SEMINAR REPORT
ON
ANALYSIS OF COMPUTER SECURITY SAFEGUARDS FOR DETECTING AND
PREVENTING INTENTIONAL COMPUTER MISUSE
BY
GASALI HAMOD OLANSILE
(H/CTE/19/0541)
DEPARTMENT OF COMPUTER ENGINEERING,
SCHOOL OF ENGINEERING,
THE FEDERAL POLYTECHNIC, ILARO, OGUN STATE,
NIGERIA.
DECEMBER, 2021
CERTIFICATION
This is to certify that this seminar report was carried out by Gasali Hamod Olansile, under the
supervision of Engr. Mrs. L.O Akingbade, in the Department of Computer Engineering, School
of Engineering, Federal Polytechnic, Ilaro, Ogun State.
………………………………………………………………………..
Engr. L.O Akingbade
Supervisor’s Signature & Date
DEDICATION
To Almighty Allah, the fountain of knowledge and custodian of wisdom.
ABSTRACT
The growing use of computer systems in almost every aspect of life and business has been
accompanied by prevalent vulnerabilities, which result in threats, breaches and misuse of both
the data and the devices of such systems. It is therefore pertinent to address the
vulnerabilities of these systems in order to safeguard user privacy and secure data in the
course of using computers, especially in business organizations. The set of tools,
procedures, policies and solutions used to defend against attacks is collectively referred to as
computer security. Computer security first of all requires that the concepts of attack, risk,
threat, vulnerability and resource misuse be adequately defined and understood. When designing
and implementing information systems, a set of measures to increase security and keep risk at
an acceptable level must be taken into consideration from the start. Numerous tools
have been developed to protect the computer, its files and other information against attack
and misuse, examples of which are cryptography, authentication, software checking, licenses
and certificates, and valid authorization. This seminar report explains some of the
procedures and potential threats used to break into networks and computers, as well as the
programs that may be used, and also delves into strategies and procedures to maintain and
develop adequate security measures which will bridge the gap of computer misuse and attacks.
TABLE OF CONTENTS
Certification
Dedication
Abstract
Table of contents
List of figures
CHAPTER ONE
1.0 INTRODUCTION
1.1 STATEMENT OF THE PROBLEM
1.2 SCOPE OF THE STUDY
CHAPTER TWO
2.0 RELATED WORK/LITERATURE
2.1 REPORTS ON COMPUTER MISUSE
CHAPTER THREE
3.0 METHODOLOGY
CHAPTER FOUR
4.0 CONCLUSION
4.1 RECOMMENDATION
REFERENCES
LIST OF FIGURES
FIGURE 3.1
FIGURE 3.2
CHAPTER 1
1.0 INTRODUCTION
The primary objective of this report is to identify computer safeguards that would have been
useful in detecting and preventing actual cases of computer misuse. Computers now play an
important part in our everyday lives. This technological development, upon which society is
becoming ever more dependent in hundreds of different ways, has without doubt produced
substantial benefits for us all. However, alongside these benefits lies the disadvantage that
computers and computer systems are vulnerable to all manner of misuse. The consequences of
such misuse may be very serious. While in some respects the law has already come to terms with
the computer, and has been adapted or shown itself capable of being adapted to take account of it, in
other respects it has not. Violations of data protection law can be prosecuted as crimes under
member state domestic law. Relevant actions can be prosecuted simultaneously as crimes against
information systems (Wm Morrison 2018).
Improper system access laws criminalize the act of accessing a computer system (in whole or in
part) without the right to do so, colloquially known as hacking. The UK Computer Misuse Act
2015, for example, defines as criminal an action by a person which causes a computer to perform an
act with the intent to secure unauthorized access to any program or data (Levi et al. 2015).
The best way to safeguard computers and virtual machines is to have no vulnerabilities at all. For
instance, we can use formal verification to ensure that certain classes of bugs cannot be present
in the software or hardware, and that the system is functionally correct (G. Klein et al. 2009).
To prevent code injection attacks, whereby the attackers transfer control to a sequence of
instructions they have stored in memory areas that are not meant to contain code such as the
stack or the heap, operating systems today draw a hard line between code and data (PaX Team
2000).
Every page of memory is either executable (code pages) or writable, but not both at the same time.
A security control is a “safeguard or countermeasure designed to protect the
confidentiality, integrity, and availability” of an information asset or system and “meet a set of
defined security requirements” (NIST 2013).
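The rule stated above, that a memory page is executable or writable but never both, can be checked from the defender's side on a running Linux process. The following Python audit is an added example, not part of the original report; it assumes the Linux /proc/<pid>/maps text format, and the sample map and the names parse_maps and wx_violations are constructed for illustration.

```python
"""Added example: audit a Linux process memory map for pages that break W^X."""
import re
from typing import List, NamedTuple

# Format of one /proc/<pid>/maps line:
#   start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; lines that do not match are skipped."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            mappings.append(
                Mapping(int(start, 16), int(end, 16), perms, path.strip())
            )
    return mappings


def wx_violations(mappings: List[Mapping]) -> List[Mapping]:
    """Return mappings that are writable and executable at the same time."""
    return [m for m in mappings if m.perms[1] == "w" and m.perms[2] == "x"]


# Constructed sample, not captured from a real process.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r--p 00000000 08:01 131090 /usr/bin/example
55d0c8a21000-55d0c8a95000 r-xp 00021000 08:01 131090 /usr/bin/example
55d0c8c00000-55d0c8c21000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10010000 rwxp 00000000 00:00 0
7ffc5a1e0000-7ffc5a201000 rwxp 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Audit this interpreter's own map on Linux, else fall back to the sample.
    try:
        with open("/proc/self/maps") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MAPS
    for m in wx_violations(parse_maps(text)):
        label = m.path or "[anonymous]"
        print(f"W+X {m.start:#x}-{m.end:#x} {m.size} bytes {label}")
```

In the constructed sample the anonymous region and the stack are both flagged; the code and heap mappings satisfy the rule.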
Security controls cover management, operational, and technical actions that are designed to
deter, delay, detect, deny, or mitigate malicious attacks and other threats to information systems.
The protection of information involves the application of a comprehensive set of security
controls that address cyber security (i.e., computer security), physical security, and personnel
security. It also involves protecting infrastructure resources upon which information security
systems rely (e.g., electrical power, telecommunications, and environmental controls). The
application of security controls is at the heart of an information security management system
(ISMS). The selection and application of specific security controls are directed by a facility’s
information security plans and policies.
In some cases, systems worth many millions of dollars were damaged beyond repair by
malicious software. A number of resources for information on security-based procurement
language are available. One example is a document issued by the Energy Sector Control Systems
Working Group in 2014. This document provides easy-to-use cyber security-based procurement
language for energy delivery systems (ESCSWG 2014).
Another example was issued by the Electric Power Research Institute in 2012, which provides a
cyber security-based procurement methodology for electric power delivery systems (EPRI 2012).
The experimental statistics brought some quantitative data on the type of impact experienced by
victims of computer misuse. They show that the most significant impact was loss of
time/inconvenience for both computer viruses and hacking. The next most significant was stopping
access to websites, followed by feelings of shame, embarrassment and self-blame. This research
identified a wide range of impacts, which will now be explored. It is also important to note that
some computer misuse crime (CMC) offences are precursors to other offences such as fraud, and
there are therefore many similarities in impact to this crime (Button et al. 2014).
It is important for the facility to adopt a life cycle view on information security. This involves
providing governance over the design, acquisition, installation, operation, maintenance,
evolution, and disposal of its components. As part of the life cycle nature of information security,
a process of continuous improvement should be included. Results from risk assessment and risk
management activities, as well as performance evaluations, should be used to support continuous
improvement activities. However, continuous improvements should not wait for periodic
reassessments and evaluations. Over the course of routine activities, changes in threats,
vulnerabilities, and security technologies will be identified and security enhancements should be
made as warranted to address changes in the information security landscape.
1.1. STATEMENT OF THE PROBLEM
● Poor security habits such as poor passwords, using the same passwords and easily guessable passwords, such as family names.
● Several victims reported using either no anti-virus, free versions or not updating it.
● Lack of knowledge of cyber security.
1.2. SCOPE OF THE STUDY
● To examine the nature and impact of computer misuse related crime on victims;
● To assess the support provided to such victims and identify better means to prevent such crime; and
● To examine the experiences and perceptions of those victims who have experienced a law enforcement response.
CHAPTER 2
2.0 RELATED WORK/LITERATURE
Computer-related injuries (CRIs) are injuries caused by misuse of the computer. Prolonged use of
the computer can cause musculoskeletal disorders (MSDs), computer vision syndrome (CVS) and
carpal tunnel syndrome (CTS). Injuries due to computer use have been
recognized worldwide, and several movements that involve repetitive or awkward postures
have been associated with MSDs or Repetitive Strain Injury (RSI) (Olatunde et al. 2019).
For instance, CTS is the most common repetitive motion injury. Five percent of the working
population suffers from CTS, caused by continuous daily use of their hands and wrists (Mc
Murray C 2018). Neck, back and shoulder problems, headaches and eyestrain are also common CRIs
among office workers.
Some muscle and joint problems are made worse by an inappropriate workstation, bad posture or
sitting for long periods of time. This reduces circulation of blood to the muscles, bones, tendons
and ligaments, leading to stiffness and pain. If a workstation is not set up properly and does
not follow the rules of ergonomics, these steady positions can cause more stress on the muscles and
joints (VSG 2018).
Incorrect computer workstation set-up, prolonged work in fixed or awkward positions,
seated and static work, and overuse of the hands have been found to affect the lower back, eyes
and arms of computer users (Daruis DI 2016).
With the increase in computer use in various areas of daily life, people who spend longer periods
of time on the computer are at greater risk of developing CRIs. Furthermore, focusing
the eyes at the same distance for long periods of time causes computer-related injuries. Because
these injuries may lead to an increase in operating costs due to a loss in productivity, some
organizations have implemented programs to prevent CRIs. The most common method is the office
ergonomics assessment, which involves the evaluation of an individual employee’s workstation by
a person with specialized ergonomics training (IEAEC 2018).
An ergonomic workstation can help to avoid the occurrence of CRIs. Employers also need to be
aware of this issue when choosing furniture, such as desks and chairs, for their
workers. On the other hand, practicing better posture and good working habits is essential for
every worker. These habits can be ingrained if workers are aware of workstation
ergonomics (Brace T 2005).
Incorporating the science of ergonomics and the art of counseling into everyday business can
lead to healthier and more satisfied employees, along with improved efficiencies and lower costs.
2.1 REPORTING COMPUTER MISUSE CRIME
The research discovered a variety of findings on the reasons for non-reporting of CMC and the
experience of those who do try to report.
Reasons for low reporting
There were many factors that contributed towards low reporting. These included:
● Some victims not considering such incidents as crimes
● No financial loss occurring
● Reputation and/or past experience of Action Fraud as poor
● Victims wrongly advised by police/Action Fraud their report was not a crime
● Victims never heard of Action Fraud
● Embarrassment or fear of consequences of reporting
CHAPTER 3
3.0 METHODOLOGY
A safeguard model provides a means of describing, identifying, and distributing safeguards. It
was decided that the most useful model would reflect organizational structure. This model
reflects responsibility for initiation or implementation of the safeguards. Developing a safeguard
model that is structured around the organization points out to the security specialist and to
management that computer security is the responsibility of many organizational elements. In
addition, the model provides a convenient mechanism for assigning safeguards identified in this
report. The figures below provide a schematic diagram that reflects the model we suggest.
Insurance, personnel, and contracts are defined as staff activities, but could be placed at the same
level as operations, data processing, security or audit.
Following is a brief description of each element of the model.
[Figure 1: Taxonomy for vulnerabilities to intentional computer misuse. Diagram not reproduced. Box labels, from the top: COMPUTER SYSTEM; INTELLECTUAL PROPERTY, PHYSICAL PROPERTY, COMPUTER SERVICE AND PROCESS; DATA, PROGRAMS, EQUIPMENT & SUPPLIES, AUTHORIZED USE; DENIAL, MODIFICATION, DESTRUCTION, DISCLOSED, THEFT; INTERNAL TO SYSTEM, EXTERNAL TO SYSTEM.]
[Figure 2: A model for categorizing computer safeguards according to responsible organization unit. Diagram not reproduced. Box labels, from the top: GENERAL MANAGEMENT; OPERATIONS DIVISION, AUDIT, SECURITY, DATA PROCESSING; APP PROGRAM DEVELOP, DATA HANDLING, SYSTEM CONTROL, OPERATING; APPLICATION INTERFACE, INTERNAL CONTROL, HARDWARE SUPPORT.]
There is, however, a requirement that an organization have an overall computer security program
within which the safeguards can function. The basis for a computer security program is
management policy and support that clearly define a computer security charter and its scope.
Following is a brief discussion of basic elements required to establish such a program that will
allow the prevention and detection safeguards to be effectively implemented and used. It is
important to note that the following is a description of only one of various possible
organizational structures.
Computer Security Policy and Control: General management must ensure that the agency has a
computer security policy coordination function. This function may be the responsibility of one or
more persons who act as a focus for computer security policy and coordination.
This function should reside outside data processing, but those responsible should work very
closely with data processing management. In the suggested safeguard model, the policy and
coordination function would reside with security. Its primary responsibilities are to develop
workable computer security standards and to coordinate the acquisition or implementation of
computer security safeguards. In addition, this function works closely with the audit function to
verify compliance to standards and adequacy of safeguards in place.
ADP Audit Function: It is important to have well-trained ADP auditors within the audit function.
The ADP audit function is a relatively new function that works almost exclusively verifying the
accuracy and completeness of computer-based information systems.
General management must ensure that the ADP audit function has a clearly defined charter that
includes responsibilities of ADP auditors in each of the following areas:
1. System Development: The ADP auditor monitors the development process and acts as an
advisor to the user regarding internal controls that should be designed into the application
system. These controls include run-to-run totals, logging, and usage reports. The ADP auditor
does not participate in the actual design or implementation of the system.
2. Testing: The ADP auditor ensures the adequacy of test procedures and verifies the existence
and adequacy of internal controls.
3. Operations: The ADP auditor performs operational audits to ensure compliance to standards
generated by the system control function and the data processing function. These include
standards on items such as media labeling, handling and storage.
4. Post-installation Review: The ADP auditor works with the user to determine the actual
characteristics of the system and whether they meet the user’s requirements as intended.
5. Thru-the-Computer-Audit: The ADP auditors should use the computer to assist them in
auditing information accuracy and completeness. In particular, the auditors should include audit
of data stored internally to the computer system, i.e., the auditors should not audit "around the
computer."
6. System Design Standards: General management should ensure that internal controls and other
security mechanisms are included among the system design considerations. Standards or
guidelines should be established to ensure that they are included.
7. Insurance: General management should require that the ADP insurance program is current
and that a risk assessment is made to establish the completeness of items insured and the
amounts for which they are insured.
8. Contracts: General management should ensure that the responsible personnel in the contracts
office are properly trained in ADP technology and terminology and are aware of particular
problems associated with contracting for computer programs, ADP equipment, supplies and
services. It is important that general management recognize the importance of its role in any
successful computer security program. A study for the Institute of Internal Auditors recently
completed by SRI indicates that general management support for audit and control programs
needs to be improved if the integrity of computer-based information systems is to be ensured.
9. Safeguard Implementation Strategy: An important point to consider in developing a safeguard
program is how the safeguards should be applied, i.e., the strategy of safeguarding computer
systems. Providing a complete strategy is beyond the scope of this report, but a few basic
considerations are provided. The case files indicated that the most misused systems
include:
• Payroll
• Accounts payable and receivable
• Certificate generating (license, stocks, etc.)
• Social payment (welfare and other benefits)
• Operating system (vendor-supplied system that runs the computer)
These systems should be protected first.
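Item 1 above names run-to-run totals among the internal controls, and payroll heads the list of most misused systems. The following Python code is an added example, not part of the original report, showing how totals recorded by one processing run are recomputed by the next run to detect records added, dropped, altered or redirected in between; the record layout, field names and sample batch are assumptions made for illustration.

```python
"""Added example: run-to-run control totals over a payroll batch."""
from typing import Dict, List

# Assumed record layout (hypothetical): integer employee_id and amount_cents.
Record = Dict[str, int]


def control_totals(records: List[Record]) -> Dict[str, int]:
    """Totals written by one run and recomputed by the next.

    record_count catches added or dropped records, amount_cents catches
    altered pay amounts, and id_hash_total (a sum of employee ids with no
    business meaning) catches a record redirected to a different payee.
    """
    return {
        "record_count": len(records),
        "amount_cents": sum(r["amount_cents"] for r in records),
        "id_hash_total": sum(r["employee_id"] for r in records),
    }


def run_to_run_check(previous_totals: Dict[str, int],
                     received: List[Record]) -> List[str]:
    """Compare the previous run's totals with the batch this run received.

    Returns the names of the totals that differ; an empty list means the
    batch reconciles and processing may continue.
    """
    current = control_totals(received)
    return sorted(
        name for name, value in previous_totals.items()
        if current.get(name) != value
    )


# Constructed sample batch as written by the first run.
PAYROLL_BATCH: List[Record] = [
    {"employee_id": 1001, "amount_cents": 250000},
    {"employee_id": 1002, "amount_cents": 310050},
    {"employee_id": 1003, "amount_cents": 198725},
]

if __name__ == "__main__":
    recorded = control_totals(PAYROLL_BATCH)
    # Batch as received by the next run, with one amount altered in between.
    received = [dict(r) for r in PAYROLL_BATCH]
    received[1]["amount_cents"] += 50000
    print("discrepancies:", run_to_run_check(recorded, received))
```

A non-empty result is the point at which the run should stop and the discrepancy be logged for the auditor.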
CHAPTER 4
4.0 CONCLUSION
This report provides a foundation for the development of a computer safeguard program directed
toward the detection and prevention of intentional computer misuse. The definition of intentional
computer misuse and the construction of associated vulnerability taxonomy are believed to be
comprehensive and complete. The safeguards described in the report were developed as a result
of analysis of actual cases of computer misuse and other research organizations.
4.1 RECOMMENDATION
In this report an organizational model for assigning responsibility is presented. Whereas the
model provides a good classification scheme for this report, it requires additional work to show
the interrelationships between general management, line management, and staff employees. The
model indicates that all elements of an agency or organization have some responsibility for
computer security, but it does not address the responsibilities of individuals. It would be useful to
have a comprehensive format to describe safeguards. In a review of an actual case of misuse, a
specific safeguard that would prevent or detect that misuse can be conceived. In describing the
safeguards, this report attempts to provide sufficient detail for the security specialist.
Nonetheless, a comprehensive safeguard description format would allow many different
organizations to report safeguards in a standard format.
REFERENCES
Brace T. (2005). Ergonomics-Office Ergonomics: An analysis of the effectiveness of Oregon’s
initiative. Professional Safety.
Button, M., Lewis, C. and Tapley, J. (2014). Not a Victimless Crime: The Impact of Fraud on
Individual Victims and their Families. Security Journal 27(1), 36-54.
Daruis DI. (2016). Repetitive strain injury (RSI) among computer users: A case study in
telecommunication company. Malaysian Journal of Public Health Medicine; 48-52.
EPRI – Electric Power Research Institute (2012). Cyber Security Procurement Methodology for
Power Delivery Systems. EPRI 1026562, Electric Power Research Institute, Palo Alto,
California. Available at
http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=000000000001026562
ESCSWG – Energy Sector Control Systems Working Group (2014). Cyber security Procurement
Language for Energy Delivery Systems. Energy Sector Control Systems Working Group,
Washington, D.C. Available at
http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf
G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K.
Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood (2009). “seL4: formal
verification of an OS kernel,” in Proceedings of the ACM SIGOPS 22nd Symposium on Operating
Systems Principles, ser. SOSP ’09. New York, NY, USA: ACM, 2009, pp. 207–220. [Online].
Available: http://doi.acm.org/10.1145/1629575.1629596
IEAEC (2018). Ergonomics. Available from URL:
http://www.ehs.unc.edu/workplacesafety/ergonomics/ (Accessed August 14, 2018).
Levi, M., Doig, A., Gundur, R., Wall, D., Williams, M. (2015). The Implications of Economic
Crime for Policing. Retrieved from
https://www.cityoflondon.gov.uk/business/economic-research-and-information/research-publications/Documents/Research-2015/Economic-Cybercrime-FullReport.pdf
Mc Murray C, and Bruce R. How your environment can work for you or against you:
White paper on the benefits of workplace ergonomics. 2014. Available from URL:
https://www.cigna.com/assets/docs/ (Accessed August 21, 2018).
NIST - National Institute of Standards and Technology (2013). Security and Privacy Controls for
Federal Information Systems and Organizations. NIST Special Publication 800-53, Revision 4.
Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Olatunde O, Yusuff A, Adebayo AA, Fred I, Iyiol A (2019). An investigation of the incidences
of repetitive strain injury among computer users in Nigeria. 2013. Available from URL:
https://arxiv.org/ftp/arxiv/papers/1308/1308.5841.pdf (Accessed April 13, 2019).
PaX Team (2000). “Design & implementation of PAGEEXEC”.
Victoria State Government (VSG) (2018). Computer-related injuries. Available from URL:
http://www.betterhealth.vic.gov.au/health/healthy/living/computer-related-injuries/
Victoriastategovernment/ (Accessed August 20, 2018).
“Wm Morrison Supermarkets PLC v. Various Claimants” (2018). EWCA Civ 2339, 2018.