40 research outputs found

    Explainer Video "Online Fraud": Demonstrably and Significantly Better Recognition of Phishing E-Mails After Only Five Minutes

    Fraudsters have always exploited the trust of careless people and tried to defraud them. In the computer age, the options available to fraudsters have expanded, and they can now target anyone who owns an e-mail address. Fraudsters tailor their phishing messages specifically to their victims and conceal the deception and fraud as well as possible. Consequently, raising users' awareness of phishing and their ability to detect it is becoming ever more important. The phishing awareness programs we have developed so far address existing misconceptions and misunderstandings about phishing and can specifically help improve the detection of such messages. The biggest drawback of these awareness programs is the time they require. We therefore developed and evaluated a phishing awareness video that informs viewers about phishing in five minutes. After watching the video, participants in our study recognized phishing messages significantly more reliably (compared with their detection rate before watching the video). This ability was also demonstrated in a final survey after an eight-week break.

    Cybersecurity challenges: Serious games for awareness training in industrial environments

    Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers' needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.

    Information Security Awareness in Public Administrations

    Government digital agendas worldwide go hand in hand with the digital transformation in businesses and public administrations as well as the digital changes taking place in society. Information security (IS) and awareness (ISA) must be an integrated part of these agendas. The goal of IS is to protect information of all types and origins. Here, the employees play a necessary and significant role in the success of IS, and the entire staff of an institution needs to know about their specific roles and be aware of the information security management system (ISMS). As there are still fundamental strategic deficiencies in the institutions themselves, humans should not be called "the weakest link" in the security chain. Rather, sustainable awareness-raising and training for people should be established in the institutions using interactive, authentic, and game-based learning methods. Psychological studies show the great importance of emotionalization when communicating IS knowledge and the reliable exchange of experience about IS. However, in many institutions, a change in culture is becoming necessary. IS must be integrated into all (business) processes and projects, and viable safeguards must be included. This chapter summarizes the most important scientific findings and transfers them to the practice of public administrations in Germany. Moreover, it shows examples of learning methods and provides practical assistance for IS sensitization and training.

    How Representative Are the Measurement Data of a Honeynet?

    For the early detection of critical network phenomena, many kinds of distributed sensor networks have been established and studied on the Internet in the past. We consider the phenomenon "distribution of malicious software in the network", which can be measured at selected points, for example with the InMAS sensor system. However, it has always been unclear how representative the data collected by such a sensor network are. This document describes a methodological framework with which measures of representativeness can be attached to measurements from malware sensor networks. Techniques from empirical social research were used as the methodological approach. The result is that a sensor network with at least 100 sensors distributed randomly across the network range appears necessary in order to make any robust statements at all about the representativeness of sensor network measurements.

    Vote Casting in Any Preferred Constituency: A New Voting Channel

    In our society a rising number of people change their residence regularly. Insofar, mobility seems to be necessary even on Election Day, which is the reason why an increasing number of eligible voters use the opportunity of postal voting. Thereby, the abidance by the election principles, especially the freedom and secrecy of elections, is automatically transferred into the private sector. This would not be necessary if eligible voters had the possibility to cast their vote in any preferred constituency within the electoral area. Therefore, we investigate in this work if and how vote casting in any constituency can be constitutionally compliant, while maintaining the current electoral system. We also consider the integration of the new German electronic ID card for voter identification and authentication.

    Software Security Metrics for Malware Resilience

    We examine the level of resistance offered by a software product against malicious software (malware) attacks. Analysis is performed on the software architecture. This is available as a result of the software design process and can hence be used at an early stage in development. A model of a generic computer system is developed, based on the internationally recognized Common Criteria for Information Technology Security Evaluation. It is formally specified in the Z modeling language. Malicious software attacks and security mechanisms are captured by the model. A repository of generic attack methods is given and the concept of resistance classes introduced to distinguish different levels of protection. We assess how certain architectural properties and changes in system architecture affect the possible resistance classes of a product. This thesis has four main contributions: a generic model of an operating system from a security perspective, a repository of typical attack methods, a set of resistance classes, and an identification of software architecture metrics pertaining to ordered security levels.

    Business and IT Continuity Benchmarking

    Towards Managing the Migration to Post-Quantum-Cryptography

    As soon as cryptographically relevant quantum computers exist, they can break today's prevalent asymmetric cryptographic algorithms. Organizations (and the IT society) have to plan on migrating to quantum-resilient cryptographic measures, also known as post-quantum cryptography (PQC). However, this is a difficult task, and to the best of our knowledge, there is no generalized approach to manage such a complex migration for cryptography used in IT systems. PMMP helps organizations manage the migration to PQC and establish crypto-agility. Having finished the initial theoretical design phase, we are now looking to promote PMMP to encourage practitioners to join the effort and work with us to develop it further.