
    The Forgotten Password: A Solution to Selecting, Securing and Remembering Passwords

    Internet passwords are required of us more and more. Personal experience and research show that it is difficult to create and remember unique passwords that meet security requirements. This study tested a method of password generation based on a selection of mnemonic aids aimed at increasing the usability, security and memorability of passwords. Fifty-one engineers, accountants and university students aged 17 to 61 years participated in the study. They were randomly assigned to one of three groups: mnemonic, self-selection and random. All passwords in the study had to meet the following criteria: they had to be unique, at least eight characters long with a mixture of letters and numbers, and not include complete words, personal identifiers, or sequential or repetitive numbers; the passwords could not be written down or recorded anywhere. The mnemonic group created passwords based on a variety of mnemonic processes, the self-selection group generated passwords that complied with the above criteria, and the random group were assigned random passwords generated by the experimenter. Password recall was tested online once a week for three weeks, after which the passwords were renewed, with participants staying in the same groups for the length of the study. The second password was tested weekly for three weeks, then the passwords were renewed for the third and final time and tested for a further three weeks. The expectation was that the use of mnemonics in password creation would improve accurate recall of passwords, more so than if the password was self-selected or a random password was assigned. The results showed that participants in the mnemonic group were able to accurately recall all three passwords significantly more often than participants in the self-selection and random groups. Furthermore, passwords created by the mnemonic group were more secure than passwords created by the self-selection group: they had a greater number of characters, a slightly larger alphabet size and a higher degree of entropy. The results are discussed in terms of the practical relevance of the findings.
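    The abstract compares groups on three measures (length, alphabet size and entropy) and lists the criteria every password had to meet. The following Python is an added example, not code from the study, that implements those criteria as a checker and the three measures as the study describes them. The character-class sizes, the short wordlist and the sample passwords are constructed assumptions; the entropy figure is the brute-force search space log2(alphabet ** length), which says nothing about how guessable a human-chosen string actually is.

```python
import math
import re

# Character classes used to estimate the alphabet a password draws on.
# The class sizes (26 lower, 26 upper, 10 digits, 33 printable symbols) and
# the tiny wordlist below are assumptions of this example, not figures from
# the study.
CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)
WORDLIST = {"password", "summer", "london", "welcome", "letmein"}


def alphabet_size(pw):
    """Sum of the sizes of every character class the password actually uses."""
    return sum(size for rx, size in CLASSES if rx.search(pw))


def entropy_bits(pw):
    """Brute-force search space in bits: log2(alphabet ** length).

    This is the length-times-alphabet view used to compare the groups; it is
    an upper bound, not a measure of how guessable a human-chosen string is.
    """
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def bad_digit_run(pw, run=3):
    """True if any run of digits contains `run` consecutive sequential
    (123, 987) or repeated (777) digits."""
    for digits in re.findall(r"\d+", pw):
        for i in range(len(digits) - run + 1):
            window = [int(c) for c in digits[i:i + run]]
            diffs = {b - a for a, b in zip(window, window[1:])}
            if diffs in ({0}, {1}, {-1}):
                return True
    return False


def contains_word(pw, wordlist=WORDLIST):
    """Case-insensitive substring match against a dictionary."""
    low = pw.lower()
    return any(w in low for w in wordlist)


def check_policy(pw, personal=()):
    """Return the list of study criteria the password violates (empty == compliant).

    `personal` holds identifiers (name, username, birth year ...) that must
    not appear anywhere in the password.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")
    if contains_word(pw):
        problems.append("contains a complete dictionary word")
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains a personal identifier")
    if bad_digit_run(pw):
        problems.append("contains sequential or repetitive digits")
    return problems


def summarise(passwords):
    """Mean length, alphabet size and entropy for a group, mirroring the
    between-group comparison in the study."""
    n = len(passwords)
    return {
        "mean_length": sum(len(p) for p in passwords) / n,
        "mean_alphabet": sum(alphabet_size(p) for p in passwords) / n,
        "mean_entropy_bits": sum(entropy_bits(p) for p in passwords) / n,
    }


if __name__ == "__main__":
    # Constructed sample passwords, one pair per study group.
    groups = {
        "mnemonic": ["2bon2b,titq", "Mc@5am-Ih8it!"],   # "to be or not to be, that is the question"
        "self-selected": ["Summer2023", "london123"],
        "random": ["x7Qp9mLz", "R3kd8Wqa"],
    }
    for name, pws in groups.items():
        print(name, summarise(pws), [check_policy(p) for p in pws])
```

    Running the block shows why the self-selected group fares worst: "Summer2023" and "london123" fail the dictionary-word and sequential-digit rules even though both satisfy the eight-character, letters-plus-digits minimum, while the mnemonic phrase passes every rule and draws on the largest alphabet.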

    Click Surveillance of Your Partner! Digital Violence among University Students in England

    Information and communication technologies (ICTs) have given rise to new forms of contact as well as new forms of violence. This research analyses whether ICTs are the cause of a new form of digital violence and studies the prevalence of this digital violence exercised through screens among university couples. A quantitative and qualitative methodology was applied: a non-probabilistic purposive or discretionary sample of 303 (Age = 22.79; SD = 47.32; 58.7% male), with the use of an ad hoc questionnaire, and two focus groups of students studying in the same country. The results reveal a prevalence of 51.04% in the perception of digital violence through electronic devices in dating relationships among young people; 15.84% in the prevalence of digital violence in young couples' relationships; 9.36% in the prevalence of traditional violence; and 35.78% in the tolerance of digital violence among young people. The results highlight a slightly higher prevalence of digital violence among women than among men. We conclude that there is a significant prevalence of digital violence among these young couples in the university context, which should be addressed through the creation of awareness-raising, prevention and specific training programmes against it.

    Evaluating readability as a factor in information security policies

    This thesis was previously held under moratorium from 26/11/19 to 26/11/21.

    Policies should be treated as rules or principles that individuals can readily comprehend and follow as a pre-requisite to any organisational requirement to obey and enact regulations. This dissertation attempts to highlight one of the important factors to consider before issuing any policy that staff members are required to follow. Presently, there is no ready mechanism for estimating the likely efficacy of such policies across an organisation. One factor that has a plausible impact upon the comprehensibility of policies is their readability. Researchers have designed a number of software readability metrics that evaluate how difficult a passage is to comprehend; yet little is known about the impact of readability on the interpretation of information security policies and whether analysis of readability may prove to be a useful insight. This thesis describes the first study to investigate the feasibility of applying readability metrics as an indicator of policy comprehensibility through a mixed methods approach, with the formulation and implementation of a seven-phase sequential exploratory fully mixed methods design. Each phase was established in light of the outcomes of the previous one. The methodological approach of this research study is one of the distinguishing characteristics reported in the thesis, and was as follows:
    * eight policies were selected (from a combination of academia and industry sector institutes);
    * specialists were asked for their insights on key policy elements;
    * focus group interviews were conducted;
    * comprehension tests were developed (Cloze tests);
    * a pilot study of comprehension tests was organised (preceded by a small-scale test);
    * a main study of comprehension tests was performed with 600 participants, reduced to 396 for validation;
    * a comparison was made of comprehension results against readability metrics.
    The results reveal that the traditional readability metrics are ineffective at predicting the participants' comprehension results. Nevertheless, readability, as measured using a bespoke readability metric, may yield useful insight into the likely difficulty that end-users may face in comprehending a written text. Thereby, our study aims to provide an effective approach to enhancing the comprehensibility of information security policies and afford a facility for future research in this area. The research contributes to our understanding of readability in general and proposes a technique for measuring it in particular. We recommend immediate corrective actions to enhance the ease of comprehension of information security policies. In part, this may reduce instances where users avoid fully reading the information security policies, and may also increase the likelihood of user compliance. We suggest that the application of appropriately selected readability assessment may assist policy makers to test their draft policies for ease of comprehension before policy release. Indeed, there may be grounds for a readability compliance test that future information security policies must satisfy.
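    The abstract refers to the traditional readability metrics that the study found ineffective without naming one. As an added example, not code from the thesis, the Python below implements two of the best-known such metrics, Flesch Reading Ease and Flesch-Kincaid grade level, and runs them over two constructed policy clauses: one written plainly and one in the dense register many security policies use. The syllable counter is a deliberately simple heuristic (vowel groups, silent trailing "e" dropped) of the kind such tools rely on; the sample clauses were chosen so that it counts them correctly, but it misjudges words such as "anyone" or "ninety", which is one reason a surface metric can fail to track real comprehension.

```python
import re

WORD = re.compile(r"[A-Za-z]+")
VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word):
    """Heuristic English syllable count: vowel groups, with a silent
    trailing 'e' dropped (but 'table', 'enable' keep their final '-le')."""
    w = word.lower()
    if len(w) <= 3:
        return 1
    if w.endswith("e") and not w.endswith("le"):
        w = w[:-1]
    return max(1, len(VOWEL_GROUP.findall(w)))


def text_stats(text):
    """Word, sentence and syllable counts for a passage."""
    words = WORD.findall(text)
    sentences = len(re.findall(r"[.!?]+", text)) or 1
    syllables = sum(count_syllables(w) for w in words)
    return {"words": len(words), "sentences": sentences, "syllables": syllables}


def flesch_reading_ease(text):
    """Higher is easier; roughly 60-70 is plain English, below 30 is very hard."""
    s = text_stats(text)
    if s["words"] == 0:
        return 0.0
    return (206.835
            - 1.015 * (s["words"] / s["sentences"])
            - 84.6 * (s["syllables"] / s["words"]))


def flesch_kincaid_grade(text):
    """US school grade level needed to follow the text."""
    s = text_stats(text)
    if s["words"] == 0:
        return 0.0
    return (0.39 * (s["words"] / s["sentences"])
            + 11.8 * (s["syllables"] / s["words"])
            - 15.59)


# Constructed policy clauses (not taken from any of the eight policies in the study).
PLAIN = ("Users must not share their passwords with others. "
         "Passwords expire after one year. "
         "Report a suspected breach to the security team at once.")
DENSE = "Authentication credentials shall be protected against improper disclosure."


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("dense", DENSE)):
        print(label, text_stats(text),
              "FRE=%.1f" % flesch_reading_ease(text),
              "FK grade=%.1f" % flesch_kincaid_grade(text))
```

    The plain clauses score around 70 on Reading Ease (grade level about 5), while the single dense sentence scores below zero (grade level about 18), even though both say much the same thing. That is what a metric-driven pre-release check would flag; the thesis's point is that such scores did not predict how participants actually performed on the Cloze tests, so they are a screening aid, not a substitute for testing comprehension.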

    Strategic framework to minimise information security risks in the UAE

    A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirements for the PhD degree.

    The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to the security measures undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. The Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information, including passwords of online accounts, can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study of three main Gulf Cooperation Council (GCC) countries, namely Saudi Arabia (KSA), the United Arab Emirates (UAE) and Oman, showing a similarly significant level of sensitive information sharing among employees across the region. This is shown to contribute substantially to the compromise of user digital authentication, eventually putting users' accounts at risk. The research continued by carrying out a comparison between the United Kingdom (UK) and the GCC countries in terms of attitudes and behaviour towards information sharing. It was evident that there is a significant difference between GCC Arab culture and UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts which may lead to threats to the authentication mechanism and consequently to other digital accounts that require a credential. It was shown that lack of awareness and cultural impact are the main drivers of sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures for reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. It found that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best means of achieving that cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies, those of the United Kingdom (UK), the United States (U.S.) and Australia (AUS), in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness as a means of reducing information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends. Rather, computer users should be educated about the risks of such behaviour in order to recognise and change it. As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed the basis for the information security education framework also proposed in this work.

    It's all about me! The Influence of Personality on Susceptibility to Mobile Security Attacks


    Collaborative practice in enhancing the first year student experience in higher education

    Transition into higher education presents challenges for students, whatever their age or previous educational history. An emerging issue on an undergraduate programme in England was how to support students who self-reported educational histories of continual formative feedback, model answers, revision guides and limited use of the library. This article reports findings from an action research project which considered whether there was a mismatch between students' previous educational histories and the academic expectations of the university. Findings indicated that academic expectations did not fully take account of previous student experiences. Student responses also indicated little previous guidance around effective internet searching, and libraries were rarely used prior to starting university. Transitional scaffolding was positively evaluated, with students reporting greater confidence in accessing appropriate resources, and high levels of student completion, retention and satisfaction.

    Educating the effective digital forensics practitioner: academic, professional, graduate and student perspectives

    Over the years, digital forensics has become an important and sought-after profession, and the gateway of training and education has developed vastly over the past decade. Many UK higher education (HE) institutions now deliver courses that prepare students for careers in digital forensics and, most recently, cyber security. Skills shortages and external influences attributed to the field of cyber security, and its relationship as a discipline with digital forensics, have shifted the dynamic of UK higher education provision. The implication is that the route to becoming a digital forensic practitioner, be it in law enforcement or business, has transformed from on-the-job training to university-educated, trained analysts. This thesis examined courses within HE and discovered that their delivery often overlooked areas such as mobile forensics, live data forensics, and Linux and Mac knowledge. This research also considered current standards available across HE to understand whether educational programmes are delivering what is documented as relevant curriculum. Cyber security was found to be the central focus of these standards, with digital forensics included within it, adding further to the debate about the lack of a distinct identity for digital forensics as its own discipline. Few standards demonstrated how the topics, knowledge, skills and competences drawn were identified as relevant and effective for producing digital forensic practitioners. Additionally, this thesis analyses and discusses results from 201 participants across five stakeholder groups: graduates, professionals, academics, students and the public. These groups were selected because they are underdeveloped in the existing literature and because of the crucial role they play in the cycle of producing effective practitioners. Analysis of stakeholder views, experiences and thoughts surrounding education and training offers unique insight, theoretical underpinnings and original contributions not seen in the existing literature. Examples include the challenges, costs and initial issues for employers and supervising practitioners in introducing graduates to employment, and the lack of awareness and contextualisation on the part of students and graduates of what knowledge and skills they have learned and acquired on a course and how these apply on the job, which often leads to suggestions that fundamental knowledge and skills are lacking. This is evidenced throughout the thesis; examples include graduates, for their reflections on education based on their new on-the-job experiences and practices; professionals, for their job experiences and requirements; academics, for their educational practices and challenges; students, for their initial expectations and views; and the public, for their general understanding. This research uniquely captures these perspectives, bolstering the development of digital forensics as an academic discipline, along with the importance these diverse views play in the overall approach to delivering skilled practitioners. While the main contribution to knowledge within this thesis is its narrative focusing on the education of effective digital forensic practitioners and its major stakeholders, the thesis also makes additional contributions both academically and professionally, including the discussion, analysis and reflection of:
    - improvements for education and digital forensics topics for research and curriculum development;
    - where course offerings can be improved for institutions offering digital forensic degree programmes;
    - the need for further collaboration between industry and academia to provide students and graduates with greater understanding of the real-life role of a digital forensic practitioner and the expectations in employment;
    - the continuous and unique challenges within both academia and industry that digital forensics poses, and the need for improved facilities and tool development to curate and share problem- and scenario-based learning studies.

    The establishment of a mobile phone information security culture: linking student awareness and behavioural intent

    The information security behaviour of technology users has become an increasingly popular research area as security experts have come to recognise that while securing technology by means of firewalls, passwords and offsite backups is important, such security may be rendered ineffective if the technology users themselves are not information security conscious. The mobile phone has become a necessity for many students but, at the same time, it exposes them to security threats that may result in a loss of information. Students in developing countries are at a disadvantage because they have limited access to information relating to information security threats, unlike their counterparts in more developed societies who can readily access this information from sources like the Internet. The developing-country environment is plagued with challenges such as limited access to the Internet or to computers. The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context as most undergraduate students are offered a computer-related course which covers certain information security-related principles. During the restructuring of the South African higher education system, smaller universities and technikons (polytechnics) were merged to form comprehensive universities. Thus, the resultant South African university landscape is made up of traditional and comprehensive universities as well as universities of technology. Ordinarily, one would expect university students to have similar profiles. However, in the case of this study, the environment was a unique factor which had a direct impact on students' learning experiences and learning outcomes. Mbeki (2004) refers to two economies within South Africa: the first is financially sound and globally integrated, and the other, found in urban and rural areas, consists of unemployed and unemployable people who do not benefit from progress in the first economy. Action research was the methodological approach chosen for the purposes of this study to collect the requisite data among a population of university students from the 'second economy'. The study focuses on the relationship between awareness and behavioural intention in understanding mobile phone user information security behaviour. The study concludes by proposing a behaviour profile forecasting framework based on predefined security behavioural profiles. A key finding of this study is that the security behaviour exhibited by mobile phone users is influenced by a combination of information security awareness and information security behavioural intention, and not just information security awareness.

    PERSONALISING INFORMATION SECURITY EDUCATION

    Whilst technological solutions go a long way in providing protection for users online, it has long been understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection a control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one's electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and, importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focused primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focused upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training, both in their workplace and at home, with a positive relationship between learning at the workplace and practice at home. The survey highlighted one key aspect of both the training provided and the respondents' preferred learning styles: they vary. It was also clear that it was difficult to establish the effectiveness of such training and its impact upon practice. The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework, Personalising Information Security Education (PISE), is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather puts in place the processes to enable an individual to develop their own personalised information security learning plan and to measure their progress through the learning experience.

    Ministry of Higher Education Malaysia

    How to increase ethical awareness in cybersecurity decision-making

    Cybersecurity technologies offer secure channels to enable the confidentiality, integrity, and availability of data and services. Human factors such as demographics, personality traits and human values, which are linked with greater cybersecurity vulnerability, have drawn less attention. It is important to understand how to increase ethical awareness among cybersecurity professionals via training. This ethical awareness helps professionals make better moral judgments prior to final decisions and reduces the risk of unexpected human implications. To sensitise players to five cybersecurity ethical principles (beneficence, non-maleficence, justice, autonomy, and explicability), we created a serious game. This game allows players to explore multiple cybersecurity scenarios based on these five cybersecurity ethical principles. Although the analysis does not support the claim that the game increased ethical awareness in general, it did help promote better ethical understanding in some cases, where players advanced from providing non-ethical to ethical justifications in a cybersecurity scenario after playing the game.