128,007 research outputs found
Designing computer security assessments to reduce plagiarism
Plagiarism and other forms of academic dishonesty for computing science assessments is a well documented issue. A common mode of dealing with this is to apply plagiarism detector software to code submissions to check for suspected plagiarism based on how similar submissions are. However, it arguably is less well established how to design computing science specifc assessments which aim to reduce the possibility of plagiarism, whilst not disadvantaging students who may struggle with some aspects of an assessment. This paper aims to report on the design and practice of such an assessment within a computer security course
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry
demand for more cyber security expertise in the workforce, the effect of
security education and experience on the ability to assess complex software
security problems has only been recently investigated. As proxy for the full
range of software security skills, we considered the problem of assessing the
severity of software vulnerabilities by means of a structured analysis
methodology widely used in industry (i.e. the Common Vulnerability Scoring
System (\CVSS) v3), and designed a study to compare how accurately individuals
with background in information technology but different professional experience
and education in cyber security are able to assess the severity of software
vulnerabilities. Our results provide some structural insights into the complex
relationship between education or experience of assessors and the quality of
their assessments. In particular we find that individual characteristics matter
more than professional experience or formal education; apparently it is the
\emph{combination} of skills that one owns (including the actual knowledge of
the system under study), rather than the specialization or the years of
experience, to influence more the assessment quality. Similarly, we find that
the overall advantage given by professional expertise significantly depends on
the composition of the individual security skills as well as on the available
information.Comment: Presented at the Workshop on the Economics of Information Security
(WEIS 2018), Innsbruck, Austria, June 201
Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems
There is a growing threat to the cyber-security of safety-critical systems.
The introduction of Commercial Off The Shelf (COTS) software, including
Linux, specialist VOIP applications and Satellite Based Augmentation Systems
across the aviation, maritime, rail and power-generation infrastructures has created
common, vulnerabilities. In consequence, more people now possess the technical
skills required to identify and exploit vulnerabilities in safety-critical systems.
Arguably for the first time there is the potential for cross-modal attacks
leading to future ‘cyber storms’. This situation is compounded by the failure of
public-private partnerships to establish the cyber-security of safety critical applications.
The fiscal crisis has prevented governments from attracting and retaining
competent regulators at the intersection of safety and cyber-security. In particular,
we argue that superficial similarities between safety and security have led
to security policies that cannot be implemented in safety-critical systems. Existing
office-based security standards, such as the ISO27k series, cannot easily be integrated
with standards such as IEC61508 or ISO26262. Hybrid standards such as
IEC 62443 lack credible validation. There is an urgent need to move beyond
high-level policies and address the more detailed engineering challenges that
threaten the cyber-security of safety-critical systems. In particular, we consider
the ways in which cyber-security concerns undermine traditional forms of safety
engineering, for example by invalidating conventional forms of risk assessment.
We also summarise the ways in which safety concerns frustrate the deployment of
conventional mechanisms for cyber-security, including intrusion detection systems
XML Schema-based Minification for Communication of Security Information and Event Management (SIEM) Systems in Cloud Environments
XML-based communication governs most of today's systems communication, due to
its capability of representing complex structural and hierarchical data.
However, XML document structure is considered a huge and bulky data that can be
reduced to minimize bandwidth usage, transmission time, and maximize
performance. This contributes to a more efficient and utilized resource usage.
In cloud environments, this affects the amount of money the consumer pays.
Several techniques are used to achieve this goal. This paper discusses these
techniques and proposes a new XML Schema-based Minification technique. The
proposed technique works on XML Structure reduction using minification. The
proposed technique provides a separation between the meaningful names and the
underlying minified names, which enhances software/code readability. This
technique is applied to Intrusion Detection Message Exchange Format (IDMEF)
messages, as part of Security Information and Event Management (SIEM) system
communication hosted on Microsoft Azure Cloud. Test results show message size
reduction ranging from 8.15% to 50.34% in the raw message, without using
time-consuming compression techniques. Adding GZip compression to the proposed
technique produces 66.1% shorter message size compared to original XML
messages.Comment: XML, JSON, Minification, XML Schema, Cloud, Log, Communication,
Compression, XMill, GZip, Code Generation, Code Readability, 9 pages, 12
figures, 5 tables, Journal Articl
National curriculum assessments review report: 2010 key stage 2 tests
Executive summary
The Office of Qualifications and Examinations Regulation (Ofqual) is the regulator of qualifications, examinations and assessments in England, and is committed to ensuring that standards are maintained and that learners get the results they deserve. We keep under review the National Curriculum assessments developed by the Qualifications and Curriculum Development Agency (QCDA), in relation to a Regulatory Framework and Code of Practice.
This report presents the findings of our review of the 2010 National Curriculum key stage 2 tests, with a particular focus on the marking and standards setting processes. It considers the various meetings and other activity reviewed in 2010, and concludes as follows
Adding Salt to Pepper: A Structured Security Assessment over a Humanoid Robot
The rise of connectivity, digitalization, robotics, and artificial
intelligence (AI) is rapidly changing our society and shaping its future
development. During this technological and societal revolution, security has
been persistently neglected, yet a hacked robot can act as an insider threat in
organizations, industries, public spaces, and private homes. In this paper, we
perform a structured security assessment of Pepper, a commercial humanoid
robot. Our analysis, composed by an automated and a manual part, points out a
relevant number of security flaws that can be used to take over and command the
robot. Furthermore, we suggest how these issues could be fixed, thus, avoided
in the future. The very final aim of this work is to push the rise of the
security level of IoT products before they are sold on the public market.Comment: 8 pages, 3 figures, 4 table
Building in web application security at the requirements stage : a tool for visualizing and evaluating security trade-offs : a thesis presented in partial fulfilment of the requirements for the degree of Master of Information Science in Information Systems at Massey University, Albany, New Zealand
One dimension of Internet security is web application security. The purpose of this Design-science study was to design, build and evaluate a computer-based tool to support security vulnerability and risk assessment in the early stages of web application design. The tool facilitates risk assessment by managers and helps developers to model security requirements using an interactive tree diagram. The tool calculates residual risk for each component of a web application and for the application overall so developers are provided with better information for making decisions about which countermeasures to implement given limited resources tor doing so. The tool supports taking a proactive approach to building in web application security at the requirements stage as opposed to the more common reactive approach of putting countermeasures in place after an attack and loss have been incurred. The primary contribution of the proposed tool is its ability to make known security-related information (e.g. known vulnerabilities, attacks and countermeasures) more accessible to developers who are not security experts and to translate lack of security measures into an understandable measure of relative residual risk. The latter is useful for managers who need to prioritize security spending. Keywords: web application security, security requirements modelling, attack trees, threat trees, risk assessment
- …