Biometric Applications for Information Security

Published Date: 02 Mar 2018

Chapter 1

1 .0 Introduction

In recent times, the use of computer towards accessing information has increased and this has made our lives simplified in different ways, whereby easing people around the globe to communicate and share information. Due to this growing computer technology, the need for an improved network service which involves public accessing these devices is to be put in place. Generally, this advancement in knowledge towards the use of modernised technology has lead to the investigating and unveiling of new threats to computer system security which affects the today's organisations.

From my research carried out it has been noticed that most organisations are in search of better means of improving their information security system, and also a cost effective means towards safeguards against fraud and impersonation .As we all know that data protection is a valuable resource which must be kept strictly, controlled and managed properly in an organisation. In the nutshell, the term security basically referred to as the protection and guidance of a system from unauthorised access, be it intentional or accidentally, irrespective of the service provided by the database management system. This work will generally involve the use of keystroke dynamics as a means of establishing a unique identity, which will be used as an additional measure towards enhancing information/data security in an organisation (e.g. Banks, Institutions, legislative departments, finance houses, production firms etc). This unique identity will help present a safeguard towards authenticating the access to computers by recognizing an individual based on his stored features i.e. mouse movement, keyboard application, typing rhythm etc.

The protection of an information database system at all level in an organisational system, has over the years become an essential concern, this is as a result of different type of threats and unauthorised advances made by malicious individuals. Many organisations, over the years gone ahead towards the development and adoption of a stronger web-based services of computer controls, because from my research I gathered that information and transaction worth fortunes are been dealt with on a daily basis and the organisation has to ensure its protection by all means. Because any breach of security will lead to fatal destruction of the system. During my report it was noticed that in most organisational application, the access to information database system where usually restricted through the use of a login ID/password protection scheme. This has been in place for years and if by any means this scheme is breached, and then the organisations information is generally exposed towards any possible fraudulent misuse. During my research work I gathered that, hardware based security managed systems has a positive impact towards the reduction of unauthorised access by imposter. According to “David Zhang and Anil Jain” 2006, in there

book “Advance biometric” it stated that acceptance rate is still study dependent and the results indicate that the false acceptance ratio (FAR) is still on the order of 5%, beyond the acceptable risk level of many organizations, considering the costs in terms of hardware and training time. In the nutshell it will be said that security and database plays an important role in all areas where computers are used, including business, electronic commerce, engineering, medicine, law, library science and many lot of more fields.

I would like to give a brief definition of what database is all about and its surrounding topics on which we will deal with as we proceed on the project work. Generally, database can be said to be a cart where information are stored, updated and retrieved, it is a very important part of everyday life, and has to be secured from utterances. The term Biometric said to be gotten from the combination of the Greek words ‘Bios', which means life, and ‘Metrikos 'which is said to be measuring. This technology is said to be the ability to identify an individual based on their unique characteristic, which can either be physiologically (passive) or behavioural (active) characteristic mode of identification.

Over the years it has been notice that one of the most secured and effective means of authenticating and identifying an individual involves the verification of their personal unique characteristic. This is sometimes usually done in conjunction with a PIN or token (known as multi-factor authentication) also by users name and password. One of the proper ways of managing biometric secured information database includes its registration, storage, and verification which is known as “Biometric Identity Management”. However, from research Information security is known to be one of the fastest growing areas in the IT world, and its efficiency is to be assured by minimising exposure to external and internal attacker. “Enhancing information security using keystroke dynamics (Behavioural Biometrics) as an additional measure in organisations” as my research topic was brought to light. This research report is basically aimed at reviewing information database security system and the use of keystroke biometric towards security enhancement, where by reviewing the effective implementation, design and management of information system in organisation, and protecting it from intruder. Also it will clearly highlight on the pros and cons of traditional means compared to biometrics means of application. I will strictly focus on keystroke biometrics, which is a human behavioural biometric whereby need for any form of physiological attribute, is not needed. This study (Information security and biometric application) will be place into the following stages: (Nanavati. S, (2002), Von Solms S.H (2000))

• Identification and authentication - An individual been identified and authenticated;
• Authorisation - Being authorised to use certain resources;
• Confidentiality - Ensuring confidential information i.e. data or software, stays confidential and accessible only to authorised individuals;
• Integrity - Making sure only authorised individuals can change the content of data or software;
• Non-denial - Ensuring that an individual cannot deny the authorisation of a transaction (e.g. in Banks), like changing the content of data.

The deployment of Biometrics and the above stages will require a solid understanding of the technology and why it is been deployed, its mode of function, performance and accuracy will be looked into and analysed. Also the choice of which biometric application to use depends highly on the intended application of the system, here are some of the biometric applications in existence today: finger print; face recognition, hand geometry and iris recognition etc. Some of these biometric features are applied in areas like, time and attendance systems, voter's registration, immigration and border control, access control, computer security, and financial firms. This project research work will involve a practical part of the application and to achieve the aims successfully, the following objective will be put into consideration.

Objectives:

• Presenting details of biometric applications for information security purposes.
• Comprehensive review on information security threat, breaches, awareness solutions and discussing case studies on its effect on organisational system.
• Building / implementing a keystroke access database application.
• Critically analyse and evaluate the impact of the design keystroke enable database(Pros and Cons)
• To conclude on findings and recommendation for future developments of information security system.

1.1 Why the Study and Goals

The scope of this study is to present, review and analyse problems which are been faced in organisations information security, where by been able to create and suggest a means of securing sensitive information from external sources and mostly internal sources. In recent times from information gathered it has been found that most security breaches /threat in organisations have been linked to internal sources. Here I will recommend a keystroke biometric application in organisations which are known to have a friendly environment between member of staff and the easy of sharing personal details, are on the high side. Generally I am not saying there are no securities measures in organisations to curb these intrusions, but as earlier mentioned most of these leakages are carried out by internal sources. But most organisations make use of traditional login process (user names and password, chip and pin). Alternatives to password-based authentication, keystroke biometric can either be used as an additional measure or replace the traditional method, this can help identify intruded and access are denied. A special focus will be on keystroke dynamics, in which firstly, the goal is to verbalize requirements which these alternative authentication schemes need to satisfy. After reviewing the alternative methods from a security and usability point of view, the result should be to answer the question whether the presented schemes is capable of being alternatives to password-based authentication mechanisms or not.

1.2 Related Studies.

In the past and at present a lot of studies and researches is been carried out, in regards to users identification, verification and authentication, with their respective ways of securing information system. Keystroke dynamics was first introduced in the early 1980s as a method for identifying the individuality of a given sequence of characters entered through a traditional computer keyboard (R. Gaines, W. Lisowski, S. ). Keystroke dynamics originated from studies of the typing patterns exhibited by users when entering text into a computer using a standard keyboard. Researches in this field focused on the keystroke pattern in terms of keystroke duration and keystroke latencies. Evidence from preliminary studies indicated that typing patterns were sufficiently unique and easily distinguishable from one another, much like a person's written signature (R. Gaines, W. Lisowski, S., R. Joyce and G. Gupta ).Here are some studies which have been carried out towards information security such as that conducted by “Arwa Al-Hussain (2008)”, “Biometric-based Authentication Security”, “Saleh Bleha”, “Charles Slivinsky”, and “Bassam Hussein”: “Computer-access security systems using keystroke dynamics”, “R. Joyce and G. Gupta”: User authorization based on keystroke latencies. And also “Revett, K. and Khan, A”, 2005, carried out a research on Enhancing login security using keystroke hardening and keyboard griddling. But In my research work I will look into all aspect of biometric applications in regards to keystroke dynamic application and it suitability towards detecting intruders trying to gain access into a database information system.

1.3 Problem Statement

In this research which is to attempt the implementation of keystroke biometric and mouse application as a security measures towards preventing the gaining of access to sensitive data from unauthorised individual in organisation, also to prevent password sharing and identity theft from within and outside the organisation. To be able to achieve this, I will be looking into the different types of biometrics and the added advantage presented by keystroke biometrics in relation to cost and easy of application. Finally I will not neglect the difficulties that may be encountered towards the successful achievement and completion of this research, also all necessary steps will be taken to have a conclusive project work.

1.4 Outline of Dissertation Topics and Organisation

The other part of this paper work is organised and subdivided in the following pattern. Chapter 2 will focus more on the in-depth of Biometrics application, the benefits of biometrics compared to traditional authentication methods, advantages and disadvantages of the different identification mechanism ,it challenges and effect on today's society and finally the different types of biometrics. Chapter 3 will concentrate on the information security issues, social engineering and security solutions presented by biometrics enhanced system. In Chapter 4 an in-depth analysis of the keystroke biometrics will be look into and its application towards information security. Chapter 5 will concentrate mainly on implementation of keystroke biometrics, a demonstration of its design application and functions, towards security enhancement and also user acceptability survey on the application mode will be analysed. Finally in chapter 6 I will conclude on findings and recommendation for future developments of information security system.

Chapter 2:

2.0 Introduction:

From my research it has been gathered that access to most organisation‘s computer systems which content various information are done by using authentication and identification means. The commonly used security approach towards identification and authentication is by “login process”, which involves the users ID and password. This has been in use for years towards the verification of a person trying to gain access to a computer information system. This mode of security approach has over the years been a big problem to most organisations security management system, as a result where workers could routinely share passwords with one another, sometimes forgetting their passwords or stored them in places which they could be easily seen by other people. This has lead to the level of security breaches, threats and fraudulent transaction increasing to a disturbing state, due to this the need for highly secure identification and personal verification technologies is being searched for. From researches carried out it has been found that biometric authentication can solve some of these problems, whereby help in reducing this growing security threat to a minimal level. Another importance of biometrics is its ability to improve the usability of a system since the person in use does not need to remember his or her passwords when trying to gain access to the information system. Biometrics as we know is not a new discovery to the world at large this has been in existence, during the BC and AD, just that of present more attention is been shown towards biometrics and its applications.

2.1 Why Biometrics Applications

In the application of biometrics towards security setting is “Ten times” the security for that of traditional means and also cost effective in the long run. Due to issues relating to Identity theft, terrorism and increase in the general level of crime which have also combined to heighten the need for a just technology security approach.( Security Seminar K. Tracy 1998) Biometrics application over the years has been the recommended solution choice for many organisational systems towards information security, both privately owned and government companies are in use of biometric application towards maintaining secured environmental system for information sharing and distribution.

Lets imagine the ability to unlock the door, obtain money from a machine, authenticate a credit card, retrieve information from a system or even start a car with just a glance at a camera or a touch, that is what bio application is all about and has helped to improve users security application by there uniqueness.

2.2 Introduction to Biometrics

What Is Biometrics: The word biometrics is known to be gotten from a combination two words from Greek origin meaning (bios ="life", metrikos (metrics) ="measure").The terms "Biometrics"have been in existence since the 20th century and was used to refer to the field of development of statistical and mathematical methods applicable to data analysis problems in the biological sciences (Nanavati. S. 2002). In the nutshell biometrics can be said to be an automated method in science and technology which is used in recognising, measuring and statistically analyzing biological data of an individual. These bio - measurements are done based on ones physiological or behavioural characteristics, which can be used to verify the identity of the individual. Some of the examples of biological characteristic include DNA, blood group genes, whereby physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, and behavioural characteristics include signature, voice, gait and typing patterns (keystroke). One of the greatest important advantages of biometrics lies in the fact that physical or behavioural traits' cannot be transferred to other individuals, or can they be forgotten. (Wikimedia Foundation, Inc, (2006),)

2.3 How does biometrics work?

Biometrics can be classified in two main types, which are as follows: “physiological biometrics”, this involves the use of physical trait, such as a fingerprint, iris, hand or face for recognition of an individual. Here the physical traits are collected, then analyzed, measured and stored for use. In the case of fingerprint, it is automated through a numeric encryption of its ridges, splits, dots, valleys, furrows and minutiae points. This encryption is called an algorithm, creating a binary encoded template. The iris is also digitally stored using an algorithm in the same way. (Wikimedia Foundation, Inc, (2006))

The other type of biometric solution is “behavioural biometric”. This mainly involves the use of a person's behavioural trait or pattern, such as a voice, signature or key stroke. These traits are stored in the same way to that of the physiological traits except that they are updated regularly to be able to cope with the ever changing patterns in the trait. The both type of biometrics are relevant to different situations and circumstances. Naturally it has been gathered that physiological biometrics has proved to be more reliable than that of behavioural biometric, in the sense that physical traits generally stay the same all time irrespective of the age, while that of behavioural trait changes due to one or two situation which can be caused by advancement in age, learnt habit or accidental causes.

2.3.1 Mode of biometric operations:

Identification:

In biometrics operations, when the device/networked server hold a database of registered users and when these traits are presented, it is then authorizes the searching of the database so as to establish a match with the presented trait. In theory the device is asking “Do I know you?” This method of identification is called one too many (1: N) according to “www.posid.co.uk”.

Authentication:

The theory here is that the device is requesting “Are you who you claim to be”? By presenting a user id number or a Smartcard (containing the biometric algorithm) you then prove who you claim to be. In order to prove that this id number or Smartcard belongs to the user, one is requested to present his /her biometric trait directly to the device. You are authorized if they match and denied if they do not match. This method is called one to one (1:1) “www.posid.co.uk”.

Authorization:

In the nutshell this is known to be the last stage of a biometric system function, after identification the system search for a match and then confirms it authentication where by requesting unique feature and if matched with the stored details, you are then authorized. (Wikimedia Foundation, Inc, (2006))

2.4 Importance Of Biometrics Over Traditional Authentication Methods:-

In present times most organisation, make use of Login passwords, PINs, and token towards verification and authentication for gaining access to there information database system. This are mainly designed to help protect and secure the organisations computer information network and its applications. However in most cases these technologies have been discovered to having some problems associated with them, mostly when faced with modern technology applications, like online transactions, which could involve the accessing of sensitive information such as medical reports, financial or income support information. In order to reduce these increasing problems, biometrics features are been introduced in some of these computer information applications areas. As earlier stated, “Biometrics” is known to be an automated methods of recognizing and identifying an individual based on their physical or behavioural characteristics.”(Samir Nanavati, Michael Thieme, Raj Nanavati 2002) Every individual different biometric characteristic which are unique and peculiar to them, no two person have or share the same biometric features. Some of the commonly known used biometric applications in today's society are facial, fingerprint, iris, hand scan, voice and dynamic signature. Biometric data application as a means and methods of identification is well preferred by organisation due to its several advantages over the known traditional method, which have been highlighted earlier in this chapter. Some of the major reason for the preference of bio data for information security system is that the individual to be identified is required to be present physically during the identification process, and this identification process does not require the need for password remembrance in any form. With the present increasing integration of computer, as well as internet usage in our day to day activities towards information accessing, this has called for a growing need to use a more protective method on information system assessing. This could be done by either replacing the PINs (traditional method) totally with biometrics or combining the both towards effective security measures whereby prevents unauthorized access to computer information system. As stated in previous chapter, one of the biggest issues with the use of PINs or passwords as a security measure is that it could be forgotten, likewise tokens such as passports and driver's licenses may be forged, stolen, or lost which is unlikely in biometric traits. Basically biometric applications can be used for real-time recognition, and the most popularly used is face, voice, signature, iris and fingerprint. (S.Nanavati, M. Thieme, R. Nanavati 2002) In view to biometric application compared to the traditional application, a biometric system is basically known to be a pattern of recognition of an individual by determining the authenticity of a specific physiological or behavioural characteristic possessed by the person. Several important issues are put into place during designing a functional biometric system. Basically all biometric systems consist of three (3) basic elements, which are as follows:

Enrolment: It is known to be the process which involves the collecting of biometric samples from an individual, and this is captured and stores in a secured template in a central database or a smart card issued to the user.

Templates: This is a storage cart where all the data or information representing the individual/enrolee's biometric features is stored. The template is usually been retrieved when identification is to be carried out on an individual.Biometrics system can operate using either verification (authentication) or identification mode.

Matching: It is a process which involves the comparing and analysing of individual biometric details which has been stored in the database system templates. Mainly the enrolment is the first stage during authentication, in which a template is then generated and will be used towards matching of the user's authentication.

2.4 Types of Biometric Technologies

Biometric can be classified into two main classes which are Physiological and Behavioural biometrics, this involves two main modes of applications, which can be said to be contact and contactless biometric applications. The main function of biometric technology system is to assist in the controlling of access to a network system, and also helping to authenticate an individual by establishing there identity by comparing it with already stored details, which are unique to the individual. The most significant factor which enable the implementation of a biometric towards authentication is it uniqueness, i.e no two person can have same bio data and can not be lost or guessed. Looking at the recent increase in the breach of information system, biometric authentication system is a more reliable, efficient and effective to reduce this increasing threat compared to the traditional password based authentication process.

2.4.1 Physiological Biometrics:-

In this type of biometric application, the individual is required to have biometric features stored in the bio data storage device (scanner).This device is where the user's details are collected and stored for feature use. Due to reason that a person or individual stores their bio-data and need to make direct contact when needed to gain access to an information system, has made many people have to consider this to be a technology which invades on ones personal privacy .Below are some examples.

Fingerprint Evaluation:

This is the most commonly used biometrics and the most advanced of all the biometric technologies and it is highly accurate. The challenges lies in varying quality of fingerprints across individuals and in dealing with wear in the defining irregularities in the ridges and valleys of one's finger (Nanavati. S, (2002),). New technologies have recently employed the use of pattern matching and ultrasonic scanning rather than evaluation of the irregularities which has increased the accuracy of fingerprint scanning and reduced the risk of misidentification. By scanning the geometry of an individual'shand, including height, width, shape and proportion, security systems can accurately recognize and identify individuals. This method is primarily used for physical access control and is considered the most useful in terms of durability and application. In fact, hand scanning is used effectively where other biometrics technologies cannot work due to frequency, volume, or environmental disruptions. Here is a finger print sample from Wikipedia.

Retina Scanning:

is considered among the most accurate of the biometric technologies through its evaluation of the shape and make-up of inner surface of the back of the eye. This method, while highly accurate, is also fairly costly and often perceived as difficult to use. Other complications include interference from foreign objects such as eye glasses or contact lenses. Further, scanning of a sensitive area such as one's eye decreases receptivity and willingness to use. Even so, the accuracy of retina scanning and the minimized risk of imitation make it useful in extremely high security areas where accountability is of utmost importance (Nanavati. S, (2002),) .

Hand/Finger Geometry

Hand or finger geometry is an automated measurement of many dimensions of the hand and fingers. Neither of these methods takes actual prints of the palm or fingers. Only the spatial geometry is examined as the user puts his hand on the sensor's surface and uses guiding poles between the fingers to properly place the hand and initiates the reading. Hand geometry templates are typically 9 bytes, and finger geometry templates are 20 to 25 bytes. Finger geometry usually measures two or three fingers. Hand geometry is a well-developed technology that has been thoroughly field-tested and is easily accepted by users. (Nanavati. S, (2002),) See example below of a typical hand geometry.

Iris scanning:

This is similar to retina scanning in method and level of accuracy. However, its application is considered less intrusive and is thus becoming more common. Recently, it has been introduced into the airline and banking industries and while system integration remains a challenging part of implementation, improvements are continually being made (5).

Facial Scanning:

These applications are most often used in conjunction with other verification methods such as identification cards systems or with existing security cameras and monitors. This method utilizes high resolution images of distinct facial features such as eye sockets, shape of the nose, and/or the position of certain features relative to each other (1). Problems arise with this application if the subject is not properly positioned for the camera or if environmental changes such as lighting changes prevent an accurate read. (Nanavati. S, (2002)).

2.4.2 Behavioural Biometrics:

Behavioural biometrics is said to be the ability for a system to be able to recognizing, identifying and authenticating a users based on there behavioural characteristic, which are unique to them. Basically this type of biometric can be learnt or developed over a period of time, and may follow a particular pattern of usage by the individual. Example of some behavioural traits used in biometrics is as follows: handwriting, speech, keystroke, walking pattern, e.t.c. In the nutshell, this type of biometric identification over a certain period can be changed due to some factors like age, weather etc. As a result of the changes in this type of biometric application, for the system to still maintain a secured system training or registering repetitions is to be carried out from time to time. Some of the behavioural biometrics are stated here below and will be explained further as we proceed in this research work.( Nanavati. S, (2002))

Signature Verification:

This verification means has been existing for a long time, they are mostly used in the banking sectors to identify individual who make use of there services. They are used mostly to give authorisations to documents like cheques, contracts and sensitive documents. Despite its long time existence, automating the recognition process remains a challenge because peoples' signatures are not always identical and can change drastically over time. These changes could be as a result of some factors like old age, mental or physical state e.t.c

Voice Recognition:

Is a behavioural biometrics which is mainly based on an individual's speech pattern. Here a persons voice is compared or recognized based on its previously recorded stored voice output. Voice verification is a sensitive biometric type of approach because of its acceptability by a lot of user and also high rated error could be significant since it is not really invasive like the physiological biometrics, an example of its use is in “telephone transactions”. (Nanavati. S, (2002))

Keystroke Biometrics:

This type of behavioural biometrics is an automated method of examining and monitoring the typing patterns of an individual on a keyboard. The technology examines and determines the dynamics characteristic rhythms, speed, and pressure, also calculating the total time used in typing a particular word, the time the individual or user takes to hitting certain keys. This technique could be combined with the traditional password system to improve security when accessing sensitive information on computer systems using keyboards or mouse .Basically this method of verification is quite new and still in it development stage, but not to say it has not been in use. Also the “keystroke biometrics is of high flexibility” because it can accommodate the changing of password over a time when users observes behavioural changes. The keystroke biometrics as it has advantages so does it have its disadvantages as well. In the nutshell these said biometrics applications (Keystroke biometrics) will be talked about more as we proceed in the research work.

2.5.0 Advantages and Disadvantages of the Different Identification Mechanisms.

The pros and cons associated with specific devices are highlighted below:

Fingerprint Readers

Pros

· Not much storage space is required for the biometric template

Cons

· Has traditionally been associated with criminal activities and thus users could be reluctant to adopt this form of biometric authentication

Hand Scans

Pros

· Low data storage requirements for templates

Cons

· Not unique to every user

Voice Authentication

Pros

·Morereadilyacceptedbyusers(non-intrusive)

· Additional hardware is cheap and readily available (Microphone)

Cons

·Backgroundnoisemustbecontrolledforaccurateverification

·Large storage space required for template between 2,000 and 10,000 bytes

·easily influenced by extraneous circumstances such as sore throat, common cold

· for remote access phone lines may not be of high enough quality to transmit voice traits accurately

Retina Scans

Pros

·HighAccuracyinidentifyingusers

· Low data storage requirements for templates

Cons

·extremelyintrusive,lowuseracceptancerate

· extremely expensive, special hardware required

Iris Scans

Pros

·Non-intrusive,cameracanbeupto12"away

·Highaccuracyinidentifyingusers

· Low data storage requirements for template

Cons

Low user acceptance rate

Facial Scans

Pros

· Data acquisition non-intrusive

Cons

· Data acquisition difficult, user must position face in same position each access

·Backgroundlightingimportantforaccurateverification

· Users may feel violation of privacy as data may be captured verified and user without their knowledge

2.6.0 Biometric application and Uses

Biometric systems are used to control virtual and physical access. A virtual access system provides security for access of data while a physical biometric system guards against unwanted physical access to a particular area. The importance of protecting personal, financial and institutional data and facilities grows every day. Although this technology are still relatively new in terms of their general application, many industries - banking, retail sales, law enforcement, health, social services, and governments - are utilizing the technology of biometrics. As biometric technologies advance, uses and applications become more prevalent and relevant to many different industries and organizations. The most common use of biometric technology today is mostly in physical security through controlled access to secure locations. This is more prevalent in governmental, financial and corporate offices, prisons and correctional facilities, and in the airline industry. Some other facilities protected via biometric devices include hospitals, casinos, and health clubs. From a virtual access point of view, biometric-based networks have traditionally been expensive and difficult to integrate into existing systems. However, the recent decreases in price and advancements in design have led to increased use. Experts predict that virtual access applications will provide the critical mass necessary to move biometric security for network and computer access from the world of the imaginary to the environments of regular use. In choosing a biometric technology for a particular application, the following must be considered (R. Joyce and G. Gupta ):

Ease of use -

Some applications is more user friendly than others. The desired simplicity and required level of training should be part of the decision criteria.

• Error Incidence - Environmental changes or disruptions, such as a changing characteristics or interference from background noises, can cause error and tend to be a challenge with regard to biometric security.
• Accuracy - Accuracy is a measure of the system's ability to protect access against unwanted users and/or allow admittance of certified users. The level of accuracy varies across the technologies and should be considered according to the required level of security.
• Cost - Cost varies by biometric technology. However, the components include: purchase of capture hardware, establishment of back-end processing power, system testing, installation, training, system integration, exception processing, measurement of productivity losses, and system maintenance.
• User Acceptance - Privacy concerns, perceived difficulty of use, and intrusive biometric measures affect user acceptance.
• Required Security Level - As technologies vary in cost, accuracy, and ease of use, the required security level is a primary determinant of the type of biometric technology needed.
• Long-term Stability - The stability of each biometric technology - maturity, support from vendors, and level of standardization - should be considered.

2.7 Social Impact and Biometric challenges:

A number of recognition systems are based on various types of biometrics traits as fingerprint, human face, hand shape, iris pattern and voice are commercially available, biometric recognition is not yet generally accepted as a reliable building block in security systems. Despite its advantages over other commonly used authentication systems (as previously noted), its implementation authentication controls has a number of risks and disadvantages. The rate of error and types of error will vary to the specific biometrics deployed and the circumstances of deployment. Errors, such as false matches, may pose fundamental, critical risks to business and security. And those like failure to enrol, false non-match, can hinder business productivity and also affect security access, efficiency is reduce and cost is on the high side. In any security planning, biometrics implementation will need to consider the acceptable error threshold (Harris, A.J. & Yen, D.C. (2002).). Certain biometric systems (e.g., iris scanning) are fairly impervious to fraud, while others (especially behaviour-based systems) are much more susceptible to it this was another setback, according to Anderson (2001) findings that many Christian fundamentalists “are uneasy about biometric technology” because of its association with the mark of the Antichrist in Revelations 13:16-18 (p. 275). Not withstanding users' beliefs and perceptions about the biometric system, in many cases the operating environment will influence the successful implementation and effectiveness of the biometric system. Individuals with arthritis and/or certain other disabilities and physical limitations may be unable to enrol in systems. For example, the user with severe hand arthritis may be unable to place his/her hand firmly as required on the hand geometry sensor, and the user with migraines and associated photophobia may find it physically too uncomfortable to look straight into the light sensor for the iris scan. (Kleist, V.F., Riley, R.A., & Pearson, T.A). However, even the least expensive biometrics systems are likely to cost more than simpler versions of traditional authentication systems. Many of the problems and difficulties with biometrics systems are likely and can be corrected with technological improvements, better user and administrator training, and good control of environmental conditions. In other cases, problems can be overcome or minimised with the use of countermeasures such as combining different types of biometrics, combining biometrics with traditional authentication systems, etc. The two major concerns that will continue to be a disturbing issue and deserve closer examination is biometric identity theft and user privacy.

2.8 Conclusion:

Currently, the present of biometric technology has been of positive impact towards security and the society at large. This chapter is been focused on the general application of biometrics and also its physiological and behavioural implementation likewise the traits associated with them. As we proceed in this project work, the next chapter we will focus on the general importance of biometric security on information system technology and the associated security treats faced by some organizations and some possible solutions which can be applied to eliminate or reduce the threats.

Chapter 3

3.0 Introduction to Information Database security

Database information security is a very important issue to look into in every organisational system. In recent times, businesses are known to dealing with risks involving information accessing in most sectors of operation in an organisation. With the application of modern technologies into organisational day to day activities, a need for new security measure is needed. This technologies application has greatly contributed towards business development in various ways, and also it has introduced new uncertainties into the world of business, which has also been accompanied with trends of exposure to error vulnerability, i.e frauds and various kinds of malicious attacks. With all this recent short coming over the years, this has lead for the general improvement of organisations information database system, which involves the creating and searching for a better security measures. Every organisation information/ data system is a valuable resource to the entire system which must and are meant to be kept strictly confidential, controlled and properly managed at all level. The term ‘security' basically refers to the protection and guidance of a system which enable restriction of unauthorised access, be it intentional or accidentally, regardless of the services provided by the database management system. Where by ‘privacy' can be said to be the right an individual have over the control of information about themselves. However in present times the enhancing of information security has become a major issue in organisation database system. There are now new and highly protective measures in search for towards improvement of the growing security threats in a computer database system.( Connolly T., Begg C. (2004),) According to “John Gordon” ‘2006', in his definition about database security/computer security he stated that: ‘This is concerned with protecting the confidentiality, integrity and availability of the IT assets to an organisation' .Where by ‘Catherine Ricardo' in her definition, stated that it means protecting the database from unauthorised access, modification, or destruction, since it represents an essential corporate resource and which makes security an important goal. With all this arising issues and problems, likes of Robert L. Patrick, and John. P Haverty were among the first people that got concerned, that the computer installed security system might not be good enough to protect themselves and their information/data against intrusive and destructive attacks. The development that boosted security aspect of computer was that of the National Security Agency (NSA) of a remote-access time-sharing system with a full set of security access controls, running on a Univac 494 machine.(Ref) A committee was formed by the defence science board which roles were to study the issue of computer system security control. One of the aims of this committee was to produce a written document that could help towards the formulation of policies on the security of computer systems and information protections. Over the period of this policy formation, the software aspect of the computer security was poorly understood, and more researches where been carried out on some risk that might cause system malfunction. (SagemMorphoInc,(2001),) And for information to be held for a longer and more secured period, more research is to be carried out to new security measures.

3.1.0 Database Security and Enhanced Systems.

During the securing of information in a computer system , which can also be known as ‘database security', could be said to be the method and mechanism of which information /data in a database is been protected from either intentional or accidental threats, also unauthorised access and modification of an information database system in an organisation. As it is known that an information database system in an organisation, represents a vital corporate resource and requires a strong security application. A database designer or administrator has the responsibility of ensuring that information system of an organisation is been protected, preserved and functions smoothly. Also the privacy of the individual whose information are kept or held in the database system is to be secured. From my research and findings, it has been noticed that different countries have legal statues designed to protect certain matters of privacy, and every organisation that collect and stores information about individuals is legally obliged to adhere to policies which is in acceptance to that of the countries privacy and protection legislation method.( Ricardo, Catherine M 1990). Security issues in the nutshell should not just only be applied on the information held in an organisations database, because security breaches could also affect other part of the system in the organisation. If an effective implementation of information security in need to be carried out, it is important that the appropriate controls be carried out so as to ensure successful out come and will be looked into as we proceed. Information system security has over the years been undermined and overlooked, but with the recently increase and occurring breaches of computer system security, it has now led for a urgent need for the protection of information database system to be looked into. Generally to have a well secured information database system in an organisation, the need for an appropriate control measure should be introduced, in which biometric inclusion in some aspect is mostly recognised as one of the measures.

3.1.1 Need for Database Information Security

In the nutshell to apply any security solution, the organisation must satisfy the following criteria:

Theft and fraud

Loss of confidentiality

Loss of privacy

Loss of Integrity

Loss of availability

The above listed areas are to be critically looked into and satisfied by organisations, so as to be able to reduce the possibility of incurring loss or damages in the organisation information system. In certain areas they are all closely related, in the sense that activity which leads to loss in an area can lead to loss in another location. I will briefly explain the above list sources of security breaches.

Theft and Fraud: Here not just the information database environment is affected but the whole organisation at large. The event may be caused or arise due to an intentional act, and may not showcase any noticeable changes to the computer information database system. In the nutshell attention should be focused on the reduction for these occurrences, and as said they do not alter the data information, as in the case of the activity which occurs in either confidentiality or loss of privacy.

Confidentiality: This can also be called secrecy, and it is the most recognized of all the criteria. This based on total trust in the system user, for instance a customer gives out their credit card information within their account to an online retailer. If the database system is faulted or compromised, either as a result to poor design or application system, the customer information is made vulnerable to attackers available. Confidentiality is the act of assurance of information safe keeping with access limited to appropriate persons. This can be lost if data is disclosed, either deliberately or accidentally and here when information leaks out its original is usually not altered. The basic security measures used to protect confidentiality includes cryptography and access control.

Privacy:

This is generally referred to as the protection of data/ information about individuals, and also the right for individuals to have some control over information about themselves. This can be done by using the individual's peculiar characteristic or pin to gain entrance.

Integrity:

This is basically about the assurance of the correctness, consistency and timelines of information in a storage system. It could be said to be the proper use of information, for the right reason which it was intended for and also it could be lost if it is not properly managed. The loss of integrity is a serious issue to many organisations information system and may seriously affect organisation operation credibility. Here most operation availability and integrity are mainly protected by backups, operation procedures, access control and audit as well as by certain aspects of cryptography. (Connolly T., Begg C., (2005))

Availability:

This is the assurance that the information database system is accessible when it is needed and where it is needed. Generally, the loss of availability may be due to network issues, power supply break down, or evacuation from main area of system location. In some cases the events which cause a system to be unavailable may also cause data corruption. (Connolly T., Begg C., (2005)) Information availability can be protected by standby facilities, backups, personal identification facilities, disaster recovery procedures and so forth.

3.2.0 Database System Security Threats

Database security is aims to minimise losses caused by anticipated events in a cost effective manner without unduly constraining the users. In this present time computer-based criminal activities which also involves internet have increased significantly and forecast to continue to rise over the next few years has been highlighted. In the book written by Beggs and Connolly 2005, they defined threat as a situation or event which could be intentional or accidental, and could adversely affect an organisation database system partially or fully. After my research studies, I will say threat is a potential violation of security, which can occur knowingly or unknowingly.

3.2.1 Security Threats:

This can either be accidentally or deliberately occurrences which has a great impact on the system. Shirey .R divided these threats into four broad classes: Disclosure or unauthorized access to information; Deception or acceptance of false data; Interruption and prevention of correct operation; finally unauthorized control of some part of a system. (Shirey.R)

The increasing hacker activity has led to a serious problem in our today economy which affects both the private and public sectors. Like in the dailies news when a man called “Willie Sutton” was asked why he robs banks, he replied, “Because that was where the money he needed was hidden.” People attack computers systems because that is where the information they are seeking is been found. Nevertheless, current losses due to external attacks are significantly smaller compared to losses due to insider theft and sabotage; this is not to say that external attack is not widely spread and serious. Another major issue is that, people gather data for proprietary purposes “Espionage”. “Organisational espionage is the act of collecting vital and useful information/ data from a company for aiding another company.” This is mostly an inside threat and could be faulted when companies are trying to improve their competitive advantage over the other. In situation like this, high computer security can help to protect against such threats. The focus of most database security management efforts is on keeping attacks from external intruders which are mainly done through physical and technical measures such as creating barriers, guards, locks, firewalls, passwords, data encryption, and use of unique identification (Biometric) Etc. The computer Security Institute (CSI) and FBI cooperate conducted an annual CSI/FBI Computer Crime and Security Survey of United State (U.S) corporations, government agencies, financial institutions, and universities. Result from qualified information security professionals who responded to this survey, 80% cited dodgy and dishonest employees as the most likely source of attack on their computer system. “A basic question we need to put into consideration is how to prevent and ensure authorised employee are honest.

3.3.0 Enhancing database system:

With the recent rise in security threats and breaches issues in our day-to-day operations, every organisation now seek to increase its levels of accountability and security among its employees, partners and customers. A sensible way to handle risk is to have a security policy, whereby the centralising of the identity management functions of the organisation needs to be applied in a single place, this is to ensure effectiveness in management and the appropriate level of trust can be maintained in the authentication process. In the nutshell, to achieve this high level of security the appropriate type of study to carry out is known as ‘Risk analyses'. When the nature of the risk involved is known, a decision can be made by the management towards solving it, either by deciding to live with the risk or not. In order to create awareness a known precaution, which can be appropriate training programs, a comprehensive set of counter measures including cryptography and access control, a contingency and disaster recovery plan, personal policies, physical security policies and also a large measures of insurance coverage and so on .During the implementation of the security policy measures, an organisation needs to identify the types of threats it may be subjected to and this will help in the initiation of an appropriate plans and countermeasures towards system enhancement. The research by “Daon”, showed that the most secure and effective method of authenticating an individual involves the verification of a unique and personal characteristic which is called biometrics. This could also be done in combination with a PIN or token (known as multi-factor authentication). The right way of managing a biometric information system, including its registration, storage, protection and verification is known as “Biometric Identity Management”. My research work will outlines some of the key functions to consider in improving the biometric security system in organisations. This will help provides basis on which organisations looking to deploy large scale, long-lived biometric security systems could base their product evaluations on. I will like to highlight this; authentication is a key part of any security implementation in biometric security solution. A well implemented biometric identity management system will enable an organisation to improve its security, also helping it towards the significant reduction in its “Total Cost of Ownership for it”.

3.3.1 Security policy and Enhancement Implementation

The security policy and enhancement implementation can be seen as the processes in which an organisation uses to achieve its basic security objectives. It is a process which helps one to achieve a secured or enhanced information system, whereby been able to identify, measure, manage, and control the risks encountered in database system availability, integrity, and confidentiality, and to ensure the accountability for system's actions. The process includes five basic areas which will stand as the framework for this research work which are details gotten from: “FFIEC IT Examination Handbook Page 4, Information Security Booklet - July 2006”.

Information Security Risk Assessment:

A process which is used to identify, assess threats, vulnerabilities, attacks, probabilities of occurrence, and its general impact on the system.

Information Security Strategy:

It is known as way which is used to mitigate risk that integrates technology, policies, procedures, and training.

Security Controls Implementation:

This is basically the acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, fulfilled their duties.

Security Monitoring:

It is the general application of different types of methodologies towards gaining assurance that risks are appropriately assessed and mitigated. These methodologies should be able to acknowledge that the intended controls are effective and well performing as planned.

Security Process Monitoring and Updating:

This is generally the process which involves the continuously gathering and analyzing of information regarding new threats, its vulnerabilities, and actual attacks on the institution combined with the effectiveness of the existing security controls. The obtained information is used to update the risk assessment, strategy, and controls. In monitoring and updating makes the process continuous instead of a one-time event. Therefore, an organisation's management system for risks requires an ongoing process.

3.4 Database security breaches and discuss case Studies

Security in a database system is said to be the protection and guidance of the information in the database against unauthorised access, be it intentional or accidentally, regardless of the service provided by the database management system. Security breach; on the other hand is understood to be situation in which the protection of an organisational policy or its legal requirement, regarding Information security has been contravened by an unauthorised violation. This has been on the increasing side form the recent security breach statistic taken. And most of these causes are mainly connected with internal factors, directly or indirectly. (Ashbourn, J. (2004)) However every incident which suggests that the confidentiality, integrity and availability of a database information system have been inappropriately altered without the proper authorisation, this can be said to be a security incident. As it is understood that every security breach is always initiated during the occurrence a ‘Security Incident', and once it is confirmed does it become a security breach. The breach of security is a very serious offence by law, and the database security can be breached in different ways which will be discussed as a case study below. Some recent event (case study) of internal security breaches are as follows;

Case study:

I will like to highlight on the recent security issue, which was published on the Sun newspaper dated 19th March 2010, where a worker in the inland revenue (tax office) accessed information containing taxpayer details and sold it to fraud star, who then use them for theft identity to claim tax return .It was a serious security breach which millions of pounds of taxpayers where stolen. At times the internal staffs do not deliberately expose its organisation to such security flaws like this incident which happened in an academic setting which I witnessed. This a case scenario that happened in one of the University of Technology in Nigeria, where an administrative staff gave his institutional login password to a friend so as to assist in entering of student records and information. First and foremost a breach has occurred which the security of the institutions database system has been subject to external threat with the assistant of an internal staff. The individual now has access to the institutions database system, which he could assess any vital information which is confidential and if the login detail is not change he can gain unauthorized access any other time. This is another experience which happening everyday in University of east London, some students give there users name and password to friends who are not student and they make use of the school system even when the owners are not there. At times close friend can know colleague details and use them with out authorisation, which subject the system to a breach of security and threat.

This kind of security breaches happens everyday, examples like giving your bank detail to a family member, authorisation code to a work member, all this are known as a breach of security in the highest order. A report released in April 2008, sponsored by the Department of Trade & Industry, highlighted fact that most businesses are a long way from having a security awareness culture. Although three quarters of UK businesses rate Information Technology Security as a high priority, with the protection of customer information becoming increasingly important, it is worryingly just 1 firm in 8 has IT security qualified staff to put the right management procedures in place. ‘Silicon .com', published a big hit which happened to one of the big financial service industry in the united kingdom, as follows: Morgan Stanley customers in the UK are the latest to have been hit by a major security breach that has resulted in thousands of MasterCard credit card details being stolen by fraudsters.Silicon.comrevealedhttp://www.silicon.com/financialservices/0,3800010322,39158371,00.htm how at least 2,000 MasterCard holders have had their credit card details compromised. MasterCard notified card issuers of the breach and they have been calling affected customers to cancel their cards, close accounts and issue new cards and details. According to Information Security Breaches Survey, it has been gathered that most security breaches are caused by internal sources compared to the external hacking. From the general survey I gathered that most frequently attacked organizations are usually financial, academics,and immigration unit etc.

3.5.0 Database security measures and possible use of Biometrics

Security Measures:

it is a general way where by an information database security system can be protected from internal or external attackers. These are some of the different types of measure which can be applied to prevent information security threat: (Connolly T., Begg C., (2005))

Authorisation

User Authentication

Access control

Views

Backup and recovery

Integrity

Users Authentication:

A database security system is best used as a boarder security control plan. The plan is designed to start with the physical security measures for the system, which a special care is used for the access of the database system. The system administrator is responsible for the granting of users access to the database system, this could be by badges, handprint, sign in, or other mechanism. The problem been experienced in the physical security has lead to the inclusion of more advance authentication mechanism (biometrics) that determines whether a user is really who they claim they are. (Connolly T., Begg C., (2005))

Authorisation:

The word authorization is basically said to be the right or privilege which enables a subject to have legitimate access to a system or system's object. This solution is suitable for the control of theft and fraud, loss of confidentiality, and loss of integrity of data in the database systems. (Connolly T., Begg C., (2005))

Access control:

It is the means of implementing authorization by assurance. Authentication is made and the information data or resources to be obtained only by authorised means, we have different way which this could be done for example biometrical inclusion for identification. (Connolly T., Begg C., (2005))

Views:

This security mechanism provides a very good and flexible security measure by restricting certain areas of the information database from certain users. And the subject (user) is not aware of the existence of any columns or rows that are missing from the view. This security measure is appropriate in restricting subjects to data in the database that are very important to organizations. Loss of data integrity, loss of confidentiality, loss of privacy, and loss of availability could be controlled by implementing views. (Connolly T., Begg C. (2005))

Backup and recovery:

“The process of periodically taking copies of the database and log file onto offline storage media&rdquo