IAES International Journal of Artificial Intelligence (IJ-AI)

Received Jun 5, 2021 Revised Dec 28, 2021 Accepted Jan 27, 2022 The significant enhancement in demand for bring your own device (BYOD) mechanism in several organizations has sought the attention of several researchers in recent years. However, the utilization of BYOD comes with a high risk of losing crucial information due to lesser organizational control on employee-owned devices. The purpose of this article is to review and analyze the various security threats in BYOD; further we review the existing work that was developed in order to reduce the risks present in BYOD. A detailed review is presented to detect BYOD security threats and their respective security policies. A phase-by-phase mitigation strategy is developed based on the components and crucial elements identified using review policy. Managerial-level, social-level and technical level issues are identified such as illegal access, leaking delicate company data, lower flexibility, corporate data breaching, and employee privacy. It is analyzed that collaboration of people, security policy factors and technology in an effective manner can mitigate security threats present in the BYOD mechanism. This article initiates a move towards filling the security gap present the BYOD mechanism. This article can be utilized for providing guidelines in various organizations. Ultimately, successful implementation of BYOD depends upon the balance created between usability and security.


INTRODUCTION
In last decade we have seen revolution in personal device, especially in number of smartphone, tablets and laptops; moreover, the number of users has increased enormously; these smartphones and tablets work with high-speed internet. The high-tech functionalities of these smartphones and tablets have motivated many organizations to utilize these smart devices in their workspace [1], [2], The high utilization of these smartphones is mainly due to two reasons. First, end users can have access through a massive number of apps and can easily install them according to their requirement using demand-based mobile distribution model (MDM), which is a public application store for various platforms [3]- [6]. Second, the development of advanced mobile operating systems like Android, iOS and Windows which has given strength to the development of extensive varieties of powerful devices. A new mechanism bring your own device (BYOD) has emerged in the market especially in workplaces. Using this mechanism, organization staff can easily link their smartphones and tablets with organization network to get access to their business information, client details and corporate data and conduct daily corporate activities [7]- [9]. Moreover, employees can utilize their devices for both corporate activities and personal use. This motivates employees to involve more incorporate functionalities and work activities by utilizing their smartphones, tablets. BYOD has tremendous benefits and convenience to a variety of business functionalities such as the high amount of work efficiency, Int J Artif Intell ISSN: 2252-8938  An efficient security analysis of bring your own device (Pullagura Soubhagyalakshmi) 697 flexibility, organization staff satisfaction, and cost reduction, reduction in IT acquisition and many productivity advantages [10]- [13]. In recent years, the utilization of BYOD mechanism has become "hot tech trend". Recently, a survey claims that almost 95% of organizational staff utilize at least one personal device for finishing their corporate works at the work station or any remote location [14]- [16]. Some reports show that almost 70% of the enterprises in many developed countries like USA, Australia, Spain, Germany and Malaysia has already adopted BYOD [17]. However, the high utilization of smartphones and tablets in corporate institutions in recent years has led to various security issues in the organization. The staff-owned and controlled devices access organization intranet and work on several networks. Thus, sensitive corporate information and details may be compromised unintentionally while sending emails to the clients via public mail services, by utilizing public cloud storage facilities like Samsung cloud, Apple's iCloud and Dropbox for storing corporate documents or by interacting with voice assistants through smartphones [18]. Further, a corporate employee may intentionally or wickedly incorporate malware to the corporate network using his or her own virus-infected smartphones. Numerous researchers have provided a significant amount of work to provide an efficient and secure BYOD mechanism and some of the literature. In [18], a passive security mechanism is presented for reducing threats in the BYOD devices. Here, a non-intrusive big-data technique is adopted for tracking usage patterns. In [19], a smart risk management framework is introduced for BYOD technique to deal with data breaches in a corporate environment. In [20], a BYOD security enhancement method is introduced based on techniques such as software-defined networking (SDN), enterprise mobile management (EMM) and network function virtualization (NFV). In [21], a machine learning technique is introduced in which faulty and suspicious URL's can be detected using supervised machine learning techniques. However, the malicious activities and security threats have widely enhanced in recent time hence the efficiency of these above techniques is reduced in practical implementation for a BYOD environment. BYOD can enhance a significant amount of productivity of an enterprise. Moreover, this technique can reduce the cost of the organization, enhances flexibility as well as increases employee productivity. It gives a new interaction medium to the staff for communicating with clients as well as their colleagues resulting in productivity enhancement and permits staff to work from any remote location efficiently. This technique can become a bridge to fulfil the gap between corporate technologies and client solutions. Hence, this review article provides a detailed analysis of security. Further, this research focuses on various security issues, which can be experienced while utilizing BYOD policies are discussed and several secured methods are discussed to eliminate these issues. In addition, an effort has been made to provide guidelines for various organizations about several security policies and their proficient implementation. A discussion on the effects, which can be seen in various organizations in terms of security threats and their reduction by implementing these guidelines, has been presented.
This paper is organized: in section 2, security-related issues in BYOD policies are discussed and tackling these issues through various approach has been highlighted. In section 3, a detailed analysis of security issues, how to mitigate those issues and various security policies is discussed. In section 4, a detailed analysis about mentioned security policies in BYOD mechanism is presented and section 5 concludes the paper.

RELATED WORK
BYOD mechanism has been the demand of hour in recent days due to various situation, one of them being pandemic related. This technique can reduce the high costs required for the institutional set up to work in a company as well as a hefty investment needed for the distribution of hardware devices to employees from companies. However, security is the major concern for BYOD technique as both corporate and personal information remain on stake due to daily enhancement in malicious activities, which may concern employees as well as company authorities. Moreover, there are several mechanisms that have been proposed as a BYOD security solution, some of them were light weighted less complex with easy policy which follows the integration into other hardware domain such as given [22]- [31]; although these method does provide a fair and secure integration, they ignored some of the basic protocol of security due to major focus on IoT-domain. Furthermore, we have reviewed some of the important work that has mainly focused on the BYOD Security policy. In [32], a border patrol technique is adopted which works upon fine-grained contextual data to secure BYOD network. This method avoids unwanted functionalities like advertisements, analytical functionalities and unwanted cookies by blocking their packets. In [33], a virtual micro security technique is introduced for BYOD mechanism based on information protection abstraction, which can track malicious data packages. Throughput is considered high using this phenomenon. In [34], a deep learning context-based framework is introduced to reduce the security threats in BYOD environment. Here, artificial neural network and machine learning techniques are adopted to identify threat attacks and suspicious activities in smartphones. In [35], a BYOD evaluation mechanism is introduced to assess dynamic security threats in smartphones. This assessment mechanism is utilized for BYOD vulnerability evaluation based on their vulnerability score. However, tracking and accessing an extensive amount of relevant information is a very challenging process. In [36], security threats, challenges, policies and their solutions for a BYOD mechanism are reviewed. Here, an inclusive security policy mechanism is introduced which tells about characteristics of a flexible and secured policy. In [37], a behaviour identification model is adopted for BYOD mechanism using theoretical determinants. This model evaluates that certain activities are malicious or not based on their behaviour patterns. This model is tested upon various employees of Oman. In [38], some necessary factors for the implementation of BYOD mechanism in schools are discussed. The data of 204 teachers are tested which is collected from 5 different schools. This study discusses the factors such as network security, content filtering and training for the maintenance of BYOD mechanism. Few researchers provided solutions to counter these threats which are associated with high overhead. And most of the researchers have provided review and evaluation model for BYOD mechanism. These issues are illegal access policies, leaking delicate company data, lower flexibility, corporate data breaching, employee privacy compromised, misuse, stolen device, and security unbalancing. Based on above factors, a detailed analysis of security issues present in the BYOD mechanism, their effects, mitigation strategies, various security policies and implementation of those policies in future work are discussed. Moreover, security guidelines are provided for organizations to mitigate security threats occur in BYOD mechanism.

SECURITY ANALYSIS IN BYOD MECHANISM
A comprehensive security analysis of BYOD framework is presented in the following section: in general BYOD has the security policy which helps in minimizing the threat, hence we have named it as security threat reduction policy framework aka security threat reduction policy (STRP) and analyze the different security framework, along with various challenges. A security threat reduction policy framework for BYOD mechanism is presented for the identification of security issues present in BYOD and provide solutions to mitigate these issues. STRP framework combines seven steps to form a decisive and proficient solution to reduce security threats in BYOD and incorporates a comprehensive life cycle of BYOD mechanism. The life cycle of a BYOD mechanism starts from granting permission to an employee from the organization to use their devices for corporate activities and work. This BYOD life cycle ends when those particular devices are revoked. STRP framework is designed to introduce a risk assessment system for BYOD security threats. These seven steps are strategize, recognize, defend, detect, retaliate, retrieve, evaluate and observe. These steps help to design a security threat reduction policy framework which can mitigate security threats in BYOD mechanism. Several crucial elements of the STRP framework can be identified based on the mechanism which mainly depends upon three categories. First, people involved in security procedures. Second, the security policy factors which helps to design a security guideline manual for ideal employee behavior concerning BYOD security. Third, a technology which holds up security procedures. The following section discusses major security challenges faced in the BYOD mechanism which are identified from various literature.

Security challenges identified in BYOD
Security challenges in BYOD plays a major role, security challenges identification helps in reducing the different kind of threats. Although there are number of security challenges, this section discusses several security challenges which has major impact while designing the BYOD security framework. Furthermore, this section mostly focuses from data center perspective.

Recognition, validation and access control challenges
BYOD implies that several employees of an organization perform various corporate activities with their own devices. For security reasons, these devices need to be protected using very essential in-built device authentication and locking mechanism such as PIN, passwords, patterns, face recognition and fingerprint access to protect crucial information present in the employee devices. However, various surveys show that a massive number of employees do not utilize this type of authentication security features [39]. There is minimal control of an organization on their employees in the way they access their devices, which is a reason for excess information breach in several organizations. Moreover, the possibilities of information breaching may enhance when employees work from a remote location or access corporate functionalities from outside the company perimeter. Moreover, cybercriminals can easily hack these BYOD devices and can utilize employee details to access unauthorized information of an organization and cause harm to their business activities.

Device and information security problems
Employee-owned devices are susceptible to various malicious activities like malware, virus, worms, and spyware. Additionally, organizational authorities have no clue what type of applications or programs, employees are running on their devices. In contrast, company-maintained devices generally have all the applications or programs prior installed with severe security policies incorporated in those devices. Therefore, the possibility of data leakage of an organization is more in employee-owned devices than company-maintained devices. Recently, several applications, websites and software utilizes 'caches' which is a temporal repository for storing information. The 'caches' may keep crucial information about the organization and may expose to unauthorized people. Moreover, employees can attract well-designed programs or applications, which have minimal security encryption policies, enhancing the possibility of information leakage. The utilization of BYOD mechanism means several devices, which are owned by employees, are connected to a single organization network in which many devices may consist of malicious software and applications. Finally, employee-owned devices may get stolen or lost which remain unprotected and unencrypted in major cases and can be easily exposed by intruders which may cause severe security threats. Most information breach cases are registered at the time of device lost or stolen.

Network security challenges
The utilization of BYOD mechanism shows the possibility of malicious software and applications in employee-owned devices links to the same network is much higher than in company-owned devices due to restricted access. This may lead to a high-level security threat and crucial client information may leak. A hacker can easily expose these security drawbacks of BYOD mechanism by accessing organizational network whenever employees connect to a local network in the organization. Recently, several employees have demanded data center access while work from outside company premises or work from home. This shows that risks are higher while using BYOD mechanism.

Management challenges
Strict guidelines and security policies are very essential for enhancing security structures in the BYOD model for employee-owned devices. Absence of these security policies and guidelines may cause higher security threats as well as misinterpretation of data, resulting in immoral security practices. Additionally, lack of knowledge in employees about secured policies may lead to severe security threats. Security enhancement in devices requires additional cost. Certain organization imposes guidelines on employees such as the utilization of long and intricate passwords, automatic session expired functionalities in certain time-period. However, these strict guidelines can affect usability and can irritate many employees.

Compliance challenges
The utilization of BYOD in many organizations is a very complex process. First, these organizations do not have any control on employee-owned devices. Second, all organizations need to follow several legal laws and guidelines. This shows that these organizations need to impose severe security guidelines to save their customer's crucial information.

BYOD security policy
A comprehensive discussion of a proficient and secure BYOD security policy is presented here. The seven steps mentioned in review of security threat reduction policy (STRP) framework, which are strategy, recognize, defend, detect, retaliate, retrieve, evaluate and observe. These security policies have been discussed througoghly later in the section. − Strategy This phase is very crucial for authorities (higher management) in an organization for the design and implementation of BYOD mechanism. Several steps require to design the BYOD mechanism which is: At first, higher management authorities have to design a strong and efficient BYOD model by establishing a strong relationship with all the people who are involved in this BYOD model such as all the managers, employees, shareholders, managerial authorities and they need to work as one link and follow every compulsory guideline given by higher authorities. To design such a BYOD policy which works in a streamline with an organization's mission and vision. Thus, initially, a clear picture of that organization's capabilities, their functionalities and their requirement is necessary for design a proficient BYOD policy. A mobile device management (MDM) can be utilized which can control all the mobile devices linked to the internal network of the organization and can comprehensively manage their information. BYOD awareness program can be placed for employees so that their understanding of BYOD improves. − Recognize This phase majorly discusses the device registration of employees and their training about BYOD policy guidelines and security. Employees submit their request for registration of their devices. Then, the IT department analyzes that the requested device is permitted or not under the guidelines of BYOD policy. All the devices will have a minor background check for security measures and the people with higher access to organization resources will have a major background check. The organizational authorities can install certain Defend This phase discusses the factors which can impact BYOD policy and how to deal with them; an authentication system should incorporate to defend from cybersecurity threats. The utilization of passwords, patterns and biometric authentication in BYOD devices need to make mandatory for protecting information. One-time authenticate mechanism will have to be incorporated in BYOD policy that means once an employee is authenticated to utilize one functionality of the enterprise then no need to authenticate again for other functionalities of the organization for that particular session so that they can focus more on work. An internal application and software store can be incorporated so that only trusted application or software are used which are prior tested by the IT authorities. The organizational network needs to be protected with high layer advanced encryption protocol to protect from any kind of malicious activities. Retaliate This particular phase highlights the actions required for a security breach or data leakage; High-security firewalls and anti-virus software can be installed in affected device and malware can be removed after successful detection. If particular application or website is infected, then it should be blacklisted for further used. In case of any malicious activities, MDM should be utilized to wipe out all the corporate details with employee properties. − Retrieve This phase will describe the prevention methods of a security breach from employee-owned devices. An organization should prevent employees to utilize shared or public data storage platforms for corporate details and activities. Maximum protection can be provided by incorporating their private cloud for data storage based on the organization's budget. Virtualization can be utilized so that the personal space of employee-owned devices is not used and employee can directly store and access information from the organization data storage center where security remains extremely high. − Evaluate and observe The last phase describes how crucial is feedback when the security policies and environment and technology is continuously changing. Therefore, certainly taken into consideration while developing any security policy. With the rise of technology and utilization of BYOD devices, regular checkups, security updates and feedbacks become very crucial. The organization has to review the entire system in a certain period and detect security gaps present in the system; further, Table 1 represents problem identification in BYOD mechanism and their solutions.

ANALYSIS OF BYOD SECURITY POLICY
The main aim of this review article is to find out all the security issues faced by an organization using BYOD mechanism and required security policies to reduce those issues. The STRP framework is extremely helpful in understanding all the issues faced by an organization, their effects and their respective mitigation policies. Moreover, very few articles have comprehensively analyzed security issues and their respective policies phase by phase, which is done in this article. This review work can be utilized for providing guidelines in various organizations. Furthermore, considering the analysis of security work in BYOD, there are other two work which has done empirical survey and strengths, weaknesses, opportunities, and threats (SWOT) analysis in [40] and [41] respectively.

CONCLUSION AND FUTURE WORK
BYOD is a crucial and important trend of recent time to enhance the productivity of an organization while reducing cost and establishing a stronger bond between company employees and an organization. However, security threats present in BYOD mechanism has always is a cause of concern to the authorities of the organization. However, these threats can be mitigated by following certain guidelines, installing highly-secured software and by designing a secured policy for BYOD. Several issues have been identified such as manageriallevel, social-level and technical level and their effects also explained comprehensively. All the crucial elements like people, security policy factors and technology used are considered and a mitigation strategy is explained comprehensively phase by phase. It is analyzed that collaboration of people, security policy factors and technology in an effective manner can mitigate security threats present in the BYOD mechanism. Future work may involve a work on following aspects such as How BYOD is implemented in several organizations in realtime? How it remains secure from security threats and what kind of security policies and technologies are utilized? What are the security threats and how information is not compromised while working from home by employees in their own devices due to COVID-19 pandemic in 2021? Moreover, this research review article has limitations in conducting review as we have focused only on the review of BYOD security policy relevant to our work and there is other area such as efficient and productive security.