SwePub

Result list for search "L773:2214 2134 OR L773:2214 2126 "

  • Results 1-10 of 13
1.
  • Aslam, Mudassar, et al. (author)
  • ASArP : Automated Security Assessment & Audit of Remote Platforms using TCG-SCAP synergies
  • 2015. - 7
  • In: Journal of Information Security and Applications. - United Kingdom : Elsevier BV. - 2214-2134 .- 2214-2126. ; 22, pp. 28-39
  • Journal article (peer-reviewed), abstract:
    • Many enterprise solutions today are built upon complex distributed systems which are accessible to the users globally. Due to this global access, the security of the host platforms becomes critical. The platform administrators use security automation techniques such as those provided by Security Content Automation Protocol (SCAP) standards to protect the systems from the vulnerabilities that are reported daily; furthermore, they are responsible for keeping their systems compliant to the relevant security recommendations (governmental or industrial). Additionally, third party audit and certification processes are used to increase user trust in enterprise solutions. However, traditional audit and certification mechanisms are not continuous, that is, not frequent enough to deal with the daily reported vulnerabilities, and for that matter even auditors expect platform administrators to keep the systems updated. As a result, the end user is also forced to trust the platform administrators about the latest state of the platform. In this paper we develop an automated security audit and certification system (ASArP) which can be used by platform users or by third party auditors. We use security automation techniques for continuous monitoring of the platform security posture and make the results trustworthy by using trusted computing (TCG) techniques. The prototype development of ASArP validates the implementation feasibility; it also provides performance benchmarks which show that the ASArP based audit and certification can be done much more frequently (e.g. daily or weekly). The feasibility of ASArP based continuous audits is significantly better than traditional platform audits which are dependent on the physical presence of the auditors, thus making frequent audits much more expensive and operationally infeasible.
2.
  • Budurushi, Jurlind, et al. (author)
  • Implementing and evaluating a software-independent voting system for polling station elections
  • 2014
  • In: Journal of Information Security and Applications. - : Elsevier. - 2214-2134 .- 2214-2126. ; 19:2, pp. 1-10
  • Journal article (peer-reviewed), abstract:
    • In 2009 the German Federal Constitutional Court introduced the principle of “public nature of elections” (Federal Constitutional Court of Germany, March 2009). This principle requires that when using electronic voting systems it must be possible for the citizen to verify the essential steps in the election process and in the ascertainment of the results reliably and without special expert knowledge. Unfortunately, none of the existing systems complies with this principle. As a result, the use of electronic voting systems in Germany for parliamentary elections has stopped. Nevertheless, electronic voting systems are necessary and would improve the situation, especially for elections with complex ballots and voting rules, for example some local elections in Germany or parliamentary elections in Belgium and Luxembourg. The concept proposed by Volkamer et al. (Volkamer et al., 2011) was analyzed by a legal expert and evaluated to comply with the German legal requirements for local elections in the state of Hesse (Henning et al., 2012). In this paper we specify and concretize processes that were left open in the concept, and implement a prototype. We evaluated this prototype in a user study that was conducted alongside the university elections at the Technische Universität Darmstadt in June 2013. The results of the study show that most of the participants were satisfied with the prototype and would support its use for the upcoming university elections. We also report some lessons learned.
3.
  • Budurushi, Jurlind, et al. (author)
  • Introduction to special issue on e-voting
  • 2018
  • In: Journal of Information Security and Applications. - : Elsevier. - 2214-2134 .- 2214-2126. ; 38, pp. 122-123
  • Journal article (peer-reviewed)
4.
  • Chockalingam, Sabarathinam, et al. (author)
  • Probability elicitation for Bayesian networks to distinguish between intentional attacks and accidental technical failures
  • 2023
  • In: Journal of Information Security and Applications. - : ELSEVIER. - 2214-2134 .- 2214-2126. ; 75
  • Journal article (peer-reviewed), abstract:
    • Both intentional attacks and accidental technical failures can lead to abnormal behaviour in components of industrial control systems. In our previous work, we developed a framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two classes, including knowledge elicitation to construct the directed acyclic graph of BN models. In this paper, we add a systematic method for knowledge elicitation to construct the Conditional Probability Tables (CPTs) of BN models, thereby completing a holistic framework to distinguish between attacks and technical failures. In order to elicit reliable probabilities from experts, we need to reduce the workload of experts in probability elicitation by reducing the number of conditional probabilities to elicit and facilitating individual probability entry. We utilise DeMorgan models to reduce the number of conditional probabilities to elicit as they are suitable for modelling opposing influences i.e., combinations of influences that promote and inhibit the child event. To facilitate individual probability entry, we use probability scales with numerical and verbal anchors. We demonstrate the proposed approach using an example from the water management domain.
5.
  • Fatima, R., et al. (author)
  • Sharing information online rationally : An observation of user privacy concerns and awareness using serious game
  • 2019
  • In: Journal of Information Security and Applications. - : Elsevier Ltd. - 2214-2134 .- 2214-2126. ; 48
  • Journal article (peer-reviewed), abstract:
    • Recent studies have shown that excessive online information disclosure is a major reason of privacy breach. It makes it easy for social engineers to gather information about their targets. The objective of this study is to gather user privacy concerns reported in the literature and categorize them into themes, then design a serious game covering the categorized privacy concerns and evaluate the educational effect of the game regarding dangers associated with excessive online information disclosure. We have conducted a literature review and extracted user privacy concerns reported in 109+ publications. Then we designed a serious game and empirically evaluated the game players' awareness of dangers associated with excessive online information disclosure. We find that privacy awareness has a positive long-term impact on users' online behavior in terms of controlled information sharing. However, social networking needs drive users to share information online, even knowing the potential risks. The proposed serious game shows positive effect in improving the privacy awareness of participants.
6.
  • Fischer-Hübner, Simone, 1963-, et al. (author)
  • Stakeholder perspectives and requirements on cybersecurity in Europe
  • 2021
  • In: Journal of Information Security and Applications. - : Elsevier. - 2214-2134 .- 2214-2126. ; 61
  • Journal article (peer-reviewed), abstract:
    • This article presents an overview and analysis of the key cybersecurity problems, challenges and requirements to be addressed in the future, which we derived through 63 interviews with European stakeholders from security-critical sectors including Open Banking, Supply Chain, Privacy-preserving Identity Management, Security Incident Reporting, Maritime Transport, Medical Data Exchange, and Smart Cities. We show that common problems, challenges and requirements across these sectors exist in relation to building trust, implementing privacy and identity management including secure and useable authentication, building resilient systems, standardisation and certification, achieving security and privacy by design, secure and privacy-compliant data and information sharing, and government regulations. Our results also indicate cybersecurity trends and allow to derive directions for future research and innovation activities that will be of high importance for Europe.
7.
  • Gerber, Paul, et al. (author)
  • The simpler, the better? Presenting the COPING Android permission-granting interface for better privacy-related decisions
  • 2017
  • In: Journal of Information Security and Applications. - Amsterdam : Elsevier. - 2214-2134 .- 2214-2126. ; 34:1, pp. 8-26
  • Journal article (peer-reviewed), abstract:
    • One of the great innovations of the modern world is the Smartphone app. The sheer multitude of available apps attests to their popularity and general ability to satisfy our wants and needs. The flip side of the functionality these apps offer is their potential for privacy invasion. Apps can, if granted permission, gather a vast amount of very personal and sensitive information. App developers might exploit the combination of human propensities and the design of the Android permission-granting interface to gain permission to access more information than they really need. This compromises personal privacy. The fact that the Android is the globally dominant phone means widespread privacy invasion is a real concern. We, and other researchers, have proposed alternatives to the Android permission-granting interface. The aim of these alternatives is to highlight privacy considerations more effectively during app installation: to ensure that privacy becomes part of the decision-making process. We report here on a study with 344 participants that compared the impact of a number of permission-granting interface proposals, including our own (called the COPING interface — COmprehensive PermIssioN Granting) and two Android interfaces. To conduct the comparison we carried out an online study with a mixed-model design. Our main finding is that the focus in these interfaces ought to be on improving the quality of the provided information rather than merely simplifying the interface. The intuitive approach is to reduce and simplify information, but we discovered that this actually impairs the quality of the decision. Our recommendation is that further investigation is required in order to find the “sweet spot” where understandability and comprehensiveness are maximised.
8.
  • Höglund, Joel, 1979-, et al. (author)
  • Lightweight certificate revocation for low-power IoT with end-to-end security
  • 2023
  • In: Journal of Information Security and Applications. - Amsterdam : Elsevier Ltd. - 2214-2134 .- 2214-2126. ; 73
  • Journal article (peer-reviewed), abstract:
    • Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors
9.
  • Liu, Yongshuang, et al. (author)
  • Classification and recognition of encrypted EEG data based on neural network
  • 2020
  • In: Journal of Information Security and Applications. - : Elsevier. - 2214-2134 .- 2214-2126. ; 54
  • Journal article (peer-reviewed), abstract:
    • With the rapid development of Machine Learning technology applied in electroencephalography (EEG) signals, Brain-Computer Interface (BCI) has emerged as a novel and convenient human-computer interaction for smart home, intelligent medical and other Internet of Things (IoT) scenarios. However, security issues such as sensitive information disclosure and unauthorized operations have not received sufficient concerns. There are still some defects with the existing solutions to encrypted EEG data such as low accuracy, high time complexity or slow processing speed. For this reason, a classification and recognition method of encrypted EEG data based on neural network is proposed, which adopts Paillier encryption algorithm to encrypt EEG data and meanwhile resolves the problem of floating point operations. In addition, it improves traditional feed-forward neural network (FNN) by using the approximate function instead of activation function and realizes multi-classification of encrypted EEG data. Extensive experiments are conducted to explore the effect of several metrics (such as the hidden neuron size and the learning rate updated by improved simulated annealing algorithm) on the recognition results. Followed by security and time cost analysis, the proposed model and approach are validated and evaluated on public EEG datasets provided by PhysioNet, BCI Competition IV and EPILEPSIAE. The experimental results show that our proposal has the satisfactory accuracy, efficiency and feasibility compared with other solutions. (C) 2020 Elsevier Ltd. All rights reserved.
10.
  • Masmoudi, Fatma, et al. (author)
  • A Guiding Framework for Vetting the Internet of Things
  • 2020
  • In: Journal of Information Security and Applications. - : Elsevier. - 2214-2134 .- 2214-2126. ; 55
  • Journal article (peer-reviewed), abstract:
    • Like any emerging and disruptive technology, multiple obstacles are slowing down the Internet of Things (IoT) expansion, for instance, multiplicity of things’ standards, users’ reluctance and sometimes rejection due to privacy invasion, and limited IoT platform interoperability. IoT expansion is also accompanied by the widespread use of mobile apps supporting anywhere, anytime service provisioning to users. By analogy to vetting mobile apps, this paper addresses the lack of principles and techniques for vetting IoT devices (things) in preparation for their integration into mission-critical systems. Things have got vulnerabilities that should be discovered and assessed through proper device vetting. Unfortunately, this is not happening. Rather than sensing a nuclear turbine’s steam level, a thing could collect some sensitive data about the turbine without the knowledge of users and leak these data to third parties. This paper presents a guiding framework that defines the concepts of, principles of, and techniques for thing vetting as a pro-active response to potential things’ vulnerabilities.