Risk Assessment: BYOD Policy
Added on 2023/06/03
Running Head: RISK ASSESSMENT: BYOD POLICY 1
Risk Assessment: BYOD Policy
Name
Institution
Table of Contents
Executive Summary.....................................................................................................................................3
Introduction.................................................................................................................................................3
Risk Assessment..........................................................................................................................................4
Threat Agents..........................................................................................................................................5
Vulnerabilities.........................................................................................................................................7
Consequences of BYOD Threats.............................................................................................................8
Impact......................................................................................................................................................9
BYOD Protection mechanisms for Information Security (Literature review)............................................10
Safeguards.............................................................................................................................................11
Conclusion.................................................................................................................................................12
References.................................................................................................................................................13
Executive Summary
This report presents a risk assessment of a BYOD (Bring Your Own Device) policy in an organization, based on the threat agents, the consequences and the impact of those threats on the organization's information assets. The report analyzes different vulnerabilities and how they may affect the corporation's information system if they are exploited. It also sets out the information security strategies to be implemented to counter the BYOD policy threats. Bring Your Own Device policies allow employees to use their own electronic devices, such as laptop computers, tablet PCs and smartphones, to undertake their official duties and responsibilities. An organization can fully comprehend the BYOD policy threats and vulnerabilities by undertaking a risk assessment of its information systems.
Introduction
More and more corporations are implementing Bring Your Own Device policies, which allow employees to use their own electronic devices, such as laptop computers, tablet PCs and smartphones, to undertake their official duties and responsibilities. Employees therefore have private terminals through which they access the organization's information resources. However, implementing BYOD in an organization carries various risks, including information theft, data leakage, network availability problems, loss of application security and legal liability. Therefore, organizations require a well-designed cyber security framework to protect their information system resources from these potential threats.
Information is vital to an organization's operations, strategic objectives and brand, and is also of critical value to the clients and consumers who use the organization's products and services. The information can therefore be considered an organizational asset: it has a value, and it has vulnerabilities that threats can potentially exploit to cause harm to the asset and to the organization as a whole.
An organization's information assets must be protected from various risks by implementing different security strategies. To understand the risks that BYOD policies and practices pose to the information assets of an organization, a risk assessment must be undertaken to comprehend the threats, the key threat agents, the vulnerabilities and their potential impact on the assets.
The organization should develop a BYOD policy that contains the procedures and regulations to be adhered to when personal devices are used at the workplace. Other strategies include strongly encrypting the organization's data that is accessed through mobile devices and also encrypting the data communication channel (Densham, 2015). Regular updates of the operating system and system software should be undertaken by the organization, and the IT administrator should ensure that users with personal mobile devices keep their antivirus and authentication measures up to date.
Various tools and techniques should also be implemented, including application containerization software, which ensures that applications run in isolation and prevents other applications from accessing their data. Data Loss Prevention techniques allow network administrators to monitor employees' activities on the network, locate the source of any security breach and respond quickly to that threat (Martin, Martin, Hankin, Darzi, & Kinross, 2017).
Merits of BYOD
Adoption of BYOD in an organization brings numerous benefits, including improved productivity, reduced costs, work efficiency and convenience. Users face fewer complications with operating systems and applications because they are using their own devices and usually know their way around them. BYOD reduces IT infrastructure expenses because employees bring their own devices. Workplace efficiency is also attained through BYOD implementation because the policy allows employees to use their devices comfortably in the office. Operational costs such as those for device or software upgrades are avoided, since employees upgrade their own devices and associated software; the budget meant for IT operations can then be used for other projects. BYOD improves productivity and convenience because employees can work from anywhere at any time without difficulty. Therefore, an organization should not shy away from the use of personal devices in the workplace because of the threats that BYOD poses to its information assets; instead, it should develop and implement a strategy to prevent and mitigate the risks of BYOD policies and practices.
Risk Assessment
The essential benefits of undertaking a risk assessment of the organization's information system are outlined below:
Risk assessment helps identify the potential vulnerabilities that attackers could use to access the organization's information assets.
Risk assessment results in the adoption of more secure practices, solutions and policies, and guides the implementation of the information security strategy best suited to the organization.
Risk assessment of an organization's information systems justifies security investment by presenting a fair comparison of the cost of information security measures against the potential losses from breaches of the information assets.
A key aspect of risk assessment is the identification of threats and the determination of their likelihood of occurrence. A threat is a physical or logical process that has the potential to negatively impact the operations, information and systems of an organization. In developing an information security strategy and undertaking a risk assessment, the first essential step is to identify and understand the information assets that require protection. The information assets of an organization bear on integrity, confidentiality and availability, and support the institution's mission, vision and strategic objectives (Boranbayev, Mazhitov, & Kakhanov, 2015).
The information system assets of an organization are as follows:
Human resources: personal data of staff and reports.
Legal: contracts, internal documentation and confidential information on staff.
Finance and Economics: financial information and procurement documentation.
Information Technology: databases, logins and passwords, IT management information and copyright in IT developments.
Research: product test results and ongoing research.
Risk identification
The role of this step in the risk assessment is to identify potential threats to the information system. Risks in an information system arise when flaws in the system or its surrounding environment are exploited by threat agents.
The risk identification process consists of three core aspects:
i. Identification of potential threats that could harm the information system
ii. Identification of vulnerabilities within the system's components that could be exploited by the threats
iii. Combination of the threats and the vulnerabilities to identify the risks to which the information system is exposed
Threat Agents
The threat agents facing an organization as a result of BYOD policies and practices are elaborated below.
Malware
The most persistent and dangerous threat to a corporate information system is malware. The number of malware families has increased rapidly over the past few years (Beckett, 2014). The adoption of BYOD results in the IT department losing control over the mobile devices used by employees, which means that accidental malware infections can go undetected. In a BYOD environment, malware exploits existing vulnerabilities in employees' mobile devices to steal the corporation's confidential data.
Insecure Wireless Networks
In BYOD, employees connect through networks such as public wireless networks and home networks. The configuration of these networks outside the office is unknown and outside the organization's information security scope, yet devices on them can reach the organization's information assets. Through such insecure communication channels, traffic can be intercepted to steal or corrupt the organization's information assets.
Fake Certificate Authorities
Certificate-based authentication is widely used over the internet to authenticate computers; certificates are normally issued by certificate authorities (CAs), which must be trusted. Electronic mobile devices usually come with factory-preloaded CA credentials but also allow the user to remove existing ones or add their own (Vignesh & Asha, 2015). In a BYOD context, an employee may be deceived into adding a fake CA credential or an impersonated trusted digital certificate to the mobile device, which the hacker then uses to steal sensitive corporate data.
Phishing
Phishing scams delivered by email are becoming more common in the cybercrime world, since they are supported by unacknowledged employee collaboration environments such as social networks and cloud services, where they spread with ease (Densham, 2015). A well-structured phishing email can be used by scammers to evade traditional network security frameworks and steal the company's information. In BYOD, device protection is left to the employee, so attackers can use phishing scams without difficulty or detection to access the company's sensitive and critical information assets.
Malicious Mobile Applications
In a BYOD context, employees can install unauthorized, non-corporate applications either for leisure or to aid their functions within the organization (Morrow, 2012). These applications can be used by hackers to steal or disclose private corporate information. On rooted mobile devices, such malicious applications can also be granted additional privileges, which they can use to disseminate spam and send sensitive data to outsiders without authorization.
Social Engineering
The broad adoption of mobile devices supported by BYOD policies and practices has made it easy for scammers to spread malware through email spam and social networks (Tzoumas, 2013). Due to a lack of security awareness, employees may, during their leisure time, access social media or open scam emails, which then results in infection of the corporate information network.
Personal and Corporate Information Mixture
Employees use their own devices to conduct personal business and keep in contact with family and friends, while at the same time using them to access corporate databases, servers and networks to undertake their work duties. In BYOD, IT administrators also cannot monitor illegitimate actions on the corporate data (Yang, Vlas, Yang, & Vlas, 2013). The mixture of personal and corporate information can affect the integrity of the corporate information because of the difficulty of separating the two sets of data.
Using Personal Cloud Services for Information Sharing
An employee uses the mobile device for personal as well as corporate purposes, and may then store corporate information in personal cloud storage. Personal cloud storage is used to increase availability and flexibility when accessing both personal and corporate information. Cloud services can be hacked, so sharing information on cloud services may expose confidential corporate information to corruption and unauthorized disclosure (Romer, 2014). Employees can also modify or share corporate data, impacting the information's confidentiality and integrity.
Uncontrolled Heterogeneous Devices Inception
The variety of electronic mobile devices used by employees to access the information assets of an organization increases the threats to confidential information. The support given by the IT department may be ineffective because of incompatibility between the organization's configurations and applications and the device's operating system fragmentation and hardware (Chang, Ho, & Chang, 2014). Therefore, a lack of proper IT control and monitoring of the mobile devices will result in unauthorized access to sensitive corporate information.
Stolen and Lost Mobile Devices
An employee's mobile device may get lost or stolen while it is still logged on or has the "remember password" feature enabled, in which case corporate information can be accessed by outsiders. Some employees also keep corporate data after termination, and if the employee is vengeful this can result in the exposure of corporate information and in intellectual property violations (Beckett, 2014).
Vulnerabilities
1. Employee habits as a vulnerability
The primary vulnerability in a BYOD context is the user; employees' habits are used by intruders to lure them into accessing social networks, opening a phishing email during their leisure time or installing a certain application. These activities are then exploited by intruders to gain unauthorized access to corporate information, which they steal, contaminate or disclose, compromising the integrity, availability and confidentiality of the corporation's sensitive information.
2. Lack of privilege to stop an ongoing application installation process
In some Android applications used on mobile devices, the user does not have the right to terminate an application installation process once it has been initiated (Tarle, 2015). An intruder can attach malware to such an application and wait for the user to install the app.
3. Dated software and non-updated security patches
Another vulnerability exploited by BYOD threats is the use of dated software and out-of-date security patches (Mishra, Mathur, Jain, & Rathore, 2013). This allows intruders easy access to steal or contaminate the organization's data.
4. Remembered passwords
Some employees use the "remember password" option when logging into their corporate accounts on their mobile devices, and this becomes a vulnerability when the device is lost or stolen.
Consequences of BYOD Threats
In risk assessment, the consequences of information system threats can be expressed as loss of trust (integrity), loss of privacy (confidentiality), loss of service and loss of an asset. The consequences of BYOD threats to the information assets of an organization are discussed below.
The various electronic mobile devices used by employees to access the information assets
of an organization increases threats to confidential information. The support given by the IT
department to may be ineffective due to the incompatibility of the organization's configurations
and applications or operating system fragmentation and hardware of the device (Chang, Ho, &
Chang, 2014). Therefore, lack of proper IT control and monitoring of the mobile devices will
result in unauthorized access of the sensitive corporate information.
Stolen and Lost Mobile Devices
The mobile device of an employee maybe get lost or stolen while it is still logged on or
had “remember password” feature, then corporate information can be accessed by outsiders.
Also, some employees keep corporate data even after termination, and if the employee is
vengeful, it can result in the exposure of corporate information and also result in intellectual
property violation (Beckett, 2014).
Vulnerabilities
1. Employees' habits as a vulnerability
The primary vulnerability in the BYOD context is the user. Intruders exploit employees' habits by luring them to visit social networks, to open a phishing email during their leisure time, or to install a particular application. These activities are then used to gain unauthorized access to corporate information, which is stolen, contaminated or disclosed, compromising the integrity, availability and confidentiality of the corporation's sensitive information.
2. Lack of privilege to stop an ongoing application installation
In some Android applications used on mobile devices, the user does not have the right to terminate an application installation once it has been initiated (Tarle, 2015). An intruder targeting the organization's information system can attach malware to such an application and wait for the user to install it.
3. Outdated software and missing security patches
Another vulnerability is the use of outdated software and the failure to apply current security patches (Mishra, Mathur, Jain, & Rathore, 2013). This gives intruders easy access to steal or contaminate the organization's data.
4. Remembered passwords
Some employees use the "remember password" feature when logging in to their corporate accounts from their mobile devices; this becomes a vulnerability when the device is lost or stolen.
Consequences of BYOD Threats
In risk assessment, the consequences of information system threats can be expressed as loss of trust (integrity), loss of privacy (confidentiality), loss of service and loss of an asset. The consequences of BYOD threats to the information assets of an organization are discussed below.
a) Information Disclosure or Leakage (Loss of confidentiality)
Mixing corporate and personal information on a mobile device exposes the organization's information to threats that can lead to disclosure, which compromises confidentiality. Spoofing and tampering are also threat vectors. For example, spoofing of databases, cloud services and web applications can result in corporate information being diverted to and stored in an intruder's repositories, and tampering attacks such as XSS can capture database access credentials that are then used to gain unauthorized access to databases (Aphale, Borikar, Kardile, Vasekar, & Shital, 2015). Information travelling over an insecure channel can be stolen by an intruder through sniffing or interception attacks. Figure 1 shows the different threats that result in information disclosure in an organization.
Figure 1: BYOD threats' interactions that result in information disclosure
b) Information Contamination or Corruption (Loss of integrity)
The core consequence of BYOD attacks is information contamination, which compromises information integrity. Contamination arises from threats created by employees' habits when they access corporate information. Corporate databases can be corrupted by exploiting tampering threats (Aphale, Borikar, Kardile, Vasekar, & Shital, 2015).
Figure 2: BYOD threats’ interactions that result in information contamination
Impact
Once the information assets of the organization have been identified and the threats listed, the impact of each threat's occurrence must be assessed. The impact of a particular threat is evaluated on levels designated less serious, serious and exceptionally grave.
Table 1: Impact assessment framework
Mitigation
Mitigation techniques to be implemented to alleviate BYOD risks are:
i. Train employees on the wide range of security threats arising from the adoption of BYOD, including the installation of applications and the use of public and home wireless networks.
ii. The IT department should provide continuous support to employees throughout the lifecycle of their mobile devices.
iii. Prevent data leaks through an acceptable use policy that employees must sign.
BYOD Protection mechanisms for Information Security (Literature review)
Device and User Authentication
Password-based authentication, or another authentication technique, should be required whenever the organization's information resources are accessed from a personal device. The authentication process should allow only a limited number of input retries before the device locks out automatically or, depending on the settings, before its storage is wiped (Pritchard, 2014). The IT administrator should be able to lock the device remotely and to reset it when an employee forgets the password. If the device is idle for a set period, it should lock automatically so that an unauthorized individual cannot snoop on corporate data left on the display.
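The lockout and idle-timeout behaviour described above, modelled in Python as an added example (not code from the original report or from any MDM product). The thresholds, the PBKDF2 hashing of the PIN and the `Device` class are assumptions made for the illustration. What it shows beyond the prose: the failure counter persists and is reset only by a successful unlock, a correct PIN is still rejected inside a lockout window, the lockout window grows with each further failure until the wipe threshold, and a remote lock or wipe also discards any "remembered" credentials.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import os

# Policy thresholds assumed for this illustration (not any vendor's defaults).
MAX_FAILURES_BEFORE_LOCK = 5     # temporary lockout after five wrong PINs
MAX_FAILURES_BEFORE_WIPE = 10    # erase the device after ten wrong PINs
BASE_LOCKOUT_SECONDS = 30.0      # lockout window doubles with each further failure
IDLE_TIMEOUT_SECONDS = 120.0     # auto-lock after two minutes without activity
PBKDF2_ROUNDS = 50_000


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow hash so a PIN hash lifted from a lost device is expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    pin_salt: bytes
    pin_hash: bytes
    failures: int = 0              # persisted; reset only by a successful unlock
    locked_until: float = 0.0      # end of the current lockout window (epoch seconds)
    last_activity: float = 0.0
    locked: bool = True
    wiped: bool = False
    # "Remember password" tokens for corporate apps; cleared on any lock or wipe.
    cached_credentials: dict = field(default_factory=dict)

    @classmethod
    def enroll(cls, pin: str, now: float) -> "Device":
        salt = os.urandom(16)
        return cls(pin_salt=salt, pin_hash=_hash_pin(pin, salt), last_activity=now)

    def is_locked(self, now: float) -> bool:
        """Apply the idle timeout lazily, as a screen-lock daemon polling the clock would."""
        if not self.locked and now - self.last_activity >= IDLE_TIMEOUT_SECONDS:
            self.locked = True
        return self.locked or self.wiped

    def activity(self, now: float) -> None:
        if not self.is_locked(now):
            self.last_activity = now

    def unlock(self, pin: str, now: float) -> str:
        """Returns 'ok', 'wrong-pin', 'locked-out' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked-out"          # the PIN is not even checked during a lockout
        if hmac.compare_digest(_hash_pin(pin, self.pin_salt), self.pin_hash):
            self.failures = 0
            self.locked = False
            self.last_activity = now
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES_BEFORE_WIPE:
            self.wipe()
            return "wiped"
        if self.failures >= MAX_FAILURES_BEFORE_LOCK:
            exponent = self.failures - MAX_FAILURES_BEFORE_LOCK
            self.locked_until = now + BASE_LOCKOUT_SECONDS * (2 ** exponent)
            return "locked-out"
        return "wrong-pin"

    # Actions an administrator pushes from the MDM console.
    def remote_lock(self) -> None:
        self.locked = True
        self.cached_credentials.clear()

    def remote_reset_pin(self, new_pin: str) -> None:
        """For a forgotten PIN: install a new one, clear the counter, leave the device locked."""
        self.pin_salt = os.urandom(16)
        self.pin_hash = _hash_pin(new_pin, self.pin_salt)
        self.failures = 0
        self.locked_until = 0.0
        self.remote_lock()

    def wipe(self) -> None:
        """Model of a storage wipe: nothing usable remains, including the PIN hash."""
        self.wiped = True
        self.locked = True
        self.pin_hash = b""
        self.cached_credentials.clear()


if __name__ == "__main__":
    dev = Device.enroll("1357", now=0.0)
    for t in range(6):                       # five wrong PINs start the lockout window
        print(t, dev.unlock("0000", float(t)))
    print(dev.unlock("1357", 5.5), dev.unlock("1357", 60.0))
```

The counter lives on the device object rather than in the unlock screen's process so that rebooting does not reset it; an attacker who could reset it by power-cycling would have unlimited guesses.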
Data communication and Storage
Strongly encrypt the organization's data that is accessed through the mobile device, and encrypt the communication channel as well. Also strongly encrypt the organization's data stored on both the built-in storage and removable storage. To mitigate offline attacks on removable media, the media can be bound to a specific device so that it can only be decrypted when attached to that device (Sadgrove, 2016). Implement the capability to wipe a mobile device's storage remotely when it is stolen or lost. The device can also be configured to erase itself automatically after a set number of failed authentication attempts.
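An added example, not from the original report, of the "bound to a specific device" property: the key for a removable card is derived from a device-held secret and the card's serial number, so the same sealed blob cannot be opened on another device or from another card, and a wrong device learns nothing because the authentication tag fails before any decryption. The device secrets and card serial are constructed values, and the HMAC-based keystream stands in for a real AEAD such as AES-GCM, which the Python standard library does not provide; use a proper crypto library in production. The HKDF routine is the RFC 5869 construction and is checked against that RFC's first test vector.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed secrets for the illustration. On a real device the secret would live in
# hardware-backed key storage and never be exportable.
DEVICE_A_SECRET = hashlib.sha256(b"constructed: device A hardware secret").digest()
DEVICE_B_SECRET = hashlib.sha256(b"constructed: device B hardware secret").digest()
CARD_SERIAL = b"SD-CARD-SERIAL-0001"   # constructed removable-media identifier


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def media_keys(device_secret: bytes, media_serial: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys bound to this device AND this card."""
    km = hkdf_sha256(device_secret, salt=media_serial, info=b"byod-removable-media-v1", length=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF stream; a production build
    # would use AES-GCM or ChaCha20-Poly1305 from a real crypto library instead.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(device_secret: bytes, media_serial: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a file destined for the removable card: nonce || ciphertext || tag."""
    enc_key, mac_key = media_keys(device_secret, media_serial)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(device_secret: bytes, media_serial: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the blob was not sealed for this device/card pair."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = media_keys(device_secret, media_serial)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # wrong device, wrong card, or tampered data: release nothing
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    blob = seal(DEVICE_A_SECRET, CARD_SERIAL, b"Q3 customer list")
    print("device A:", unseal(DEVICE_A_SECRET, CARD_SERIAL, blob))
    print("device B:", unseal(DEVICE_B_SECRET, CARD_SERIAL, blob))
```

Because the card serial is mixed into the derivation, copying the encrypted file onto a second card that is then inserted into the same device also fails, which is the offline-attack case the text is concerned with.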
Updating operating systems
The operating system and the software on the device should be updated regularly, and the software and application updates and security patches that vendors release should be installed promptly (Herrera, Ron, & Rabadão, 2017). The corporation should ensure that users with personal mobile devices keep their antivirus software and authentication measures up to date. This is a sound security measure for keeping corporate data stored on personal devices safe from unauthorized access by third parties.
Applications
Synchronization services, including website synchronization and remote and local device synchronization, should be restricted. Digitally sign applications and distribute them through a mobile store to ensure that only applications from trusted entities are installed on the mobile devices (Tarle, 2015). Access
to the organization's information resources from mobile devices should be controlled according to the device's operating-system version and state, for example whether the device has been rooted.
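A device-posture check of the kind the "Updating operating systems" and "Applications" passages call for, as an added example in Python (not code from the report or from any MDM). The report fields, the policy thresholds and the allow / restricted / deny tiers are assumptions for the illustration: rooting, an unsupported or too-old OS, missing storage encryption and a missing screen lock deny access outright, while a stale patch level or stale antivirus signatures only restrict it. Version strings are compared numerically with zero-padding so that "12" and "12.0" are treated as equal, and a version string that cannot be parsed fails closed rather than open.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Posture:
    """What the MDM agent reports about one enrolled personal device (fields assumed)."""
    os_name: str           # "android" or "ios"
    os_version: str        # dotted version string exactly as the device reports it
    security_patch: date   # vendor security patch level
    rooted: bool           # root / jailbreak detected by the agent
    storage_encrypted: bool
    screen_lock: bool
    av_signatures: date    # last antivirus signature update (checked on Android only)


@dataclass(frozen=True)
class Policy:
    min_os_version: Dict[str, str]   # per-platform floor, e.g. {"android": "12"}
    max_patch_age_days: int
    max_av_age_days: int


HARD, SOFT = "hard", "soft"


def _as_date(value: Union[date, str]) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def posture_from_report(report: dict) -> Posture:
    """Build a Posture from the JSON-style dict an agent would send (dates as ISO strings)."""
    return Posture(
        os_name=str(report["os_name"]).lower(),
        os_version=str(report["os_version"]),
        security_patch=_as_date(report["security_patch"]),
        rooted=bool(report["rooted"]),
        storage_encrypted=bool(report["storage_encrypted"]),
        screen_lock=bool(report["screen_lock"]),
        av_signatures=_as_date(report.get("av_signatures", "1970-01-01")),
    )


def parse_version(text: str) -> Tuple[int, ...]:
    """'13.0.1' -> (13, 0, 1); raises ValueError on junk such as '13.0.beta'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(version: str, floor: str) -> bool:
    """Numeric comparison with zero-padding so '12' and '12.0' compare equal."""
    a, b = parse_version(version), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def evaluate(p: Posture, policy: Policy, today: Union[date, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings; an empty list means fully compliant."""
    today = _as_date(today)
    findings: List[Tuple[str, str]] = []
    if p.rooted:
        findings.append((HARD, "device is rooted or jailbroken"))
    floor = policy.min_os_version.get(p.os_name)
    if floor is None:
        findings.append((HARD, f"platform {p.os_name!r} is not permitted"))
    else:
        try:
            if not version_at_least(p.os_version, floor):
                findings.append((HARD, f"{p.os_name} {p.os_version} is below minimum {floor}"))
        except ValueError:
            # Fail closed: a version string we cannot read is not evidence of compliance.
            findings.append((HARD, f"unparseable OS version {p.os_version!r}"))
    if not p.storage_encrypted:
        findings.append((HARD, "storage encryption is off"))
    if not p.screen_lock:
        findings.append((HARD, "no screen lock configured"))
    patch_age = (today - p.security_patch).days
    if patch_age > policy.max_patch_age_days:
        findings.append((SOFT, f"security patch level is {patch_age} days old"))
    if p.os_name == "android":
        av_age = (today - p.av_signatures).days
        if av_age > policy.max_av_age_days:
            findings.append((SOFT, f"antivirus signatures are {av_age} days old"))
    return findings


def decide(p: Posture, policy: Policy, today: Union[date, str]) -> Tuple[str, List[str]]:
    """'deny' on any hard finding, 'restricted' (e.g. webmail only) on soft ones, else 'allow'."""
    findings = evaluate(p, policy, today)
    reasons = [text for _, text in findings]
    if any(severity == HARD for severity, _ in findings):
        return "deny", reasons
    if findings:
        return "restricted", reasons
    return "allow", reasons


if __name__ == "__main__":
    policy = Policy({"android": "12", "ios": "16.0"}, max_patch_age_days=90, max_av_age_days=14)
    phone = posture_from_report({"os_name": "android", "os_version": "13.0.1",
                                 "security_patch": "2024-02-05", "rooted": False,
                                 "storage_encrypted": True, "screen_lock": True,
                                 "av_signatures": "2024-02-25"})
    print(decide(phone, policy, "2024-03-01"))
```

The reasons list is what the user sees on the block page and what the help desk searches for in the access log; the severity split keeps a device with merely late patches on a reduced service rather than locking the employee out completely.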
Data loss prevention
Data loss prevention (DLP) techniques allow network administrators to monitor employees' activities on the network, identify the source of any security breach and respond quickly to the threat. They do this by tracking sensitive data as it moves across the network (Martin, Martin, Hankin, Darzi, & Kinross, 2017). DLP places a watermark on sensitive data and checks for any alteration of the data as it is transferred within the system.
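An added Python example, not part of the original report, of the watermark-and-check behaviour described for DLP: the gateway labels a document with an HMAC over the label and its content, refuses any transfer whose label or content has been altered since labelling, and additionally scans the body for sensitive patterns (card numbers confirmed with the Luhn check, plus a constructed employee-ID format). The key, the label set and the identifier pattern are assumptions; real DLP products carry far richer detectors, but the decision structure is the same.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Assumed: a key held only by the DLP gateway / endpoint agent, never by users.
DLP_KEY = hashlib.sha256(b"constructed: DLP watermark key").digest()
LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # candidate card numbers
EMPLOYEE_ID_RE = re.compile(r"\bEMP-\d{6}\b")               # constructed internal identifier


def watermark(label: str, body: bytes) -> bytes:
    """Prefix a document with an HMAC-authenticated classification label."""
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    tag = hmac.new(DLP_KEY, label.encode() + b"\n" + body, hashlib.sha256).hexdigest()
    return f"X-DLP-Label: {label}\nX-DLP-Tag: {tag}\n\n".encode() + body


def verify_watermark(doc: bytes) -> Tuple[str, bytes]:
    """Return (label, body); raise ValueError if the watermark is missing or the data was altered."""
    header, sep, body = doc.partition(b"\n\n")
    if not sep:
        raise ValueError("missing watermark")
    fields = dict(line.decode(errors="replace").split(": ", 1)
                  for line in header.split(b"\n") if b": " in line)
    label, tag = fields.get("X-DLP-Label"), fields.get("X-DLP-Tag")
    if label not in LABELS or tag is None:
        raise ValueError("missing watermark")
    expected = hmac.new(DLP_KEY, label.encode() + b"\n" + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("watermark does not match content (altered or relabelled)")
    return label, body


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which filters out most 13-19 digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_content(body: bytes) -> Dict[str, int]:
    """Count sensitive-data hits; regex candidates for card numbers are confirmed with Luhn."""
    text = body.decode(errors="replace")
    pans = [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    hits: Dict[str, int] = {}
    if pans:
        hits["card-number"] = len(pans)
    employee_ids = EMPLOYEE_ID_RE.findall(text)
    if employee_ids:
        hits["employee-id"] = len(employee_ids)
    return hits


def inspect_outbound(doc: bytes, external: bool) -> Dict[str, object]:
    """Gateway decision for one outbound transfer from a BYOD device."""
    try:
        label, body = verify_watermark(doc)
    except ValueError as exc:
        return {"action": "block", "reason": str(exc)}
    hits = scan_content(body)
    if hits:
        return {"action": "block", "reason": f"sensitive content found: {hits}", "label": label}
    if label == "CONFIDENTIAL" and external:
        return {"action": "block", "reason": "confidential data to external destination", "label": label}
    return {"action": "allow", "label": label}


if __name__ == "__main__":
    doc = watermark("CONFIDENTIAL", b"Q3 forecast: revenue up 12%")
    print(inspect_outbound(doc, external=False))
    print(inspect_outbound(doc.replace(b"12%", b"20%"), external=False))
```

Relabelling a CONFIDENTIAL document as PUBLIC fails the same check as editing its body, because the label is part of the authenticated input; that is what makes the watermark useful against a user rather than only against transmission errors.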
Figure 3: DLP techniques for data loss prevention in a BYOD context
Security Software
An organization should implement the following software to curb the risks that result from the adoption of BYOD practices. Application containerization software ensures that applications run in isolation and prevents other applications from accessing their data; it lets the organization enforce a security policy on the confidential area of the mobile device without touching the data, or the functionality of the data, held in that area (Yadav, Ganguly, & Suman, 2015). Mobile identity and access management software implements two-factor authentication and single sign-on across multiple devices, which makes logging in simpler for employees. Mobile content management software allows the organization to determine how its data is stored in the cloud and how employees may access it.
Safeguards
The organization should control third-party software by limiting or blocking its use in order to prevent data security breaches through such software (Herrera, Ron, & Rabadão, 2017). It should deploy separate secure gateways equipped with data loss prevention tools and content filtering to restrict employees to the activities they are meant to perform. The organization should also perform regular audits and testing of mobile devices to establish their security capability.
Conclusion
BYOD significantly improves productivity in a corporation through increased availability of, and flexibility in, access to the organization's information. It is important for the organization to be aware of the security risks introduced by BYOD policies and practices. An organization can harness the benefits of BYOD by implementing an effective BYOD strategy that maximizes benefits while minimizing risks.
Threat agents arising from BYOD implementation include malware, public wireless networks, the mixture of corporate and personal information, and stolen and lost devices. BYOD vulnerabilities include employees' habits and outdated software and security patches. BYOD threats can result in various consequences, including the disclosure of sensitive corporate information and the corruption of data, which compromise the confidentiality and integrity of the organization's data.
The organization should develop a BYOD policy that contains the procedures and regulations to be followed when personal devices are used at the workplace. The policy will help control the behaviour of users when they access and manage the firm's network resources. It should stipulate regulatory measures including the types of devices allowed on the work premises, the applications and software compatible with the firm's network, and the web addresses that employees are restricted from visiting, together with the reasons; the policy should also stipulate the consequences that follow if an employee violates its rules.
The organization should conduct a risk analysis of the company's network regularly to make sure that all authentication procedures and other security measures are operating as required. The organization should also implement application containerization software that ensures applications run in isolation and prevents other applications from accessing their data.
References
Aphale, M., Borikar, U., Kardile, B., Vasekar, V., & Shital, J. (2015). Forensics investigation for database tampering using audit logs. International Journal of Engineering Research and Technology, 4(3).
Beckett, P. (2014). BYOD: Popular and problematic. Network Security, 2014(9), 7-9.
Boranbayev, A., Mazhitov, M., & Kakhanov, Z. (2015). Implementation of security systems for prevention of loss of information at organizations of higher education. 2015 12th International Conference on Information Technology: New Generations (pp. 802-804). Las Vegas, NV.
Chang, J., Ho, P., & Chang, T. (2014). Securing BYOD. IT Professional, 16(5), 9-11.
Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. Network Security, 2015, 5-8.
Herrera, A. V., Ron, M., & Rabadão, C. (2017). National cyber-security policies oriented to BYOD (bring your own device): Systematic review. 2017 12th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-4). IEEE.
Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: How safe are we? BMJ.
Mishra, A., Mathur, R., Jain, S., & Rathore, J. S. (2013). Cloud computing security. International Journal on Recent and Innovation Trends in Computing and Communication, 1(1), 36-39.
Morrow, B. (2012). BYOD security challenges: Control and protect your most sensitive data. Network Security, 2012(12), 5-8.
Pritchard, C. L. (2014). Risk management: Concepts and guidance. Auerbach Publications.
Romer, H. (2014). Best practices for BYOD security. Computer Fraud & Security, 2014(1), 13-15.
Sadgrove, K. (2016). The complete guide to business risk management. Abingdon, U.K.: Routledge.
Tarle, P. (2015). Comparative study of smart phone security techniques. International Journal of Emerging Technology and Advanced Engineering, 5(2).
Tzoumas, C. (2013). The BYOD world. BusinessWest, 30(2), 45.
Vignesh, U., & Asha, S. (2015). Modifying security policies towards BYOD. Procedia Computer Science, 50, 511-516.
Yadav, S., Ganguly, U., & Suman, S. (2015). Threats and vulnerabilities of BYOD and Android. International Journal of Research, 2(8), 997-1003.
Yang, T., Vlas, R., Yang, A., & Vlas, C. (2013). Risk management in the era of BYOD: The quintet of technology adoption, controls, liabilities, user perception, and user behavior. 2013 International Conference on Social Computing (pp. 411-416). IEEE.