SwePub

Result list for search ""information security" ;lar1:(mdh)"

  • Results 1-8 of 8
1.
  • Yasin, A., et al. (author)
  • Can serious gaming tactics bolster spear-phishing and phishing resilience? : Securing the human hacking in Information Security
  • 2024
  • In: Information and Software Technology. - : Elsevier B.V.. - 0950-5849 .- 1873-6025. ; 170
  • Journal article (peer-reviewed), abstract:
    • Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals’ limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants’ awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the “PhishDefend Quest” game successfully improved players’ comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. 
Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.
2.
  • Bocchetti, Giovanni, et al. (author)
  • Dependable integrated surveillance systems for the physical security of metro railways
  • 2009
  • In: 3rd ACM/IEEE International Conference on Distributed Smart Cameras, ICDSC 2009. - : IEEE. - 9781424446209
  • Conference paper (peer-reviewed), abstract:
    • Rail-based mass transit systems are vulnerable to many criminal acts, ranging from vandalism to terrorism. In this paper, we present the architecture, the main functionalities and the dependability related issues of a security system specifically tailored to metro railways. Heterogeneous intrusion detection, access control, intelligent video-surveillance and sound detection devices are integrated in a cohesive Security Management System (SMS). In case of emergencies, the procedural actions required to the operators involved are orchestrated by the SMS. Redundancy both in sensor dislocation and hardware apparels (e.g. by local or geographical clustering) improve detection reliability, through alarm correlation, and overall system resiliency against both random and malicious threats. Video-analytics is essential, since a small number of operators would be unable to visually control a large number of cameras. Therefore, the visualization of video streams is activated automatically when an alarm is generated by smart-cameras or other sensors, according to an event-driven approach. The system is able to protect stations (accesses, technical rooms, platforms, etc.), tunnels (portals, ventilation shafts, etc.), trains and depots. Presently, the system is being installed in the Metrocampania underground regional railway. To the best of our knowledge, this is the first subway security system featuring artificial intelligence algorithms both for video and audio surveillance. The security system is highly heterogeneous in terms not only of detection technologies but also of embedded computing power and communication facilities. In fact, sensors can differ in their inner hardware-software architecture and thus in the capacity of providing information security and dependability. 
The focus of this paper is on the development of novel solutions to achieve a measurable level of dependability for the security system in order to fulfill the requirements of the specific application. © 2009 IEEE.
3.
  • Provenzano, Luciana, et al. (author)
  • How Do Practitioners Reason About Security Requirements? : An Interview Study
  • 2024
  • In: Proc. Int. Conf. Requir. Eng.. - : IEEE Computer Society. - 9798350395112 ; , pp. 79-90
  • Conference paper (peer-reviewed), abstract:
    • In the development of modern software-intensive systems, security aspects are increasingly emphasized, with new laws and regulations putting more demands on manufacturers. Requirements elicitation must therefore carefully consider security aspects. The literature contains various frameworks that have been proposed to aid in the elicitation of these types of requirements. We are interested to understand how, in industrial practice, persons responsible for cybersecurity reason about so-called 'security requirements'. To find out, we perform eight semi-structured interviews with experts having leading roles in cybersecurity in large companies. We identify the concepts that they leverage when reasoning about security requirements, what other aspects they look at when identifying security requirements, how they differ between security requirements and other requirements, and what their definition of a security requirement is. In this paper, we report on this interview study and our analysis of it. We highlight the commonalities and crucial differences between experts' reasoning, and a surprising spread of conclusions regarding the identification of example requirements as being security requirements or not. Our analysis opens a new perspective on how to deal with security requirements, we hypothesize the benefits of using multiple approaches for elicitation and a single approach for requirements specification.
4.
  • Latifaj, Malvina, 1997- (author)
  • Systematic Development of Collaborative Blended Modeling Environments
  • 2024
  • Doctoral thesis (other academic/artistic), abstract:
    • Collaborative model-driven software engineering addresses the complexities of developing software systems by prioritizing models as core artifacts and leveraging the collective expertise of diverse stakeholders. To effectively realize this approach, the employed modeling environments must be equipped with features that support and enhance collaboration. These environments should, among other capabilities, provide support for multiple notation types, enabling stakeholders to engage with models using their preferred notation or the notation most appropriate for their tasks. Additionally, they should offer multiple views and perspectives that allow stakeholders to interact with pertinent information only, and implement access control mechanisms to ensure information security. However, the adoption of these features can be challenging, partly because of their resource-intensive and tedious development nature, as well as the necessity for continuous updates to keep up with the evolution of modeling languages. This doctoral thesis proposes a model-driven approach to address this challenge by facilitating the development of blended modeling environments featuring multiple views and ensuring modeled information security. The proposed framework leverages automation to reduce the manual effort and expertise traditionally required for i) the provision of synchronization mechanisms between graphical and textual notations for blended modeling, ii) the provision of synchronization mechanisms between view models and base model in multi-view modeling, and iii) the consistent definition and enforcement of access permissions. This research, therefore, lowers the barriers to adopting these collaborative features by facilitating their development and evolution in face of changes to underlying modeling languages. 
5.
  • Besker, Terese, et al. (author)
  • Navigating the Cyber-Security Risks and Economics of System-of-Systems
  • 2023
  • In: 2023 18th Annual System of Systems Engineering Conference, SoSe 2023. - : Institute of Electrical and Electronics Engineers Inc.. - 9798350327236
  • Conference paper (peer-reviewed), abstract:
    • Cybersecurity is an important concern in systems-of-systems (SoS), where the effects of cyber incidents, whether deliberate attacks or unintentional mistakes, can propagate from an individual constituent system (CS) throughout the entire SoS. Unfortunately, the security of an SoS cannot be guaranteed by separately addressing the security of each CS. Security must also be addressed at the SoS level. This paper reviews some of the most prominent cybersecurity risks within the SoS research field and combines this with the cyber and information security economics perspective. This sets the scene for a structured assessment of how various cyber risks can be addressed in different SoS architectures. More precisely, the paper discusses the effectiveness and appropriateness of five cybersecurity policy options in each of the four assessed SoS archetypes and concludes that cybersecurity risks should be addressed using both traditional design-focused and more novel policy-oriented tools. 
6.
  • Caporuscio, Mauro, 1975-, et al. (author)
  • Smart-troubleshooting connected devices : Concept, challenges and opportunities
  • 2020
  • In: Future Generation Computer Systems. - : Elsevier. - 0167-739X .- 1872-7115. ; 111, pp. 681-697
  • Journal article (peer-reviewed), abstract:
    • Today’s digital world and evolving technology has improved the quality of our lives but it has also come with a number of new threats. In the society of smart-cities and Industry 4.0, where many cyber-physical devices connect and exchange data through the Internet of Things, the need for addressing information security and solve system failures becomes inevitable. System failures can occur because of hardware failures, software bugs or interoperability issues. In this paper we introduce the industry-originated concept of “smart-troubleshooting” that is the set of activities and tools needed to gather failure information generated by heterogeneous connected devices, analyze them, and match them with troubleshooting instructions and software fixes. As a consequence of implementing smart-troubleshooting, the system would be able to self-heal and thus become more resilient. This paper aims to survey frameworks, methodologies and tools related to this new concept, and especially the ones needed to model, analyze and recover from failures in a (semi)automatic way. Smart-troubleshooting has a relation with event analysis to perform diagnostics and prognostics on devices manufactured by different suppliers in a distributed system. It also addresses management of appropriate product information specified in possibly unstructured formats to guide the troubleshooting workflow in identifying fault–causes and solutions. Relevant research is briefly surveyed in the paper in order to highlight current state-of-the-art, open issues, challenges to be tackled and future opportunities in this emerging industry paradigm.
7.
  • Ray, Apala (author)
  • Initial Trust Establishment for Heterogeneous Industrial Communication Networks
  • 2014
  • Licentiate thesis (other academic/artistic), abstract:
    • The severity of cyber threats towards existing and future industrial systems has resulted in an increase of security awareness in the industrial automation domain. Compared to traditional information security, industrial communication systems have different performance and reliability requirements. The safety and availability requirements can also sometimes conflict with the system security design of plants. For instance, it is not acceptable to create a secure system which may take up additional time to establish security and as a consequence disrupt the production in plants. Similarly, a system which requires authentication and authorization procedures before any emergency action may not be suitable in industrial plants. Therefore, there is a need for improvement of the security workflow in industrial plants, so that the security can be realized in practice. This also leads to the requirement of secure device deployment and secure data communication inside the industrial plants. In this thesis, the focus is on the initial trust establishment in industrial devices. The initial trust establishment is the starting point for enabling a secure communication infrastructure. Reusability analysis with financial sectors has been considered as the reuse of security solutions from this adjacent application domain can be a simple and an effective way to achieve the desired system security. Through this analysis, the reusability features have been identified and workflows have been proposed which can be used to bootstrap initial trust in the industrial process control devices and manage security workflow. A proof-of-concept implementation to prove the feasibility of the device deployment workflow has also been provided.
8.
  • Flammini, Francesco, Senior Lecturer, 1978- (author)
  • Artificial Intelligence (AI) applicata agli Autonomous Systems
  • 2018
  • Book (other academic/artistic), abstract:
    • The study of artificial intelligence applied to autonomous systems has in recent years aroused growing interest at the international level, and it is expected that this interest will continue to grow in the coming years [34]. It is a fairly well known fact that in the past many technologies now used in the civil field have seen the light, more or less secretly, in the military sector. Consider, for example, the so-called ARPANET, developed by the US defense department, which anticipated the modern Internet, but also algorithms for data encryption, thermal cameras, and many other commonly used technologies. Today the scenario has partly changed, shifting the leadership of innovation towards other domains, since there is a considerable boost to the technological development in the civil field with the advance of connected society paradigms like Smart-City and Industry 4.0. One example is related to the self-driving vehicles, born in the military sector, which are developing more rapidly in the civil sphere with the attractive self-driving cars. It is therefore important to transfer enabling technologies from one domain to another (cross-fertilization) and to draw appropriately from the outside (open innovation). This is achieved through studies and researches such as the one addressed by this monograph. The objective of this study is to analyze the principles, the basic methodologies and the operational tools of artificial intelligence applied to autonomous systems, at the modeling and technology level, in order to replace human-controlled vehicles with autonomous or semi-autonomous vehicles (e.g. drones) in high-risk operating environments, as well as to reduce human errors and to speed up response times, for example in operations command and control centers. 
The study presents an overview of the information fusion approaches to enable artificial cognition, mentioning several relevant applications in the military field, already at an advanced phase of development or even at an embryonic level. These approaches can be used to strengthen weapon systems and defense means, with greater ability to adapt to the operational context for the dynamic management of uncertainties and unforeseen events, as well as for experiential evolution and learning. Future applications include not only self-driving vehicles and smart weapons, but also the strengthening of soldiers through prosthetics and exoskeletons. Many of the future projections have been formalized by the working group on Symbiotic Autonomous Systems – which the writer is a member of – of the Institute of Electrical and Electronics Engineers (IEEE), enclosed in a special White Paper [34]. The present study addresses the impact of the Artificial Intelligence (AI) on the use of the military instrument when this technology will be applied to military assets and weapon systems, taking into account the different declinations of AI, including: • deterministic (semi)autonomous systems implemented through Boolean logical operators (eg Event Trees); • (semi)Autonomous systems based on probabilistic / stochastic models for the representation of knowledge and inference (eg Bayesian Networks); • (semi)Autonomous systems based on trained artificial neuronal models (ANN, Artificial Neural Networks). These approaches are based on different models of machine learning, which can be supervised or not. They apply to classification and clustering approaches in modern data analysis approaches, particularly in the presence of large amounts of information (big data analytics). 
This study distinguishes between semi-autonomous AI models, which require the confirmation of decisions by human operators (DSS, Decision Support Systems), and complete autonomy, which presents predictability problems impacting the verification and validation process and therefore system safety. These are the cases in which the aforementioned ethical, procedural, normative and legal implications are more relevant [1]. The introduction of autonomous systems equipped with artificial intelligence involves transformations also at the level of military logistics, which can be interpreted in two directions. On the one hand, it is necessary to plan the procurement of enabling technologies, the so-called deployable systems based on secure wireless networks, and the updating of systems to support complete digitalisation, which is an essential pre-requisite for the adoption of the instrument. The other side of the coin is the use of a higher level of automation in military logistics, supported by the AI. Here we can mention the automatic multi-objective optimization algorithms for decision support (eg genetic and evolutionary programming), the computation of the most efficient paths (in terms of time, energy, etc.), the dynamic definition of optimization priorities, as well as aspects of resilience through automatic re-planning of the route in the event of interruptions on the predefined trajectory. For all that has been said so far, it is clear that the development of the AI will have consequences on the future organization of the armed forces, both for the conduct of the operations and for the structure and numbers of the defense sector. As in other areas subject to automation through the use of new digital technologies, even in the military one the human role of decision supervision, feedback and control of high-level operations will remain decisive for many years. 
At the same time, however, the need for training and specialization in line with the complete computerization will arise, with significant impacts in terms of information security (or cybersecurity), which will require increasingly specific skills. The fact that complete autonomy would be possible in the event of unavailability of personnel in control centers implies not only a higher level of security, but also the possibility of reducing organizational redundancies by dedicating resources to different and more specialized tasks. As already underlined, there are significant ethical and legal implications related to future decision-making processes for the choice of using force through a weapon system governed by an artificial intelligence, potentially endowed with a high level of autonomy. It is therefore essential to define clear and shared limitations and conditions of autonomy for the verifiability and traceability of the decision-making process. In particular, in order to govern decision-making and prevent ambiguities, it is essential to apply the well-known RACI (Responsible Accountable Consulted Informed) paradigm, which defines for each action who is responsible for its implementation, who is associated with its administrative / legal responsibility, who will have to be consulted for further information and possible approval, and finally who will have to be simply, but obligatorily, informed. All aspects related to international safety certifications that regulate design, development and verification of systems whose malfunctions can impact on the safety of people are also essential. Many of the current reference standards are no longer adequate if we consider the current and anticipated evolution of AI, and therefore they will have to be adjusted accordingly.