Int. J. Electronic Business, Vol. X, No. Y, XXXX Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. Fabricio R. Rivadeneira Zambrano* Universidad Laica Eloy Alfaro de Manabí Chone 130704, Ecuador Email: frolando.rivadeneira@uleam.edu.ec *Corresponding author Glen D. Rodríguez Rafael. Facultad de Sistemas e Informatica, Universidad Nacional Mayor de San Marcos, Lima, 15081, Peru Email: grodriguezr@unmsm.edu.pe Abstract: Bring Your Own Device (BYOD) is used by many organizations for the benefits offered by allowing the use of mobile devices to perform business tasks, but the following questions should be analyzed if any organization want to adopt a BYOD environment: What threats do currently face mobile devices that are being used in BYOD environments? What are the characteristics of the security models proposed until now in order to manage BYOD? Are there integral security models with the minimum requirements in order to take full advantage of BYOD? What are the basic controls that should be taken into account for designing security policies in a business with a BYOD environment? What are the main differences between security on BYOD environments vs. security on corporate owned mobile device environments, regarding how easy is to meet security needs? By giving answers to these questions, we will be able to have a clear vision of what it takes to adopt BYOD in an organization, its advantages, disadvantages and the changes that the organization needs to make in order to eliminate security problems that come along with BYOD. The employees have absolute control of the use and installation/uninstallation of applications on the mobile device; in security matters this fact is still the weakest link, and in the majority of the companies it is barely given attention; but in BYOD environments the employees must be the main firewall in order to avoid security problems. Keywords: BYOD; Security Risk; Security Policies; Security Management Models; Social Engineering; Mobile Security. Reference to this paper should be made as follows: Author(s) (2017) ‘Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models’, Int. J. Electronic Business, Vol. X, No. Y, pp.000–000. Biographical notes: Fabricio Rivadeneira was born in Chone, Ecuador (1975), professor at the University Laica Eloy Alfaro de Manabí. He got a degree on System Engineering by ULEAM and a Master on Project Management (2009) by ULEAM. Currently he is in the Doctoral program of System Engineering at UNMSM, Peru. His research interest is security on mobile environments. Glen D. Rodriguez Rafael received his BS in System Engineering from Universidad Nacional de Ingenieria, Lima, Peru, in 1994, ME in Information and Computer Science Engineering from Toyohashi University of Technology, Toyohashi, Japan in 2001, and Dr.Eng. in Electronic and Information Engineering at Toyohashi University of Technology, Toyohashi, Japan in 2004. From 2006, he has been a Lecturer and later a Professor at Universidad Nacional de Ingenieria, Lima, Peru. From 2008 until 2013, he has been involved in the Cubesat project of this university as responsible for the ground station. His research interests are evolutionary algorithms, software testing, search based software engineering, parallel processing, mobile communications and information security 1 Introduction BYOD, is a trend that most companies are beginning to adopt, (Boon and Sulaiman, 2015) estimate that 200 million Copyright © 201x Inderscience Enterprises Ltd. of the 360 million users employ their personal devices for work-related tasks, due to the benefits they present such as: customer satisfaction since it creates an increase in productivity. This is validated by (Page, 2013) who manifests that 80% of companies that allow a BYOD 240 F.R. Rivadeneira and G.D. Rodríguez program have seen an increase in productivity. Another benefit is that companies don’t have to cope with the devices’ or data plan’s cost. It also makes more time available for management because employees will always seek to acquire the latest mobile innovation on the market. On the implementation of BYOD environments not everything is benefits; companies also face several disadvantages in the security field such as challenges on how to manage employee-owned devices (it should distinguish the employee-owned devices from the devices of the organization and manage them separately). Another challenge is that most devices are owned by employees, the IT team cannot have complete control over these devices and applications that are installed; (Hemdi and Deters, 2016) determined in a study that 60% of workers in businesses allowing BYOD were found to use at least one free file-sharing application, and 55% of those did not tell their IT departments about such use; any intrusion not authorized by the department of IT could cause a risk of privacy leak on the employees’ side; another disadvantage is that the devices are always turned on and connected, due to this reason the vulnerability of malicious attacks increase along the different channels of communication, the situation becomes even worse when we consider that the wireless connection channels in a smart device can be attacked more easily than the wired channels. The lack or little enforcement of BYOD policies is another of the disadvantages that organizations have; policies are an important piece in the control of security problems and each organization must create a policy that suits their needs; BYOD needs a large number of policies to control and secure company data. BYOD is a tendency that companies won’t ignore and in a short period of time most organizations will allow their employees to use their mobile devices to carry out the company’s activities. The following research questions are asked in order to obtain some insight of how to take the maximum advantage of the BYOD program: • What are the threats that mobile devices currently face while being used in a BYOD environments? • What are the characteristics of security models in order to manage BYOD? • Are there integral safety models with the minimum requirements to take full advantage of BYOD? • What are the basic controls that should be taken into account for designing security policies in companies with a BYOD environment? • What are the main differences between security on BYOD environments vs. security on corporate owned mobile device environments, regarding how easy is to meet security needs? The adaption of BYOD environments has spread rapidly and continues to transform the way people and organizations work. The use of mobile devices for both personal and work activities opens up new security threats. This article aims to give a panoramic view of BYOD environments, what their security risks are, what security management models have been proposed, the policies for the use of BYOD in corporate settings and future work that must be done in order to improve the awareness of the employees so they can become the first security barrier. 2 Background BYOD is an acronym for "bring your own device," a phrase used for a scheme based on the idea of allowing employees to take their own mobile electronic communication device and use it in the workplace to perform the tasks of the organization. The scheme is primarily driven by consumer preference rather than corporate initiative. However, BYOD has potential benefits for both parties (Bell, 2013). The Bring Your Own Device phenomenon, means that employees, business partners and customers are increasingly accessing information using a web browser on a device not owned or managed by the organization, this has resulted in security implications for data leakage, data theft and regulatory compliance (Morrow, 2012). BYOD is a scheme that a company adopts, allowing its employees to bring in and use their own private mobile devices for their job. What this means is that, this one device would not only carry the individuals personal data but also their workplace data (Gladyng, 2013). Employees can have access to their company’s data at their workplace and they can also have access to the data outside the company’s environment (Olalere, et al., 2015). This enterprise IT policy allows you to use your own devices to access sensitive corporate data at work through the company's IT infrastructure. BOYD is a movement that existed since individuals began to bring their own particular USB flash drive, or installed their personally preferred programs in order to accomplish the tasks that had been assigned to them. In such cases, over the years, the security of the organizational resources and data has been achieved through a variety of technological innovations. These include controlling of the desktop environment by implementing different technologies; for instance, the use of central software-based policy controls, restriction of the installation of applications, disabling USB ports, and the monitoring of desired workstations. (Zahadat, et al., 2015). It is considered that the moment in which the BYOD phenomenon appeared was with the arrival of the Apple iPhone in 2007, which led to a revolution in the field of consumer technology. Senior executives, condemned for years to serious and functional terminals like the BlackBerry, they found a light, tactile, funny device, and they wanted to take it to the office. In 2009, the BYOD concept began to be considered when Intel recognized the importance of employees using their own devices to access corporate and network resources, but it was until 2011 when software sellers such as Citrix System shared perceptions about this new trend (Gajar, et al., 2013). Since then, the mobility revolution has not stopped, observing the proliferation of smartphones and tablets with advanced functionalities in the personal environment of workers. One of the first companies to support the BYOD model was IBM, as they recognized the increase in employees who used their smartphones or personal tablets in the workplace. IBM offers different solutions divided into Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. "technology solutions" and "services", and almost all focus mainly on the management of devices in the system. (Cuevas, et al., 2015). According to the study by (Lawrence and Francoise, 2014) in the RSA Conference, the adoption of BYOD in several countries had increased. The study determined that in India 85% of employees use smartphones to perform work activities, followed by China with 76%, Brazil with 71%, USA 55%, Canada 47%, UK 38% and Russia 5%. This study also showed that the rate of use of personal computers in the same countries are: Brazil 56%, India 55%, China 54%, Canada and USA 47%, U.K. 38% and Russia 10%. This is proof that there has been an increase of mobile devices such as Smartphones for performing work activities. (Dhingra, 2016) mentions some stats of BYOD as shown below: • It is predicted that by 2017, 50% of employers will require their employees to use their own device for work purposes. • By 2018, more than 70% of professionals will carry out their work on smart personal devices. • By 2018, there will be more than 1 billion devices used in BYOD programs around the world. • Only 30% of companies have approved BYOD policies. • 90% of IT professionals express concern about sharing content through mobile devices. • 85% of organizations allow employees to bring their own devices to work. • More than 50% of the organizations rely on users to personally protect their devices. • 53% of information users utilize their own personal devices for work; install unsupported software; or use unsupported Internet based services like Dropbox, Skype, Twitter, or Facebook to help them do their jobs. • The popularity of the smart devices generates opportunities for mobile app stores, which in 2016 will reach 310 billion downloads and 74 billion dollars in revenue. 2.1 Benefits. The BYOD implementation offers benefits to the employees and also to the organizations, among the benefits we have: Improved employee mobility.- According to the survey performed by (Schulze, 2016) 61% of employees prefer to use BYOD because it allows them to be connected from anywhere and at any time allowing them to perform their job tasks. Employee Satisfaction. - allows employees you to use your favorite mobile device creating an innovative way to work. Employees are currently dependent on their mobile devices and are accustomed to their use and management, allowing them to work in a collaborative and interactive way.. According to the survey of (Schulze, 2016) 56% of employees use BYOD for this benefit. 241 Increased employee productivity. - This benefit is aimed more at the organization because having employees who can be connected from anywhere, anytime, and satisfied, this improves productivity. Cost Reduction.- This benefit is also oriented towards the organization because it helps reduce the costs of acquiring devices, and license fees for applications who require it, because it is assumed by the employees, the companies can use this savings to provide added value, plus IT services to employees (Boon and Sulaiman, 2015). Less device support. - As the ownership of the device is transferred to the employee, the IT team can spend less time supporting end users (Pell, 2013). But everything is not a benefit by adopting BYOD, and due to this reason it creates a "unique set of challenges for IT professionals", as it "redefines the relationship between employees and the IT organization" (Lebek, et al., 2013) which will be further discussed in section 3. 2.2 BYOD approaches. For (Boon and Sulaiman, 2015) there are different approaches for BYOD, which can be: giving managed enterprise devices to the employee; adding employee’s owned devices to enterprise devices; replacing employee’s owned devices to enterprise devices. The most important objective of BYOD is to provide effective solution to allow users to enjoy the IT services not just limited to enterprise owned devices and working hours. Hence, it should allow anything required to perform work-related tasks are available in any devices, in private times and accessible in anywhere either connected remotely by Internet or WLAN in workplace. Gajar, et al., 2013) present the following implementation strategies for corporate mobile management: Here is your own device (HYOD): In this concept, devices are provided by the organization. There is total control in the device by the company. The company will provide complete support for the device, from the installation to the configuration and device settings. Choose your own device (CYOD): In this type of strategy, the organization offers a series of devices, from which an employee can choose his own device to use. The policies aren’t as strict as it was the case of having your own device and the user has authority to install some specific applications and software. CYOD is a strategy, while still embracing the fundamentals of 'consumerization', reduces the number devices an employee can choose to access corporate data. In contrast to BYOD, all aspects of the purchase and device maintenance are assigned to the employer and not the employee (Pell, 2013). Bring your own device (BYOD): The employee buys his device or the organization offers financial help to buy their own device in which they want to work in the consumer market. Here the policies are weaker and the organization has less control over the device. The user can do what they want and install as many applications as they want, only if they are complying with the policies of the organization. On your own device (OYOD): The end user can bring any device which isn’t supported by the organization. The 242 F.R. Rivadeneira and G.D. Rodríguez user has the responsibility to administer the device. No policies are needed to be followed. 3 Threats of Mobile Devices in BYOD Environments. Most organizations are totally dependent on their IT systems for capture, store, process and distribute company information. This has grown rapidly with the advent of BYOD. Information security is and has always been a discipline for mitigate the risks that affect the confidentiality, integrity and availability of an organization's IT resources. This discipline has been forced to expand with the arrival of BYOD, but not necessarily in a predictable and coherent way. Many organizations aren’t even aware BYOD is used in their networks; of which many have little to no technologies and / or policies to address BYOD (Zahadat, et al., 2015). Studies show that 89% of employees' mobile devices are connected to a business network; only 10% of these companies know that these devices are even accessing their network, a cause of concern when companies are storing vital and confidential data there. In addition, recent surveys indicate that 34% of mobile device users store sensitive data on their devices; this fact affects companies, since a company cannot be sure these sensitive data aren’t directly related to their business. These security issues are posed by many of today's devices (Page, 2013). With the problems raised by the adaption of BYOD, this paper intends to give an answer to the research question: What are the threats facing the Mobile devices that are currently used in BYOD environments? The threats to companies who implement BYOD, in most cases are the same vectors of attack performed on desktop computers but improved, targeted to exploit vulnerabilities and limitations of mobile devices; another of the threats compromising mobile devices is a guided and persistent attack, not launched at random or large number of people, on the contrary, targeting an specific device. This type of attacks, with appropriate techniques, enough time and the growing exploit of emergent technologies (social networks, cloud computing, among others), can achieve their goal. Among the threats are: • Advanced Persistent Threat (APT) is often based on a common initial vector of attack; it is a clever and stealthy threat used by a group of highly motivated perpetrators with the resources to extract and filter important sensitive data from organizations. ATP usually involves a prolonged duration method using covert surveillance in the detection of vulnerabilities, in order to infiltrate through exploitation vulnerabilities weaknesses. ATP is often difficult to detect because its ability to bypass traditional security defenses such as host firewall, intrusion detection system and other security systems (Bann, et al., 2015). ATP operations can take a long time (months or years) to examine and filter sensitive data from the target without triggering any detection. • Social Engineering. It is the art of getting user information to obtain knowledge about the information system. Instead of technical attacks on systems, social • • engineers address human beings with access to information, manipulating them to disclose sensitive information (Krombholz, et al., 2015). For (Algarni, et al., 2013) social engineering poses a real threat to many organizations, companies, governments and individuals. Sites such as social networks have been identified as some of the most common means of engineering attack due to factors that reduce the ability to detect the tricks of social engineers. 1 in 12 people browse Facebook while they are at work, either from their own device or from the company's computer (Orzeszek, 2013). Attackers can take advantage of social networking sites in many ways. One way to do this is by establishing a group that appears to be of public interest, directed to system administrators or network engineers; by this way the attackers gain administrators’ trust and can get valuable information and even the credentials of a key system in an organization (Kelley and Havilland, 2015). Malware. Since 2011, the number of mobile malware families has increased by 58%; malware has increased more than 10 times between July 2012 and January 2014. These alarming figures suggest that malware remains the most dangerous and persistent threat for corporate information. In the context of BYOD, existing security vulnerabilities in employees' mobile devices are exploited by malware to steal confidential information, sabotage networks, or divert financial transactions. In addition, since the creation of BYOD, IT departments have lost control of mobile devices, which means that accidental malware infections cannot be detected (Flores, et al., 2016). This threat has become even more versatile and frightening, as it could hide behind a user’s typical activity on the internet. They are diversifying and specializing in away from the traditional infection of links and malicious email attachments, especially in online social networking (OSN) domains and mobile devices. For example, there are social media methods that exploit the functions of OSN to spread malware through typical activities such as offering fake gift cards or misleading OSN users to share attractive videos, websites or messages included in the malware (Dang-Pham and Pittayachawan, 2015). Operating System Fragmentation. Google has declared that only 1.2% of active Android smartphones run the latest version of Android; this fragmentation causes support problems and when a IT department allows its users to bring several types of phones. Several versions of the same operating system (ex.: Android) on your network increases the risk and seriousness of security breaches. Even if only one type of phone is allowed with one version of the operating system, problems will arise if the phone/version combination is never updated by the provider. The IT department will now have to manage and secure a wide range of devices, including smartphones and tablets with different operating systems that have access to corporate data. Manufacturers constantly bring new software updates with new features to change the look, feel or performance of the device, and often a new version of the operating system changes everything that was previously safe in the previous version. The new Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. • • • software also has to be adapted to specific device hardware (radio controllers, Wifi, Bluetooth) and even on devices that are apparently similar (Rose, 2013). The Android platform suffers from vulnerabilities that allow hackers to perform malware attacks, denial of services, web-launch attacks, create undercover channels, and privilege attacks (Rose, 2013). Depending on the level of internal support that IT departments give to the growing and uncontrolled range of mobile devices available, these may not be compatible with security measures of configurations or applications with the consequence of mobile hardware and operating system fragmentation. It may prevent the minimum security requirements can be met to protect the corporate information. Theft or loss. Employees take their mobile devices to many places, which puts them at a greater risk of losing their device or to have it stolen; when this happens the user immediately loses use of the device. This could cause problems such as losing important calls, inability to handle urgent jobs or other troubles. When the device is lost or data is stolen, the degree of loss depends on what data and how it is stored in the device. In the BYOD environment, a lot of personal and organizational data is stored in BYOD equipment, which causes a serious threat (Tu and Yuan, 2012). According to (Hemdi and Deters, 2016) millions of cell phones and smartphones are lost or stolen every year. It is believed approximately 22% of the total number of mobile devices produced will be lost or stolen during their lifetime, and more than 50% of them will be never recovered. App Store. For (Arabo and Pranggono, 2013) there are some Android applications that when downloaded from a third-party market (not the Android market) are able to access the root functionality of devices ("rooted") and to turn them into Botnet soldiers without the explicit consent of the user. The lack of security control over the applications that appear in various markets of android apps lead to attack via malware and Botnets. It was reported recently that Google Play store which has more than 700,000 apps just passed 15 billion downloads. (Arabo and Pranggono, 2013) Security Certificates. According to (Vallina, et al., 2014) the key component of today's Internet security is the Transport Layer Security (TLS). This protocol provides endpoint authentication using the X.509 infrastructure. Trusted certificate authorities sign server certificates. Customers can verify these certificates by using a trusted list of CA certificates that are shipped with their browser or operating system. Because CAs can sign certificates for any site on the Internet, they form one of the weakest links in the global trust hierarchy. When a CA is compromised, the attacker (or the enforcing entity) can obtain certificates that habilitate TLS interception attacks on any target domain. Digital certificates remain a trusted source of authenticating computers over the Internet, provided they have been issued by a trusted certification authority. In fact, mobile devices don’t come with factory-preloaded AC credentials only, they also allow • 243 users to add their own or delete existing ones. Given this, corporate information can be compromised if a naive employee has been persuaded to add a fake CA to a mobile device or if an attacker has supplanted a trusted corporate digital certificate. BYOD policies and laws. Political gaps is the base of the majority of safety and security breaches and BYOD is no exception. For example, corporations normally require complex passwords on desktop and laptop computers, but they do not enforce this policy on BYOD equipment, allowing a simple 4-digit access code on BYOD devices. (Zahadat, et al., 2015). User failure to comply with security policies is increasingly cited as a key security issue in organizations, if users fail to comply with security policies, security measures become ineffective (Puhakainen and Siponen, 2010). 4 Characteristics of Security Models for Managing BYOD. This section gives an answer to the following question: What are the characteristics of the security models proposed to manage BYOD? After reviewing the literature, the following security models were found; they are presented along with their most relevant characteristics related to BYOD environments. • Mobile Device Management (MDM) remotely supervises the state of mobile devices in order to control their functions. An MDM consists of two main components: an MDM agent which is an application that is installed on the mobile device and it sends status and data to the MDM server; and a MDM server which manages received data and consequently causes commands on registered mobile device to lock down, control, encrypt, and enforce policies for them (Eslahi, et al., 2014). Most existing commercial BYOD security solutions consist of mobile device management systems (MDMs) (eg Mobile Iron1, IBM MobileFirst Protect2, Huawei BYOD3, etc.). The security controls provided by an MDM solution usually address the behavior of the device as a whole, for example by applying a blacklist of unwanted applications, but these controls are often too thick to capture the actual security policy of a complex organization (Armando, et al., 2016). • Mobile Application Management (MAM). MAM system is a solution used by IT administrators to remotely install, update, delete, audit and track related business applications on mobile devices. MDM is different because it controls mobile devices in the hardware layer; mobile application management systems monitor and control certain applications with reference to policies and requirements of the organization. MAM features include: Remote Application Provisioning, Remote elimination and configuration of application, Remote Application Updates and Backups, Whitelist and Application Blacklist (Tewari, et al., 2015). • Mobile Information Management (MIM): This is the technique that secures corporate information instead of mobile devices; the main objective of MIM is to preserve business information in a central location 244 • • F.R. Rivadeneira and G.D. Rodríguez (such as a private cloud) and securely share them between different endpoints and platforms. MIM only allows a limited number of trusted applications to control and manage encrypted corporate data. Virtualization: BYOD demands a new approach to the corporate network and the integration of technologies for its support, one of those technologies is virtualization. Virtualization helps organizations implement BYOD environments by centralizing security and access policies for all of their IT users, allowing mitigation of risks across the board. Because the server, desktop and BYOD interactions are virtualized, it is possible to build a good security umbrella around all these assets. Desktop virtualization models are low cost, they centralize resources, data and security management and reduce or eliminate the need to transmit data onto mobile devices, thus reducing the possibility of data leakage occurrences (Downer & Bhattacharya, 2015). Virtualization is a software and / or hardware environment emulation method that runs on the superior layer of another system. This simulated environment is called a virtual machine. The virtual machine is logically equivalent to a physical machine, and the reason for the widespread application of virtualization is the ability to run multiple virtual machines on just one single physical. Within virtualization we have the hypervisor which is the hardware platform virtualization software that allows multiple operating systems on a single device. This virtualization type is available on some Android devices because the platform is open. The hypervisor is used to run two or more instances of the operating system, giving the ability to run personal applications and services from a primary partition and enterprise services / applications on the virtualized operating system. There are two types of hypervisors. Type 1 hypervisors run directly on system hardware with multiple virtual systems that use virtual resources provided by the hypervisor. Type 2 hypervisors run on a host operating system that provides virtualization services, such as / O device support and memory management, where you run virtual systems using the virtual resources provided by the hypervisor. (Jaramillo, et al., 2014). Application Containers for Mobile Devices: Containerization provides administrators with the ability to create secure containers on the device within which all applications and data in the organization are found. By applying this method, data can be shared exclusively between applications that are inside the secure container. This method allows the implementation of the security policy of the organization over predetermined secure containers without affecting the functionality and the private part of the device data (Perakovic, et al., 2014). There are three major types of containers according to (Yadav, et al., 2015): 1) Application-specific containers, also called pin-in SDK packages, make changes to the exterior of the user interface, and sometimes customers do not like it. 2) Neutral application containers use an application wrapper process to provide security measures that do not form part of the application source code. The application wrapper can be deployed in a short period of time because this container doesn’t require the change of the original application code. This gives users the layout of the original application and consistency for personal space and industry. 3) Integrated containers allow security and optimization of business productivity through the use of tools and applications designed for their integration into the operating system. According to the comparative study (Perakovic, et al., 2014), the most suitable method is the neutral application container. Due to an uncomplicated application packaging process, it doesn’t change the exterior of the application user interface and at the same time it does not change in the source code. •T-dominance. It interprets and measures the security representativeness (is measured by the unique traits of smartphones: co-location communication channels in addition to the cellular links, readily available connectivity information, and regular mobility/connectivity pattern of users in the enterprise environment.) with a temporal-spatial structural property. It is a distributed algorithm that is executed in distributed form in individual smartphones, solidly preserving that property. It is called T-dominance algorithm, where T is a time limit. Each BYOD smartphone runs the T-dominance algorithm and, based on potentially obsolete information from nearby smartphones, estimates its security representativeness. If a smartphone is considered representative, it becomes an agent. The algorithm doesn’t need central coordination, which reduces maintenance overhead for enterprise IT management, and is less intrusive for BYOD employees. After executing the algorithm for a while, the whole set of BYOD smartphones will be dominated by the agents: each smartphone is an agent or very likely it is close to an agent with a delay that doesn’t exceed T. It is a more intrusive and costly defense mechanism than other methods. Priority based deployment T dominance provides an adjustable equilibrium (through T) between the security provision and the intrusion / cost mechanism (Peng, et al., 2013). Properties for an algorithm that implements Tdominance-based prioritized defense deployment: Property 1 (Correctness). The T-dominance structural property is maintained by the algorithm. Property 2 (Localization). An agent makes its activation/deactivation decisions based on its own status and the connectivity logs from other smartphones it co-locates with. Property 3 (Temporal robustness). Property 1 is achieved even if the connectivity logs obtained from other smartphones during Wi-Fi co-location is outdated. T-dominating agents play a specific role in the deployment of prioritized defense. In the patching priority, the agents resemble the high-risk population (prior to immunization) and the deposit of vaccines (after immunization) in human epidemiology. An agent makes their activation / deactivation decisions based on Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. • • their own status and the connectivity logs of other smartphones they are on. Cisco BYOD. It is a Cisco proprietary solution for a highly managed IT business structure. The architecture of the Cisco BYOD solution is based on the Cisco Borderless Network Architecture and assumes the best practices that apply to the network infrastructure designs for campus, branch offices, Internet deployments and home-office deployments. The Cisco BYOD architecture shows critical components to enable secure access to any device, easy access to network, and centralized application of enterprise usage policies. This robust architecture supports a multitude of devices, such as employee ownership, business owners, or guest users attempting to access the network locally or from remote locations. The Cisco BYOD Smart solution helps maximize business value by providing a high quality user experience, security information and easy attendance. This solution stands out among other approaches that enable the implementation of BYOD by the following: superior technology in every layer, full view of workspace, validated design with comprehensive support, integration with third parties, complete services, and seamless experience with any connection method (Hallock, et al., 2013). Brian’s BYOD Model: The use of personal devices to access corporate applications and data, shows what happens when there is a conflict between usability and security. Users speak to themselves, and chose their preferred program by selecting the tools they find are the most suitable for their work. And because these are personal property devices that follow the owner, issues of device security and remote access should also be addressed. (Tokuyoshi, 2013), security is addressed by using the following guidelines: 1) Protecting network traffic: Remote devices connecting to arbitrary networks may place corporate data at risk. Without some protection in place to secure network traffic, the information is about as private as a postcard, open to anyone to read if they make the effort to look. 2) Protecting the content of the traffic from vulnerabilities and exploits: Managed devices have the benefit of endpoint protection standards that provide a line of defense against malicious content. Unmanaged devices may or may not meet those standards, and may not be adequately protected before getting on the network. There are two issues that come into play: first, the endpoint may need better security to protect against dangerous content; and second, network security measures can play a larger role in protecting the device as well. 3) Enforcing application policy: Organizations have applications they need to protect, and want to ensure that there are appropriate controls in place for who may access them and from where. Perhaps the organization wants to place restrictions on which users may access the data center applications. Perhaps there are restrictions that must be in place to ensure that only corporate issued laptops may access the datacenter. • • 245 These types of controls ensure that the protection around the datacenter adequately models who and what can access it, and provides an appropriate level of access for a particular device. 4) Enforcing device policy: The mobile device’s operating system may have a number of security features, but the ability to ensure that it is being used properly is something that is not easily prescribed when it’s not corporate owned. An increasing number of organizations are undertaking measures to make devices policy compliant with enterprise needs through the use of technology such as Mobile Device Management (MDM). This can take an unmanaged device and make it an employee-owned managed device. 5) Protecting data on the device: Should BYOD devices be allowed to contain enterprise data? What measures are in place to secure that data, or destroy the data in the event of a lost or stolen device? Some see this as a containment issue, such as using partitioning and application containers to limit the scope of where the data goes. Some see this as a matter of data protection, such as data-level or device level encryption. Another approach is to first consider what applications (and data) the device should be allowed to access in the first place, such as using virtualization to remotely access an application or desktop without putting the application data itself on the device. BRADFORD'S BYOD Model. The process uses the Network Sentry tool from Bradford Networks; it provides access to the corporate network and personal devices according to the rules that are defined. The Network Sentry policy engine is used to define access to the network in a very specific way to meet the needs of different users and groups. Network Sentry is used to enforce those policies, provide visibility to all network access, and allow policies to be modified if necessary. It is an approach that shifts the focus from the traditional control to a flexible policy-based network provision that can support personal mobile devices. Employees can be productive in their preferred devices without compromising the organizational security (Bradford, 2013). BYOD Security Framework (BSF). This framework has been designed to achieve three objectives. First, spatial isolation is necessary in order for the personal space and corporate space to separate from each other, and to allow policies to be implemented for each of them individually. Second, corporate data protection is necessary so that unauthorized access to this data can become unworkable. This is achieved by encrypting all corporate data stored on the BYOD device. Finally, the application of the security policy must be applied so that devices could be able to comply with the requirements of the company. BSF defines two entities: the business side and the device side. The first side is composed of all corporate resources such as company servers, Internet gateways and corporate data. On this side, a network access control mechanism (NAC) is responsible for providing access control when BYOD devices attempt to access these resources. This access is 246 • F.R. Rivadeneira and G.D. Rodríguez authorized or denied based on corporate policies. In addition, the NAC has to differentiate between personal space requests and corporate space requests, which is achieved through the implementation of certificates for each of them. To manage corporate policies, a security policy database is deployed. These policies include information on how to handle the access request when dealing with a user space on a BYOD device, which devices are allowed to access the network, and the connection parameters. Finally, mobile devices are managed by integrating an MDM solution, which is based on the policy database and applies these policies to BYOD devices (Wang, et al., 2014). Remote Mobile Display (RMS): This framework meets all the goals of a safe BYOD environment. To do this, the enterprise provides the employee with a virtual machine (VM) with a running mobile operating system, which is located in the enterprise network. The employee connects via the mobile device, an RMS implementation is provided using commonly available software for an x86 architecture. RMS modifies the BSF architecture by moving the corporate space located on the mobile device to the corporate network. In addition, RMS adds a new component called Corporate Space Manager, which is used to manage access to mobile virtual machines located in the corporate network. Finally, RMS uses the Virtual Network Computing (VNC) protocol which in return relies on the Remote Framebuffer (RFB) protocol to allow the user to access their own corporate space. Like in BSF, RMS presents a BYOD side and an enterprise side. RMS uses two elements called Corporate Space Manager (CSM) and VNC to allow the user to access the business space. The VNC protocol is based on the RFB protocol, the RMS system consists of a BYOD device and an Enterprise side. The BYOD side accesses the corporate space, located in the corporate network through the VNC client residing on the device. On the enterprise side, it contains a security policy enforcement entity that enforces enterprise policies. RMS uses its CSM as a proxy server to inspect the contents of VNC packets and performs actions based on the content. The employee has access to corporate resources through the VNC application, thus solving the problem of storing corporate data on user devices. However, this system also has its limitations. The VNC protocol has a cryptographically weak password and doesn’t protect the observation or data stream manipulation. In addition, Unicode text transfer is not compatible with the RFB protocol (Gimenez, 2015). Table # 1: Security Management in BYOD Environments Security Model Mobile Device Management (MDM) Mobile Application Management (MAM). Mobile Information Management (MIM) Virtualization Application Containers for Devices Characteristic Mobile devices are connected to the corporate network through an encrypted channel. It authenticate devices by exchanging certificates from server certified organizations. With the help of Access Server, MDM can define the correct access. It continuously synchronize and backups organizational stored data from devices and to devices through the synchronization server. Lock devices, enforce policies on the device and even delete remote and local data. Monitors and controls certain applications according to the policies and requirements of the organization. Whitelist and blacklist applications. Application updates and backups. Remote elimination and configuration of the application. Remote application provisions Preserves company information in a central location. Allows a limited number of trusted applications to control and manage encrypted corporate data. Maintain the desktop within the data center. Streamline the licensing process and reduce licensing liability risks that may go along with BYOD. Meets a company's backup, recovery and compliance needs, preventing employees from storing unique enterprise data on their devices and in cloudbased applications. Easier management for the IT department. IT doesn't need to manage a large number of devices, allowing them to focus on data and application management. Data can be shared exclusively between applications within the secure container. Provides users with access to all of the organization's data through a single sign on (SSO). If some data is compromised, the entire container or that particular application can be deleted Assigns the use of various security systems, such as direct renewal or updating of content to secure containers Application Level Technical Technical Technical Technical Technical Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. T-dominance Cisco BYOD Brian’s BYOD Model 10-step process for BRADFORD'S BYOD model BYOD Security Framework (BSF) Remote Mobile Display (RMS) By using strategic sampling, agents resemble traditional Internet honeypots for intrusion detection. The T-dominance structural property is maintained by the algorithm T-dominating agents play a specific role in the deployment of prioritized defense. In the patching priority, the agents resemble the high-risk population (prior to immunization) and the deposit of vaccines (after immunization) in human epidemiology An agent makes their activation / deactivation decisions based on their own status and the connectivity logs of other Smartphones they are on. Ensure compliance with corporate access policies on any device. Know what users and devices are connected to the networks. Minimize the amount of IT resources needed to incorporate new personal devices into the network. Workspace productivity applications Collaborate with any device. Manages and protect devices and their workspace. Provide access from anywhere with a seamless connection transfer. Apply policies to grant access to information, depending on who requests it and what device to use. Take the workspace into the device. Protect network traffic from authorized and unauthorized access. Protect the traffic content from vulnerabilities through the encryption mechanism. Enforce application policy by allowing authorized access for authorized users and authorized devices. Device policy enforcement by allowing only security-compatible devices to access the system. Data Protection in the device against offline access, theft or malicious acts. Determine what mobile devices are allowed to access Determine what OS versions are allowed, only approved and secure OS versions. Determine what applications are required for security settings configuration. Determine what groups of employees can use these devices and implement user device policies. Determine what network access will be assigned based on who, what, where and when conditions. Educate users before purchasing devices for BYOD through communication policies. Inventory for reliable and unreliable devices, for administration and for forensic purposes. Inventory for trusted and untrusted users Controlled network access based on risk posture = access provision to the network. Assessment and continuous vulnerability correction. Spatial isolation is necessary for personal space and corporate space to separate from each other, and to allow policies to be implemented for each of them individually Corporate data protection is necessary so that unauthorized access to this data can become unfeasible, which is achieved by encrypting all corporate data stored in the BYOD device Application of the security policy should be applied so that the devices meet the requirements of the company. Defines two entities: the business side and the device side. Mobile devices are managed by integrating an MDM solution, which is based on the policy database and applies these policies to BYOD devices Modifies the BSF architecture by moving the corporate space located on the mobile device to the corporate network. Provides the employee with a virtual machine (VM) that runs a mobile operating system, Adds a new component called Corporate Space Manager, which is used to manage access to mobile virtual machines located on the corporate network It uses the Virtual Network Computing (VNC) protocol which in turn is based on the Remote Framebuffer (RFB) protocol to allow the user to access their own corporate space 247 Technical Technical Technical Technical Technical Technical 248 F.R. Rivadeneira and G.D. Rodríguez 5 Integral Security Model for Managing BYOD. Are there integral security models with the minimum requirements to maximize the advantages of BYOD? According to the revised literature, there isn’t a model that allows Integral management of security in BYOD environments. This is supported by the previous section describing the security model characteristics and it can be concluded that each Security Model is designed to partially manage threats which affect BYOD environments, but there is not an integral model that tries to manage both the Technical and Human factors in BYOD environments. In addition some models do not provide a confidence and satisfaction degree when using it, causing it to not take maximum advantage of the benefits that BYOD offers. Cisco proposes an integral model but is based only on technical solutions, it does not manage the human part and leaves aside some other considerations of other models. Below are the guidelines that must be taken into account to planning and design an Integral Safety Model and to make the most out of BYOD.  Establish close coordination across multiple disciplines and among stakeholders, supported at the highest levels of government (Zahadat, et al., 2015).  Understand the business environment, who the users are and what resources they access. (Zahadat, et al., 2015).  BYOD standards in order to ensure BYOD devices are able to support functional and security requirements. Organizations should establish requirements that are aligned with the organization's missions, goals and objectives (Zahadat, et al., 2015).  Device Management system (MDM). This must provide control of applications, data and configuration parameters for mobile devices, and the device is provisioned using Over-The-Air (OTA) or other enrollment process. During provisioning, the device is installed with any configurations, settings, software, and certificates necessary to prepare the device for BYOD (Zahadat, et al., 2015).  Manage assets, encompasses the full range of processes and technologies from which BYOD devices are registered and approved, configuration controlled, and managed. Asset management includes activities to formally approve users and devices into the BYOD program, register devices, install required software, configurations, and applications to meet organizational requirements, and to manage the relationship between the organization, the user, and the device throughout the BYOD cycle (Zahadat, et al., 2015).  Controlling the Network Environment. A purpose built network will permit BYOD devices to access required organization resources while retaining strategic intersection points where protective, detective, and reactive security controls can be placed. Some technological solutions that are capable of performing the required functions include: firewalls, access-control lists, virtual local area networks (VLANs), zoning, VPN, and application wrapping (Zahadat, et al., 2015).    Governance. Organizational planners will need to identify the policies, processes, and procedures used to operate and monitor the organization’s BYOD program. Governance should include statutory, regulatory, legal, security, environmental, and operational requirements. It is critical to understand the limitations of mobile security technology in order to comprehend, which aspects of the BYOD security program are technically enforceable and which are relying solely on policy for enforcement (Zahadat, et al., 2015). Network Access Control, establishing and enforcing network access control (NAC) policies for businessowned Windows laptops can be extended to implement policies for personal ownership devices (Orans, 2012), a NAC combination and mobile device management enforces policies in a BYOD environment. Devices are not managed by MDM agents and should be limited to internet access only, or placed in a limited access area in which they can access an applications subset and network resources according to the user / group role. (Harris, et al., 2013) mention that security awareness and training for most employees is desirable; awareness of the security problem and training to acquire security skills. Security professionals in charge of protecting information systems need a superior level: education, meaning that expertise is developed for professionals working within the security discipline. An obstacle for the introduction of enterprise software applications on mobile devices is that you can present your own security issues and compatibility of IT departments. The tendency for employees to use their own mobile phones and smartphones, in particular, is unstoppable and the user is essentially taking control of the company's security program, a situation that should be addressed by developing relevant security policies and /or updating existing company policies to help protect both the company’s network and legal rights to reduce and liability risks (Bell, 2013). The next step after applying all technical controls is to design BYOD policies among the organization's employees, which is discussed in the next section. 6 Basic Controls for Designing Security Policies for BYOD Environments. For (Putri and Hovav, 2014), security information policy only studied resources that were owned by an organization so that organizations could have full control of their resources. In BYOD, resources aren´t owned by the organization. The devices used to carry out the work are property of the employees. However, access resources are owned by the organization, for example network and information. Any attempt to control an employees' personal device could create a perceived threat to their freedom in using their own device. Security policy can be perceived as a burden and an obstacle to employees’ work because it restricts the way they use their own devices. 31% of the companies surveyed by SANS saying that they do not have policies in place to handle BYOD and a further 26% stating that they only “sort of” have policies, it is possible to see how unsecure mobile devices are infiltrating corporate Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. networks. Only 14% of companies feeling that the policies that they do have in place are very thorough and 49% feeling that their policies catch some basic threats or none at all. It can be seen that policies are a large issue that companies need to be addressing. (Gladyng, 2013). For (Shumate and Ketel, 2014) BYOD policies are an integral part of the control and mitigation of the security problems, although they are often neglected by many companies as indicated in the SANS survey. Each organization must create a policy that suits their unique needs and situations. This policy must be updated on a regular basis, at least once a year. As technology changes the policy with respect to this technology type must also change. The change in the mobile industry is even faster than in the IT industry in general. The controls that manage mobile devices need to be updated to address the new risks that could eventually be created by these changes. With this, the answer to the fourth research question begins. What are the basic controls that should be taken into account for the design of security policies in companies with a BYOD environment? According to (Madzima, et al., 2014) Policies have always been regarded as the good starting points for gaining and exerting control on an enterprise for they provide the framework for formalizing guidelines for BYOD adoption and the use of employees owned devices. When designing, implementing and executing a policy, an enterprise would know what to do in the event that a device is lost, an employee resigns from the company, and also how to manage data and network access for all the BYOD devices. A good policy should neither be overly restrictive on how employees may use their device nor overly relaxed to the extent of granting the enterprise access to the employee’s personal data. Up next are the basic controls for designing general policies that all organizations must take into account, to serve as a starting point in the design of a specific BYOD policy. Policies of the Organization: • Audit Devices. This involves establishing all the devices you use to manage corporate data, including those owned by your employee (Puhakainen and Siponen, 2010). • Amnesty. The company's IT staff must tell employees what personal property devices they must bring in order to be added to company networks and security features (Puhakainen and Siponen, 2010). • Adding security. The company's IT staff must configure all employee-owned devices to meet the company's security requirements (Puhakainen and Siponen, 2010). • Employee profiles. It is suggested that in order to successfully classify employees, the following profiles should be taken into consideration: Standard user, advanced user, professional user, guest user (Vignesh and Asha, 2015). • Acceptable use policies. Clearly define what is allowed in term of use of internet and particularly social media with it fast becoming a popular avenue of attack by social engineers (Mott, 2013). Mobile Device User Policies: • Password. All devices must have a password to access the device, which must be changed frequently, to create a password you must avoid consecutive numbers and 249 data related to the employee. According to (Allam, et al., 2014), Cisco, in a study conducted in 2013, found that nearly 40% of smartphone users do not have a password enabled on their device. • Antivirus and Anti-malware. Use these solutions to protect the device against malware and viruses, it is also necessary to activate the automatic update of these applications so that the mobile device is always protected (Downer & Bhattacharya, 2015). • Sensitive Data. Avoid accessing and processing sensitive data over public wireless networks that don’t have a password or encryption. (Mott, 2013). • Lost or stolen devices. The following must be taken into account: What will the process be for notification by employees? What are the steps to eliminate access to the corporate network? What steps will be taken to eliminate the data stored on the device? Companies must have a plan in place to handle the lost or stolen device (Tewari, et al., 2015). • Encrypt the external memory card. Memory slots are available on most mobile devices; external memory cards can be stolen which results in data breach, and therefore there must be encryption software to encrypt the external memory card (Vignesh and Asha, 2015). • GPS lock. It is a lock based on location that can be applied through GPS; the data can be decrypted and accessed only from a specific geographical area, such as the workplace or home (Vignesh and Asha, 2015). (Madzima, et al., 2014) suggest that the BYOD policy should provide evidence of employee knowledge and agreement for the use of their personal devices to carry out the work of the company. It is also important that the company's BYOD policy covers areas of potential conflict between employees and employers 7 BYOD Security vs Corporate owned device Security In corporate owned device environments, security management of the device is managed by the IT department. The IT Department decides what is installed and what is not installed, the device model and the version of the OS installed; it restricts the ability to install applications and access internet sites. In BYOD environments the device is owned by the employees, therefore they are the ones in charge of the security management; the IT department can apply some preventive, corrective and technical measures of mobile security management, but it is the employee who has full control of the device. In table 2, a comparison between BYOD security and corporate owned device security is shown, focusing in the ease of meeting security needs. 250 F.R. Rivadeneira and G.D. Rodríguez Table # 2: Difference between BYOD security and Mobile security # 1 2 3 4 5 6 7 8 9 10 11 Security Features Manage extra applications installed by users Manage devices that are accessing the corporate network Separation between private and business spheres Social Network Access Management Malware application management Ensure that mobile devices are homogeneous Ensure that all OS versions on mobile devices are homogeneous. Complexity of user support Device Management in the event of theft or loss Enforcement of policies and laws Predisposition of users to training Ease of compliance in BYOD 12 Manage the termination of the employee's relationship with the company Prevent and mitigate social engineering attacks Prevent and mitigate Advanced Persistent Threat (APT) Ensure the privacy of company data Low High High Low High Low Low High 13 Low Ease of Compliance in corporate owned device High Low High 15 Low High Low High Low High Low High Low High Table 3 shows the coverage performed by the different BYOD security models according to the characteristics presented in table # 2. According to table # 3, it can be concluded that the BYOD models are focused on technical solutions, but in the characteristics where the employee has absolute control of the mobile device there is no model that allows to manage the security. For example, the use of social networks by employees can not be managed, which could easily lead to a social engineering attack or Advanced Persistent Threat (APT). High Low Low High Low High Low High 14 Table # 3: Coverage of BYOD Security Models Security Model Mobile Device Management (MDM) Mobile Application Management (MAM). Mobile Information Management (MIM) Virtualization Application Containers for Devices T-dominance Cisco BYOD Brian’s BYOD Model 10-step process for BRADFORD'S BYOD model BYOD Security Framework (BSF) Remote Mobile Display (RMS) 8 01 02 03 X X X X X X X X X X X X X X 04 05 Security Features (see table#2) 06 07 08 09 10 11 X X X X X X X X Future Work There are a number of solutions to mitigate the security risks that are associated with BYOD, from the MDM, MAM, MIM, Application Containers, Virtualization, but these partially solve the risks, and if they eventually solve one, a new gap will eventually open. By reviewing the literature we notice that an integral model hasn’t been X 15 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X 14 X X X X X 13 X X X X 12 considered and a future work would be precisely to design an Integral Model for the security management in BYOD environments in order to allow to take full advantage of this trend. When organizations allow their employees to use their mobile devices to perform work tasks, it is likely that by allowing this there is an increase in the use of social networks while on the job, the danger is that employees can Bring Your Own Device (BYOD): a Survey of Threats and Security Management Models. share company data on social networking sites often with the best of intentions, such as for supportive purposes. Nearly a third of IT departments suffered data loss in the 2011, while 60% of them suffered two or three data loss, each with an estimated average cost of 2 to 5% of total revenue the company (Caldwell, 2012). A future work would be mechanisms to mitigate the loss of data through social networks in BYOD environments. Applying security policies in BYOD environments is vital to maximize this trend’s benefits of this trend, and to mitigate the security risks associated with it, some companies make known these policies through a document with 20-pages waiting that employees understand it, when in some cases it was written for regulators, lawyers and auditors, These documents must be written with language appropriate to the target audience, and explain the consequences of noncompliance. According to (Caldwell, 2012), “Training programmes should not be developed by techies they should be eveloped by marketers” in this way it will be possible to training employees better with respect to the security policies, also must be taken into account that people learn in different ways. User awareness is key and awareness training should be part of every corporate security program, so another future work would be to create awareness programs that allow BYOD employees to apply security policies in a natural way and easily detect the attacks you may be experiencing. 9 Conclusions BYOD has become a good strategy that companies use due to their great benefits; companies like CISCO and others create technical solutions and implement policies to help mitigate the risks that comes with implementing this strategy. From the review of current literature on security, it has been found that there are numerous technological strategies to address the information about the risks of security but one main factor has been left out and that is the human factor. With the study of the literature regarding BYOD, the following questions could be answered: • What are the threats that mobile devices currently face while being used in a BYOD environments? The following threats were found: Advanced Persistent Threat (ATP), Social Engineering, Malware, Operating System Fragmentation, Theft or Loss, Application Store, False Security Certificates, Policies and BYOD Laws. • What are the characteristics of security models in order to manage BYOD? We found 12 security models for BYOD environments, of which 11 are based on the technical management of the mobile device and its connections. Only the BYOD Policy Management Model has characteristics oriented to the human factor. • Are there integral safety models with the minimum requirements to take full advantage of BYOD? According to the revised literature, there is no model that allows a comprehensive management of security in BYOD environments, because each security model is designed to manage some of the threats that affect BYOD, but there is no integral model that tries to • • 9 251 prevent both the technical and human factors by which mobile devices can be compromised. What are the basic controls that should be taken into account for designing security policies in companies with a BYOD environment? The basic controls that should be considered for the design of BYOD policies are classified into organization policies’ controls, such as: audit devices, amnesty, security addition, employee profiles, acceptable use policies; and mobile device user policies’ controls such as: password, antivirus and anti-malware, sensitive data, lost or stolen devices, encryption of external memory card, GPS lock. These controls serve as a starting point for designing a specific BYOD policy for any organization. What are the main differences between security on BYOD environments vs. security on corporate owned mobile device environments, regarding how easy is to meet security needs? There is 15 security features that show a complete mistmatch between the ease of compliance in BYOD vs. ease of compliance in corporate owned mobile devices. There are 11 features that are easier to meet in corporate owned mobile devices than in BYOD. Most research regarding mobile security has been done with the traditional corporate owned device environment in mind, therefore, additional research into BYOD security management and models is needed. References Algarni, A., Xu, Y., Chan, T., and Tian, Y.-C. (2013). Social engineering in social networking sites: Affect-based model. 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013). Allam, S., Flowerday, S. V., and Flowerday, E. (2014). Smartphone information security awareness: A victim of operational pressures. Computers & Security, pp.56-65. Arabo, A., and Pranggono, B. (2013). Mobile Malware and Smart Device Security: Trends, Challenges and Solutions. 19th International Conference on Control Systems and Computer Science. Armando, A., Costa, G., Merlo, A., Verderame, L., and Wrona, K. (2016). Developing a NATO BYOD security policy. International Conference on Military Communications and Information Systems (ICMCIS), pp.1-6. Bann, L. L., Mahinderjit, M., and Samsudin, A. (2015). Trusted Security Policies for Tackling Advanced Persistent Threat via Spear Phishing in BYOD Environment. Procedia Computer Science, pp.129–136. Bell, M. (2013). Considerations When Implementing a BYOD Streategy. The Role of IS Assurance & Security Management, pp.19-21. Boon, G. L., and Sulaiman, H. (2015). A Review on Understanding of BYOD Issues, Frameworks and Policies. The 3rd National Graduate Conference (NatGrad2015), Universiti Tenaga Nasional, Putrajaya Campus, 272-277. Bradford, N. (2013). Ten Steps to Secure BYOD. White Paper. Caldwell, T. (2012). Training – the weakest link. Computer Fraud & Security, pp.8-14. Cuevas, P. d., A.M, M., J.J, M., P.A, C., P., G.-S., & A, F and.-A. (2015). Corporate security solutions for BYOD: A novel user-centric and self-adaptive system. Computer Communications, pp.83–95. 252 F.R. Rivadeneira and G.D. Rodríguez Dang-Pham, D., and Pittayachawan, S. (2015). Comparing intention to avoid malware across contexts in a BYODenabled Australian university: A Protection Motivation Theory approach. Computers & Security, pp.281–297. Dhingra, M. (2016). Legal Issues in Secure Implementation of Bring Your Own Device (BYOD) . Procedia Computer Science. Downer, K., and Bhattacharya, M. (2015). BYOD Security: A New Business Challenge. Conference: Proceedings of The 5th International Symposium on Cloud and Service Computing (SC2 2015), IEEE CS Press. Eslahi, M., Naseri, M. V., Hashim, H., Tahir, N., and Saad, E. H. (2014). BYOD: Current State and Security Challenges. Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on. Flores, D. A., Jhumka, A., and Qazi, F. (2016). Bring Your Own Disclosure: Analysing BYOD Threats to Corporate Information. Conference: 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16), At Tianjin, China. Gajar, P. K., Ghosh, A., and Rai, S. (2013). Bring Your Own Device (Byod): Security Risks And Mitigating Strategies. Journal of Global Research in Computer Science, pp.62-70. Gimenez, S. M. (04 de 2015). Remote Mobile Screen (RMS): An Approach For Secure Byod Environments. Computer Science and Engineering: Theses, Dissertations, and Student Research. http://digitalcommons.unl.edu/computerscidiss/86/? utm_source=digitalcommons.unl.edu %2Fcomputerscidiss %2F86&utm_medium=PDF&utm_campaign=PDFCover Pages Gladyng, C. (2013). BYOD: Can It Harm Your Business? The Role of IS Assurance & Security Management, 31-33. Hallock, Z., Johnston, J., Macias, F., Saville, R., and Tenneti, S. (2013). Cisco Bring Your Own Device (BYOD). CISCO. Harris, M. A., Patten, K., and Regan, E. (2013). The Need for BYOD Mobile Device Security Awareness and Training. Proceedings of the Nineteenth Americas Conference on Information Systems, Chicago, Illinois. Hemdi, M., and Deters, R. (2016). Data Management in Mobile Enterprise Applications. Procedia Computer Science, pp.418 – 423. Jaramillo, D., Newhook, R., and Nassar, N. (2014). Techniques and real world experiences in mobile device security. SOUTHEASTCON 2014, IEEE. Kelley, P., and Haviland, J. (2015). Leveraging Social Networks and BYOD for Reverse Social Engineering Attacks on Corporate Networks. Academia.edu. Krombholz, K., Hobel, H., Huber, M., and Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, pp.113–122. Lawrence, D., and Francoise, G. (2014). Practical Legal Aspects of BYOD. RSA Conference. Lebek, B., Degirmenci, K., and Breitner, M. H. (2013). Investigating the Influence of Security, Privacy, and Legal Concerns on Employees' Intention to Use BYOD Mobile Devices. Proceedings of the Nineteenth Americas Conference on Information Systems, Chicago, Illinois. Madzima, K., Moyo, M., and Abdullah, H. (2014). Is Bring Your Own Device an institutional information security risk for small-scale business organisations? Information Security for South Africa. Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 5–8. Mott, G. (2013). Social Engineering and how it Affects Your Business. The Role Of Is Assurance & Security Management. Olalere, M., Taufik, M., Mahmod, R., and Abdullah, A. (2015). A Review of Bring Your Own Device on Security Issues. SAGE Open. Orans, L. (2012). Securing BYOD With Network Access Control, a Case Study. SANS Institute. Orzeszek, M. (2013). Social Engineering and Business Practice. The Role of IS Assurance & Security Management, pp.87-89. Page, L. (2013). The Trade Offs for Bring Your Own Devices. THE Role Of Is Assurance & Security Management, pp.91-94. Pell, L. C. (2013). BYOD: Implementing the Right Policy. The Role Of Is Assurance & Security Management, pp.95-98. Peng, W., Li, F., Han, K. J., Zou, X., and Wu, J. (2013). Tdominance: Prioritized Defense Deployment for BYOD Security. IEEE Conference on Communications and Network Security (CNS). Perakovic, D., Husnjak, S., and Cvitić, I. (2014). Comparative analysis of enterprise mobility management systems in BYOD environment. Conference: Research Conference In Technical Disciplines RCITD, At Zilina, Slovak Republic. Puhakainen, P., and Siponen, M. (2010). Improving Employees’ Compliance Through Information Systems Security Training: An Action Research Study. MIS Quarterly, pp.757-778. Putri, F. F., and Hovav, A. (2014). Employees’ Compliance with BYOD Security Policy: Insights from Reactance, Organizational Justice, and Protection Motivation Theory. Association for Information Systems. Rose, C. (2013). BYOD: An Examination Of Bring Your Own Device In Business. Review of Business Information Systems, pp.65-69. Schulze, H. (2016). Byod & Mobile Security. SPOTLIGHT REPORT. Shumate, T., and Ketel, M. (2014). Bring Your Own Device: Benefits, risks and control techniques. SOUTHEASTCON 2014, IEEE. Tewari, A., Nagdev, P., and Kiran, I. (2015). BYOD:Usability. International Journal of Computer Science and Information Technologies (IJCSIT), 2081-2814. Tokuyoshi, B. (2013 ). The security implications of BYOD. Network Security, pp.12-13. Tu, Z., and Yuan, Y. (2012). Understanding User's Behaviors in Coping with Security Threat of Mobile Devices Loss and Theft . 45th Hawaii International Conference on System Sciences. Vallina, N., Amann, J., Kreibich, C., Weaver, N. and Paxson, V. (2014). A Tangled Mass: The Android Root Certificate Stores. Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies, pp.141-148. Vignesh, U., and Asha, S. (2015). Modifying Security Policies Towards BYOD. Procedia Computer Science, 511-516. Wang, Y., Wei, J., and Vangury, K. (2014). Bring your own device security issues and challenges. Conference: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC). Yadav, S., Ganguly, U., Suman, S., and Puri, P. (2015). Threats and Vulnerabilities of BYOD and Android. International Journal of Research, pp.997-1003. Zahadat, N., Paul, B., Timothy, B., and Olson, B. A. (2015). BYOD security engineering: A framework and its analysis. Computers & Security, pp.81-99.