A Socio-Technical Approach to Information Security

The main objective of this paper is to present a preliminary socio-technical information security (STInfoSec) framework for the development of online information security applications that addresses both social and technical aspects of information security design. The paper looks at theoretical aspects related to a view of information security as a soci0-technical system in the context of online banking. The STInfoSec framework investigates usability and security requirements for an improved online banking system that seeks to improve the adoption and continued use of the service. The STInfoSec framework proposes 12 usable security design principles that assist in addressing security and usability requirements in online applications such as online banking. The framework seeks to influence the behaviour of designers of online information security applications by incorporating principles that consider the end user behaviour of such applications. The validation of the framework is beyond the scope of this paper

Banks and Brokers and Bricks and Clicks: An Evaluation of FINRA\u27s Proposal to Modify the Bank Broker-Dealer Rule

As discussed in this article, the proposed rule change protects bank customers who may be solicited for the purchase of investment products and services, but only to a limited extent. It does not rectify sales practices of broker-dealers--affiliated with financial institutions--which tend to confuse, and even mislead, financially unsophisticated investors of modest means who can least afford to be exposed to excessive risk. Additionally, the proposed rule change adds no meaningful surveillance, inspection, enforcement, or punitive mechanisms to prevent and/or redress insidious practices that are akin to “bait and switch” tactics and are particularly effective against financially unsophisticated investors. In fact, the proposed rule change even rolls back some key regulatory provisions, an especially unsettling retreat when one considers the lack of oversight during the recent market malaise and the contribution that such abridgement may have made to the present economic contraction as a reverse “wealth effect” impinges upon consumer behavior. In short, as demonstrated below, the proposed rule change is inadequate to sufficiently protect investors and promote genuine market integrity

Enhancing Web Browsing Security

Web browsing has become an integral part of our lives, and we use browsers to perform many important activities almost everyday and everywhere. However, due to the vulnerabilities in Web browsers and Web applications and also due to Web users\u27 lack of security knowledge, browser-based attacks are rampant over the Internet and have caused substantial damage to both Web users and service providers. Enhancing Web browsing security is therefore of great need and importance.;This dissertation concentrates on enhancing the Web browsing security through exploring and experimenting with new approaches and software systems. Specifically, we have systematically studied four challenging Web browsing security problems: HTTP cookie management, phishing, insecure JavaScript practices, and browsing on untrusted public computers. We have proposed new approaches to address these problems, and built unique systems to validate our approaches.;To manage HTTP cookies, we have proposed an approach to automatically validate the usefulness of HTTP cookies at the client-side on behalf of users. By automatically removing useless cookies, our approach helps a user to strike an appropriate balance between maximizing usability and minimizing security risks. to protect against phishing attacks, we have proposed an approach to transparently feed a relatively large number of bogus credentials into a suspected phishing site. Using those bogus credentials, our approach conceals victims\u27 real credentials and enables a legitimate website to identify stolen credentials in a timely manner. to identify insecure JavaScript practices, we have proposed an execution-based measurement approach and performed a large-scale measurement study. Our work sheds light on the insecure JavaScript practices and especially reveals the severity and nature of insecure JavaScript inclusion and dynamic generation practices on the Web. to achieve secure and convenient Web browsing on untrusted public computers, we have proposed a simple approach that enables an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a Web session. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer

Assessing usable security of multifactor authentication

An authentication mechanism is a security service that establishes the difference between authorised and unauthorised users. When used as part of certain website processes such as online banking, it provides users with greater safety and protection against service attacks and intruders. For an e-banking website to be considered effective, it should provide a usable and secure authentication mechanism. Despite existing research on usability and security domains, there is a lack of research on synthesising the contributions of usable security and evaluating multifactor authentication methods. Without understanding the usability and security of authentication mechanisms, the authenticating process is likely to become cumbersome and insecure. This negatively affects a goal of the authentication process, convenience for the user. This thesis sought to investigate the usability and security of multifactor authentication and filled an important gap in the development of authenticating processes. It concentrated on users’ perspectives, which are crucial for the deployment of an authenticating process. To achieve the thesis goal, a systematic series of three studies has been conducted. First, an exploratory study was used to investigate the current state of the art of using multifactor authentication and to evaluate the usability and security of these methods. The study involved a survey of 614 e-banking users, who were selected because they were likely long-term users of online banking and they had two different bank accounts, a Saudi account and a foreign account (most foreign accounts were British). The study indicated that multifactor authentication has been widely adopted in e-banking in Saudi Arabia and the United Kingdom, with high levels of security and trustworthiness as compared to single factor authentication. The second study was a descriptive study of the most common authentication methods. This study aimed to learn more about commonly used methods that were identified in the previous study and sought to propose an appropriate combination of authentication methods to be evaluated in the third study. The third study was an experimental study with 100 users to evaluate the usable security of three different multifactor authentication methods: finger print, secure device and card reader. A web based system was designed specifically for this study to simulate an original UK e-banking website. One of the main contribution of this study was that the system allowed users to choose their preferred authentication method. Moreover, the study contributed to the field of usable security by proposing security evaluation criteria based on users’ awareness of security warnings. The key result obtained indicated that fingerprinting was the most usable and secure method. Additionally, the users’ level of understanding security warnings was very low, as shown by their reaction to the security indicators presented during the experiment

Usability engineering for code-based multi-factor authentication

The increase in the use of online banking and other alternative banking channels has led to improved flexibility for customers but also an increase in the amount of fraud across these channels. The industry recommendation for banks and other financial institutions is to use multi-factor customer authentication to reduce the risk of identity theft and fraud for those choosing to use such banking channels. There are few multi-factor authentication solutions available for banks to use that offer a convenient security procedure across all banking channels. The CodeSure card presented in this research is such a device offering a convenient, multi-channel, two-factor code-based security solution based on the ubiquitous Chip-and-PIN bank card. In order for the CodeSure card to find acceptance as a usable security solution, it must be shown to be easy to use and it must also be easy for customers to understand what they are being asked to do, and how they can achieve it. This need for a usability study forms the basis of the research reported here. The CodeSure card is also shown to play a role in combating identity theft. With the growing popularity of online channels, this research also looks at the threat of phishing and malware, and awareness of users about these threats. Many banks have ceased the use of email as a means to communicate with their customers as a result of the phishing threat, and an investigation into using the CodeSure card's reverse (sender) authentication mode is explored as a potential solution in regaining trust in the email channel and reintroducing it as a means for the bank to communicate with its customers. In the 8 experiments presented in this study the CodeSure card was rated acceptably high in terms of mean usability. Overall, the research reported here is offered in support of the thesis that a usable security solution predicated on code-based multi-factor authentication will result in tangible improvements to actual security levels in banking and eCommerce services, and that the CodeSure card as described here can form the basis of such a usable security solution

Automatisierte Wahl von Kommunikationsprotokollen für das heutige und zukünftige Internet

Das erfolgreiche Internet basiert auf einer großen Anzahl unterschiedlicher Kommunikationsprotokolle. Diese erfüllen wesentliche Aufgaben, wie Adressierung, Datentransport oder sichere Kommunikation. Wählt man die richtigen Protokolle aus, so können gewünschte Eigenschaften der Kommunikation erreicht werden. Die vorliegende Arbeit betrachtet die automatisierte Wahl von Kommunikationsprotokollen und die damit erreichbare Verbesserung von zum Beispiel Sicherheit

Comparative data protection and security : a critical evaluation of legal standards

This study1 addresses the key information technology issues of the age and its unintended consequences. The issues include social control by businesses, governments, and information age Star Chambers. The study focuses on a comparative analysis of data protection, data security, and information privacy (DPSIP) laws, regulations, and practices in five countries. The countries include Australia, Canada, South Africa, the United Kingdom, and the United States. The study addresses relevant international legal standards and justifications. This multidisciplinary analysis includes a systems thinking approach from a legal, business, governmental, policy, political theory, psychosocial, and psychological perspective. The study implements a comparative law and sociolegal research strategy. Historic, linguistic, and statistical strategies are applied. The study concludes with a next step proposal, based on the research, for the international community, the five countries in the study, and specifically, South Africa as it has yet to enact a sound DPSIP approach.LL. D