group work about the bring your own device phenomenon. Thank all ma teammates: MONTÉ Clément, MESSOUSSI ISMAEL, CAMBUZAT Nicolas, BOUTRY Romain.

1. The « Bring Your Own Device » BYOD phenomenon is a trend born with the birth of the
personnal devices more and more powerful which are now essential with our link to other
people. These new tools, created at the beginning for everyone, are prone to step into the
professional sphere through barrier porosity between privat and professional life. Indeed, it
seems to be vain to ignore or neglect this phenomenon linked to a true mutation that can be
qualified of sociological.
Millions of customers, in which a lot of employees, bought advanced mobile devices like
smartphones or tablets for their personal use and then download applications aimed to get
their everyday life better. This tendency of trying to perform their devices have created a new
feeling for people: they start to become dependent of these personal devices. As a
consequence, this new system obliged people to “bring their own device” in their work place
and then, make these devices not only part of their everyday private life, but also their
everyday professional life. BYOD may have some important implications regarding the way
firms manage their networks, mobile devices and even their employees. Thus, BYOD is
giving a new meaning to work at its workplace.
Group 16 : MONTÉ Clément, MESSOUSSI ISMAEL,
CAMBUZAT Nicolas, BOUTRY Romain, CÉCILE Kévin

2. INTRODUCTION
In 2013, according to a study made by VMWare, 76% of French Information System
directors planned to set up a BYOD system in their companies.
BYOD means « Bring Your Own Device ». It consists, for an employee in bringing his
personal device (laptop, smartphone…) at work and in using it for a professional purpose.
Thereby, this is a tendency that blurs the boundaries between work and private life.
It is a recent phenomenon that is becoming extremely popular among organizations
and employees. We can notice that companies are integrating BYOD in their development
strategies since several years ago, in 2011 more accurately, 40% of American companies had
already admitted that they wanted to improve their development through the Bring Your Own
Device tendency. Nowadays, firms cannot ignore the « Bring Your Own Device »
phenomenon because it is a response to a real demand from employees, indeed 62% of French
employees think that their own computers and devices provided by their company are not
effective enough to meet their needs, contrary to their personal ones. Thus, they wish to bring
their own device at work.
Therefore, we can wonder to which extents BYOD integrate itself in the professional
world.
There are several aspects to the problem. First of all, we shall have a look at why the
BYOD system? And what are the advantages of this new tendency for competitiveness. Then,
we will see if that fact of bringing its own device at work is secure? And to finish with, we
will wonder if organizations should provide any alternative concerning BYOD?

3. I/ What about the BYOD system?
1) Why has the BYOD been introduced to the market?
Surprising as it may be, even if we come to speak about the BYOD only recently,
around over the past 5 or 6 years, the BYOD started to be introduced from the Lisbon treaty
or the so called “knowledge economy”. It was ratified the 13th December by the 27 European
Union’s members in order to make the European Union, whose the France is part, the most
technologically advanced continent of the world. The aim of this treaty consisted, in some
extents, in making the European Union become the most powerful and effective continent in
terms of technology. It obviously failed because of the bubble crisis and huge delay with
respect to the USA. Nonetheless, it remains that more and more technology have been
introduced from this moment on.
But today, why is the BYOD being enforced?
The BYOD, stands for “Bring-Your-Own-Device” is more and more spreading within
firms. This praxis enables people part of the firm to use their own personal devices
(computers and mobiles). What does the BYOD represent for employees and employers?
What are the advantages? Why have firms no choice but to implement it?
With the increasing development of the informatics within firms, notably with the
cheaper access to the high speed internet, they equipped with standardised equipment to
tighten its security. Nevertheless, all this standardization has a certain cost that is why BYOD
was first enforced within the “start-ups” because they did not have enough funds to afford
such expenditures. Each employee brought his own computer and this praxis sprawled to each
person who was hired in a start-up.
Then, the development of mobiles, tablets, smartphones and computers has been
skyrocketing for a decade. According to some reports released by Ericsson the number of
mobile subscription amounted to 700 million in 2011 and is forecasted to amount to 3 billion
in 2017. The smartphone has becoming without any doubt the privileged mean to have access
to the internet. Also, previsions of Forrester for 2016 enable us to state that the proportion of
people equipped in tablets and smartphones should be in USA 126 million for the tablets and
256 million for smartphones.
As said by the Gartner “the emergence of BYOD program has necessarily been the biggest
change in the economy of computer client for the firms since computers spread to working
place.
So, as we have said previously, NTIC were introduced at first within household before being
used in working places.
The massive adoptions of new smart equipment trigger a true gap between consumers market
and tools which are available for employees by employers.
Formerly, in the study “The BYOD effect”, some smartphones, like the blackberry,
was introduced in the market essentially for firms and other were introduced for consumers,
as IPhone, tablets or android. These followings targeted the whole consumers. That is once

4. the market integrates these technologies that firms were asked by employees, became users of
them, to implement them in their everyday work.
2) How important is the BYOD within firms?
Employee disposes, for their personal use, an attracting device, which was chosen
personally, whose he perfectly masters the use and the process. He will be therefore logically
enticed to spread his use to the professional and privacy life to avoid being forced to use both
personal and private device. He is set up to take on him the maintenance of his equipment and
an interweaving or certain porosity between private and professional life.
We can that the first possible advantage of the BYOD system come up as a gain of
productivity of employees and cost reduction linked to the acquisition and the devices
maintenance. In return, the employer commits to take in charge some fixings and allocate to
employees a monthly sum of money and also to improve some software, if needed.
The BYOD phenomenon blurred the barrier between personal and professional sphere and is
highlighted by several elements as:
 New devices are easier and easier to use and more and more performing.
 The increasing mobility of some employees (nomadic employees): the use of
only one device is much more convenient.
 The very changing firms’ environment whose needs in information are
increasing.
 The development of collaborative work and the generalisation of devices
services (cloud, social networks).
But How the BYOD is used by employees?
The study Avanade released the following data led over 605 decision makers, in charge of
computers field of 17 countries in north and South America, in Europe, and in Pacific Asia.
These firms were asked which applications did they let accessible to personal devices:
 Messengers, agenda and contacts: 85%
 Social networks: 46%
 Time and expenditures management: 44%
 ERP: 38%
 CRM (customer relationship): 45%

5. This same study let it know that:
 72% of responding firms think being confronted, deliberately or not, to BYOD
 50% of responding firms deem the BYOD as inevitable, whether there are
urged or not
 .78% of computer firm’s leader state that employees already use personal
devices to professional use.
To which frequency do you use your mobile devices as part of your job (answer
to your mail included) ?
 72% of employees equipped acknowledge working of the private time (out of
the office).
 33% of responding firms (33% in France and 33 in the world) show most of
employees use their tablets for professional tasks.
That is why the BYOD has become a reality in the professional field, whether
firms are accepting it or not.
As showed above, the BYOD is now part of our everyday life, and firms which
stepped into the BYOD are quite much performing than other firms.

6. According to a worldwide study let by Dell, 70% of firms setting up a BYOD strategy noticed
a productivity improvement of their employees, notably a responding time to customers faster
whilst 59% would be less competitive without BYOD strategy. The BYOD is therefore a
factor of flexibility (working everywhere and all the time) but raises a problem of working
time because of the interconnexion of both private and professional life.
On the other hand, some employees are really sensitive to the fact of using their
personal device. That is a factor of autonomy and commitment since they use the device they
have chosen which improves the working satisfaction.
II/ BYOD : what are the risks, inconvenients and consequences ?
1) What is at stake with BYOD?
a. Its implementation is a challenge
 The main challenge brought by the BYOD holds the fact that these devices are not
conceived for the company but for the general public. According to any logic, the
most important brake for the adoption of the BYOD is the security. Every responsible
of the security will consider unacceptable to open the access to its internal network in
unknown devices by the simple way of an authentication of the user, with any control
of the IT.
The exposure at the risk could seem limited if it is a question of authorizing only the
access to the company messaging; nevertheless the risk is far from being unimportant since
the user between his information of identification (identifier and password) of the company
about an air terminal for which the reliable level is limited and being able to be compromised
by a key logger (spy program).
Furthermore, the access to the company messaging service is an open door towards the
leak of information: if the tablet or the smartphone are used by an employee, the sensitive
information which it transfers on its equipment will be at arrangement of a badly thoughtful
person in case of loss.
b. There are several risks
ENISA (European Network and Information Security Agency) in its document called
"Consumerization of IT: Top Risks and Opportunities" classifies the risks bound to the
BYOD and Consumerization of IT in three categories: the risks relative to the cost, the risks
relative to the legal and statutory aspects, and finally those affecting the data (confidentiality,
integrity, availability or respect for the private life).
 In the risks bound to the cost, the leak of information by careless behavior by the users
and its impacts in terms of image are quoted first of all. The complexity and the
variety of peripherals, the theft of equipment can be at the origin of supplementary

7. costs. Finally, costs are to be considered so that the company takes into account the
modifications in the architecture of security to pass a parametric model protection in
an end-in-end security, the adaptation of the policies of security, the sensitization and
the training of the users.
 In the legal risks category, the lack of control over terminals held by the employees
complicates the traceability of the actions towards the assets of the company, the
management of the incidents of security and the respect for the statutory conformity.
By the mixture between private life and professional life which involves the BYOD, it
becomes more difficult for the company to make sure of the respect for regulatory
requirements bound to the human resources, for instance telecommuting hidden,
overtaking of working hours. The lack of distinction between the personal and
professional data can add some difficulty in the research for proof to the electronic
form (e-discovery) and increase the probability of disputes between companies and
their employees in the field of respect for the private life.
 The last category of risks concerns the data themselves what is the focal point. The
increase of the risk of information leak is the most significant risk in case of more lose
control of the application of safety policies over peripherals; the diversity of
equipment adds difficulty for their control; their maladjustment in the constraints of
the company due to the lack of technological maturity favors the uncontrolled
distribution of critical data. By their lower level of security making them more
sensitive to malware and a strong exhibition, these terminals can become favored
targets to obtain the access to critical data of the company.
Other studies as that produced by the Cloud Security Alliance "Top threats to Mobile
Computing" raise the same types of risks concentrated around the leak of data whether it is by
loss, theft) or decommissioning of terminals, theft of data by malware or negligence in the
protection or the behavior of the users.
One of the recommendations of Symantec (company specialized in security software):
“Concentrate on the information and the places where it is visualized, passed on and stored.”
In front of these risks, the maturity of the company in terms of security is structuring:
what is the gap to pass of an infrastructure of security where all the terminals was - in the best
case - controlled and where all the efforts were concentrated on the parametric protection in a
dynamics of access control concentrated on the data? If a system of classification of the data
is already in position and if the access control in the data is based on a serious management of
the identities and strong authentication, the way to go to take into account the BYOD will be
clearly less difficult.
On the contrary, if the management of the security of the company and the protection of
the access to its data is more random, the risks to open to the BYOD concept will be more
hazardous.

8. To summarize, the challenges put by the BYOD are relative to the lack of control of
terminals bound to their diversity and to the fact that they are not the property of the
company, a mixture between the private and professional data, a maladjustment of the model
of parametric protection. This exposes to the risks of information leak and failure to respect
statutory conformity.
2) What are the reasons and the consequences
a. Architecture of secure access
The security is doubtless the main subject to be considered within the framework of
the BYOD. It implies a questioning of the approach of parametrical protection which is now
inappropriate for the security of the information system. The BYOD requires to authorize on
the internal network of the company new type of equipment whose level of security does not
correspond any more to the criteria defined by the security policy.
Transformations are to be envisaged to welcome these tablets, smartphones or terminals of
every type, while supplying them an access to the resources and the services of the company
which will be a function of various criteria as the level of security of the terminal, the strength
of the authentication of the user, asw. The infrastructure in charge of the security will have to
undergo transformations and adaptations to take into account the new scenarios authorized by
the arrival of the BYOD and the challenges in terms of security which it brings to the
foreground.
b. Structure of security policies
Security policies already in position take into account the mobility by defining a number
of requirements on workstations or telephones directly managed by the company; for example
the policy can impose the use of the encryption of disks on mobile posts to limit the leak of
information in case of loss, or the use of a PIN code and a possibility of remote disappearance
for telephones supplied by the company.
The authentication is classified according to four levels:
→The authentication of low level corresponds for example to an authentication by
password for which no restrictive security policy is imposed: the user can select a
password with a reduced number of characters, a choice among the list of the most
common passwords (for example: in 1st place for year 20121, "password ", then
"123456").
→ An average authentication will correspond to an authentication by password but to
which a more "serious" security policy is applied imposing for example least 15 characters
with criteria of complexity, a management of the history, etc.

9. → A qualified, strong authentication can lean on the use of a certificate software.
→ Finally, a multi-factor authentication will base on a solution implementing several
factors as the ownership of a smart card partner to that of its PIN code.
It is necessary to take into account the sensibility of the data and the services which are
reached and the security policies of the company which are established.
Any security policy stands out as obligation to make a classification of the assets of the
company according to their level of sensibility.
The last element of the equation is the security policy of the company: it is it which will
decide on authorized scenarios; according to the sensibility of the information or the targeted
department, it is the security policy which will decide or not to authorize the scenario of
access according to the reliable level of the context of access.
3) Protection of the device
In a company context, the level of basic security offered by the device chosen by the user
is an important criterion. Even if it is a question from mobile devices targeted for the general
public, the company can impose requirements of security on those which it would authorize to
connect on its network.
Among these requirements, we can quote:
→ The reassurance of the sequence of starting up which strengthens the resistance against
malware.
→ The robustness of the operating system and the regular update of the correctives of security
to minimize the exploitation risks of security flaws and defaults.
→The encryption of the device which guarantees in case of theft that the stored data cannot
be reached nor modified in their integrity.
→The strong authentication for the unlocking of the device.
→The authentication by certificate for the access to the Wi-Fi allows to assure a secured
access to the network of company and avoids the local storage of the identifier and the
password which the user uses.
→The architecture of the operating system of the mobile has to offer an insulation of the
applications between them to avoid that a hostile application cannot compromise the other
applications as well as the operating system.
The security is one of the major challenges bound to the transformation engendered by the
BYOD. The model of security based on a protection of the perimeter has to evolve towards a
model taking into account the notion of context; now companies have to introduce on into the
equation of the access control the reliable level in the equipment allowing to reach the
information system, the identity of the user, the strength of the authentication and the place of
connection.
III/ Should organizations provide any alternative concerning
BYOD?

10. 1) Legal aspects.
a. The context.
We have seen that BYOD presents real assets for a company, both for the development
level and the organization within the system. But today, there are still some legal constraints
preventing the entry of BYOD in the professional world. Actually, the fact is that BYOD
basically goes with a lack of control, and of course a lack of control embodies a real risk for
the company as we know. But most importantly, these risks represent also a legal breach. For
instance, it becomes more difficult to control the number of hours an employee is working
when he is using its own computer, as a result this employee may exceed its time of working,
and therefore in this context BYOD is a phenomenon leading to break the law.
We can set up the legacy model defining the best BYOD system: Employees used to work
with the equipment lent by the organization only for business purposes. Then, employees
were granted the right to work with their own devices (for instance webmail were the typical
tool used for both business and non-business purposes). As a consequence, they explicitly and
deliberately use personal assets (such as iPad or iPhone) to achieve business purposes. Then,
they were able to access customer records or a lot of other non-public files. But the problem is
that these files were potentially confidential or restricted to professional uses only. This is one
of the reason why this situation has been taken into consideration by some institutions in order
to implement a range of laws to separate privacy from professional world.
Finally, before getting into details, it is important to understand why rules have to be
implemented: this is a matter of different perception, different views as for an employee and
an enterprise. In fact, it is helpful to understand employees’ point of view towards the
perception of devices. Thus, this difference seen on the graph below explains the conflict
about the question of BYOD.
How do employee and enterprise products differ?
Enterprise Employee
Conservative Innovative
High cost Perceived low cost
Manageable Manageability? Why?
Enterprise scalability 1 user -> Global scale
Extend support Limited lifespan
High quality/robust Throw away
Security and compliance What’s security?
Gartner.

11. b. Institution’s preventions (NCIL mainly…)
In concrete terms, the judicial problems raised by BYOD which can be summed up by the
following questions: who should secure the devices? Can any organization impose the
installation of any software? Who is responsible for any intrusion? Who is the owner of those
professional data collected on this device? In order to fill out this judicial gap, the employer
has to provide a charter in which all these aspects are responded. This charter ensure
protection, control and determine the ownership of these data.
BYOD have to consider an investment in order to provide a system which is able to filter
the outgoing access of the employees since if they are dealing with illegal contents it is the
same issue whether they are using their own device or one of the company regarding the legal
aspect. We have to keep in mind that several rules have been established by the National
Commission on Informatics and Liberty (NCIL). This organization has a strong and powerful
influence on BYOD since it punishes the non-respect as well as the violation of private life
through informatics system. Indeed, using a personal computer with its personal files may
interfere to some extent with professional files because these personal files will be accessible
by the firm. That is the reason why it is highly recommended to pay attention to the way you
are using your own device in the professional area. As a consequence, the user will have to be
informed of any system being able to collect personal data.
The NCIL also grants an importance about geolocation. A structure has to take into
account that whatever informatics system they are using, they need to be secure in order not to
let their files accessible by others organizations.
c. Act of Nikon.
At the time BYOD is getting more and more importance, problems of responsibilities are
occurring. In order to react against these problems. On October 2001, the issue of Nikon’s
case led to recognize the right for all the employees to set a private place within the resources
of the company. This allowed employees to utilize their personal assets as part of their
working method.
Unfortunately, this case remained an exception but a solution was suggested to turn this
exception into a global one. The idea was to inverse this method: actually, the Freedom and
computer correspondent (FCC) introduced a new way of working outside the working place to
make it legal. It consists in creating within the private environment of the employee, a place
where he will be able to manage its professional work. As for the technical aspects, these files
must be duplicated within the company resources. Eventually, regarding the judicial aspects
to make this idea legal, first a hierarchic approval is required and then a validation from the
informatics department. According to the employee, he will have to sign a document of
utilization acceptance.
2) The alternatives.
a. COPE: Corporate Owned Personally Enabled
We have seen that BYOD could represent a “threat” for some organization but at the same
time it is a great opportunity for productivity and effectiveness. Consequently, other methods

12. need to be created not to lose efficiency and to avoid BYOD. One of this new practice is
called COPE (corporate owned personally enabled). What is COPE?
It is an IT business strategy which consists in providing to the employees computers or
any other devices coming from the company. COPE revolves around how much an
organization is able to provide informatics tools to its users. These devices are not limited: it
includes laptops, smartphone tablets… as a result, COPE is, by definition, the complete
opposite of BYOD. Of course, companies turning to the strategy of COPE detains the
ownership of the devices they lend to their employees. But this methods avoids the constraints
of mixing personal and professional data. Furthermore, the main asset remain the complete
control and monitor handled of the company. By reducing the risks coming with BYOD,
COPE seems to be a good solution because it also leaves the employee using its device for
personal activities. In such a way, there is no constraints regarding legal aspects since the
computer is owned and handled by the company. Therefore, whatever the employee is using
it, the company is able to monitor every process of these devices. On top of that, the employee
may buy the device which will be way less expensive than if we would have bought one by
itself since the company basically buy these devices less than retail price.
To conclude, COPE system benefits from the same flexibility than BYOD and even
presents advantages that cannot be find in other IS strategy. But of course, such a great system
necessarily goes with some constraints. The company must shoulder an important investment
which is the cost of all the devices provide to all the employees… Contrary to BYOD, it gives
no place to discrimination in the case where an employee is not able to afford one of the latest
smartphone or laptop. In that case, everybody is at the same level with devices provided by
the organization.
NB: A very similar system exists, it is called CYOD (choose your own device): the
employee choose and buy a device that he will be able to use for professional issues.
b. KNOX
The growth of mobility tends to push people to seek out solutions corresponding with
BYOD tendency. That is the reason why companies like Samsung are innovating by
developing new platforms conducting to security called KNOX. Samsung suggests a complete
security by incorporating an independent database within the smartphone.
Samsung KNOX allows an effective and constant management of several terminal
platforms and contents through EMM solutions (Enterprise Mobility Management) based on
the cloud computing system (it involves distributed computing over a network, where a
program or an application may run on many connected devices at the same time). This
includes an autonomous and practical use of the users. It paves the way to the access with a
simple click to all the professional applications with an additional support by “Active
Directory”.

13. c. To which extent does the BYOD should change to be totally integrated in the
professional area?
First, we have to keep in mind that BYOD is changing the way a structure is organized.
This new practice gives both more liberty and constraints by the same time. How can we
improve it?
 External factors: as we have seen above there are still some factors preventing BYOD
to spread itself in all companies. Laws mainly coming from NCIL are those trying to
limit the power of this system. Therefore, even if it remains highly recommended to
insist on security in order to avoid troubles, cyber authorities should give more
freedom to this emerging concept to facilitate industry life. On the one hand, there are
still some laws which are not really helpful for the security of documents but
considering as a real constraints for companies trying to adopt BYOD. As a
consequence, the external environment must accept the evolution of society by
delegating the power of choice to the enterprise itself and leaves it manage its way of
working rather than imposing strict rules against them.
 Internal factors: on the other hand, companies have the duty to make the effort to
consider this lack of security and find out a way to control and dissociate private and
professional life. This can come through the cloud computing system. Indeed, by
centralizing all the professional files on one unique platform, it is a way to monitor the
work done by the employees. Another alternative would be to impose the creation of
two sessions for people bringing their laptop: one session dealing with the professional
area and the other will contain the privacy of the employee. One session could be
monitor and then handled by the direction committee, besides, our technology today
leave us lock are sessions with security. To finish with, another technical solution
could be the MDM (Mobile Device Management). It is a way to resolve some
problems caused by BYOD since this software enables to manage a fleet of mobile
devices suggesting the following services: manage the applications, manage strategies,
manage security, reporting tools…

14. CONCLUSION
To conclude, we can assert that the innovative information system that is Bring Your
Own Device is not a new trend which will disappear but a real tendency that will keep on
increase and grow in the future, because it relies on information and communications
technologies. However several companies hesitate to implement it because this system raises
a lot of issues, regarding the legal aspect or the security of their data. And for employees, the
boundaries between professional and private life are blurred.
However, BYOD could integrate itself perfectly in the professional world, it
represents a major change in the management of information system and an organizational,
corporate challenge that enhance competitiveness, productivity if it has a proper framework
and structure.
Moreover, technologies are evolving quickly, that is the reason why we can forecast
that in the future BYOD will keep on develop and integrate new devices, such as wearable
devices, like smart-watches or the Google Glass which will come out early and enter the
professional world. Thereby, what are the new opportunities for users/employees and
challenges for companies that technological innovation in mobile devices can create, in order
to enhance productivity?

15. Today, BYOD is becoming an inescapable fact within organization but if we look forward,
since several years public and professional are using more and more cloud computing system
in their everyday life.
To sum up, in the future firms could implement cloud computing system like Samsung
Knox. Therefore, employees won’t bring their own devices to replace computers and devices
provide by their company but they will bring their own devices to use them with the company
devices, and create an Information System synergy gained by the use of both systems. Thus,
we can wonder, if cloud computing could be a solution in the future for BYOD. Since it
provides the advantages of BYOD and prevent some of its issues. Eventually, we can assert
that Bring Your Own Device has become a standard in today’s corporate world, because of
the opportunities that this trend offers and its future prospects.

16. Sources:
1/ Links:
1http://www.infodsi.com/articles/129050/mobiles-part-croissante-smartphones.html
Traffic and Market report, Ericsson, June 2012:
http://www.ericsson.com/res/docs/2012/traffic_and_market_report_june_2012.pdf
http://www.cnil.fr/es/english/
http://www.globalsecuritymag.fr/BYOD-ou-quand-l-exception-devient,20120201,28177.html
http://www.sans.org/reading-room/whitepapers/legal/legal-issues-corporate-bring-device-
programs-34060
http://business.financialpost.com/2014/02/03/beyond-byod-welcome-to-the-era-of-cope-
corporate-owned-personally-enabled-devices/?__lsa=8df1-c678
http://www.samsung.com/fr/business/solutions-services/mobile-solutions/security/samsung-
knox
http://www.it-news.fr/byod-letude-vmware-confirme-linteret-des-salaries-francais-a-cette-
pratique/
http://france.scc.com/news/communiques-de-presse/le-byod-vers-une-evolution-du-
phenomene?from=2
2/Book:
BYOD For You: The Guide to Bring Your Own Device to Work [Kindle Edition] Daniel J.
Lohrmann (Author).