14 research outputs found

    Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

    Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and its awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a Participatory Action Research field study in which we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience, and that the improvement is long lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

    Safety and Reliability - Safe Societies in a Changing World

    The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
    - foundations of risk and reliability assessment and management
    - mathematical methods in reliability and safety
    - risk assessment
    - risk management
    - system reliability
    - uncertainty analysis
    - digitalization and big data
    - prognostics and system health management
    - occupational safety
    - accident and incident modeling
    - maintenance modeling and applications
    - simulation for safety and reliability analysis
    - dynamic risk and barrier management
    - organizational factors and safety culture
    - human factors and human reliability
    - resilience engineering
    - structural reliability
    - natural hazards
    - security
    - economic analysis in risk management

    The human factor in cybersecurity: An experimental approach to cyber-risk and cyberinsurance

    This research work aims at developing and experimentally validating theoretically sound behavioural models capable of explaining and foreseeing the adoption of cyberinsurance and the related human cybersecurity behaviour. Specifically, this dissertation focuses on three critical and interrelated dimensions of cybersecurity: cyberinsurance (adoption of insurance products partially covering the impact of potential attacks), cyberprotection (adoption of measures able to reduce the risk of suffering an attack) and online behaviour (level of cyber-risk assumed by users when navigating online). These dimensions bring into play most of the relevant behavioural issues related to cyberinsurance adoption, such as (i) the rationality of the allocation of the available cybersecurity budget between protection and insurance products, (ii) the potential negative effects of the information asymmetry intrinsic to any field of insurance (including cyberinsurance) and (iii) belief formation on cybervulnerability, especially risk perception and risk assessment methods in the case of intentional attacks. By achieving this objective, our research contributes to filling the critical existing gap on how agents actually make their decisions on cyberinsurance adoption and form perceptions of their own cyber-risks, which has a relevant scientific, policy-making and business development role, as shown in the discussion section of this dissertation. This research work is structured in three chapters.
    (i) This study is devoted to understanding and modelling critical behavioural insights in the process of cyberinsurance adoption. Specifically, we start by analysing potential deviations from perfect rationality and the main behavioural features in the purchase of cyberinsurance policies. We also analyse how the adoption of cyberinsurance may affect agents' behaviour in other dimensions of their cybersecurity strategy, such as cyberprotection and safety level when navigating online. To validate our findings, we ran an online economic experiment with 4,800 subjects in four EU countries. Our main conclusion is that rational choice models fail to predict agents' cybersecurity decisions. Specifically, we found that individuals tend to opt for an overprotective cybersecurity strategy, ensuring higher protection levels and insurance coverage than those that maximise their expected utility. This result motivates the application of a behavioural economics approach to analysing cyberinsurance, and the development of alternative behavioural models that do not assume perfect rationality and are capable of explaining our observational data. Moreover, this result highlights the human component of cybersecurity and the need to develop behaviour-oriented interventions based on sound behavioural insights and capable of taking advantage of the non-rational component of cybersecurity decision-making.
    (ii) Business disruption from cyberattacks is a recognised and growing concern, yet the uptake of cyberinsurance has been relatively low. This study proposed and tested a predictive model of cyberinsurance adoption, incorporating elements of Protection Motivation Theory (PMT) and the Theory of Planned Behaviour (TPB) as well as factors relating to risk propensity and price. Data were obtained from an online behavioural economics experiment with 4,800 participants across four EU countries. During the experiment, participants were given the opportunity to purchase different protection measures and cyberinsurance products before performing an online task. Some participants then suffered a cyberattack in the experimental setup, the probability of which depended on their adoption of protection measures and their behaviour during the online task. The consequences of this attack in turn depended on their cyberinsurance purchase decisions (i.e., basic vs. premium insurance). Structural Equation Modelling (SEM) was applied, and the model was further developed to include elements of the wider security ecosystem. The resulting model shows that all TPB factors, but only response efficacy among the PMT factors, positively predicted adoption of premium cyberinsurance. Premium insurance adoption was also influenced by security measure adoption, individual propensity for risk, and the price differential between basic and premium products. Interestingly, adoption of cybersecurity measures was associated with safer behaviour online, contrary to concerns of 'moral hazard'. The findings highlight the need to consider the larger cybersecurity ecosystem when designing interventions to increase adoption of cyberinsurance and/or promote more secure online behaviour.
    (iii) In domains such as homeland security, cybersecurity and competitive marketing, analysts frequently need to forecast adversarial actions that affect our decisions. Standard structured expert judgement elicitation techniques fall short because they do not take intentionality into account. A decomposition technique based on adversarial risk analysis, followed by recomposition rules based on discrete choice models, enables such a process and facilitates such assessments.

    Towards Detecting Compromised Accounts on Social Networks

    Compromising social network accounts has become a profitable course of action for cybercriminals. By hijacking control of a popular media or business account, attackers can distribute their malicious messages or disseminate fake information to a large user base. The impacts of these incidents range from a tarnished reputation to multi-billion dollar monetary losses on financial markets. In our previous work, we demonstrated how we can detect large-scale compromises (i.e., so-called campaigns) of regular online social network users. In this work, we show how we can use similar techniques to identify compromises of individual high-profile accounts. High-profile accounts frequently have one characteristic that makes this detection reliable: they show consistent behavior over time. We show that our system, were it deployed, would have been able to detect and prevent three real-world attacks against popular companies and news agencies. Furthermore, our system, in contrast to popular media, would not have fallen for a staged compromise instigated by a US restaurant chain for publicity reasons.
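The abstract's one technical claim is that a high-profile account's consistent behaviour over time is what makes compromise detection reliable. The following is an added illustrative example of that idea, not the authors' system (whose features and models are not given on this page): it profiles an account's past posts on a few behavioural features (time of day, posting client, linked domains), scores each new post by how surprising it is under that profile, and flags posts that deviate on several features at once. The post format, the choice of features, the add-one smoothing, the threshold and all sample posts are this example's own constructed assumptions.

```python
"""Behavioural-baseline check for one high-profile account.

Added illustrative example; it is not the detection system described in the
abstract above. It only demonstrates the stated idea: an account with
consistent behaviour over time can be profiled, and a post that departs from
the profile on several features at once can be flagged before it spreads. Post
format, features, smoothing, threshold and all sample data are this example's
own assumptions.
"""
from collections import Counter
from datetime import datetime
from math import log2
from urllib.parse import urlparse

# Constructed history: a corporate account that posts in business hours, almost
# always from one scheduling tool, and links only to its own domain.
HISTORY = [
    {"ts": "2024-03-04T09:05:00", "client": "Hootsuite", "text": "Q1 update https://example.com/q1"},
    {"ts": "2024-03-04T13:30:00", "client": "Hootsuite", "text": "New release https://example.com/release"},
    {"ts": "2024-03-05T10:00:00", "client": "Hootsuite", "text": "Thanks for the feedback, everyone"},
    {"ts": "2024-03-05T15:45:00", "client": "Hootsuite", "text": "Webinar replay https://example.com/webinar"},
    {"ts": "2024-03-06T11:15:00", "client": "Hootsuite", "text": "Office closed tomorrow"},
    {"ts": "2024-03-06T14:00:00", "client": "Hootsuite", "text": "Hiring https://example.com/jobs"},
    {"ts": "2024-03-07T09:50:00", "client": "Twitter Web App", "text": "Live from the conference floor"},
    {"ts": "2024-03-07T16:20:00", "client": "Hootsuite", "text": "Roadmap https://example.com/roadmap"},
]

# Constructed new posts: a routine one, a benign late-night one (only one feature
# is unusual), and a hijack pattern (odd hour, unseen client, unseen link target).
NEW_POSTS = [
    {"ts": "2024-03-08T14:00:00", "client": "Hootsuite", "text": "Patch notes https://example.com/patch"},
    {"ts": "2024-03-08T22:10:00", "client": "Hootsuite", "text": "Late update https://example.com/late"},
    {"ts": "2024-03-09T03:10:00", "client": "Twitter for Android",
     "text": "We are giving away coins https://free-crypto.example/claim"},
]


def extract_features(post):
    """Map a post to the three behavioural features this example profiles."""
    hour = datetime.fromisoformat(post["ts"]).hour
    domains = {urlparse(tok).netloc.lower() for tok in post["text"].split() if tok.startswith("http")}
    return {"hour_bucket": hour // 4, "client": post["client"], "domains": domains}


class BehaviourProfile:
    """Frequency profile of an account's past posts, one counter per feature."""

    def __init__(self, history):
        feats = [extract_features(p) for p in history]
        self.hours = Counter(f["hour_bucket"] for f in feats)
        self.clients = Counter(f["client"] for f in feats)
        self.domains = Counter(d for f in feats for d in f["domains"])

    @staticmethod
    def _surprise(counter, value):
        # -log2 P(value) under add-one smoothing, so a never-seen value gets a
        # large but finite score instead of a division by zero.
        total = sum(counter.values()) + len(counter) + 1
        return -log2((counter.get(value, 0) + 1) / total)

    def score(self, post):
        """Total surprise of a post; rare values on several features add up."""
        f = extract_features(post)
        s = self._surprise(self.hours, f["hour_bucket"])
        s += self._surprise(self.clients, f["client"])
        for d in f["domains"]:
            s += self._surprise(self.domains, d)
        return s


def flag_anomalies(history, posts, threshold=7.0):
    """Return (text, score) for the posts whose surprise exceeds the threshold."""
    profile = BehaviourProfile(history)
    scored = [(p["text"], round(profile.score(p), 2)) for p in posts]
    return [(text, s) for text, s in scored if s > threshold]


if __name__ == "__main__":
    profile = BehaviourProfile(HISTORY)
    for p in NEW_POSTS:
        print(f"{profile.score(p):5.2f}  {p['text']}")
    print("flagged:", flag_anomalies(HISTORY, NEW_POSTS))
```

With the constructed data the routine post scores about 2.3, the late-night post about 4.3 (a single unusual feature is not enough), and the hijack pattern about 9.9, so only the last one is flagged. The summed-surprise design is what gives the approach its robustness for accounts with stable habits: a real compromise usually changes several features simultaneously (new device or client, new posting hours, new link targets), whereas legitimate variation tends to move one feature at a time. The threshold and feature set would need tuning per account, and an account without a stable baseline (an erratic personal account) gives a noisy profile, which is the caveat behind the abstract's emphasis on high-profile accounts.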

    Measuring adaptation in middle childhood: The development of the Hampstead Child Adaptation Measure (HCAM)

    Despite the important developmental tasks and prevalence of psychopathology encountered during middle childhood, this aspect of maturity remains relatively neglected, particularly in the area of treatment effectiveness. In the absence of such research findings, statutory authorities responsible for health, education and social services are currently funding therapy interventions for children with little evidence of which interventions are most effective for specific disturbances and age groups. Although research in this area is increasing, one significant obstacle prevails: the absence of psychometrically sound measures appropriate for outcome assessment. This thesis presents the development of the Hampstead Child Adaptation Measure (HCAM), an interview-based protocol designed to address this issue by measuring adaptive and maladaptive behaviour while remaining sensitive to change due to therapeutic intervention. A review of the literature concerning adaptive and maladaptive development in middle childhood is presented, as are the issues concerning assessment of functioning in children. Manualisation of the HCAM ratings and interview protocol is introduced, including reliability between raters. Psychometric properties of this measure are established, including consistency over time, and an attempt is made at standardising the HCAM on a normative UK population. Concurrent validity of the HCAM in relation to measures of symptomatology, mood, psycho-social adjustment and adaptation is also investigated. Two longitudinal studies, following children over two and then three years, are presented, and finally discriminant validity is investigated in a study comparing the normative sample with a clinically referred sample of children. These findings are discussed in relation to evaluation needs in evidence-based service delivery and alternative measures of the functioning and adaptational domains.

    Rethinking mental health and wellbeing interventions in disaster and conflict affected communities: case studies from Sri Lanka, Sudan and Malawi

    This thesis examines the traditional knowledge and capabilities that communities affected by disaster, conflict and unplanned development utilise to deal with the uncertainties and dangers inherent in their lives. The key question is whether a model of individual care, core to the tradition of western disciplines, is appropriate for humanitarian assistance largely delivered to 'non-western' countries. The methodology uses both quantitative and qualitative techniques, and moves beyond a conventional science approach. Guided by a broader ontology and epistemology, it engages an evaluative judgement of three project-based case studies in Sri Lanka, Sudan and Malawi. These evaluative judgements build on the adapted OECD/DAC criteria of relevance, efficiency, effectiveness and impact. The "lived experiences" of mental health and wellbeing for individuals amongst these communities are then further examined through their personal stories. The outcomes of this process are used to inform a discussion on mainstream interventions and to provide a basis for exploring improved practice in this field. The scope of the study presented here was limited to Sri Lanka, Sudan and Malawi. These countries were selected based on their geographical locations, the nature of the disaster, conflict or development problem and, most importantly, access to communities through the Disaster and Development Centre's (DDC) research work with the United Nations Refugee Agency (UNHCR) and the Green Movement of Sri Lanka (GMSL). The researcher trained one colleague each from Sudan, Malawi and Sri Lanka to assist in the translation of Arabic, Swahili, Tamil and tribal dialects. This process was conducted by explaining the objectives of the research, refreshing basic interviewing skills and concepts of translation, and addressing the research ethical framework.
    The findings of the study indicate that most disaster, development and conflict-affected communities are positively dealing with uncertainties and dangers in life without outside 'expert' help. Although there are evident levels of mental health and wellbeing related issues that are visible to the outside view of a community, the inside view is that there are traditional knowledge systems, religions, cultures, attitudes and values that address uncertainty and danger in a sophisticated though pragmatic manner. The conclusion of this research process is that suffering through danger and uncertainty is part of human experience; it is an attribute of the human condition. However, disaster and development experts, psychologists, psychiatrists and sociologists are occupied in documenting, describing, analysing and diagnosing risks, vulnerabilities, coping strategies and post-traumatic stress. Alongside the costs of murder, rape, torture and other forms of human malice, a deeper understanding of mental health and wellbeing in adversity remains largely lacking. This is complicated by the varying nature of the events that take place and the variable ways they are experienced by individuals and communities. The onset of uncertainty and danger is sometimes sudden, like the brutal attacks in Western Darfur. At other times it takes the form of a continuous reign of suffering, like the failed development, disaster reduction and conflict mitigation strategies witnessed in Sri Lanka. Even when suffering is not present in such striking forms, there can be slow deterioration of communities through policies that severely disrupt the lives of people, as experienced by refugees in Malawi. However, in the middle of the worst circumstances, communities continue to carry on with their livelihood regimes, to celebrate, and to enjoy. This is an achievement beyond everyday life.
    The thesis findings and conclusions point to the need for collaboration with communities affected by disaster, conflict and unplanned development to retrieve their knowledge systems and improve their mental health and wellbeing. This can create new processes to deal with suffering.

    Networked Governance of Freedom and Tyranny

    This book offers a new approach to the extraordinary story of Timor-Leste. The Indonesian invasion of the former Portuguese colony in 1975 was widely considered to have permanently crushed the Timorese independence movement. Initial international condemnation of the invasion was quickly replaced by widespread acceptance of Indonesian sovereignty. But inside Timor-Leste various resistance networks maintained their struggle, against all odds. Twenty-four years later, the Timorese were allowed to choose their political future, and the new country of Timor-Leste came into being in 2002. This book presents freedom in Timor-Leste as an accomplishment of networked governance, arguing that weak networks are capable of controlling strong tyrannies. Yet, as events in Timor-Leste since independence show, the nodes of networks of freedom can themselves become nodes of tyranny. The authors argue that constant renewal of liberation networks is critical for peace with justice: feminist networks for the liberation of women, preventive diplomacy networks for the liberation of victims of war, village development networks, civil society networks. Constant renewal of the separation of powers is also necessary. A case is made for a different way of seeing the separation of powers as constitutive of the republican ideal of freedom as non-domination. The book is also a critique of realism as a theory of international affairs and of the limits of reforming tyranny through the centralised agency of a state sovereign. Reversal of Indonesia's 1975 invasion of Timor-Leste was an implausible accomplishment. Among the things that achieved it was principled engagement with Indonesia and its democracy movement by the Timorese resistance. Unprincipled engagement by Australia and the United States in particular allowed the 1975 invasion to occur.
    The book argues that when the international community regulates tyranny responsively, with principled engagement, there is hope for a domestic politics of nonviolent transformation for freedom and justice. John Braithwaite and Hilary Charlesworth work in the Centre for International Justice and Governance, Regulatory Institutions Network, The Australian National University. Adérito Soares is the Anti-Corruption Commissioner for Timor-Leste.

    Forests for a Better Future: Sustainability, Innovation and Interdisciplinarity

    This book highlights the role of research in innovation and sustainability in the forest sector. The contributions included fall within the broad thematic areas of forest science and cover crucial topics such as biocontrol, forest fire risk, harvesting and logging practices, quantitative and qualitative assessments of forest products, urban forests, and wood treatments, topics that have also been addressed from an interdisciplinary perspective. The contributions also have practical applications, as they deal with the ecological and economic importance of forests and with new technologies for the conservation, monitoring, and improvement of forest services and value.

    African Politics in the Digital Age: A Study of Political Party-Social Media Campaign Strategies in Ghana

    Digital media is transforming politics. It has made it imperative for political stakeholders to come up with new strategies that respond to the challenges triggered by the new digital communication platforms. Equally, these technological developments have affected communication processes and strategies in transitional political contexts, with varying impacts on democratic governance, political participation and forms of deliberation for citizens. However, the actual impact of social media on political processes remains debatable. Many issues emerge, including not only how communications technologies revitalise campaign techniques but also how they influence actors and organisations and reorient political campaigning environments. In Africa, it is important to ask in specific contexts how the new technologies are reconfiguring the relationship between the rulers and the ruled, between politicians and the electorate. In particular, how has digital media facilitated new forms of political communication to individuals and groups? Has it gone beyond geography, class, gender, language or race? What has been its specific impact on campaign strategies, and on the process and outcome of electoral politics, in countries such as Ghana, an emerging democracy? Through a case study, this research has explored the changing dynamics of election campaigning in Ghana in the context of social media. By examining the influence of Facebook, Twitter, Instagram and other Social Network Sites (SNSs) on political campaigning, the research produces an original analysis of digital political communication, organisation and mobilisation, among other things, as deployed by the main political parties, namely the National Democratic Congress (NDC) and the New Patriotic Party (NPP), with a focus on the 2012 and 2016 elections.
    The study adopted a qualitative research methodology based on in-depth interviews (formal and informal), focus group discussions and informal observation techniques, which were applied to gather original evidence. The main findings are that social media is implicated in political campaigns in multiple ways, and that its capacity to change them depends on the availability of resources and on the policy frameworks that regulate and streamline its use. The study shows how the campaign process is shaped by political organisations, actors and voters, rather than just by the technologies. The research has uncovered the role of offline/digital 'serial callers', quasi-political communicators hired by political parties to influence political campaigning. Challenges and limitations notwithstanding, the research provides an invaluable insight into the relationship between the use of social media for political communication and its ramifications for democratisation in Ghana. It contributes original insights on the shifts and impact of political communication within the African context.