Addressing review comments for chapter 3, sections 3.2 and 3.3. Refer…
…ences #5
unintendedbear committed Sep 4, 2017
1 parent 266e86e commit ed9406b
Showing 3 changed files with 418 additions and 10 deletions.
18 changes: 9 additions & 9 deletions Chapters/02-byodSotA.tex
Expand Up @@ -46,12 +46,12 @@ \section{Preliminary concepts and background about enterprise security}
\section{Adoption of BYOD}
\label{sec:byodadoption}

Once the main concepts about why the companies need additional security, we now need to understand the size of the problem, in terms of the diffusion of the BYOD philosophy. We need to establish, in terms of number of employees that use their personal devices at work and in which other places this philosophy is being adopted, how urgent is to provide solutions. After that, in the following chapter, we will review what solutions there exist and the possibilities they offer.
Once the main concepts about why the companies need additional security have been discussed, we now need to understand the size of the problem, in terms of the diffusion of the BYOD philosophy. We need to establish, in terms of number of employees that use their personal devices at work and in which other places this philosophy is being adopted, how urgent is to provide solutions. This could help us to set the basis of the scenario we are going to deal with when building our methodology as a solution. After that, in the following chapter, we will review what solutions there exist and the possibilities they offer.

\subsection{BYOD in the enterprise}
\label{subsec:byodcompany}

The company Cisco made in 2012 a report that they have called ``Connected World Technology Report'' \cite{cisco2012}. In this report they interviewed 1800 people from 18 different countries and ages 18 to 30 about their personal and work life around their devices. The key results of this study are summarised as follows:
The company Cisco made in 2012 a report called ``Connected World Technology Report'' \cite{cisco2012}. In this report they interviewed 1800 people from 18 different countries and ages from 18 to 30 about their personal and work life around their devices. The key results of this study are summarised as follows:

\begin{itemize}
\item The 90\% of people said that they normally look at their smartphones as part of their waking up daily routine. This means that they like to be informed about any important matters before going to work and it is seen as positive by the IT professionals.
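Review bot: in the rewritten opening paragraph of \section{Adoption of BYOD}, "how urgent is to provide solutions" still lacks its subject and should read "how urgent it is to provide solutions". In the same paragraph, "what solutions there exist" reads better as "which solutions exist", and the added sentence "This could help us to set the basis of the scenario" would be clearer as "establish the basis for the scenario". The unchanged context item "The 90\% of people" has the same article problem that this commit fixes elsewhere and could be corrected in the same pass.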
Expand All @@ -64,16 +64,16 @@ \subsection{BYOD in the enterprise}
\item Finally, a 66\% of the people who responded in the survey agree with the statement ``employers should not track employees' online activities -- it's none of their business''.
\end{itemize}

Thomson \cite{thomson2012byod} also talks about this report in his article, adding some detailed graphs in order to extract more conclusions. In his article, the author talks, on the one hand, about the users -- employees who demand BYOD -- and , on the other hand, about how the companies can adapt to them. Therefore, Thompson remarks that BYOD is important because only 39\% of the people suryeved by Cisco see themselves as responsible for securing their work devices and data. The rest think it is a matter for the IT department, the service provider, or both. With regard to the policies, a 12\% agreed with the IT policies being unfair or not being useful, and mostly half of the people surveyed asked for the company to understand their needs and to make flexible security policies. As suggestions, the author stands for intrusion prevention systems, reputation filtering, and user training in security.
Thomson \cite{thomson2012byod} also talks about this report, adding some detailed graphs in order to extract more conclusions. In his article, the author talks, on the one hand, about the users -- employees who demand BYOD -- and, on the other hand, about how the companies can adapt to them. Therefore, Thompson remarks that BYOD is important because only 39\% of the people suryeved by Cisco see themselves as responsible for securing their work devices and data. The rest think it is a matter for the IT department, the service provider, or both. With regard to the policies, a 12\% agreed with the IT policies being unfair or not being useful, and mostly half of the people surveyed asked for the company to understand their needs and to make flexible security policies. As suggestions, the author stands for intrusion prevention systems, reputation filtering, and user training in security.

The latest found report from Cisco is from 2014 \cite{cisco2014}. In this one they also interviewed people from 31 to 40 years old, in order to establish the differences between these two generations. However, the numbers are closely the same as in the report from 2012 \cite{cisco2012}.

On the other hand, a series of interviews and surveys were carried out during the MUSES project. They are detailed in \cite{musesD41, musesD42}.

The first document is devoted to identify what is called a ``Persona'', i.e. a user archetypes \cite{adlin2010essential}. To this end, both employees and CSOs were interviewed or presented a questionnaire about the devices they used and the security policies of their companies. Thus, the main conclusions from the study are these:
The first document is devoted to identify what is called a ``Persona'', i.e. a user archetypes \cite{adlin2010essential}. To this end, both employees and CSOs were interviewed or presented a questionnaire about the devices they used and the security policies of their companies. Thus, the main conclusions from the study are summarised in what follows:

\begin{itemize}
\item From the employees side, the study includes focus groups and an online questionnaire. In total, there were 21 people in the focus groups and 448 people responded to the online questionnaires. All reported to be experienced with technology and are from different countries.
\item From the employees side, the study includes focus groups and an online questionnaire. In total, there were 21 people in the focus groups and 448 people responded to the online questionnaires, from different countries. All participants reported to be experienced with the use of technology.
\begin{itemize}
\item Half of the participants have company used devices, and when asked which ones, the most named were desktops, laptops, and smartphones in that order.
\item It was observed that freelancers and self-employers were the ones who mostly tend to use their private devices for work purposes. Everyone agreed with their companies liking this practice because the employees are reachable beyond working time.
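Review bot: the rewritten Thomson paragraph still spells the author two ways, "Thomson \cite{thomson2012byod}" at the start and "Thompson remarks" two sentences later; use the spelling that matches the bibliography entry. The same line keeps the typo "suryeved" and the phrase "mostly half of the people", which probably means "almost half". In the rewritten Persona paragraph, "a user archetypes" mixes singular and plural, and "devoted to identify" should be "devoted to identifying".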
Expand All @@ -96,20 +96,20 @@ \subsection{BYOD in the enterprise}
\end{itemize}
\end{itemize}

In this scenario we can see that the employees demand the adoption of BYOD by the companies, and usually do not care about security policies, as they think that only the IT department is responsible for security. We can also conclude that the companies tend to allow BYOD practices without properly securing the environment. For these reasons, there is room for the development of a tool that helps companies in adopting BYOD, protecting important and valuable company assets at the time it makes the employees aware of the security and data loss.
In this scenario we can see that the employees demand the adoption of BYOD by these companies, and usually do not care about security policies, as they think that only the IT department is responsible for security. We can also conclude that the surveyed companies tend to allow BYOD practices without properly securing the environment. For these reasons, there is room for the development of a tool that helps companies in adopting BYOD, protecting important and valuable company assets at the time it makes the employees aware of the security and data loss.

\subsection{Other fields that have adopted BYOD}
\label{subsec:byodother}

The advantages BYOD brings makes security policies gain traction in the education sector with an increasing number of schools around the world choosing to implement their own BYOD policies. In such environment, BYOD (also called Bring Your Own Technology) refers to a technology model that allows students to bring their own devices to school for learning in the classroom [\cite{sangani2013byod, song2014bring}]. The adoption of BYOD in schools is supported by the fact that technology plays a leading role in
The advantages BYOD brings make security policies gain traction in the education sector with an increasing number of schools around the world choosing to implement their own BYOD policies. In such environment, BYOD (also called Bring Your Own Technology or BYOT) refers to a technology model that allows students to bring their own devices to school for learning in the classroom \cite{sangani2013byod, song2014bring}. The adoption of BYOD in schools is supported by the fact that technology plays a leading role in
pupils/students' everyday lives and should, therefore, be an integral part of their learning. However, for most schools it is financially unsustainable to provide every student with the most appropriate up-to-date device. BYOD is therefore considered an attractive, cost-effective alternative, provided that many students usually own
devices that are superior and more up-to-date than those available in schools. BYOD at schools has several benefits as well such as personalising learning experiences, encouraging students' independent learning, and promoting anytime, anywhere learning opportunities.

\section{Research lines in BYOD}

Since BYOD policies started to appear in companies' day-to-day policies a lot of research has been done about the advantages and disadvantages of this approach [\cite{singh2012byod}], as well as about how to properly implement it in order to respect privacy while trying to secure the resources [\cite{scarfo2012new, ali2015analysis, de2015corporate}]. These issues can be approached in different ways; Scarfo differentiates in [\cite{scarfo2012new}] two main ones: allowing the device to connect via desktop or application virtualisation, meaning enough control to avoid employee's devices monitorisation; or allowing the company to control devices via Mobile Device Management (MDM), which has to be legally agreed with the employee.
Since BYOD policies started to appear in companies' day-to-day policies a lot of research has been done about the advantages and disadvantages of this approach \cite{singh2012byod}, as well as about how to properly implement it in order to respect privacy while trying to secure the resources \cite{scarfo2012new, ali2015analysis, de2015corporate}. These issues can be approached in different ways; Scarfo differentiates in \cite{scarfo2012new} two main ones: allowing the device to connect via desktop or application virtualisation, meaning enough control to avoid employee's devices monitorisation; or allowing the company to control devices via Mobile Device Management (MDM), which has to be legally agreed with the employee.

Ali et al. expand from Scarfo's study in [\cite{ali2015analysis}] reviewing both BYOD access control and security models. The authors further distinguish between MDM and Kernel Modifications inside the security models, and conclude with the description of a proposed model which combines most of the reviewed solutions, i.e. MDM and Virtual Private Network (VPN) access together with an encrypted container for the accessed information depending on the level of restriction. However, from all the papers in [\cite{ali2015analysis}] claimed to enforce policies, only in [\cite{rhee2013high}] the authors actually describe how the policies are enforced by describing which data is monitored. In any case, none of the papers mention the application of GP to the enforcement of the security policies, but other techniques such as the implementation of
Ali et al. expand from Scarfo's study in \cite{ali2015analysis} reviewing both BYOD access control and security models. The authors further distinguish between MDM and Kernel Modifications inside the security models, and conclude with the description of a proposed model which combines most of the reviewed solutions, i.e. MDM and Virtual Private Network (VPN) access together with an encrypted container for the accessed information depending on the level of restriction. However, from all the papers in \cite{ali2015analysis} claimed to enforce policies, only in \cite{rhee2013high} the authors actually describe how the policies are enforced by describing which data is monitored. In any case, none of the papers mention the application of GP to the enforcement of the security policies, but other techniques such as the implementation of
blacklists to avoid the installation of forbidden applications, or whitelists to allow only certain ones. These techniques can be useful with respect to the implementation of already defined security policies, but our method allows to discover new security policies, which in the case of black and white lists, can evolve them to include new and/or malicious applications.
There is an emerging research area in the field of BYOD. This is because, it is becoming a growing trend \cite{Garba15organisational}. There exist several methodological works on this subject. Samaras \cite{Samaras13SaaS} proposes a methodology design of a security architecture taking into account their logical design, logical architecture, security mechanisms and physical architecture. First, the business processes are studied and legal and security requirements are analyzed. After applying several controls the architecture is validated using different criteria: Correctness, Completeness, Usability and Flexibility. Romer \cite{Romer14BestPractices} proposes a set of best practices for BYOD security: centralize control and monitoring, protect confidential devices, increase trust with private clouds, connect to important services (such as Dropbox), block risky services and choose proven solutions.
h some works present studies on the impact of BYOD in privacy \cite{Miller12Privacy} or relationship between workers productivity and stress \cite{Haejung12Door}, the most of them are focused in describing new systems and concepts in this paradigm. Scarfo presents in \cite{Scarfo12survey} a survey about the coming up methods in BYOD security. This survey summarises the research in two different approaches: {\em hands-off} versus {\em hand-on} devices. The first one proposes the use of some kind of virtualization or wrapping of the applications, while the latter is based in a tight control and monitoring of the device by the company.
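Review bot: the two unchanged paragraphs at the end of this hunk discuss Scarfo's survey a second time, citing \cite{Scarfo12survey}, while the rewritten first paragraph of \section{Research lines in BYOD} cites \cite{scarfo2012new} for what reads as the same two approaches (virtualisation versus device control); if both keys refer to one paper, keep one key and merge the paragraphs. The last paragraph also begins with the fragment "h some works present", which looks like a truncated word, and pairs "hands-off" with "hand-on". In the rewritten lines, "GP" is used without being expanded anywhere in the visible text, and "our method allows to discover" needs an object, for example "allows us to discover".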
2 changes: 1 addition & 1 deletion FrontBackmatter/Bibliography.tex
Expand Up @@ -11,4 +11,4 @@
%\bibliographystyle{plainnat}
\bibliographystyle{babplain-fl}
\label{app:bibliography}
\bibliography{tesis,review_muses,data_mining_urls}
\bibliography{tesis,review_muses,data_mining_urls,GPrules}
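Review bot: the new GPrules database on the \bibliography line is not referenced by any \cite key added in the visible hunks of Chapters/02-byodSotA.tex, so confirm that GPrules.bib is part of this commit and that the chapter that cites it builds. Since four databases are now loaded together, also check that GPrules does not redefine keys already present in tesis, review_muses or data_mining_urls, because BibTeX reports repeated entries as errors.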