are a few extreme values; this is referred to as skewness in
statistical terms. In such cases the mean can be considerably influenced by the few
extreme values and fail to represent the majority of the values in the data
set. Under these circumstances the median gives a better representation of central tendency
than the mean (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q5y) are listed
in table 9.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.510 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q5y: How often has your organization had authentication breaches, during the past year? | |
Table 9: Hypothesis 5 Results
The positive value for Kendall Τb of 0.510 suggests a strong and positive association between a well-defined implementation of the BYOD Security Framework and reduction of authentication related security breaches. The test of reliability and significance was confirmed, assuming a confidence interval of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD authentication security breaches, so we reject the null hypothesis H50.
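The per-hypothesis procedure described above (median over each respondent's x answers, Kendall Τb of that score against the y answer, then the Τb ≥ 0.4 / α = 0.05 decision rule), worked through in Python as an added example. This is not the author's Minitab analysis and the survey rows are constructed; the permutation test stands in for Minitab's cross-tabulation significance test, and the recoding of y so that a higher code means fewer breaches is an assumption made so that a positive Τb reads as the page's "implementation associated with reduction of breaches".

```python
"""Per-hypothesis test: median-aggregate the x questions, then measure the
association with the y question by tie-corrected Kendall tau-b.
Added example with constructed sample data, not the dissertation's survey."""
from math import sqrt
from statistics import median
import random

# Constructed responses: one row per respondent, six framework (x) questions on a
# 1..5 scale (5 = element fully implemented). Y is the breach-frequency answer
# recoded so that a HIGHER code means FEWER breaches (assumption; this is what
# makes a positive tau-b read as "implementation reduces breaches").
X_RESPONSES = [
    [1, 1, 2, 1, 1, 2],
    [2, 1, 2, 2, 1, 2],
    [2, 2, 3, 2, 1, 2],
    [3, 2, 3, 3, 2, 3],
    [3, 3, 3, 4, 2, 3],
    [4, 3, 4, 3, 4, 3],
    [4, 4, 4, 3, 4, 5],
    [4, 4, 5, 4, 3, 4],
    [5, 4, 5, 5, 4, 5],
    [5, 5, 5, 4, 5, 5],
    [2, 3, 2, 3, 3, 2],
    [5, 5, 4, 5, 4, 4],
]
Y_RESPONSES = [1, 1, 2, 2, 3, 3, 4, 3, 5, 4, 2, 5]


def aggregate_by_median(rows):
    """Collapse each respondent's x answers to one ordinal score. The page picks
    the median over the mean because a few extreme answers would drag the mean."""
    return [median(row) for row in rows]


def kendall_tau_b(xs, ys):
    """Tie-corrected Kendall tau-b: (C - D) / sqrt((n0 - tx) * (n0 - ty)), where
    tx / ty are the numbers of pairs tied on x / on y and n0 = n(n-1)/2."""
    n = len(xs)
    concordant = discordant = tied_x = tied_y = 0
    for i in range(n):
        for j in range(i + 1, n):
            dx = xs[i] - xs[j]
            dy = ys[i] - ys[j]
            if dx == 0:
                tied_x += 1
            if dy == 0:
                tied_y += 1
            if dx != 0 and dy != 0:
                if dx * dy > 0:
                    concordant += 1
                else:
                    discordant += 1
    n0 = n * (n - 1) // 2
    denominator = sqrt((n0 - tied_x) * (n0 - tied_y))
    if denominator == 0:  # every pair tied on x or on y: no ordering to compare
        return 0.0
    return (concordant - discordant) / denominator


def permutation_p_value(xs, ys, n_perm=2000, seed=7):
    """Two-sided permutation p-value for tau-b (stand-in for the Chi-Square
    cross-tabulation test the page reports from Minitab). Seeded for
    reproducibility; the +1 keeps the estimate away from an exact zero."""
    observed = abs(kendall_tau_b(xs, ys))
    rng = random.Random(seed)
    shuffled = list(ys)
    extreme = 0
    for _ in range(n_perm):
        rng.shuffle(shuffled)
        if abs(kendall_tau_b(xs, shuffled)) >= observed:
            extreme += 1
    return (extreme + 1) / (n_perm + 1)


def decide(tau_b, p_value, min_tau=0.4, alpha=0.05):
    """The page's rule: reject the null only if tau-b clears the Yates et al.
    (1993) 0.4 threshold AND the association is significant at alpha."""
    if tau_b >= min_tau and p_value < alpha:
        return "reject null"
    return "reject alternate"


def run_hypothesis_test(x_rows=X_RESPONSES, ys=Y_RESPONSES):
    """Full pipeline for one hypothesis; returns the numbers a results table needs."""
    xs = aggregate_by_median(x_rows)
    tau = kendall_tau_b(xs, ys)
    p = permutation_p_value(xs, ys)
    return {"tau_b": tau, "p_value": p, "verdict": decide(tau, p)}


if __name__ == "__main__":
    print(run_hypothesis_test())
```

On the constructed rows the aggregated scores contain ties (two respondents share a median of 2, 3, 4 and 5), which is exactly the situation where tau-b's tie correction matters; a plain tau-a would understate the association.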
9.2.6 Hypothesis 6 (H6)
The sixth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to lost/stolen mobile devices? To achieve a strong degree of
statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and
minimally significant correlation coefficient value based on Yates et al. (1993)
recommendation (see table 3), which would necessarily imply a strong correlation
between a de facto implementation of the BYOD Security Framework and significant
reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H60: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lost/stolen mobile devices.
H6a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lost/stolen mobile devices.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q6y) are listed
in table 10.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.416 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q6y: How often security breaches from lost or stolen mobile devices affected your organization, during the past year? | |
Table 10: Hypothesis 6 Results
The positive value for Kendall Τb of 0.416 suggests a strong and positive association between a well-defined implementation of the BYOD Security Framework and reduction of security breaches related to lost or stolen mobile devices. The test of reliability and significance was confirmed, assuming a confidence interval of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD security breaches related to lost or stolen devices, so we reject the null hypothesis H60.
9.2.7 Hypothesis 7 (H7)
The seventh main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to unauthorized mobile access? To achieve a strong degree of
statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and
minimally significant correlation coefficient value based on Yates et al. (1993)
recommendation (see table 3), which would necessarily imply a strong correlation
between a de facto implementation of the BYOD Security Framework and significant
reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H70: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to unauthorized mobile access.
H7a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to unauthorized mobile access.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q7y) are listed
in table 11.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.456 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q7y: How often security breaches from unauthorized mobile devices accessing your organizational resources occurred, during the past year? | |
Table 11: Hypothesis 7 Results
The positive value for Kendall Τb of 0.456 suggests a strong and positive
association between a well-defined implementation of the BYOD Security Framework
and reduction of security breaches related to unauthorized mobile device access breaches.
The test of reliability and significance was confirmed, assuming a confidence interval of
95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be
concluded that there is enough evidence suggesting that a well-defined implementation of
the BYOD Security Framework significantly reduces security breaches related to
unauthorized mobile and BYOD access so we reject the null hypothesis H70.
9.2.8 Hypothesis 8 (H8)
The eighth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to lack of understanding of organizational security policies? To
achieve a strong degree of statistical significance it will be supposed that Τb = 0.4 is the
minimally acceptable and minimally significant correlation coefficient value based on
Yates et al. (1993) recommendation (see table 3), which would necessarily imply a strong
correlation between a de facto implementation of the BYOD Security Framework and
significant reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H80: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of understanding of organizational security policies.
H8a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of understanding of organizational security policies.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q8y) are listed
in table 12.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.492 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q8y: How often has your organization had mobile device security breaches as a result of employees’ lack of understanding of security policies, during the past year? | |
Table 12: Hypothesis 8 Results
The positive value for Kendall Τb of 0.492 suggests a strong and positive
association between a well-defined implementation of the BYOD Security Framework
and reduction of security breaches related to lack of understanding of security policies.
The test of reliability and significance was confirmed, assuming a confidence interval of
95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be
concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces security breaches related to lack of understanding of organizational security policies related to mobile and BYOD security, so we reject the null hypothesis H80.
9.2.9 Hypothesis 9 (H9)
The ninth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to lack of training and education of organizational employees?
To achieve a strong degree of statistical significance it will be supposed that Τb = 0.4 is
the minimally acceptable and minimally significant correlation coefficient value based on
Yates et al. (1993) recommendation (see table 3), which would necessarily imply a strong
correlation between a de facto implementation of the BYOD Security Framework and
significant reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H90: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of training and education of organizational employees.
H9a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of training and education of organizational employees.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q9y) are listed
in table 13.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.512 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q9y: How often has your organization had mobile device security breaches as a result of lack of education and/or mandatory security training for employees, during the past year? | |
Table 13: Hypothesis 9 Results
The positive value for Kendall Τb of 0.512 suggests a strong and positive
association between a well-defined implementation of the BYOD Security Framework
and reduction of security breaches related to lack of education and/or mandatory security
training. The test of reliability and significance was confirmed, assuming a confidence
interval of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it
can be concluded that there is enough evidence suggesting that a well-defined
implementation of the BYOD Security Framework significantly reduces mobile and
BYOD security breaches related to lack of employee education and training so we reject
the null hypothesis H90.
9.2.10 Hypothesis 10 (H10)
The tenth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to lack of awareness of organizational policies? To achieve a
strong degree of statistical significance it will be supposed that Τb = 0.4 is the
minimally acceptable and minimally significant correlation coefficient value based on
Yates et al. (1993) recommendation (see table 3), which would necessarily imply a strong
correlation between a de facto implementation of the BYOD Security Framework and
significant reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H100: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of awareness of organizational policies.
H10a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to lack of awareness of organizational policies.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q10y) are
listed in table 14.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.512 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q10y: How often has your organization had mobile related security breaches by employees who later claimed they were unaware of organizational policies, during the past year? | |
Table 14: Hypothesis 10 Results
The positive value for Kendall Τb of 0.512 suggests a strong and positive
association between a well-defined implementation of the BYOD Security Framework
and reduction of security breaches related to lack of awareness of organizational policies
by employees. The test of reliability and significance was confirmed, assuming a
confidence interval of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind,
2012). Thus, it can be concluded that there is enough evidence suggesting that a well-
defined implementation of the BYOD Security Framework significantly reduces mobile
and BYOD security breaches related to lack of employee awareness of organizational
policies so we reject the null hypothesis H100.
9.2.11 Hypothesis 11 (H11)
The eleventh main research hypothesis attempts to shed light on the following
sub-question: Can a BYOD Security Framework implementation for an enterprise reduce
document related security breaches (e.g. improper document sharing, saving, copying,
emailing, printing, and scanning of documents)? To achieve a strong degree of statistical
significance it will be supposed that Τb = 0.4 is the minimally acceptable and minimally
significant correlation coefficient value based on Yates et al. (1993) recommendation (see
table 3), which would necessarily imply a strong correlation between a de facto
implementation of the BYOD Security Framework and significant reduction of
corresponding security breaches. Based on this assumption the corresponding null and
alternate hypotheses were developed from the conceptual BYOD Security Framework:
H110: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of document related
security breaches (e.g. improper document sharing, saving, copying, emailing, printing,
and scanning of documents).
H11a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of document related
security breaches (e.g. improper document sharing, saving, copying, emailing, printing,
and scanning of documents).
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q11y) are
listed in table 15.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.450 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q11y: How often document related security breaches related to mobile devices occurred, during the past year, as a result of improper, non-existent, or unclear policies in place? (Breaches can be improper sharing, improper saving to the cloud or portable media, improper emailing, and improper printing and scanning, among other things.) | |
Table 15: Hypothesis 11 Results
The positive value for Kendall Τb of 0.450 suggests a strong and positive
association between a well-defined implementation of the BYOD Security Framework
and reduction of document related security breaches. The test of reliability and
significance was confirmed, assuming a confidence interval of 95% (alpha-level = 0.05),
with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough
evidence suggesting that a well-defined implementation of the BYOD Security
Framework significantly reduces document related mobile and BYOD security breaches
so we reject the null hypothesis H110.
9.2.12 Hypothesis 12 (H12)
The twelfth main research hypothesis attempts to shed light on the following sub-
question: Can a BYOD Security Framework implementation for an enterprise reduce
security breaches related to mobile application flaws? To achieve a strong degree of
statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and
minimally significant correlation coefficient value based on Yates et al. (1993)
recommendation (see table 3), which would necessarily imply a strong correlation
between a de facto implementation of the BYOD Security Framework and significant
reduction of corresponding security breaches. Based on this assumption the
corresponding null and alternate hypotheses were developed from the conceptual BYOD
Security Framework:
H120: There is no significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to mobile application flaws.
H12a: There is significant correlation between implementation of the BYOD
Security Framework for an enterprise and corresponding reduction of security breaches
related to mobile application flaws.
The corresponding independent (x) questions and the dependent (y) question are
listed in Appendix C. In order to aggregate the independent (x) values, the median value
of the values was taken. While the mean and median values can sometimes be the same
or at least very close, they differ greatly if data values are clustered toward one end of
their range and/or if there are a few extreme values. This is referred to as skewness in
statistical terms. In such cases, the mean can be considerably influenced by the few
extreme values, and not be representative of the majority of the values in the data
set. Under these circumstances, median gives a better representation of central tendency
than average (Frederick & Brian, 1979).
The median value of the independent (x) questions was calculated and then
statistically compared against the dependent question (y) values using the Minitab Cross
Tabulation and Chi-Square analysis; in other words, a de facto implementation of the
BYOD Security Framework (the x questions) against the possible security breaches (the
y question). The resulting Kendall Τb and P-‐values for the relationship between the
BYOD Security Framework de facto implementation and hypothesis (Q12y) are
listed in table 16.
Measure of Association | Corresponding Survey Questions | Τb | P < 0.05?
Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C) | 0.439 | 0.00001 (Yes)
Possible security breach (dependent variable) | Q12y: How often security breaches resulted from mobile application security flaws during the past year? | |
Table 16: Hypothesis 12 Results
The positive value for Kendall Τb of 0.439 suggests a strong and positive association between a well-defined implementation of the BYOD Security Framework and reduction of security breaches related to mobile application flaws. The test of reliability and significance was confirmed, assuming a confidence interval of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD security breaches related to mobile application flaws, so we reject the null hypothesis H120.
9.3 Additional Statistical Findings
In order to take into account all-encompassing views of the collected data, three further statistical operations were performed. First, the P-values for all associations were combined using the Fisher method (Fisher, 1934) for a combined P-value result of 0.000. Second, the overall median value of the independent (x) values was compared to the median value of the dependent (y) values using the Minitab Cross Tabulation and Chi-Square analysis; in effect this asks: if all the elements of the Framework are implemented, what is the impact on security breaches? The Τb value obtained was most interesting: 0.534. This not only indicates a very strong correlation between the implementation of the Framework elements and the resulting reduction in security breaches related to BYOD, but it is also larger than any of the Τb values obtained previously when individual breaches were studied (see Tables 1 – 12). This can be interpreted to mean that with a complete de facto implementation of the BYOD Security Framework, the overall security breaches related to BYOD are significantly reduced as a whole, more than by its individual parts.
Finally, a roll-up operation was performed to display the results of the study
analyses for the initial 12 high-level research hypotheses. The roll-up operation entailed
performing Fisher’s z transformation, an alternate method of averaging correlation
coefficients described by Corey et al. (1998) and studied by Fieller et al. (1957), to
average the Kendall Τb values and to provide a comprehensive overview of how applying an enterprise-wide BYOD Security Framework approach significantly reduces BYOD related security breaches. Each correlation coefficient Τb can be converted into a
Fisher’s z using equation (i) (Corey et al., 1998):
z = 0.5*ln((1 + Τb)/(1 - Τb)) (i)
The Fisher z transformation results can then be averaged and the outcome back-converted
to correlation coefficient denoted as (Τbz) using equation (ii) (Corey et al., 1998):
Τbz = (e^{2z} - 1)/(e^{2z} + 1) (ii)
For each of the 12 high-level hypotheses, this same rollup operation was performed and
the results analyzed. These results are displayed in table 17.
Hypothesis | H1 | H2 | H3 | H4 | H5 | H6
Fisher’s z | 0.382 | 0.413 | 0.293 | 0.366 | 0.448 | 0.367
Τbz | 0.364 | 0.391 | 0.285 | 0.351 | 0.420 | 0.351
Hypothesis | H7 | H8 | H9 | H10 | H11 | H12
Fisher’s z | 0.376 | 0.433 | 0.453 | 0.436 | 0.387 | 0.393
Τbz | 0.359 | 0.408 | 0.424 | 0.410 | 0.369 | 0.374
Table 17: Fisher’s z and calculated Τbz Values for H1 – H12
As an example, consider hypothesis H5: BYOD Security Framework implementation for an enterprise reduces authentication related security breaches. The Τbz value of 0.420 suggests a
strong and positive association between implementation of all the BYOD Security
Framework elements and the corresponding reduction of authentication related security
breaches as stated in hypothesis H5. Overall, the Τbz values indicate moderately strong to
strong positive associations between a well-defined implementation of the BYOD
Security Framework elements and the overall reduction of BYOD related security
breaches. Furthermore, the overall calculated P-value of 0.000 using the Fisher method
discussed previously indicates that a statistically significant relationship exists between a
well-defined implementation of the framework elements and reduction of BYOD related
breaches. Based on these analyses and the previously discussed Τb associations, we
conclude that the BYOD Security Framework is valid and its implementation in the
enterprise would significantly reduce BYOD related security breaches.
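Equations (i) and (ii) and the Fisher method for combining P-values, as an added Python example (not the dissertation's Minitab workflow, and not its data). The Τb inputs in the demo are constructed; the only page values used are two Fisher's z entries from Table 17, which the back-conversion in equation (ii) reproduces. The chi-square tail probability uses the closed form for even degrees of freedom, which is all Fisher's method ever needs.

```python
"""Roll-up of correlation coefficients via Fisher's z (equations (i) and (ii))
and combination of per-hypothesis P-values by Fisher's method (1934).
Added example; inputs in demo() are constructed, not the study's data."""
from math import exp, log


def fisher_z(tau_b):
    """Equation (i): z = 0.5 * ln((1 + tau_b) / (1 - tau_b)). Valid for |tau_b| < 1."""
    return 0.5 * log((1 + tau_b) / (1 - tau_b))


def z_to_tau(z):
    """Equation (ii): back-convert a (possibly averaged) z to a coefficient tau_bz."""
    return (exp(2 * z) - 1) / (exp(2 * z) + 1)


def rollup_tau_b(tau_bs):
    """Average coefficients in z-space and back-convert (the Corey et al. roll-up).
    Averaging in z-space rather than directly avoids the compression of the
    correlation scale near +/-1."""
    mean_z = sum(fisher_z(t) for t in tau_bs) / len(tau_bs)
    return z_to_tau(mean_z)


def chi2_sf_even_df(x, df):
    """Upper-tail probability P(X > x) for a chi-square variable with EVEN df:
    exp(-x/2) * sum_{i=0}^{k-1} (x/2)^i / i!, with k = df/2.  Fisher's method
    always produces df = 2k, so no general incomplete-gamma routine is needed."""
    k = df // 2
    half = x / 2.0
    term = total = 1.0
    for i in range(1, k):
        term *= half / i
        total += term
    return exp(-half) * total


def fisher_combined_p(p_values):
    """Fisher's method: X = -2 * sum(ln p_i) follows chi-square with 2k df under
    the joint null that none of the k associations is real."""
    statistic = -2.0 * sum(log(p) for p in p_values)
    return chi2_sf_even_df(statistic, 2 * len(p_values))


def demo():
    """Constructed per-question tau-b values for one hypothesis, rolled up, and
    constructed per-hypothesis P-values combined. Values are illustrative only."""
    per_question_tau = [0.52, 0.38, 0.47, 0.41, 0.55, 0.33]
    per_hypothesis_p = [0.00001] * 5 + [0.5]  # one clearly non-significant test
    return {
        "rolled_up_tau_bz": rollup_tau_b(per_question_tau),
        "combined_p": fisher_combined_p(per_hypothesis_p),
    }


if __name__ == "__main__":
    print(demo())
```

Note that Fisher's method is sensitive to the small P-values in the set: one non-significant test (0.5) among five highly significant ones does not pull the combined P-value anywhere near 0.05, which is why the combined figure says little about any single hypothesis on its own.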
9.4 Summary of Data Analysis
The following table summarizes the hypotheses and the resulting data analysis. If a Τb was greater than 0.4, then according to Yates et al. (1993), the correlation is a strong one; values between 0.3 and 0.4 indicate a moderately strong correlation.
Hypothesis: Significant Reduction in | Kendall Τb | Significant? (P < 0.05) | Null/Alternate
H1: Data breach | 0.427 | Yes (P < 0.00001) | Reject null
H2: Wireless breach | 0.467 | Yes (P < 0.00001) | Reject null
H3: Cellular breach | 0.342 | Yes (P = 0.5) | Reject alternate
H4: Rogue device breach | 0.472 | Yes (P < 0.00001) | Reject null
H5: Authentication breach | 0.510 | Yes (P < 0.00001) | Reject null
H6: Lost/Stolen device breach | 0.416 | Yes (P < 0.00001) | Reject null
H7: Unauthorized access breach | 0.456 | Yes (P < 0.00001) | Reject null
H8: Confusion over policy breach | 0.492 | Yes (P < 0.00001) | Reject null
H9: Lack of training breach | 0.512 | Yes (P < 0.00001) | Reject null
H10: Lack of awareness breach | 0.512 | Yes (P < 0.00001) | Reject null
H11: Document related breach | 0.450 | Yes (P < 0.00001) | Reject null
H12: Application (app) flaw breach | 0.439 | Yes (P < 0.00001) | Reject null
Table 18: Summary of Τb values and rejection of null/alternate hypotheses
10 Conclusions and Recommendations
10.1 Overview
This dissertation fills a gap in the academic literature and contributes to the
security engineering and engineering management body of knowledge by providing a
practical framework for secure implementation of personal mobile devices or BYOD.
The strategies, policy management, and technology integration processes presented in the
BYOD Security Framework form an enhanced security management system for
deployment of BYOD. The analyses of the twelve research hypotheses demonstrate that
a BYOD strategy is achievable via the use of the BYOD Security Framework resulting in
sustained productivity improvement at the enterprise.
10.2 Summary of Key Research Parameters
The first research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of authentication related security breaches”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting mobile related data security breaches are reduced significantly (tau = 0.427). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The second research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-Fi) security breaches”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting Wi-Fi related data security breaches are reduced significantly (tau = 0.467). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The third research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related cellular security breaches”, is not supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting cellular related data security breaches are reduced moderately strongly (tau = 0.342) but not significantly (i.e. not very strongly). The P value of 0.5 further confirms this conclusion.
The fourth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to rogue mobile devices access”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting rogue mobile access related data security breaches are reduced significantly (tau = 0.431). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The fifth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of authentication related security breaches”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting authentication related data security breaches are reduced significantly (tau = 0.510). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The sixth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lost/stolen mobile devices”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting lost/stolen device related data security breaches are reduced significantly (tau = 0.416). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The seventh research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to unauthorized mobile access”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting unauthorized mobile access related data security breaches are reduced significantly (tau = 0.456). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The eighth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of understanding of organizational security policies”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting data security breaches related to lack of understanding of organizational security policies are reduced significantly (tau = 0.492). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The ninth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of training and education of organizational employees”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting data security breaches related to lack of employee training are reduced significantly (tau = 0.512). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The tenth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of awareness of organizational policies”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting data security breaches related to employees' lack of awareness of organizational policies are reduced significantly (tau = 0.512). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The eleventh research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents)”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting document related data security breaches are reduced significantly (tau = 0.450). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
The twelfth research hypothesis, which claims that “There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to mobile application flaws”, is supported by the results of the Kendall Tau analysis. The results showed that, given a de facto implementation of the BYOD Security Framework, the resulting data security breaches related to mobile application flaws are reduced significantly (tau = 0.439). The results indicate a very strong correlation between the implementation of the framework elements and significant reduction of data breaches related to personal mobile devices. The P value of less than 0.00001 further confirms this conclusion.
10.3 Conclusions
The main inspiration behind this research was the author's experience in the world of security and security management and his curiosity about the lack of any kind of comprehensive solution to the security of personal mobile devices in the workplace. Upon further research through the literature, along with personal interviews with industry experts, CIOs, and academia, it became clear that comprehensive solutions are not available for securing personal mobile devices on enterprise networks. Interestingly, the literature offers a good deal of expertise on the problems, issues, and concerns regarding mobile security and BYOD while failing to provide a comprehensive solution. Certainly, it is possible to build a reasonably secure mobile device, just as it is possible to build a reasonably secure desktop, but this security comes at the expense of functionality (Michael & Viega, 2010). This defeats the appeal that mobile devices have for their owners. Jansen suggests user interface plugins, encryption, and policy incorporation (Jansen et al., 2004), but most of what is proposed applies to managed, company-owned devices circa 2003 and does not apply to today's post Apple iOS and Google Android based BYOD that permeate all aspects of society.
The purpose of this research was to address the security concerns that arise from allowing and/or implementing BYOD in an organization and to contribute to the body of knowledge by proposing a solution in the form of a validated framework. The BYOD Security Framework was presented as having seven necessary stages encompassing the BYOD Security Lifecycle's four mandatory stages. These stages are Plan, Identify, Protect, Detect, Respond, Recover, and Assess/Monitor. The quantitative research following the framework included a survey questionnaire to collect qualitative insights into the factors that determine a secure implementation of a BYOD program as outlined in the BYOD Security Framework. More specifically, the statistical results showed with a reasonable degree of confidence that an organization having de facto implemented the BYOD Security Framework would significantly reduce associated BYOD security breaches. This framework was developed and statistically validated as a proposed solution to securely implementing a BYOD program in the enterprise. A security team can use the framework's seven stages and the BYOD Security Lifecycle in their organizational BYOD program to achieve their objectives while mitigating risk in a clear and well-defined manner. In the often-chaotic world of BYOD, this framework serves as an exceptional and well-defined tool to be used by security teams and practitioners.
The twelve main hypotheses in this dissertation address the basic research question of whether implementation of the BYOD Security Framework significantly reduces breaches related to personal mobile devices. A not so unexpected benefit of implementing the BYOD Security Framework, and thus having a mobile program in the enterprise, is increased productivity. While this is a side benefit of the framework, it is worthy of mention. Consider Intel Corporation, which started its BYOD program in 2008; by the end of 2012 more than 23,000 employees had been enrolled in its program. Intel's IT department created a cloud which provided access to company services and resources. Employees recounted that they each saved 57 minutes daily on average in 2012, corresponding to a productivity gain of five million hours for 2012 (Intel, 2014). The elements of the BYOD Security Framework that are in Intel's BYOD program are:
• Device registration
• Employee training and usage agreement
• Data protection via policies and encryption
• Security enforcement policies such as monitoring devices and mandatory wipes
• Expected device support levels from Intel
• Compliance with Intel’s policies and code of conduct
• Software application restriction on devices
• Application approval process
While these elements are only a portion of the presented framework, the productivity impact that just this subset of the framework brings should be clear, combined with an apparent level of security, as Intel has not reported any major security breaches related to its BYOD program.
BYOD can provide an exceptional landscape to be explored and can be especially worthy for an organization's bottom line (Caldwell, Zeltmann, & Griffin, 2012). The research concludes that a well-defined and well-managed BYOD approach based on a balanced combination of technology and policy management, as laid out in the BYOD Security Framework, allows for preservation of a desired level of security while offering many benefits of BYOD to an organization.
10.4 Research Caveats and Recommendations
Mobile security, and in particular BYOD, have become such an integral part of everyday life that a new term has been coined to describe the phenomenon: consumerization, a word that is not yet in any dictionary or, for that matter, the Microsoft Word spell checker. From apps that are designed to help handicapped people, to those helping doctors and engineers, to those for teachers and education, those used by banks and financial institutions, those for hospitality, entertainment, games for all ages, and even apps for measuring our heart rates and sleep patterns, the personal smartphone is everywhere and used by all. It should be clear that a single security process or guideline is not sufficient for every organization or even a single type of organization. Each enterprise has its own business needs, policies, and risk level, and each would need to customize its own security framework. The BYOD Security Framework serves as an excellent foundation and starting point for further research and improvement of security for a particular area. Further research into each specific area of interest can build on the BYOD Security Framework. For example, security researchers interested in the health industry can start their research with the BYOD Security Framework and fine-tune and extend its principles with an eye towards practical and secure implementation of personal mobile devices in the healthcare industry. The same can be said for architectural organizations, colleges and universities, schools, manufacturing, software developers, and any other area of need. Researchers focused on one particular area can become more granular in their approaches, presenting more specific solutions to the use of BYOD within the confines of their particular area. More specifically, the study conducted for this dissertation offers the following areas of opportunity for future systems engineering and engineering management research:
1. Custom secure app development and operating system extensions for unifying
existing legacy system interfaces on personal mobile devices
2. BYOD secure packaged application developments for small to mid-size
businesses that are easily integrated. These can be decentralized and thus not
require the overhead of having central servers yet providing security for data in
transit and data in place
3. Specific policy development based on the BYOD Framework for various industry
sectors such as healthcare, education, IT, etc. that provide out of the box policy
solutions for BYOD
4. General and industry-specific training modules and processes focused on
educating users in a BYOD environment
5. Further research in the areas that build on BYOD, namely Bring Your Own Service (BYOS) and Bring Your Own Apps (BYOA), and how they should be integrated with the BYOD Security Framework. BYOS consists of employees using their own devices (BYOD) to do company work but also using their own choice of services such as VPN and cloud services. BYOA consists of employees using their BYOD to do company work using custom apps developed by themselves or developed by a third party which the user contracted to develop the custom app
There are many other research venues, of course, but these are some practical ones to start with. The last research area on this list, namely BYOS and BYOA, presents excellent research opportunities for making BYOD a truly enterprise-grade and productive paradigm for the near and distant future.
11 References
[1] Absalom, R. (2012). International Data Privacy Legislation Review: A Guide for
BYOD Policies.
[2] Ackerman, E. (2013). The bring-your-own-device dilemma [Resources At Work].
Spectrum, IEEE, 50(8).
[3] Alberts, C. J., & Dorofee, A. J. (2010). Risk Management Framework: DTIC
Document.
[4] Albrechtsen, E. (2007). A qualitative study of users' view on information security.
Computers & Security, 26(4), 276-289. doi:
http://dx.doi.org/10.1016/j.cose.2006.11.004
[5] Albrechtsen, E., & Hovden, J. (2009). The information security digital divide
between information security managers and users. Computers & Security, 28(6), 476-
490. doi: http://dx.doi.org/10.1016/j.cose.2009.01.003
[6] Alreck, P. L., & Settle, R. B. (1985). The survey research handbook (p. 146).
Homewood, IL: Irwin.
[7] Anderson, E. E., & Choobineh, J. (2008). Enterprise information security strategies.
Computers & Security, 27(1–2), 22-29. doi:
http://dx.doi.org/10.1016/j.cose.2008.03.002
[8] Arbaugh, W. A. (2003). Wireless security is different. Computer, 36(8), 99-101.
[9] Armerding, T. (2013). The Department of Homeland Security and its obsolete Android OS problem, 2013, from http://www.csoonline.com/article/742371/the-department-of-homeland-security-and-its-obsolete-android-os-problem?source=CSONLE_nlt_update_2013-11-03
[10] Ballenstedt, B. (2013). Study Predicts BYOD Boom by 2016 Retrieved May 23,
2013, from http://www.nextgov.com/cio-briefing/wired-workplace/2013/05/study-
predicts-byod-boom-2016/62990/
[11] Banuri, H., Alam, M., Khan, S., Manzoor, J., Ali, B., Khan, Y., . . . Zhang, X. (2012).
An Android runtime security policy enforcement framework. Personal and
Ubiquitous Computing, 16(6), 631-641. doi: 10.1007/s00779-011-0437-6
[12] Baskerville, R. (1993). Information systems security design methods: implications for
information systems development. ACM Computing Surveys, 25(4), 375-414. doi:
10.1145/162124.162127
[13] Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., & Wolf, C.
(2011). Mobile security catching up? revealing the nuts and bolts of the security of
mobile devices. Paper presented at the Security and Privacy (SP), 2011 IEEE
Symposium on.
[14] Benefits of Enabling Personal Handheld Devices in the Enterprise. (n.d.). Retrieved
21 July 2015, from http://www.intel.co.uk/content/www/uk/en/it-leadership/intel-it-it-
leadership-benefits-of-enabling-personal-handheld-devices-in-the-enterprise-
practices.html
[15] Bernard, H. R. (1988). Research methods in cultural anthropology (p. 117). Newbury
Park, CA: Sage.
[16] Bishop, M. (2003). What is computer security? Security & Privacy, IEEE, 1(1), 67-
69.
[17] Burt, J. (2011). BYOD trend pressures corporate networks. eweek, 28(14), 30-31.
[18] Caldwell, C., Zeltmann, S., & Griffin, K. (2012, July). BYOD (bring your own
device). In Competition Forum (Vol. 10, No. 2, p. 117). American Society for
Competitiveness.
[19] Choo, K.-K. R. (2011). The cyber threat landscape: Challenges and future research
directions. Computers & Security, 30(8), 719-731. doi:
http://dx.doi.org/10.1016/j.cose.2011.08.004
[20] Choras, M. (2013). Comprehensive approach to information sharing for increased
network security and survivability. Cybernetics and Systems, 44(6-7), 550-568. doi:
10.1080/01969722.2013.818433
[21] Coles-Kemp, L. (2009). Information security management: An entangled research
challenge. Information Security Technical Report, 14(4), 181-185.
[22] Corey, D. M., Dunlap, W. P., & Burke, M. J. (1998). Averaging correlations:
Expected values and bias in combined Pearson rs and Fisher's z transformations. The
Journal of general psychology, 125(3), 245-261.
[23] Creswell, J. W., & Clark, V. L. P. (2007). Designing and conducting mixed methods
research.
[24] Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle, B. S. (2014). Understanding Compliance with BYOD (Bring Your Own Device) Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap. Journal of Information Systems.
[25] Dodd, C. (2013). Pros and Cons of Bring Your Own Device Retrieved May 25,
2013, 2013, from http://turbinehq.com/2013/bring-your-own-device/
[26] Fayad, M., & Schmidt, D. C. (1997). Object-oriented application frameworks.
Communications of the ACM, 40(10), 32-38.
[27] Fieller, E. C., & Pearson, E. S. (1961). Tests for rank correlation coefficients: II.
Biometrika, 29-40.
[28] Finn M. Halvorsen, O. H., Martin Eian, Stig F. Mjolsnes. An Improved Attack on
TKIP. Trondheim, Norway: Norwegian University of Science and Technology.
[29] Finneran, M. (2012). Mobile Security Gaps Abound. Informationweek, 26-29.
[30] Fisher, R. A. (1934). Statistical methods for research workers.
[31] Forcht, K. A., & Ayers, W. C. (2000). Developing a computer security policy for
organizational use and implementation. Journal of Computer Information Systems,
41(2), 52-57.
[32] Frederick, H. and E. D. Brian (1979). Exploratory Data Analysis, Sage.
[33] Rowsell-Jones, A., Jones, N. (2012). Checklist for Determining Enterprise Readiness
to Support Employee-Owned Devices [Research]. Gartner (G00234127)
[34] Ghosh, A., Gajar, P. K., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4), 62-70.
[35] Girard, J. (2013). Top Seven Failures in Mobile Device Security [Research]. Gartner
(G00246862)
[36] Girard, J. (2011). Seven Steps to Planning and Developing a Superior Mobile Device
Policy [Research]. Gartner (G00225405)
[37] Godlove, T. (2012). Examination of the factors that influence teleworkers' willingness
to comply with information security guidelines. Information Security Journal, 21(4),
216-229. doi: 10.1080/19393555.2012.668747
[38] Goedert, J. (2013). Mobile device management software: the answer to BYOD?
Health data management, 21(2), 32, 34, 36 passim.
[39] Greengard, S. (2014, July 7). Missing in Action: BYOD Security. Retrieved July 30,
2014, from http://www.cioinsight.com/blogs/missing-in-action-byod-security.html
[40] Halpert, B. (2004). Mobile device security. Paper presented at the Proceedings of the
1st annual conference on Information security curriculum development, Kennesaw,
Georgia.
[41] Hayes, J. (2012). The device divide. Engineering & Technology, 7(9), 76-78.
[42] Hays, W. L. (1960). A note on average tau as a measure of concordance. Journal of
the American Statistical Association, 55(290), 331-341.
[43] Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for
information security management. The Journal of Strategic Information Systems,
20(4), 373-384. doi: http://dx.doi.org/10.1016/j.jsis.2011.06.001
[44] Howard, M., & Lipner, S. (2009). The security development lifecycle. O'Reilly
Media, Incorporated.
[45] Ifinedo, P. (2012). Understanding information systems security policy compliance:
An integration of the theory of planned behavior and the protection motivation
theory. Computers & Security, 31(1), 83-95. doi:
http://dx.doi.org/10.1016/j.cose.2011.10.007
[46] Intel. (2013). Accelerating Business Growth through IT. Retrieved from
http://www.intel.com/content/dam/www/public/us/en/documents/reports/2012-2013-
intel-it-performance-report.pdf
[47] Janessa Rivera, R. v. d. M. (2013). Gartner Predicts by 2017, Half of Employers will
Require Employees to Supply Their Own Device for Work Purposes. Stamford, CT:
Gartner.
[48] Jansen, W. A., Gavrila, S. I., Korolev, V., Heute, T., & Séveillac, C. (2004, June). A
Unified Framework for Mobile Device Security. In Security and Management (pp. 9-
14).
[49] Jaramillo, D., Katz, N., Bodin, B., Tworek, W., Smart, R., & Cook, T. (2013).
Cooperative solutions for bring your own device (BYOD). IBM Journal of Research
and Development, 57(6), 5-1.
[50] Jarvelainen, J. (2013). IT incidents and business impacts: Validating a framework for
continuity management in information systems. doi: 10.1016/j.ijinfomgt.2013.03.001
[51] Jones, J. (2012, 2 Aug 2012). BYOD: Organizations Question Risk vs. Benefit.
BYOD, from http://blogs.technet.com/b/security/archive/2012/08/02/byod-
organizations-question-risk-vs-benefit.aspx
[52] Keith W. Miller, J. V., George F. Hurlburt. (2012). BYOD: Security and Privacy
Consideration. IEEE, 14(5), 53-55. doi: 10.1109/MITP.2012.93
[53] Knapp, K. J., Franklin Morris Jr, R., Marshall, T. E., & Byrd, T. A. (2009).
Information security policy: An organizational-level process model. Computers &
Security, 28(7), 493-508. doi: http://dx.doi.org/10.1016/j.cose.2009.07.001
[54] Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in
computer and information security: Pathways to vulnerabilities. Computers &
Security, 28(7), 509-520. doi: http://dx.doi.org/10.1016/j.cose.2009.04.006
[55] Loucks, J., Medcalf, R., Buckalew, L., & Faria, F. (2013). The Financial Impact of
BYOD. Retrieved from http://www.cisco.com/web/about/ac79/docs/re/byod/BYOD-
Economics_Econ_Analysis.pdf.
[56] Lu, W. P., & Sundareshan, M. K. (1990). A model for multilevel security in computer
networks. IEEE Transactions on Software Engineering, 16(6), 647-659. doi:
10.1109/32.55093
[57] Malin, A. (2007). Designing networks that enforce information security policies.
Information Systems Security, 16(1), 47-53. doi: 10.1080/10658980601051490
[58] Manley, M. E., McEntee, C. A., Molet, A. M., & Park, J. S. (2005). Wireless security
policy development for sensitive organizations. Paper presented at the 6th Annual
IEEE System, Man and Cybernetics Information Assurance Workshop, SMC 2005,
June 15, 2005 - June 17, 2005, West Point, NY, United states.
[59] Mansfield-Devine, S. (2012). Interview: BYOD and the enterprise network.
Computer Fraud & Security, 2012(4), 14-17.
[60] Mansfield-Devine, S. (2014). Majority Of Organizations Have No BYOD Policies.
(2014) Retrieved 10/14, 2014, from http://www.tripwire.com/state-of-security/top-
security-stories/majority-of-organizations-have-no-byod-policies-2/
[61] Marsa-Maestre, I., De La Hoz, E., Gimenez-Guzman, J. M., & Lopez-Carmona, M.
A. (2013). Design and evaluation of a learning environment to effectively provide
network security skills. Computers and Education, 69, 225-236. doi:
10.1016/j.compedu.2013.07.022
[62] Martinez-Moyano, I. J., Conrad, S. H., & Andersen, D. F. (2011). Modeling
behavioral considerations related to information security. Computers & Security,
30(6–7), 397-409. doi: http://dx.doi.org/10.1016/j.cose.2011.03.001
[63] McGee, A. R., Coutiere, M., & Palamara, M. E. (2012). Public safety network
security considerations. Bell Labs Technical Journal, 17(3), 79-86. doi:
10.1002/bltj.21559
[64] Michael, B., & Viega, J. (2010). Mobile device security. IEEE Security & Privacy,
8(2), 0011-12.
[65] Michael, K. (2012). Security Risk Management: Building an Information Security
Risk Management Program from the Ground Up. Computers & Security, 31(2), 249-
250. doi: http://dx.doi.org/10.1016/j.cose.2011.12.011
[66] Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: security and privacy
considerations. IT Professional, 14(5), 0053-55.
[67] Morrow, B. (2012). BYOD security challenges: control and protect your most
sensitive data. Network Security, 2012(12), 5-8.
[68] Moyer, J. E. (2013). Managing Mobile Devices in Hospitals: A Literature Review of
BYOD Policies and Usage. Journal of Hospital Librarianship, 13(3), 197-208.
[69] Parker, D. B., & Parker, D. (1976). Crime by computer: Scribner New York.
[70] Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. Determining
employee awareness using the Human Aspects of Information Security Questionnaire
(HAIS-Q). Computers & Security(0). doi:
http://dx.doi.org/10.1016/j.cose.2013.12.003
[71] Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the
abusive insider: An examination of insiders’ causal reasoning following internal
security changes. Computers & Security, 30(6–7), 486-497. doi:
http://dx.doi.org/10.1016/j.cose.2011.05.002
[72] Posthumus, S., & Von Solms, R. (2004). A framework for the governance of
information security. Com
[73] Pros and cons of ‘Bring Your Own Device’ (BYOD). (2013, March 19). Retrieved 21
August 2015, from http://turbinehq.com/2013/bring-your-own-device/
[74] Rhee, H.-S., Ryu, Y. U., & Kim, C.-T. (2012). Unrealistic optimism on information
security management. Computers and Security, 31(2), 221-232. doi:
10.1016/j.cose.2011.12.001
[75] Rivera, D., George, G., Peter, P., Muralidharan, S., & Khanum, S. (2013). Analysis of
Security Controls for BYOD (Bring your own Device).
[76] Roberts, P. (2013). If iOS is Less Secure, Why Does Android Get Attacked? All Things Security. Retrieved May 23, 2013, from http://www.veracode.com/blog/2013/04/if-ios-is-less-secure-why-does-android-get-attacked/
[77] Rouse, M. (2013). Mobile Device Management Systems Retrieved July 14, 2013,
from http://searchmobilecomputing.techtarget.com/definition/mobile-device-
management
[78] Ryan, J. J. C. H., Mazzuchi, T. A., Ryan, D. J., Lopez de la Cruz, J., & Cooke, R.
(2012). Quantifying information security risks using expert judgment elicitation.
Computers & Operations Research, 39(4), 774-784. doi:
http://dx.doi.org/10.1016/j.cor.2010.11.013
[79] Salkind, N. J. (2012). Statistics for People who (think They) Hate Statistics: Excel
2010 Edition. Sage.
[80] Scarfo, A. (2012, November). New security perspectives around BYOD. In
Proceedings of the 2012 Seventh International Conference on Broadband, Wireless
Computing, Communication and Applications (pp. 446-451). IEEE Computer
Society.
[81] Schreuders, Z. C., McGill, T., & Payne, C. (2013). The state of the art of application
restrictions and sandboxes: A survey of application-oriented access controls and their
shortfalls. Computers & Security, 32(0), 219-241. doi:
http://dx.doi.org/10.1016/j.cose.2012.09.007
[82] Security, S. (2013). Mobile Device Security Implementation Plan Statistics.
[83] Siegel, S. (1956, 1988). Nonparametric statistics for the behavioral sciences.
[84] Singh, N. (2012). BYOD Genie Is Out Of the Bottle–“Devil Or Angel”. Journal of Business Management & Social Sciences Research, 1(3), 1-12.
[85] Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270. doi: http://dx.doi.org/10.1016/j.im.2008.12.007
[86] Siponen, M., Adam Mahmood, M., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224. doi: http://dx.doi.org/10.1016/j.im.2013.08.006
[87] Son, J. Y. (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48(7), 296-302.
[88] Stricklen, M., McHale, T., Caminetsky, M., & Reddy, V. (2007). Mobile device management. Google Patents.
[89] Stytz, M. R. (2004). Considering defense in depth for software applications. Security & Privacy, IEEE, 2(1), 72-75.
[90] Tang, W. K. (2003). The Effect of WLAN Security Evolution on Home, Enterprise and Hotspots Market. SANS Institute. Retrieved from http://www.giac.org/paper/gsec/3606/effect-wlan-security-evolution-home-enterprise-hotspots-market/105865
[91] Thayer, R. (1998). Network security: Locking in to policy. Data Communications International, 27(4), 77-80.
[92] Thomson, G. (2012). BYOD: enabling the chaos. Network Security, 2012(2), 5-8. doi: http://dx.doi.org/10.1016/S1353-4858(12)70013-2
[93] Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, 2013(4), 12-13.
[94] United States. National Institute of Standards and Technology. (June 20, 2007). National Vulnerability Database Common Vulnerability Scoring System Support v2. Retrieved December 30, 2013, from http://nvd.nist.gov/cvss.cfm
[95] US DoD. (2013). Mobile Operating System Security Requirements Guide. Retrieved December 30, 2013, from http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
[96] Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3–4), 190-198. doi: http://dx.doi.org/10.1016/j.im.2012.04.002
[97] Von Solms, B. (2000). Information Security — The Third Wave? Computers & Security, 19(7), 615-620. doi: http://dx.doi.org/10.1016/S0167-4048(00)07021-8
[98] Von Solms, B. (2006). Information Security – The Fourth Wave. Computers & Security, 25(3), 165-168. doi: http://dx.doi.org/10.1016/j.cose.2006.03.004
[99] Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376. doi: http://dx.doi.org/10.1016/j.cose.2004.05.002
[100] Von Solms, S. (2005). Information security governance–compliance management vs operational management. Computers & Security, 24(6), 443-447.
[101] Wang, Y., Wei, J., & Vangury, K. (2014, January). Bring your own device security issues and challenges. In Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th (pp. 80-85). IEEE.
[102] West, D. (2012). How mobile devices are transforming healthcare. Issues in Technology Innovation, 18, 1-14.
[103] Whiteside, T. (1978). Computer capers: Tales of electronic thievery, embezzlement, and fraud. Crowell.
[104] Willis, D. A. (2013). Bring Your Own Device: The Facts and the Future. [Research]. Gartner (G2422315), 1-15.
[105] Wong, S. (2003). The evolution of wireless security in 802.11 networks: WEP, WPA and 802.11 standards. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/wireless/evolution-wireless-security-80211-networks-wep-wpa-80211-standards-1109
[106] Yates, P. M., Beadle, G., Clavarino, A., Najman, J. M., Thomson, D., Williams, G., ... & Schlect, D. (1993). Patients with terminal cancer who use alternative therapies: Their beliefs and practices. Sociology of Health & Illness, 15(2), 199-216.
[107] Young, K. (2010). Policies and procedures to manage employee Internet abuse. Computers in Human Behavior, 26(6), 1467-1471. doi: http://dx.doi.org/10.1016/j.chb.2010.04.025
[108] Young, M. (2002). Policy-based network management: finally? Business Communications Review, 32(8), 48-51.
[109] Zaiontz, C. (n.d.). Real Statistics Using Excel. Retrieved 6 October 2015, from http://www.real-statistics.com
12 Appendix A – Checklist for Determining Enterprise Readiness for BYOD
The following table is a high-level checklist for implementing BYOD. It can be used alongside the BYOD Security Framework (Rowsell-Jones & Jones, 2012).

Step | Key Deliverable
1 Deciding on BYOD strategy | Determination of which approach to adopt to BYOD
1.1 Perform a high-level BYOD problem analysis to scan for showstoppers |
1.2 Validate the program and define the goals | Evidence and goals for supporter and stakeholders
1.3 Describe the scope and identify the supporter | Commission the BYOD program, definition of goals, and identity of supporters
1.4 Identify stakeholders and solicit input | List of stakeholders and the issues/concerns that impact them
2 Grouping employees and outlining support and access for each | Segmentation of employees into multiple groups and a package of policies and technologies for each
2.1 Define employee groups | Employee roles/needs matrix and a list of applications/services to be supported on BYOD devices
2.2 Assess employee information sensitivity for each group | Roles/needs matrix noted with the sensitivity of information handled by employee roles
2.3 Ascertain the provision and security options for apps and services for each group | List of preferences to deliver each key app or service onto a BYOD device along with management and security instruments
2.4 Create scenarios for device/user/application management rules for each group | Potential packages of policies and technologies to tackle the needs of particular employee roles
2.5 Choose a scenario for operation for each group | Meticulous proposition for the preferred principal scenario
3 Execution Planning | Range of Tools, Network Services, Funding Models
3.1 Pick the tools and technologies | Catalog of tools for application provisioning, device administration, virtual desktop, and security
3.2 Define the networking and connectivity strategy | List of network services and providers, and a technical and financial policy for each supported network type
3.3 Delineate the application management and licensing policy | Recommendations and policies for application licensing, management, sourcing, and finance
3.4 Define and refine the economic aspects and create a cost model | Proposed compensation plans, expected costs, and a total cost of ownership model
3.5 Determine the user education and training requirements | Education and training material for proper use of BYOD over the organizational assets
3.6 Identify qualified users | List of users participating in the BYOD program and aligned management approval for their participation
3.7 Conduct risk analysis | Justification alongside business process, social, data security, and financial risks
4 Program Setup | Staged Endorsement for BYOD Program
4.1 Design a comprehensive program application for stakeholder sign-off | Detailed program descriptions for stakeholder approval
4.2 Coach stakeholders and ensure their sign-off | Approval from stakeholders and supporters
4.3 Create policies and procedures | Internal policy documents, processes, user BYOD contracts and agreements
4.4 Define support procedures and processes | Supported principles, processes, and budgets
4.5 Attain external stakeholder deliverables | External policy documents (e.g. legal language for contracts, finance policies)
4.6 Develop instructional material | Teaching and training material on proper use of BYOD, appropriate connection to resources, and policy adherence
4.7 Select users and obtain agreements | Catalog of participants and signed user agreements
4.8 Rollout user training | Rollout of training material on proper use of BYOD, appropriate connection to resources, and policy adherence
5 Proof of Concept | Successful Pilot
5.1 Pilot the BYOD program | Updated program deliverables addressing concerns identified in the pilot
6 Implementation | BYOD Program Rollout
6.1 Rollout the program | Educated users, support staff, managers, and new and updated devices
7 Program Renewal | Periodic BYOD Health Check
7.1 Monitor and evolve the BYOD program | 12-month review of BYOD user satisfaction, risk, value, and all needed corrective actions
Table 19: BYOD Organizational Readiness Checklist
13 Appendix B – MDM Standard Capabilities Starter Template
The following table is a non-exhaustive Mobile Device Management (MDM) Standard Capabilities Starter Template. Organizations should carefully consider adding additional capabilities to this list as they are warranted, with an eye towards risk and added value.

Feature Area: Application Management
• List authorized applications based upon user groups
• Install and remove applications
• Enable and disable applications
• Remove managed applications
• Update applications
• Install certificates
• Enable/Prevent user from uninstalling applications
• Check to ensure required applications are installed
• Check if application is currently running
• Add/Remove applications from whitelist/blacklist
• Wipe application data

Feature Area: Configuration Management
• Enable/Disable camera and microphone
• Allow automatic synchronization while roaming
• Disable push while roaming
• Remove managed Exchange account and data
• Enable/Disable Wi-Fi
• Control access points
• Enable/Disable Bluetooth
• Start/Stop Bluetooth discovery

Feature Area: Exchange Server
• Configure Active Sync
• Create new Exchange account
• Set Exchange account display name
• Set Exchange account sync interval
• Set Exchange account protocol version
• Set Exchange account sender name
• Set Exchange account sender signature

Feature Area: Password Policy
• Allow simple passwords
• Require alphanumeric values for password
• Enforce minimum password length
• Enforce maximum password age
• Enforce minimum password complexity
• Enforce password history
• Get device password
• Set device password
• Set maximum number of failed login attempts before device wipe

Feature Area: Security Management
• Remote lock and unlock
• Remote wipe
• Remote reset
• Remove configuration data
• Lock management functions on device
• Lock device after specified inactivity period
• Full device encryption
• Wipe encrypted data
• SD card encryption
• Add/Remove whitelist/blacklist from device
Table 20: Mobile Device Management Standard Capabilities Starter Template
14 Appendix C – Survey Questionnaire
Welcome
Introduction: You are hereby invited to participate in a study about security aspects of personal mobile devices (smartphones and tablets) used in organizations. This phenomenon is popularly known as Bring Your Own Device (BYOD) and is very prevalent in today's business world. You are being asked to participate in this survey because of your subject matter expertise in the areas of security systems engineering, project management, and policy management. This is a voluntary participation; however, if you have accepted, we ask that you complete the survey accurately. Your employment status will not be affected in any way should you choose not to take part or to withdraw at any time.
Research: This questionnaire is part of a research study conducted by the author under the direction of Dr. Thomas Mazzuchi, supervised by HRC advisers Dr. Timothy Blackburn P.E., Dr. Paul Blessner, and Dr. William Olson, all from the George Washington University. We thank you in advance for your time.
Confidentiality: This questionnaire is anonymous and confidential and all the responses will be kept in a secure location in encrypted form. There is a small chance that someone not on our research team could find out that you took part in the study or somehow connect your name with the information we collect about you. However the following steps are being taken to reduce this risk: all responses are anonymous and no personal information including name, email, and IP address will be recorded or stored anywhere in any capacity. Should you have any questions about this study, please contact Dr. Thomas Mazzuchi at 202-994-7541. If you have any questions about your rights as related to this study, please feel free to contact the George Washington Office of Human Research at 202-994-2715.
Benefits: Taking this survey may not benefit you directly; however, the many benefits to society will include improved and more secure implementations of BYOD with additional services becoming available to users of BYOD and their respective organizations.
Time: The survey may take 20-25 minutes to complete. The author sincerely thanks you for your support and time.
Instructions and Definitions
Instructions: The survey is web based. Please read each question carefully, think about the scenario, and then choose the proper selection. Throughout the survey, some words including the ones below appear in blue. When you hover over them, helpful balloons appear with definitions.
Definitions: The following operational definitions are provided to help you while taking the survey; again, they are highlighted in blue throughout the survey and with a simple hover over the words, you will see the definitions:
• Multi-factor authentication: this form of authentication requires multiple steps to authenticate a user or a device. For example, when a username and password is entered, an additional step may be required such as a retina scan or scanning of a secure card before authentication is accepted.
• Two-way authentication: two-way authentication means the mobile device is authenticated by the server and the server is authenticated by the device so there is no doubt both are legitimate.
• Security breach: a security breach can be any incident that results in loss of data, loss of information, disrupts normal flow of day-to-day operations, or grants unauthorized access to systems or data.
• Unauthorized access: this is any access that has not been specifically and officially (via a written policy) authorized; it also includes promoting such an activity.
• PKI: short for Public Key Infrastructure, a comprehensive set of technologies and policies that allows the creation of secure digital certificates, dispensing such certificates to users or devices, verifying and identifying such entities as needed, monitoring the certificates, controlling their use, expiring and renewing certificates, revoking compromised certificates, and providing all information needed by the proper personnel and systems as to the use and condition of the digital certificates. PKI can be implemented by an organization for its own internal use, much like a business granting IDs to its employees. It can also be outsourced to outside agencies such as VeriSign and Entrust.
• Mobile devices: for the purpose of this survey, mobile devices refer to smartphones or tablets (such as iPhones, iPads, Galaxies, other Android-based devices, Blackberries, and Windows Phones) that are personally owned and used to access organizational resources, whether locally or remotely (Bring Your Own Device or BYOD).
• Rogue devices: devices that are not approved by the organization but that have been used to access organizational resources. These can be devices belonging to an unauthorized third party, devices that were once approved but have since been disallowed, or any device that has not been through a registration, vetting, and provisioning process prior to being allowed to access organizational resources.
• Whitelisting/Blacklisting: whitelisting refers to an application going through a vetting process where it is determined that it has no security flaws and its use does not present a risk to the organization. Blacklisting is the opposite, where the application is flagged as being a risk if used.
Demographics Section
Q0.1 What is the current industry of your organization?
• Information Technology/Information Systems
• Healthcare/Biotechnology
• Education
• Manufacturing
• Telecommunication
• Finance/Accounting
• Engineering
• Other (please specify)
Q0.2 What is your job title where you work?
• CSO/CISO
• Project Manager/IT Manager/Director/CIO
• Security Administrator/Security Manager
• Security Analyst/Compliance Officer/Auditor
• Security Architect/Security Engineer
• Other (please specify)
Q0.3 How many years of work experience do you have in information systems security?
• None
• 1 – 5 years
• 6 – 10 years
• 11 – 15 years
• More than 15 years
Q0.4 What is the highest educational degree you have earned?
• High School
• Associate Degree
• Bachelor Degree
• Master Degree
• Doctorate Degree
Q0.5 What is the size of your organization?
• 50 or less
• 51 - 250
Independent Questions (Xs)
Existing Mobile Security Implementations: Questions in this section refer to your organization Q4.1x
Dependent Questions (Ys)
Technology Breaches: Questions in this section refer to your organization Q1y
Q2y
15 Appendix D – Semi-Structured Experts Panel Survey Questionnaire
Welcome
Introduction: You are hereby invited to participate in a study about security aspects of personal mobile devices (smartphones and tablets) used in organizations. This phenomenon is popularly known as Bring Your Own Device (BYOD) and is very prevalent in today's business world. You are being asked to participate in this survey because of your subject matter expertise in the areas of security systems engineering, project management, and policy management. This is a voluntary participation; however, if you have accepted, we ask that you complete the survey accurately. Your employment status will not be affected in any way should you choose not to take part or to withdraw at any time.
Research: This questionnaire is part of a research study conducted by the author under the direction of Dr. Thomas Mazzuchi, supervised by HRC advisers Dr. Timothy Blackburn P.E., Dr. Paul Blessner, and Dr. William Olson, all from the George Washington University. We thank you in advance for your time.
Confidentiality: This questionnaire is anonymous and confidential and all the responses will be kept in a secure location. There is a small chance that someone not on our research team could find out that you took part in the study or somehow connect your name with the information we collect about you. However the following steps are being taken to reduce this risk: all responses are anonymous and no personal information including name, email, and IP address will be recorded or stored anywhere in any capacity. Should you have any questions about this study, please contact Dr. Thomas Mazzuchi at 202-994-7541. If you have any questions about your rights as related to this study, please feel free to contact the George Washington Office of Human Research at 202-994-2715.
Benefits: Taking this survey may not benefit you directly; however, the many benefits to society will include improved and more secure implementations of BYOD with additional services becoming available to users of BYOD and their respective organizations.
Time: The survey may take 20-25 minutes to complete. The author sincerely thanks you for your support and time.
Demographics Section
Q1 What is your job title where you work?
• CSO/CISO
• Project Manager/IT Manager/Director/CIO
• Security Administrator/Security Manager
• Security Analyst/Compliance Officer/Auditor
• Security Architect/Security Engineer
• Other (please specify)
Q2 How many years of work experience do you have in information systems security?
• None
• 1 – 5 years
• 6 – 10 years
• 11 – 15 years
• More than 15 years
Q3 What is the highest educational degree you have earned?
• High School
• Associate Degree
• Bachelor Degree
• Master Degree
• Doctorate Degree
Q4 What is the size of your organization?
• 50 or less
• 51 - 250
• 251 - 500
• 501 - 1000
• 1001 or more
Q5 Please list your strongest qualifications.
Questions
The following factors were identified as required for mobile security and Bring Your Own Device (BYOD) mobile security. How completely do you believe these factors address the security concerns of mobile device BYOD? If you believe other factors are needed that are not listed, please list them and explain why you feel these additional factors are necessary and why they are not part of one of the 12 factors listed below.
1. Prevention of data security breaches. This includes data loss, stolen data, or unauthorized data alteration
2. Prevention of wireless (Wi-Fi) security breaches
3. Prevention of cellular security breaches
4. Prevention of rogue mobile device access to corporate data, network, and applications
5. Prevention of mobile authentication related security breaches. This includes device and user authentication breaches
6. Prevention of mobile security breaches related to lost/stolen mobile device
7. Prevention of unauthorized mobile device access. This is different than rogue device prevention in that it can be an approved device but in the wrong hands, or it can be an approved device and an approved user but accessing data and resources they should not have access rights to
8. Prevention of mobile security breaches related to employees’ lack of understanding of security policies
9. Prevention of mobile security breaches related to lack of education and/or mandatory security training for employees
10. Prevention of mobile security breaches related to employees’ claims of being unaware of organizational policies
11. Prevention of document related security breaches via mobile devices. Breaches can be improper sharing, improper saving to cloud or portable media, improper emailing, improper printing, improper scanning, and improper photographing
12. Prevention of mobile security breaches related to application (app) security flaws
Q The above 12 factors are complete in that they encompass the necessary areas of security concerns related to mobile device operation in an enterprise, including Bring Your Own Device (BYOD) operation
• Strongly Agree
• Agree
• Neither Agree nor Disagree
• Disagree
• Strongly Disagree
Your notes and comments: