Your search keyword '"Human-computer interaction in information security"' showing total 653 results

1. Deconstructing Cybersecurity: From Ontological Security to Ontological Insecurity

Author

Justin Joque and S. M. Taiabul Haque

Subjects

User authentication, Digital rights management, Computer science, 05 social sciences, 020207 software engineering, 02 engineering and technology, Computer security, computer.software_genre, Cyberwarfare, Ontological security, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, Relevance (law), 0501 psychology and cognitive sciences, Deconstruction, Complement (linguistics), computer, 050107 human factors

Abstract

This paper examines the philosophical aspects of cybersecurity through the lens of deconstruction, as proposed by the French philosopher Jacques Derrida. We offer deconstruction as an analytical orientation to better understand and challenge the very philosophical concepts a security system presupposes, arguing that not only are concrete systems necessarily insecure but that the concepts and structures through which their security is understood are also insecure. By centering our discourse on instability and contradictions, we demonstrate the relevance of deconstruction in cybersecurity through four concrete examples drawn from four different areas: digital rights management, cyberwar, software vulnerability, and user authentication. We further address the concept of ontological security to draw the boundaries between beneficial and detrimental uses of deconstruction. These insights complement other HCISec efforts to conceptualize cybersecurity as a holistic discipline that incorporates art and philosophy in addition to science and technology.

Published

2020

2. An analysis of security systems for electronic information for establishing secure internet of things environments: Focusing on research trends in the security field in South Korea

Author

Seungwan Hong, Sangho Park, Hangbae Chang, Minseo Jeon, and Lee Won Park

Subjects

Computer Networks and Communications, Computer science, Standard of Good Practice, 02 engineering and technology, Computer security, computer.software_genre, Asset (computer security), Security testing, Security information and event management, Threat, Information security audit, Security association, Information security management, 0202 electrical engineering, electronic engineering, information engineering, Security management, Cloud computing security, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Security service, Hardware and Architecture, Information security standards, Human-computer interaction in information security, Security through obscurity, Security convergence, Network security policy, 020201 artificial intelligence & image processing, The Internet, business, computer, Software

Abstract

In the Internet of Things (IoT) era, a variety of devices that accumulate a range of data and electronic information are connected to the internet. This information is intelligently processed to create new services. As a result, the range of security risks is expanded, and the risk of compromise of electronic information is increasing. To combat this risk, research and investments in electronic information security technology is steadily increasing, and various security systems are being steadily developed. However, since electronic information security technology suitable for the IoT environment is not classified, many security systems perform redundant functions. The use of redundant security systems not only wastes costs in terms of security management, but also inefficiently performs security operations.

Published

2018

3. Taxonomy of mobile users' security awareness

Author

Asaf Shabtai, Lior Sidi, Ron Bitton, Andrey Finkelshtein, Rami Puzis, and Lior Rokach

Subjects

General Computer Science, Computer science, Internet privacy, Vulnerability, Covert channel, 02 engineering and technology, Asset (computer security), Computer security, computer.software_genre, Security testing, Security information and event management, Security engineering, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Cloud computing security, business.industry, Social engineering (security), Information security, Computer security model, Security awareness, Information sensitivity, Security service, Human-computer interaction in information security, Security through obscurity, 020201 artificial intelligence & image processing, business, Law, Mobile device, computer, Countermeasure (computer)

Abstract

The popularity of smartphones, coupled with the amount of valuable and private information they hold, make them attractive to attackers interested in exploiting the devices to harvest sensitive information. Exploiting human vulnerabilities (i.e., social engineering) is an approach widely used to achieve this goal. Improving the security awareness of users is an effective method for mitigating social engineering attacks. However, while in the domain of personal computers (PCs) the security awareness of users is relatively high, previous studies have shown that for the mobile platform, the security awareness level is significantly lower. The skills required from a mobile user to interact safely with his/her smartphone are different from those that are required for safe and responsible PC use. Therefore, the awareness of mobile users to security risks is an important aspect of information security. An essential and challenging requirement of assessing security awareness is the definition of measureable criteria for a security aware user. In this paper, we present a hierarchical taxonomy for security awareness, specifically designed for mobile device users. The taxonomy defines a set of measurable criteria that are categorized according to different technological focus areas (e.g., applications and browsing) and within the context of psychological dimensions (e.g., knowledge, attitude, and behavior). We demonstrate the applicability of the proposed taxonomy by introducing an expert-based procedure for deriving mobile security awareness models for different attack classes (each class is an aggregation of social engineering attacks that exploit a similar set of human vulnerabilities). Each model reflects the contribution (weight) of each criterion to the mitigation of the corresponding attack class. Application of the proposed procedure, based on the input of 17 security experts, to derive mobile security awareness models of four different attack classes, confirms that the skills required from a smartphone user to mitigate an attack are different for different attack classes.

Published

2018

4. Mobile Phone Usage Patterns, Security Concerns, and Security Practices of Digital Generation

Author

Sonya Zhang and Saree Costa

Subjects

Cloud computing security, business.industry, Computer science, 05 social sciences, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Security awareness, Computer security, computer.software_genre, Security information and event management, Human-Computer Interaction, Security engineering, Security service, Mobile phone, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 0501 psychology and cognitive sciences, business, computer, 050107 human factors, Vulnerability (computing)

Abstract

As the digital generations have grown up with high-tech gadgets and become avid users of mobile phones and apps, they are also exposed to increasing mobile security threats and vulnerability. In this paper the authors discuss the impact of recent mobile technology advancements on mobile threat environment and mobile security practices. They also conducted a survey to 262 college students to examine their mobile phone usage patterns, security concerns and practices. The results show that students use their mobile phone frequently for various productivity and entertainment purposes. They are generally aware of and concerned about mobile security, not only on losing the phone physically but also on data theft, web threat, and mobile malware. Students also practice security to some extend - most change PIN and passwords regularly, download their apps mostly from official app stores, and generally keep their OS and apps up-to-date. The authors also found significant correlations between mobile security practices and personal attributes, including major, gender, and technology aptitude.

Published

2018

5. A survey on the usability and practical applications of Graphical Security Models

Author

Chun-Jen Chung, Dong Seong Kim, Dijiang Huang, and Jin B. Hong

Subjects

021110 strategic, defence & security studies, Security analysis, General Computer Science, Computational complexity theory, business.industry, Computer science, Distributed computing, 0211 other engineering and technologies, 020206 networking & telecommunications, Cloud computing, Usability, 02 engineering and technology, Computer security model, Network topology, Theoretical Computer Science, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, business, Representation (mathematics), Software engineering

Abstract

This paper presents and discusses the current state of Graphical Security Models (GrSM), in terms of four GrSM phases: (i) generation, (ii) representation, (iii) evaluation, and (iv) modification. Although many studies focused on improving the usability, efficiency, and functionality of GrSMs (e.g., by using various model types and evaluation techniques), the networked system is evolving with many hosts and frequently changing topologies (e.g., Cloud, SDN, IoT etc.). To investigate the usability of GrSMs, this survey summarizes the characteristics of past research studies in terms of their development and computational complexity analysis, and specify their applications in terms of security metrics, availability of tools and their applicable domains. We also discuss the practical issues of modeling security, differences of GrSMs and their usability for future networks that are large and dynamic.

Published

2017

6. Security assurance assessment methodology for hybrid clouds

Author

Edgar Weippl, Paul Smith, and Aleksandar Hudic

Subjects

General Computer Science, Computer science, Standard of Good Practice, Services computing, Cloud computing, 02 engineering and technology, Asset (computer security), Computer security, computer.software_genre, Security testing, Security information and event management, Threat, Security engineering, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Human resources, Cloud computing security, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Security service, Software security assurance, Information security standards, Information and Communications Technology, Human-computer interaction in information security, Security through obscurity, business, Law, computer

Abstract

The emergence of the cloud computing paradigm has altered the delivery models for ICT services. Unfortunately, the widespread use of the cloud has a cost, in terms of reduced transparency and control over a user's information and services. In addition, there are a number of well-understood security and privacy challenges that are specific to this environment. These drawbacks are particularly problematic to operators of critical information infrastructures that want to leverage the benefits of cloud. To improve transparency and provide assurances that measures are in place to ensure security, novel approaches to security evaluation are needed. To evaluate the security of services that are deployed in the cloud requires an evaluation of complex multi-layered systems and services, including their interdependencies. This is a challenging task that involves significant effort, in terms of both computational and human resources. With these challenges in mind, we propose a novel security assessment methodology for analysing the security of critical services that are deployed in cloud environments. Our methodology offers flexibility, in that tailored policy-driven security assessments can be defined based on a user's requirements, relevant standards, policies, and guidelines. We have implemented and evaluated a system that supports online assessments using our methodology, which acquires and processes large volumes of security-related data without affecting the performance of the services in a cloud environment.

Published

2017

7. 'Security begins at home': Determinants of home computer and mobile device security behavior

Author

Nik Thompson, Xuequn Wang, and Tanya McGill

Subjects

Cloud computing security, General Computer Science, Computer science, business.industry, 05 social sciences, Internet privacy, 02 engineering and technology, Information security, Computer security model, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Threat, Security engineering, 020204 information systems, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Security through obscurity, Human-computer interaction in information security, 050211 marketing, business, Law, computer, Mobile device

Abstract

Personal computing users are vulnerable to information security threats, as they must independently make decisions about how to protect themselves, often with little understanding of technology or its implications. However, personal computing users are under-represented in security research studies, especially for mobile device use. The study described in this paper addresses this research gap by evaluating data from 629 home computer and mobile device users to improve understanding of security behavior in both contexts. The research model extends protection motivation theory by including the roles of social influences and psychological ownership, and by including actual behavior. The model was separately tested with home computer users and mobile device users and data reveals that some of the determinants of security behavior differ between home computer and mobile device use. The results show that perceived vulnerability, self-efficacy, response cost, descriptive norm and psychological ownership all influenced personal computing security intentions and behavior for both home computer users and mobile device users. However, perceived severity was only found to play a role in mobile device security behavior and neither response efficacy nor subjective norm influenced security intentions for either type of user. These findings are discussed in terms of their practical and research implications as well as generating new research opportunities into personal computing security.

Published

2017

8. Old risks, new challenges: exploring differences in security between home computer and mobile device use

Author

Tanya McGill and Nik Thompson

Subjects

Cloud computing security, business.industry, 05 social sciences, Internet privacy, General Social Sciences, 02 engineering and technology, Information security, Asset (computer security), Computer security, computer.software_genre, Security information and event management, Threat, Human-Computer Interaction, Arts and Humanities (miscellaneous), Information security management, 020204 information systems, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Developmental and Educational Psychology, Human-computer interaction in information security, 050211 marketing, Business, Mobile device, computer

Abstract

Home users are particularly vulnerable to information security threats as they must make decisions about how to protect themselves, often with little knowledge of the technology. Furthermore, information for home users tends to focus on the traditional PC and may downplay threats faced on mobile devices, transforming well-known and old risks into new challenges for information security. To address the need for more behavioural information security research that focusses on mobile devices, this paper reports on the first large-scale study comparing security perceptions and behaviours on home computer and mobile devices. Data from 629 users revealed that in addition to differences in information security behaviour, the following security-related perceptions all differ significantly between home computer and mobile device use: perceived severity, security self-efficacy, response efficacy, response cost, descriptive norm, psychological ownership and intention to perform security behaviours. In each case, the direction of the difference was such that mobile devices were more likely to be at risk than a home computer. The practical implications of these differences are discussed.

Published

2017

9. Factors in an end user security expertise instrument

Author

Prashanth Rajivan, Pablo Moriano, Timothy Kelley, and L. Jean Camp

Subjects

Information Systems and Management, Knowledge management, Operationalization, Computer Networks and Communications, business.industry, Computer science, End user, 02 engineering and technology, Security information and event management, Management Information Systems, Security engineering, Cognitive dimensions of notations, Information security audit, 020204 information systems, Management of Technology and Innovation, Computer literacy, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 020201 artificial intelligence & image processing, business, Software, Information Systems

Abstract

Purpose The purpose of this study is to identify factors that determine computer and security expertise in end users. They can be significant determinants of human behaviour and interactions in the security and privacy context. Standardized, externally valid instruments for measuring end-user security expertise are non-existent. Design/methodology/approach A questionnaire encompassing skills and knowledge-based questions was developed to identify critical factors that constitute expertise in end users. Exploratory factor analysis was applied on the results from 898 participants from a wide range of populations. Cluster analysis was applied to characterize the relationship between computer and security expertise. Ordered logistic regression models were applied to measure efficacy of the proposed security and computing factors in predicting user comprehension of security concepts: phishing and certificates. Findings There are levels to peoples’ computer and security expertise that could be reasonably measured and operationalized. Four factors that constitute computer security-related skills and knowledge are, namely, basic computer skills, advanced computer skills, security knowledge and advanced security skills, and these are identified as determinants of computer expertise. Practical implications Findings from this work can be used to guide the design of security interfaces such that it caters to people with different expertise levels and does not force users to exercise more cognitive processes than required. Originality/value This work identified four factors that constitute security expertise in end users. Findings from this work were integrated to propose a framework called Security SRK for guiding further research on security expertise. This work posits that security expertise instrument for end user should measure three cognitive dimensions: security skills, rules and knowledge.

Published

2017

10. Balancing Security and Usability in Encrypted Email

Author

Wei Bai, Doowon Kim, Michelle L. Mazurek, Yichen Qian, Patrick Gage Kelley, and Moses Namara

Subjects

021110 strategic, defence & security studies, Cloud computing security, Computer Networks and Communications, business.industry, Computer science, Internet privacy, 0211 other engineering and technologies, Data security, Client-side encryption, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Encryption, Internet security, Email encryption, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 020201 artificial intelligence & image processing, business, computer

Abstract

End-to-end encryption is the best way to protect digital messages. Historically, end-to-end encryption has been extremely difficult for people to use, but recent tools have made it more broadly accessible, largely by employing key-directory services. These services sacrifice some security properties for convenience. The authors wanted to understand how average users think about these tradeoffs. They conducted a 52-person user study and found that participants could learn to understand properties of different encryption models. Users also made coherent assessments about when different tradeoffs might be appropriate. Participants recognized that the less-convenient exchange model was more secure overall, but considered the registration model's security sufficient for most everyday purposes.

Published

2017

11. A framework for automating security analysis of the internet of things

Author

Walter Guttmann, Dong Seong Kim, Jin B. Hong, and Mengmeng Ge

Subjects

Computer Networks and Communications, Computer science, Sherwood Applied Business Security Architecture, 02 engineering and technology, Internet security, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Security association, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Cloud computing security, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Computer Science Applications, Security service, Hardware and Architecture, Software security assurance, Security through obscurity, Human-computer interaction in information security, Network security policy, 020201 artificial intelligence & image processing, business, computer

Abstract

The Internet of Things (IoT) is enabling innovative applications in various domains. Due to its heterogeneous and wide-scale structure, it introduces many new security issues. To address this problem, we propose a framework for modeling and assessing the security of the IoT and provide a formal definition of the framework. Generally, the framework consists of five phases: (1) data processing, (2) security model generation, (3) security visualization, (4) security analysis, and (5) model updates. Using the framework, we can find potential attack scenarios in the IoT, analyze the security of the IoT through well-defined security metrics, and assess the effectiveness of different defense strategies. The framework is evaluated via three scenarios, which are the smart home, wearable healthcare monitoring and environment monitoring scenarios. We use the analysis results to show the capabilities of the proposed framework for finding potential attack paths and mitigating the impact of attacks.

Published

2017

12. A model for evaluating the security and usability of e-banking platforms

Author

Mansour Alsaleh, Abdulrahman Alarifi, and Noura Alomar

Subjects

Numerical Analysis, Cognitive walkthrough, Computer science, business.industry, Usability inspection, 020207 software engineering, Usability, 02 engineering and technology, Computer security, computer.software_genre, Data science, Computer Science Applications, Theoretical Computer Science, Computational Mathematics, Usability goals, Computational Theory and Mathematics, 020204 information systems, Heuristic evaluation, Usability engineering, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, business, computer, Web usability, Software

Abstract

Convenience and the ability to perform advanced transactions encourage banks clients to use e-banking systems. As security and usability are two growing concerns for e-banking users, banks have invested heavily in improving their web portals security and user experience and trust in them. Despite considerable efforts to evaluate particular security and usability features in e-banking systems, a dedicated security and usability evaluation model that can be used as a guide in the development of e-banking assets remains much less explored. To build a comprehensive security and usability evaluation framework, we first extract security and usability evaluation metrics from the conducted literature review and then include several other evaluation metrics that were not previously identified in the literature. We then propose a structured inspection model for thoroughly evaluating the usability and security of internal and external e-banking assets. We argue that the proposed e-banking security and usability evaluation frameworks in the literature in addition to the existing standards of security best practices (e.g., NIST and ISO) are by no means comprehensive and lack some essential and key evaluation metrics that are of particular interest to e-banking portals. In order to demonstrate the inadequacy of existing models, we use the proposed framework to evaluate five major banks. The evaluation reveals several shortcomings in identifying both missing or incorrectly implemented security and privacy features. Our goal is to encourage other researchers to build upon our work.

Published

2017

13. Security knowledge representation artifacts for creating secure IT systems

Author

Antonio Maña, Carsten Rudolph, Jose Fran. Ruiz, Marcos Arjona, and Publica

Subjects

General Computer Science, Knowledge representation and reasoning, Computer science, 02 engineering and technology, Asset (computer security), Computer security, computer.software_genre, Security testing, Security information and event management, Security engineering, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Cloud computing security, business.industry, Information technology, 020207 software engineering, Computer security model, Web application security, Security service, Information security standards, Software security assurance, Human-computer interaction in information security, Security through obscurity, Web service, business, Law, computer

Abstract

The creation of secure applications is more than ever a complex task because it requires from system engineers increasing levels of knowledge in security requirements, design and implementation. In fact, the fast increasing size and volatility of this knowledge has reached a point in which it is unrealistic to expect that system engineers can keep up to date with it. The most prominent paradigm for addressing this problem is the use of security patterns to communicate security knowledge from experts to system designers. This, and other security artifacts, have proved their utility and benefits in the past years, improving the way security is taken into account by system engineers and developers. On the other hand, these artifacts have some limitations that have prevented them from becoming more widespread. In particular, security patterns are human-oriented and as such heavily based on natural language, which implies intrinsic high degrees of imprecision and ambiguity. In our opinion, we need to make the move from purely human oriented artifacts to hybrid artifacts that convey information for both humans (engineers and designers) and computer tools (engineering and development environments). Therefore, we have created a new security knowledge representation artifact that aims to cover the needs of system engineers and help them not only in applying a solution, but also in understanding the security aspects of a given domain as a highly-related set of security concepts (e.g. properties, requirements, solutions, etc.). This artifact, called Domain Security Metamodel (DSM), is, as its name suggests, domain-specific and contains information about all security aspects that are relevant in a specific domain (e.g. embedded systems, web services, etc.). The DSM contains security solutions that implement the security properties of the specific domains. That way, when users apply them into their system models the solutions for development time can be integrated directly and naturally. In order to describe our approach in a useful way we use a running example based on the Web Service Security (WS-Security) specification.

Published

2017

14. Practical Evaluation of Internet Systems' Security Mechanisms

Author

Paweł Lubomski, Tomasz Wierzbowski, and Henryk Krawczyk

Subjects

Computer Networks and Communications, Network security, Computer science, computer.internet_protocol, 0211 other engineering and technologies, Vulnerability, Access control, 02 engineering and technology, Computer security, computer.software_genre, Internet security, Security testing, Security information and event management, Security association, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Context awareness, Electrical and Electronic Engineering, 021110 strategic, defence & security studies, Authentication, Cloud computing security, business.industry, Information security, Computer security model, Web application security, Security service, Network Access Control, IPsec, Security through obscurity, Security convergence, Human-computer interaction in information security, Network security policy, The Internet, business, Law, computer

Abstract

A proposed Internet systems security layer with context-oriented security mechanisms reduces the risk associated with possible vulnerabilities. A metric of the system trust level is proposed, and then evaluated according to a university Internet system.

Published

2017

15. Trading off usability and security in user interface design through mental models

Author

Josh Dehlinger, Joyram Chakraborty, and Mona A. Mohamed

Subjects

Engineering, Knowledge management, Cognitive walkthrough, Pluralistic walkthrough, business.industry, 05 social sciences, General Social Sciences, Usability, 02 engineering and technology, Human-Computer Interaction, Usability goals, Arts and Humanities (miscellaneous), Human–computer interaction, 020204 information systems, Heuristic evaluation, 0502 economics and business, Usability engineering, 0202 electrical engineering, electronic engineering, information engineering, Developmental and Educational Psychology, Human-computer interaction in information security, business, Web usability, 050203 business & management

Abstract

The aim of this paper is to establish the foundations for developing a mental model that bridges the gap between usability and security in user-centred designs. To this purpose, a meta-model has been developed to align design features with the users’ requirements through tacit knowledge elicitation. The meta-model describes the combinatorial relationships of Security, Usability and Mental SUM and how these components can be used to design a usable and secure system. The SUM meta-model led to the conclusion that there is no antagonism between usability and security. However, the degree of usable security depends on the ability of the designer to capture and implement the user’s tacit knowledge. In fact, the SUM meta-model seeks the dilution of the trading-off effects between security and usability through compensating synergism of the tacit knowledge. A usability security cognitive map has been developed for the major constituents of usability and security to clarify the interactions and their influences on the meta-model stipulations. The three intersecting areas of the three components’ relationships are manipulated to expand the Optimal Equilibrium Solution OES δ expanse. To put the SUM meta-model into practice, knowledge management principles have been proposed for implementing user-centred security and user-centred design. This is accomplished by using collaborative brainpower from various knowledge constellations to design a system within the user’s current and future perception boundaries. Therefore, different knowledge groups, processes, techniques, tactics and practices have been proposed for knowledge transfer and transformation during the mental model development.

Published

2016

16. The usability of security – revisited

Author

Steven Furnell

Subjects

Cloud computing security, General Computer Science, business.industry, Computer science, Internet privacy, Target audience, 020206 networking & telecommunications, Usability, 02 engineering and technology, Computer security, computer.software_genre, USable, Security testing, Security information and event management, 0202 electrical engineering, electronic engineering, information engineering, Security through obscurity, Human-computer interaction in information security, 020201 artificial intelligence & image processing, business, Law, computer

Abstract

One of the long-standing challenges around security technology has been to ensure it is provided in a manner that is usable for the target audience. Usability in this context encompasses several underlying factors, including the need to be understandable for users and to avoid being unnecessarily intrusive or introduce undue performance overheads, while at the same time enabling the desired security tasks to be performed effectively. One of the long-standing challenges around security technology has been to ensure it is provided in a manner that is usable for the target audience. Unfortunately, this theory has often failed to match up with how security is presented in practice, with the result that users find it difficult to get along with security features, end up making mistakes or sometimes decide not to bother with security at all. Steven Furnell of the University of Plymouth examines the attention that usability receives within current systems and draws some comparisons to earlier assessments to see if things have changed.

Published

2016

17. Debunking Security-Usability Tradeoff Myths

Author

Cormac Herley, Matthew Smith, M. Angela Sasse, Heather Richter Lipford, Kami Vaniea, and Publica

Subjects

Computer Networks and Communications, Computer science, business.industry, Usability, 02 engineering and technology, Mythology, Computer security model, World Wide Web, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, business, Law

Abstract

Guest editors M. Angela Sasse and Matthew Smith discuss the origins of the security-usability tradeoff myth with leading academic experts Heather Lipford and Kami Vaniea and industry expert Cormac Herley.

Published

2016

18. Barriers to Usable Security? Three Organizational Case Studies

Author

Deanna D. Caputo, M. Angela Sasse, Lin Deng, Shari Lawrence Pfleeger, Paul Ammann, and Jeff Offutt

Subjects

Critical security studies, Process management, Cloud computing security, Computer Networks and Communications, Computer science, 020207 software engineering, 0102 computer and information sciences, 02 engineering and technology, Information security, Computer security model, Computer security, computer.software_genre, USable, 01 natural sciences, Security information and event management, Security engineering, Security service, 010201 computation theory & mathematics, Software security assurance, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, Security through obscurity, Electrical and Electronic Engineering, Law, computer

Abstract

Usable security assumes that when security functions are more usable, people are more likely to use them, leading to an improvement in overall security. Existing software design and engineering processes provide little guidance for leveraging this in the development of applications. Three case studies explore organizational attempts to provide usable security products.

Published

2016

19. Neural Markers of Cybersecurity: An fMRI Study of Phishing and Malware Warnings

Author

Nitesh Saxena, Jose O. Maximo, Rajesh K. Kana, and Ajaya Neupane

Subjects

Computer Networks and Communications, business.industry, Computer science, 05 social sciences, Web application security, Computer security, computer.software_genre, Internet security, Security information and event management, Phishing, Logical security, 050105 experimental psychology, Electronic mail, Cybercrime, 03 medical and health sciences, 0302 clinical medicine, Human-computer interaction in information security, Malware, 0501 psychology and cognitive sciences, Safety, Risk, Reliability and Quality, business, computer, 030217 neurology & neurosurgery

Abstract

The security of computer systems often relies upon decisions and actions of end users. In this paper, we set out to investigate users’ susceptibility to cybercriminal attacks by concentrating at the most fundamental component governing user behavior—the human brain. We introduce a novel neuroscience-based study methodology to inform the design of user-centered security systems as it relates to cybercrime. In particular, we report on an functional magnetic resonance imaging study measuring users’ security performance and underlying neural activity with respect to two critical security tasks: 1) distinguishing between a legitimate and a phishing website and 2) heeding security (malware) warnings. We identify the neural markers that might be controlling users’ performance in these tasks, and establish relationships between brain activity and behavioral performance as well as between users’ personality traits and security behavior. Our results provide a largely positive perspective on users’ capability and performance vis-a-vis these crucial security tasks. First, we show that users exhibit significant brain activity in key regions associated with decision-making, attention, and problem-solving (phishing and malware warnings) as well as language comprehension and reading (malware warnings), which means that users are actively engaged in these security tasks. Second, we demonstrate that certain individual traits, such as impulsivity measured via an established questionnaire, are associated with a significant negative effect on brain activation in these tasks. Third, we discover a high degree of correlation in brain activity (in decision-making regions) across phishing detection and malware warnings tasks, which implies that users’ behavior in one task may potentially be predicted by their behavior in the other. Fourth, we discover high functional connectivity among the core regions of the brain, while users performed the phishing detection task. Finally, we discuss the broader impacts and implications of our work on the field of user-centered security, including the domain of security education, targeted security training, and security screening.

Published

2016

20. The pathway to security – mitigating user negligence

Author

Sarah Elizabeth Kennedy

Subjects

021110 strategic, defence & security studies, Engineering, Information Systems and Management, Certified Information Security Manager, Computer Networks and Communications, business.industry, 0211 other engineering and technologies, 02 engineering and technology, Information security, Asset (computer security), Computer security, computer.software_genre, Security information and event management, Management Information Systems, Security service, Information security management, Information security standards, 020204 information systems, Management of Technology and Innovation, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, business, computer, Software, Information Systems

Abstract

PurposeThrough the use of effective training techniques and exercises, employees and users can be educated on how to make safe information security decisions. It is critical to the success of a total information security program that users are trained properly as they are a major layer of defense against malicious intent. The current methods of training people about information security are failing, and the number of user-related breaches increases every year.Design/methodology/approachBy researching and observing current methods and comparing other fields of study, this paper describes the best methodology for modifying user behavior as it pertains to information security.FindingsThrough effective training practices, user negligence can be mitigated and controlled, and the information security program can be better practiced throughout entire organizations.Originality/valueBy using an effective training method to teach employees about information security, employees become an invaluable part of a company’s overall information security strategy. By using this method, employees are no longer the weak link in information security.

Published

2016

21. Cognitive security: securing the burgeoning landscape of mobile networks

Author

Y. Thomas Hou, Wenjing Lou, Yuichi Kawamoto, Yao Zheng, and Assad Moini

Subjects

Cloud computing security, Computer Networks and Communications, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Logical security, Security information and event management, Security engineering, Security service, Hardware and Architecture, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, computer, Software, Physical security, Information Systems

Abstract

The rapid proliferation of personal wearable as well as embedded devices point to the emergence of networks of unprecedented size and complexity in the near future. Unfortunately, traditional network security solutions fall short of addressing the unique security requirements of the emerging environment given their general emphasis on administratively managed, preconfigured security context and strong physical security mechanisms. To cope with the security challenges of this emerging environment, novel cognitive-inspired security architectures have been proposed that emphasize dynamic, autonomous trust management. Cognitive security systems take advantage of sensing and computing capabilities of smart devices to analyze raw sensor data and apply machine learning techniques to make security decisions. In this article, we present a canonical representation of cognitive security architectures and examine the practicality of using these architectures to address the security challenges of rapidly growing networks of mobile/embedded autonomous devices including the ability to identify threats simply based on symptoms, without necessarily understanding attack methods. Using authentication as the main focus, we introduce our canonical representation and define various categories of contextual information commonly used by cognitive security architectures to handle authentication requirements, and highlight key advantages and disadvantages of each category. We then examine three grand challenges facing the cognitive security research including the tension between automation and security, the unintended consequences of using machine learning techniques as a basis for making security decisions, and the revocation problem in the context of cognitive security. We conclude by offering some insight into solution approaches to these challenges.

Published

2016

22. Usability and Security in User Interface Design: A Systematic Literature Review

Author

Babak Bashari Rad, Beverly Amunga Onyimbo, and Ugochi Oluwatosin Nwokedi

Subjects

Pluralistic walkthrough, Computer science, business.industry, Usability inspection, 020207 software engineering, Usability, 02 engineering and technology, World Wide Web, Usability lab, 020204 information systems, Heuristic evaluation, Usability engineering, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, business, Web usability

Abstract

Systems carry sensitive data where users are involved. There is need for security concern for the modern software applications. We can term them as „untrusted clients‟. Internet usage has rapidly grown over the years and, more users are opening their information system to their clientele, it is essential to understand users‟ data that need protecting and to control system access as well and the rights of users of the system. Because of today's increasingly nomadic lifestyle, where they allow users to connect to information systems from anywhere with all the devices in the market, the users need to carry part of the information system out of the secure infrastructure. Insecurity in user interfaces is caused by user ignoring functionalities in the system where some are not only a threat but can harm the system e.g. leaving network services active even though the user does not need them, or when a user is having little or no information of the available security measures. This research paper aims critically address through a review of existing literature, the importance of balance or trade-off between usability and the security of the system. Systematic review method involved a physical exploration of some conference proceedings and journals to conduct the literature review. Research questions relating to usability and security were asked and the criteria for usability and security evaluations were identified. This systematic literature review is valuable in closing the gap between usability and security in software development process, where usability and security engineering needs to be considered for a better quality end-user software.

Published

2016

23. Defining the e-learner’s security profile: Towards awareness improvement

Author

Danijela Milosevic and Marjan Milosevic

Subjects

021110 strategic, defence & security studies, Engineering, Multidisciplinary, User profile, Process management, Knowledge management, business.industry, E-learning (theory), 0211 other engineering and technologies, Continuous delivery, 020206 networking & telecommunications, 02 engineering and technology, Information security, Security awareness, ComputingMilieux_COMPUTERSANDEDUCATION, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Human-computer interaction in information security, Architecture, business

Abstract

The paper presents an improved e-learner model that supports monitoring of user behavior related to information security. The model is built upon standardized IMS specification, according to literature research and survey conducted among e-learners. It is positioned as key part of an extended LTSA architecture in which the learner data is used to improve learner security position by continuous delivery of important information and adapting security mechanisms. The implementation is considered in Moodle LMS.

Published

2016

24. Matchmaking semantic security policies in heterogeneous clouds

Author

Orazio Tomarchio, Giuseppe Di Modica, Di Modica G, and Tomarchio O

Subjects

Computer Networks and Communications, Computer science, Interoperability, Cloud computing, 02 engineering and technology, Security policy, Computer security, computer.software_genre, Logical security, Security information and event management, World Wide Web, Security engineering, 0202 electrical engineering, electronic engineering, information engineering, semantics, Cloud computing security, Ontology, business.industry, security policie, cloud computing, 020206 networking & telecommunications, Computer security model, security policies, Security service, Hardware and Architecture, Information security standards, Software security assurance, semantic, Security through obscurity, Human-computer interaction in information security, Semantic technology, Network security policy, 020201 artificial intelligence & image processing, business, computer, Software

Abstract

The adoption of the cloud paradigm to access IT resources and services has posed many security issues which need to be cared of. Security becomes even a much bigger concern when services built on top of many commercial clouds have to interoperate. Among others, the value of the service delivered to end customers is strongly affected by the security of network which providers are able to build in typical SOA contexts. Currently, every provider advertises its own security strategy by means of proprietary policies, which are sometimes ambiguous and very often address the security problem from a non-uniform perspective. Even policies expressed in standardized languages do not appear to fit a dynamic scenario like the SOA's, where services need to be sought and composed on the fly in a way that is compatible with the end-to-end security requirements. We then propose an approach that leverages on the semantic technology to enrich standardized security policies with an ad-hoc content. The semantic annotation of policies enables machine reasoning which is then used for both the discovery and the composition of security-enabled services. In the presented approach the semantic enrichment of policies is enforced by an automatic procedure. We further developed a semantic framework capable of matchmaking in a smart way security capabilities of providers and security requirements of customers, and tested it on a use case scenario. Semantic matchmaking of security policies in cloud environments.Security ontology for modeling security concepts.Automatic semantic annotation of WS-SecurityPolicy policies.

Published

2016

25. Game theoretical analysis of usable security and privacy

Author

Rendhir R. Prasad, Ciza Thomas, and Cynara Justine

Subjects

Mobile security, Computer science, business.industry, Human-computer interaction in information security, Usability, Usable privacy, Computer security, computer.software_genre, business, USable, computer, Game theory

Published

2018

26. Paradoxes in information security

Author

Jukka Vuorinen and Pekka Tetri

Subjects

ta113, Computer science, Strategy and Management, 02 engineering and technology, Information security, Asset (computer security), Computer security, computer.software_genre, Security information and event management, Education, Security service, Information security management, Information security standards, 020204 information systems, ta5141, 0202 electrical engineering, electronic engineering, information engineering, Security convergence, Human-computer interaction in information security, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, computer

Abstract

In this article, we approach information security from a novel perspective as we examine its unintended ramifications and its paradoxes. Information security and cybersecurity are necessities of modern societies. Simply put, services that are based on information and communication technologies would not function without information security. Thus, information security can easily tend to be thought of in only positive terms, as it ensures and facilitates our way of life.

Published

2016

27. Lesson Learned: Security is Inevitable

Author

Charles P. Pfleeger

Subjects

Cloud computing security, Computer Networks and Communications, Computer science, business.industry, Internet privacy, Cloud computing, Information security, Computer security model, Asset (computer security), Computer security, computer.software_genre, Logical security, Security information and event management, Security engineering, Security service, Software security assurance, Security through obscurity, Human-computer interaction in information security, The Internet, Electrical and Electronic Engineering, business, Law, computer

Abstract

The history of computing shows simple ideas that caught on: personal computers, the Internet, cloud computing, and smartphones were timely inventions that became successful, sometimes beyond the expectations of their original designers and developers. But ideas that work for one mode of use sometimes show serious limitations in other environments. Creators must anticipate unintended uses, even though predicting change is difficult. Designers must document expectations and limitations of products so that adapters will know when an expanded use threatens security. And developers must accept responsibility for the security of their products. The relatively small group of security professionals can no longer be assumed responsible for anticipating and countering all security threats.

Published

2015

28. Exploring the relationship between student mobile information security awareness and behavioural intent

Author

Bukelwa Ngoqo and Stephen Flowerday

Subjects

User information, Information Systems and Management, Knowledge management, Computer Networks and Communications, business.industry, Applied psychology, Psychological intervention, Information security, Security awareness, Management Information Systems, Mobile phone, Management of Technology and Innovation, Human-computer interaction in information security, Information security awareness, Action research, Psychology, business, Software, Information Systems

Abstract

Purpose – The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa. Design/methodology/approach – Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle. Findings – The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practises. Originality/value – Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges Choi et al. (2008) contribution in their discussions on the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Published

2015

29. Information Security Behaviour Profiling Framework (ISBPF) for student mobile phone users

Author

Bukelwa Ngoqo and Stephen Flowerday

Subjects

Cloud computing security, General Computer Science, Computer science, business.industry, Internet privacy, Information security, Computer security, computer.software_genre, Security awareness, Security information and event management, Information security management, Mobile phone, Human-computer interaction in information security, Information security awareness, The Internet, business, Law, computer

Abstract

The mobile phone has become a necessity for many students; however it also exposes them to security threats that may result in a loss of information. In developing countries, large numbers of students are at a disadvantage because they have limited access to information relating to information security threats, unlike their counterparts in more developed societies who can readily access this information from sources such as the Internet. In addition, the developmental environment is plagued with challenges like access to the Internet and limited access to computers.The poor security behaviour exhibited by student users of mobile phones, which was confirmed by the findings of this study, is of particular interest in the context of the university in this study as most undergraduate students are offered a computer-related course which covers certain information security-related principles. This study addressed the problem of low information security awareness levels among student mobile phone users with the objective of levering security awareness as a way of stimulating safer security behaviours among mobile phone users. The resulting changes in awareness were then juxtaposed against behavioural intent changes in the proposed Information Security Behaviour Profiling Framework. Action research was selected as the appropriate methodology for this study, which saw mobile phone users exposed to various awareness campaigns with their behaviour observed before and after these interventions. This paper proposes a framework which can be used to forecast the information security behaviour profiles of student mobile phone users.The findings of this study uncover a possible link between information security awareness and information security behavioural intention, which translates into the security behaviour profiles exhibited by mobile phone users. By using the proposed framework to examine the association between information security awareness and mobile phone user security behavioural intent, this paper proposes a new method for tracking and categorising student mobile phone user security behavioural profiles. While the level of student information security awareness and behavioural intent were measured, no comparison was made between the awareness interventions implemented as part of this action research study.

Published

2015

30. Collaborative Security

Author

Guozhu Meng, Yang Liu, Raouf Boutaba, Alexander Pokluda, and Jie Zhang

Subjects

Cloud computing security, Process management, General Computer Science, Computer science, Information security, Computer security model, Computer security, computer.software_genre, Security information and event management, Theoretical Computer Science, Security engineering, Security service, Security through obscurity, Human-computer interaction in information security, computer

Abstract

Security is oftentimes centrally managed. An alternative trend of using collaboration in order to improve security has gained momentum over the past few years. Collaborative security is an abstract concept that applies to a wide variety of systems and has been used to solve security issues inherent in distributed environments. Thus far, collaboration has been used in many domains such as intrusion detection, spam filtering, botnet resistance, and vulnerability detection. In this survey, we focus on different mechanisms of collaboration and defense in collaborative security. We systematically investigate numerous use cases of collaborative security by covering six types of security systems. Aspects of these systems are thoroughly studied, including their technologies, standards, frameworks, strengths and weaknesses. We then present a comprehensive study with respect to their analysis target, timeliness of analysis, architecture, network infrastructure, initiative, shared information and interoperability. We highlight five important topics in collaborative security, and identify challenges and possible directions for future research. Our work contributes the following to the existing research on collaborative security with the goal of helping to make collaborative security systems more resilient and efficient. This study (1) clarifies the scope of collaborative security, (2) identifies the essential components of collaborative security, (3) analyzes the multiple mechanisms of collaborative security, and (4) identifies challenges in the design of collaborative security.

Published

2015

31. Food Security Information Platform Model Based on Internet of Things

Author

sup>Lei Zhang and sup>Shanhong Zhu

Subjects

Platform model, Food security, business.industry, Internet privacy, General Chemistry, Information security, Computer security, computer.software_genre, Internet security, Security information and event management, Industrial and Manufacturing Engineering, Web of Things, Security association, Human-computer interaction in information security, Business, computer, Food Science

Published

2015

32. The challenges facing physical layer security

Author

Wade Trappe

Subjects

Computer Networks and Communications, Computer science, Network security, Covert channel, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Security testing, Security engineering, Wireless, Electrical and Electronic Engineering, Authentication, Cloud computing security, business.industry, Physical layer, Computer security model, Computer Science Applications, Security service, Software security assurance, Network Access Control, Security through obscurity, Security convergence, Human-computer interaction in information security, Network security policy, business, computer

Abstract

There has recently been significant interest in applying the principles of information-theoretical security and signal processing to secure physical layer systems. Although the community has made progress in understanding how the physical layer can support confidentiality and authentication, it is important to realize that there are many important issues that must be addressed if physical layer security is ever to be adopted by real and practical security systems. In this article, I briefly review several different flavors of physical layer security (at least for wireless systems), and then identify aspects (a.k.a. weaknesses) where the foundation for physical layer security needs to be strengthened. I then highlight that the opportunities for applying physical layer security to real systems will be quite rich if the community can overcome these challenges. In the course of the article, I note new directions for the community to investigate, with the objective of keeping physical layer security research targeted at having a practical impact on real systems.

Published

2015

33. Scaring and Bullying People into Security Won't Work

Author

Angela Sasse

Subjects

Password, Cloud computing security, Computer Networks and Communications, Computer science, business.industry, Internet privacy, Information security, Asset (computer security), Security information and event management, Threat, Security engineering, Human-computer interaction in information security, Security through obscurity, Electrical and Electronic Engineering, business, Law, Countermeasure (computer)

Abstract

Users will pay attention to reliable and credible indicators of a risk they want to avoid. More accurate detection and better security tools are necessary to regain users' attention and respect.

Published

2015

34. Only play in your comfort zone: interaction methods for improving security awareness on mobile devices

Author

Clemens Holzmann, Rene Mayrhofer, Matthias Kranz, Andreas Möller, Florian Lettner, Marion Koelle, and Peter Riedl

Subjects

Cloud computing security, Computer science, Management Science and Operations Research, Computer security model, Asset (computer security), Security awareness, Computer security, computer.software_genre, Security policy, Security information and event management, Computer Science Applications, Security service, Hardware and Architecture, Human-computer interaction in information security, computer

Abstract

In this paper, we study the concept of security zones as an intermediate layer of compartmentalization on mobile devices. Each of these security zones is isolated against the other zones and holds a different set of applications and associated user data and may apply different security policies. From a user point of view, they represent different contexts of use for the device, e.g., to distinguish between gaming (private context), payment transactions (secure context), and company-related email (enterprise context). We propose multiple visualization methods for conveying the current security zone information to the user, and interaction methods for switching between zones. Based on an online and a laboratory user study, we evaluated these concepts from a usability point of view. One important result is that in the tension field between security and usability, additional hardware can support the user’s awareness toward their zone context.

Published

2015

35. Measuring user satisfaction with information security practices

Author

Gustavo Percio Zimmermann Montesdioca and Antonio Carlos Gastaud Maçada

Subjects

Knowledge management, General Computer Science, business.industry, Computer science, Standard of Good Practice, Equity theory, Computer user satisfaction, Information security, Enterprise information security architecture, Computer security model, Security information and event management, Security controls, Information security audit, ITIL security management, Information security management, Information security standards, Human-computer interaction in information security, Information system, business, Law

Abstract

Information security is a major concern of organizational management. Security solutions based on technical aspects alone are insufficient to protect corporate data. Successful information security depends on appropriate user behavior while using information systems. User satisfaction is widely used to measure the success of information systems. The objective of this research is to develop a model to measure user satisfaction with information security practices. An instrument was developed based on this model. A survey was conducted, and 173 valid responses were obtained. Structural equation modeling was used for the data analysis. The results indicated that users understand the benefits of information security practices, but the use of information systems with security controls is considered a complex matter, which reduces information systems productivity. The measurement of the user satisfaction with information security practices is a starting point to diagnose the behavior of users in relation to information security, providing metrics to management evaluate the investment in information security training and awareness program.

Published

2015

36. The Security-Usability Tradeoff Myth [Guest editors' introduction]

Author

Matthew Smith and M. Angela Sasse

Subjects

Authentication, Cloud computing security, Computer Networks and Communications, business.industry, Computer science, 05 social sciences, Internet privacy, Data security, Usability, 02 engineering and technology, Information security, Computer security model, 050905 science studies, Security information and event management, Security engineering, Security service, Software security assurance, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Security through obscurity, Human-computer interaction in information security, 0509 other social sciences, Electrical and Electronic Engineering, business, Law

Abstract

This special issue of IEEE Security a Privacy features three articles and a roundtable discussion that examine the relationship between security and usability in detail to identify the perceptions, processes, and practices that underlie these continuing challenges and to identify what needs to change to advance the field.

Published

2016

37. Energy-efficient mechanisms in security of the internet of things: A survey

Author

Abdelmadjid Bouabdallah, Mouloud Koudil, Hamed Hellaoui, Laboratoire de Méthodes de Conception de Systèmes (LMCS), École Nationale Supérieure d'Informatique [Alger] (ESI), Heuristique et Diagnostic des Systèmes Complexes [Compiègne] (Heudiasyc), and Université de Technologie de Compiègne (UTC)-Centre National de la Recherche Scientifique (CNRS)

Subjects

Computer Networks and Communications, Computer science, 02 engineering and technology, Asset (computer security), Computer security, computer.software_genre, Internet security, Security testing, Security information and event management, Security engineering, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Security association, 0202 electrical engineering, electronic engineering, information engineering, ComputingMilieux_MISCELLANEOUS, Cloud computing security, Cryptographic primitive, business.industry, 020206 networking & telecommunications, Information security, Computer security model, Web application security, Security service, Software security assurance, Human-computer interaction in information security, Security through obscurity, Security convergence, Network security policy, 020201 artificial intelligence & image processing, business, computer

Abstract

Security primitives in the IoT (Internet of Things) are energy consuming. Finding the best solutions that reduce energy consumption while ensuring the required security services is not an easy task. Many works proposed in the literature address security overhead issues by tackling some aspects such as cryptographic primitives, deployment environments, target applications, etc. This paper is a survey on energy-efficient mechanisms used in IoT security services. By studying the techniques that allow developing energy-efficient security solutions, it goes further than the previous surveys which focus more on the energy-efficient solutions themselves. To the best of our knowledge, this is the first work that tackles IoT security from this perspective. Not only security issues are addressed in this survey, but the energy impact of the solutions are also discussed. Energy consumption related to security services is first introduced. A taxonomy is then proposed for energy-efficient mechanisms in IoT security. The main factors affecting the application of an energy-saving technique for security solutions are finally analyzed.

Published

2017

38. Design as code: facilitating collaboration between usability and security engineers using CAIRIS

Author

Claudia Iacob and Shamal Faily

Subjects

Usability lab, Engineering, Usability goals, Pluralistic walkthrough, business.industry, System usability scale, Usability engineering, Systems engineering, Human-computer interaction in information security, Usability inspection, Usability, business, Software engineering

Abstract

Designing usable and secure software is hard with-\ud out tool-support. Given the importance of requirements, CAIRIS was designed to illustrate the form tool-support for specifying usable and secure systems might take. While CAIRIS supports a broad range of security and usability engineering activities,\ud its architecture needs to evolve to meet the workflows of these stakeholders. To this end, this paper illustrates how CAIRIS and its models act as a vehicle for collaboration between usability and security engineers. We describe how the modified architecture of CAIRIS facilitates this collaboration, and illustrate the tool using three usage scenarios.

Published

2017

39. Design process for usable security and authentication using a user-centered approach

Author

Eduardo B. Fernandez, Jaime Muñoz-Arteaga, César A. Collazos, Paulo Realpe-Munoz, and Toni Granollers

Subjects

Computer science, Vulnerability, 02 engineering and technology, Computer security, computer.software_genre, Security testing, Security information and event management, Logical security, Security engineering, Distributed System Security Architecture, 0202 electrical engineering, electronic engineering, information engineering, Security management, Authentication, Cloud computing security, business.industry, 020208 electrical & electronic engineering, 020206 networking & telecommunications, Usability, Information security, Computer security model, Security service, Software security assurance, Network Access Control, Human-computer interaction in information security, Security through obscurity, User interface, business, Software engineering, computer

Abstract

Computer security is one of the most important current tasks in digital applications. However, from the best of our knowledge, there is little research for designing effective interfaces in the context of security management systems. Security problems for these systems include vulnerabilities, due to difficulty using the systems and poor user interfaces because of their security constraints. Nowadays, finding a good trade-off between security and usability is a challenge, mainly for user authentication services. This paper presents a preliminary process for designing secure and usable systems using a user-centered approach. According to the above, the researchers and development team could have a process for designing and carrying out security and usability solutions for users. For the development of this process, the MPIu+a methodology to implement highly usable and accessible interactive applications is used.

Published

2017

40. An Ontological Approach to Predict Trade-Offs between Security and Usability for Mobile Application Requirements Engineering

Author

Woori Roh and Seok-Won Lee

Subjects

Usability goals, Knowledge management, Risk analysis (engineering), Cognitive walkthrough, business.industry, Computer science, Usability engineering, Human-computer interaction in information security, Usability inspection, Usability, business, Web usability, Component-based usability testing

Abstract

Solving conflicts among quality attribute requirements during the software engineering (SE) process is a complicated task. Due to their opposing characteristics, conflicts between security and usability frequently arise. However, there is a lack of research in terms of a consensus on the semantics of quality attributes, especially for security and usability, as well as the study of elim-inating or reducing the trade-offs and conflicts during the re-quirements engineering (RE) process. Therefore, we propose a novel approach to predict the conflicts between security and usability in the RE process. For this study, we construct a three-layer ontological knowledge base of security and usability. By using the proposed ontological knowledge base, we can figure out the relation between security and usability. We can discover which quality attributes cause conflicts in the RE process. We applied two case studies to validate the results which show that the proposed approach can derive more than twice as many trade-offs between security and usability compared to the num-ber of trade-offs derived by graduate students who are major in SE and computer engineering.

Published

2017

41. Empirical Studies on the Security and Usability Impact of Immutability

Author

Jonathan Aldrich, Joshua Sunshine, Brad A. Myers, Sam Weber, and Michael Coblenz

Subjects

Usability lab, Usability goals, business.industry, Computer science, Software security assurance, Usability engineering, Human-computer interaction in information security, Usability inspection, Usability, Software engineering, business, Web usability

Abstract

Although it is well-known that API design has a large and long-term impact on security, the literature contains few substantial guidelines for practitioners on how to design APIs that improve security. Even fewer of those guidelines have been evaluated empirically. Security professionals have proposed that software engineers choose immutable APIs and architectures to enhance security. Unfortunately, prior empirical research argued that immutablity decreases API usability. This paper brings together the results from a number of previous papers that together aim to show that immutability, when carefully designed using usability as a first-class requirement, can have positive effects on both usability and security. We also make observations on study design in this field.

Published

2017

42. Effects of Usability Problems on User Emotions in Human–Computer Interaction

Author

Zhongdong Xiao, Xiaojun Li, and Binbin Cao

Subjects

Interactive systems engineering, Human action cycle, business.industry, media_common.quotation_subject, 05 social sciences, Usability, macromolecular substances, 050105 experimental psychology, Arousal, Feeling, User experience design, Human–computer interaction, Human-computer interaction in information security, 0501 psychology and cognitive sciences, Valence (psychology), Psychology, business, 050107 human factors, media_common

Abstract

A two-factor mixed design with usability problem type and severity rating as experimental factors was conducted to examine the effects of usability problems on user emotions. The usability problem type was varied from full classification (FC) in artifact component to FC in task component, and severity rating of usability problem was varied from low to high. Difference in emotional dimensions, valence, arousal, and dominance were realized as dependent variables. Results showed that effects of usability problems on user emotions differed by type and severity rating. Usability problems classified into FC in task component or with higher severity rating led to more negative and less dominance subjective feelings. Effect of type of usability problems on emotional valence was stronger when their severity rating was relatively low. These investigations suggest that usability problems classified into FC in task component or with higher severity rating should be assigned to higher priority in usability test and be eliminated as far as possible in the development process. Further studies may address the issue from different construct of emotion, e.g., physiological changes.

Published

2017

43. Using Process Mining and Model-driven Engineering to Enhance Security of Web Information Systems

Author

Raul Piraces Alastuey, Simona Bernardi, and Raquel Trillo-Lado

Subjects

Cloud computing security, business.industry, Computer science, 020208 electrical & electronic engineering, 02 engineering and technology, Information security, Web application security, Computer security, computer.software_genre, Security information and event management, Security engineering, Security service, Information security management, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 020201 artificial intelligence & image processing, business, computer

Abstract

Due to the development of Smart Cities and Internet of Things, there has been an increasing interest in the use of Web information systems in different areas and domains. Besides, the number of attacks received by this kind of systems is increasing continuously. Therefore, there is a need to strengthen their protection and security. In this paper, we propose a method based on Process Mining and Model- Driven Engineering to improve the security of Web information systems. Besides, this method has been applied to the SID Digital Library case study and some preliminary results to improve the security of this system are described.

Published

2017

44. Visualizing the New Zealand Cyber Security Challenge for Attack Behaviors

Author

Janice Kho, Ryan K. L. Ko, Mark Apperley, Mark A. Will, Saidah Suwadi, and Jeffery Garae

Subjects

Cloud computing security, Computer science, business.industry, Event (computing), 0402 animal and dairy science, 04 agricultural and veterinary sciences, 02 engineering and technology, Computer security, computer.software_genre, 040201 dairy & animal science, Security information and event management, Visualization, Data visualization, Security service, Software security assurance, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, 020201 artificial intelligence & image processing, business, computer

Abstract

Datasets are important for security analytics and mitigation processes in cyber security research and investigations. "Cyber security challenge (CSC)" events provide the means to collect datasets. The New Zealand National cyber security challenge event is designed to promote cyber security education, awareness and equally as important, collect datasets for research purposes. In this paper, we present the: (1) Importance of cyber security challenge events, (2) Highlight the importance of collecting datasets, and (3) present a user-centric security visualization model of attack behaviors. User-centric features with the theoretical concept of Data Provenance as a Security Visualization Service (DPaaSVS) reused to display attacks commencing at the reconnaissance stage through to compromising a defending team machine and exploiting the systems. DPaaSVS creates the ability for users to interact and observe correlations between cyber-attacks. Finally we provide future work on Security Visualization with Augmented Reality capabilities to enhance and improve user interactions with the security visualization platform.

Published

2017

45. Robotman: A security robot for human-robot interaction

Author

Francisco Cuellar, Diego Quiroz, Gabriele Trovato, Renato Paredes, and Alexander Lopez

Subjects

0209 industrial biotechnology, User Friendly, Engineering, business.industry, media_common.quotation_subject, Patrolling, 010401 analytical chemistry, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Logical security, Human–robot interaction, 0104 chemical sciences, 020901 industrial engineering & automation, Human-computer interaction in information security, Robot, Function (engineering), business, computer, Human security, media_common

Abstract

In this paper we present the design, development and preliminary tests of Robotman, a robot that combines qualities for interaction with humans, and security patrolling services. The robot is inspired by the information obtained from a security company in which their personnel not only perform security patrolling services, but have to interact with people, providing additional information about the area they safeguard. The robot is able to perform security patrols during the night while functioning as a guide during the day. We designed and implemented a robust, easy to assemble, anthropomorphic security robot aiming to patrol large indoor areas, interact with humans, welcome, provide information and guide clients to their destination, as well as function as a telepresence platform for the human security guards. Our results suggest that Robotman is user friendly and pleasing to the people, it can perform security tasks and interact with them.

Published

2017

46. A multi-factors security key generation mechanism for IoT

Author

Paul Loh Ruen Chze, Elizabeth Sim, Kan-Siew-Leong, Kan Ee May, and Ang Khoon Wee

Subjects

Cloud computing security, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Logical security, Security information and event management, Security association, Security service, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, Network security policy, 020201 artificial intelligence & image processing, business, computer, Computer network

Abstract

This paper introduces a multi-factors security key generation mechanism for self-organising Internet of Things (IoT) network and nodes. The mechanism enables users to generate unique set of security keys to enhance IoT security while meeting various business needs. The multi-factor security keys presents an additional security layer to existing security standards and practices currently being adopted by the IoT community. The proposed security key generation mechanism enables user to define and choose any physical and logical parameters he/she prefers, in generating a set of security keys to be encrypted and distributed to registered IoT nodes. IoT applications and services will only be activated after verifying that all security keys are present. Multiple levels of authorisation for different user groups can be easily created through the mix and match of the generated multi-factors security keys. A use case, covering indoor and outdoor field tests was conducted. The results of the tests showed that the mechanism is easily adaptable to meet diverse multi-vendor IoT devices and is scalable for various applications.

Published

2017

47. What.Hack

Author

Jeffrey Huang, Reid Wade, Yiming Li, Amy Wang, and Zikai Alex Wen

Subjects

Computer science, Internet privacy, 0211 other engineering and technologies, Vulnerability, 02 engineering and technology, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Threat, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Hacker, Password, 021110 strategic, defence & security studies, Cloud computing security, business.industry, Social engineering (security), Information security, Phishing, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Information security standards, Human-computer interaction in information security, Security through obscurity, business, computer

Abstract

As information security systems become increasingly sophisticated and reliable, humans are rapidly becoming the weakest link in the security pipeline. Technological countermeasures can only be deployed if the humans depending upon them are aware of how to use them, and hackers are beginning to take advantage of the knowledge gap that exists in this area. The recent DNC hackings during the 2016 US presidential election are evidence of this, as staff were tricked into sharing passwords which granted access to confidential information by fake Google security emails. Vulnerabilities such as these are due in part to insufficient and tiresome training when it comes to information security. A potential solution is the introduction of more engaging training methods, which teach information security in an active and entertaining way. To this end, we introduce the game What.Hack to teach information security and defense methods for social engineering threats.

Published

2017

48. Big data, little security: Addressing security issues in your platform

Author

Joseph Mathews and Thomas Macklin

Subjects

021110 strategic, defence & security studies, Cloud computing security, Computer science, business.industry, Big data, 0211 other engineering and technologies, 02 engineering and technology, Information security, Enterprise information security architecture, Computer security model, Computer security, computer.software_genre, Asset (computer security), Security testing, Security information and event management, Information security management, Security service, Software security assurance, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, Security through obscurity, Network security policy, business, computer

Abstract

This paper describes some patterns for information security problems that consistently emerge among traditional enterprise networks and applications, both with respect to cyber threats and data sensitivity. We draw upon cases from qualitative studies and interviews of system developers, network operators, and certifiers of military applications. Specifically, the problems discussed involve sensitivity of data aggregates, training efficacy, and security decision support in the human machine interface. While proven techniques can address many enterprise security challenges, we provide additional recommendations on how to further improve overall security posture, and suggest additional research thrusts to address areas where known gaps remain.

Published

2017

49. Flamingo

Author

Mohammad Zulkernine and Shahrear Iqbal

Subjects

Cloud computing security, Computer science, 020207 software engineering, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, Asset (computer security), Security information and event management, Security service, Software security assurance, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Human-computer interaction in information security, Security through obscurity, computer

Abstract

The availability of powerful smartphones and the necessity of security in mobile devices have made researchers propose multiple security modes (e.g., home, office, outdoor, and financial) for such devices. In each mode, a user can install a different set of apps. However, in most of the cases, the user has to select the mode manually. If we can sense the smartphone's security context accurately, then it is possible to switch between different security modes automatically. Also, smartphone operating systems are becoming ubiquitous. As a result, mobile apps need to behave differently based on the security context (e.g., not sending the data if the network is insecure). There exist other research work that may detect the physical context of a smartphone. However, we focus on sensing different security parameters (e.g., location, is-network-encrypted) and calculating the security context from the parameters. In this paper, we propose Flamingo, a security context management framework that maintains a cache of security contexts and parameters to be used by the operating system and third-party applications. As detecting contexts requires the use of power-hungry smartphone sensors, a comprehensive framework for sharing security parameters among various applications can be beneficial in terms of energy and other resource expenses. The implementation of Flamingo as a part of the Android operating system shows that it is effective in managing security contexts and parameters.

Published

2017

50. On Privacy Protection at Networking

Author

Li Yang and ChangGen Zhu

Subjects

Engineering, Cloud computing security, business.industry, Information security, Computer security model, Internet security, Computer security, computer.software_genre, Security information and event management, Security service, Human-computer interaction in information security, Security through obscurity, business, computer

Abstract

In recent years, the networking technology, as an important part of the new generation of information technology, has been developing rapidly. It is widely used in environmental monitoring and protection, personal health care, intelligent transportation, food safety traceability, logistics supplement chain management, and many other fields. Networking technology not only makes our lives more convenient, it but also faces many challenges. One of the most important challenges is its security. Since this technology is still in the early stage of development, the security system has not formed. In addition, this can be regarded as the extension and development of the Internet, with reference to some security technologies and strategies of Internet. However, this system contains a large number of different functions, computation and communication capabilities, and a large difference of all kinds of intelligent terminal and many specific application scenarios, which makes it unique, rather through the existing Internet security technology to solve the security problem. Since the networking is still in the process of evolution, there is not unified security architecture. Previous research on the security of networking is based on certain specific things technology and application scenarios (such as sensor networks, RFID systems, etc.), respectively, providing the corresponding solutions.

Published

2017