
    An Empirical Assessment of the Use of Password Workarounds and the Cybersecurity Risk of Data Breaches

    Passwords have long been used to grant controlled access to classified spaces, electronics, networks, and more. However, the dramatic increase in user accounts over the past few decades has made clear that technological measures alone cannot ensure a high level of IS security; this leaves end-users holding a critical role in protecting their organization's and their own personal information. The increased use of IS as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often engage in deviant password behaviors, known as 'password workarounds' or 'shadow security.' These deviant password behaviors can put individuals and organizations at risk, resulting in data privacy breaches. This study, engaging 303 IS users and 27 Subject Matter Experts (SMEs), focused on designing, developing, and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT), a model built on the perceived cybersecurity risks of Password Workaround (PWWA) techniques and their usage frequency. A panel of SMEs validated the PWWA list drawn from existing literature, with recommended adjustments. Additionally, the perceived level of cybersecurity risk of each technique was measured from the 27 SMEs and 303 IS users. They also reported their own and their coworkers' engagement frequencies for each item on the PWWA list. Notably, significant differences were found between SMEs and IS users in their aggregated perceptions of the cybersecurity risks of the PWWAs, with IS users perceiving higher risks. Engagement patterns varied between the groups, and factors such as years of IS experience, gender, and job level also showed significant differences among groups. The PaWoCyRiT was developed to provide insights into password-related risks and behaviors.

    Organizational Architecture, Resilience, and Cyberattacks

    This study develops a unique model of organizational resilience architecture with an emphasis on the ways in which organizations respond to cyber-attacks. The model elucidates the dynamics and approaches through which organizations mobilize and utilize expertise and resources to combat the effects of cyber-attacks on normal business operations. Drawing on recent cases of cyber-attacks against organizations, the study identifies a host of strategic and tactical responses victims used to aid recovery and return to daily activities. The responses are grouped into three stages to demonstrate the steps that organizations can take to enhance their resilience: Stage 1 focuses on proactive environmental scanning and locating potential threats and attacks, Stage 2 emphasizes neutralizing threats and attacks, and Stage 3 focuses on re-designing, upgrading and updating human, technological and financial resources. On this basis, the study sheds light on levels of organizational resilience and strategies for organizational design in withstanding cyber-attacks and security breaches. The theoretical and practical implications of these findings are discussed.

    PIDE: physical intrusion detection for personal mobile devices

    Master's thesis, Informatics Engineering (Computer Architecture, Systems and Networks), Universidade de Lisboa, Faculdade de Ciências, 2015.

    Personal mobile devices, such as smartphones and tablets, make it possible to store and access personal data at any time and in any place. These devices hold ever more sensitive information about their owners, including access codes, text messages, call logs, contacts, photos, videos and geographic location information. Users seem aware of the risk these devices pose to their privacy. Research on security problems in mobile devices is largely about malicious software threats. However, since mobile devices are frequently used in the presence of others, the threat posed by people who are physically or socially close has raised several privacy problems. One study found that the mobile devices of 14% of surveyed users had already been used by another person without their permission. The same study indicated that 9% of users admitted having used someone else's smartphone in order to acquire personal information. Currently, the most common security mechanism against physical intrusion is authentication at device unlock, whether by password, PIN, pattern or even biometrics. These security mechanisms are useful when a device is lost or stolen, but ineffective when it comes to preventing friends and family from exploring the content on a device. Authentication mechanisms are vulnerable to observation attacks, which can easily be carried out by people in the same social circle. For example, a close individual can easily discover an access code by watching it being entered, or by observing the smudges left on the touchscreen.
On the other hand, some users consider authentication tedious at times, since interactions with these devices are short and frequent. For this reason, many users never set up the mechanism, or use it only temporarily. Often, out of convenience, necessity or even social practice, mobile device users are encouraged to share them with others. Normally, these devices are shared for very specific tasks, such as making phone calls, sending text messages, browsing the internet and even playing games. In these situations, users often find themselves forced to share their unlock codes. Sometimes, refusing to do so leads to embarrassing social situations. The main characteristic of this system is that it performs intrusion detection and interaction recording inconspicuously, meaning that the user does not notice it running. Thus, this application becomes a security mechanism that requires no explicit interaction. To implement the face recognition mechanism, the OpenCV library was used, which offers optimized face detection and recognition algorithms, together with the JavaCV library, which is a Java interface to OpenCV. To record user actions, two distinct recording mechanisms were developed: screencast and event-based recording. The screencast mechanism captures screenshots; the owner later reviews the intruding users' actions as a sequence of images. The event-based recording mechanism is based on accessibility events, which are messages emitted by the operating system while the user interacts with the device.
Through these events it is possible to acquire enough data to know which interactions the user performed on the device and to produce a list of applications used and actions performed in each application. To validate this intrusion detection system, two user studies were conducted. A laboratory study aimed not only to examine users' emerging concerns about privacy and the use of their devices by third parties, but also to identify defence mechanisms and, finally, to demonstrate the developed application and understand how participants would plan to use this tool and whether they consider it useful and suited to their needs. Subsequently, a field study was carried out, which allowed participants to use the application over an extended period of time, with the aim of understanding how users adopted it. The results indicate that the Intrusion Detection Systems approach is suited to protecting content in device-sharing situations and in situations where authentication is insufficient. On the one hand, it works as a deterrent; on the other, it works as a tool that informs the owner of who used the device and for what purpose. This approach also suits users' needs in terms of usable security, namely by offering a security measure that does not require users to expend effort in every interaction with the device.

    Authentication mechanisms are useful when a device is lost or stolen, but ineffective when it comes to preventing friends and family from snooping through contents. Most unlock authentication methods are vulnerable to observation attacks that can easily be performed by those in a close social circle. Moreover, unlock authentication does not address the common use case of device sharing.
Intrusion Detection and Response Systems (IDRS) are based on the assumption that a system will eventually be attacked, and are widely used in network systems as an additional security measure that works around authentication flaws. The main contribution of this work was the design and development of an inconspicuous IDRS for Android smartphones, called Auric. A parallel contribution was the evaluation of the adequacy of that approach, intended to dissuade socially-close adversaries from snooping through device contents. This system runs in the background and attempts to determine, through face recognition, whether the device is being operated by the owner. If it is not, it starts recording user actions, which can later be reviewed by the owner. We conducted a laboratory study to examine users' concerns over other people looking through their data, and to present the system to participants. We also conducted a field study, where participants used the system for an extended period of time, in order to understand how they adopted it. Results indicate that the IDRS approach addresses previously unmet needs, namely by offering a security measure that does not require users to expend effort in every interaction with the device.

    Non-Intrusive Subscriber Authentication for Next Generation Mobile Communication Systems

    Merged with duplicate record 10026.1/753 on 14.03.2017 by CS (TIS).

    The last decade has witnessed massive growth in both the technological development and the consumer adoption of mobile devices such as mobile handsets and PDAs. The recent introduction of wideband mobile networks has enabled the deployment of new services with access to traditionally well protected personal data, such as banking details or medical records. Secure user access to this data has, however, remained a function of the mobile device's authentication system, which is only protected from masquerade abuse by the traditional PIN, originally designed to protect against telephony abuse. This thesis presents novel research in relation to advanced subscriber authentication for mobile devices. The research began by assessing the threat of masquerade attacks on such devices by way of a survey of end users. This revealed that the current methods of mobile authentication remain extensively unused, leaving terminals highly vulnerable to masquerade attack. Further investigation revealed that, in the context of the more advanced wideband-enabled services, users are receptive to many advanced authentication techniques and principles, including the discipline of biometrics, which naturally lends itself to the area of advanced subscriber-based authentication. To address the requirement for a more personal authentication capable of being applied in a continuous context, a novel non-intrusive biometric authentication technique was conceived, drawn from the discrete disciplines of biometrics and Auditory Evoked Responses. The technique forms a hybrid multi-modal biometric where variations in the behavioural stimulus of the human voice (due to the propagation effects of acoustic waves within the human head) are used to verify the identity of a user. The resulting approach is known as the Head Authentication Technique (HAT). Evaluation of the HAT authentication process is realised in two stages.
Firstly, the generic authentication procedures of registration and verification are automated within a prototype implementation. Secondly, a HAT demonstrator is used to evaluate the authentication process through a series of experimental trials involving a representative user community. The results from the trials confirm that multiple HAT samples from the same user exhibit a high degree of correlation, yet samples between users exhibit a high degree of discrepancy. Statistical analysis of the prototype's performance realised early system error rates of FNMR = 6% and FMR = 0.025%. The results clearly demonstrate the authentication capabilities of this novel biometric approach and the contribution this new work can make to the protection of subscriber data in next generation mobile networks.

    Orange Personal Communication Services Lt

    Motivating Information Security Awareness (ISA): An Action Research Study

    The goal of the study was to identify and analyze specific environmental and social conditions that motivate middle management to advocate for Information Security Awareness (ISA), as well as to see whether exposure to new information security knowledge would change their behavior. Using a mixed-method action research approach, a group of managers shared their awareness knowledge, advocacy behaviors, and the challenges influencing their engagement in information security awareness advocacy. Post-workshop feedback confirmed the effectiveness of the Action Research workshops in increasing ISA advocacy behaviors. The action research workshops provided an opportunity for the participants to increase their security knowledge and recommend improvements in ISA advocacy practices. Thirty-eight (38) managers, divided among four workshops, participated in the study. Within the research activities, I presented the group with an awareness knowledge self-assessment survey, which captured the managers' view of their own information security knowledge; a sample information security awareness presentation brought context to the workshop; and a group discussion similar to a focus group provided the environment for discussions. During these activities, the managers expressed recommended changes they could drive to improve ISA advocacy. The workshop activities concluded with a closing discussion seeking commitment from the managers to act on the recommendations to improve ISA advocacy. These engagements of learning and sharing their awareness supported the main goal of leveraging action research. The findings support that the Action Research workshops were an effective tool to increase the participants' learning, to improve the practice of ISA advocacy, and to socialize the topic of information security. The key lessons learned from the research contribute to the overall body of knowledge in the information security awareness discipline as follows.
Key finding 1: the feedback on self-reflective levels of knowledge in information security awareness indicated that managers are not sufficiently exposed to ISA content. Key finding 2: the self-reflection on advocacy behaviors projected positive attitudes and increased motivation to propose and take actions toward sharing ISA with employees and peers. Key finding 3: the main challenges discovered show that managers need more guidance, increased awareness knowledge, more organizational support, and the creation of a climate that supports advocacy behaviors. Key finding 4: the Action Research workshop contributed to participants' learning, and to improvements in information security practices through participants' new behaviors to increase ISA advocacy. Participants reported that they learned and used the ISA topics discussed during the workshop with their friends, family, peers, and employees after the workshop. The key thesis findings led to the following recommendations to help organizations foster a climate that supports ongoing advocacy behaviors. The recommended activities include: helping managers understand the importance of their engagement in advocacy behavior; obtaining resources that increase information security awareness and knowledge; planning and sharing activities that promote ISA sharing; and communicating the expectation for advocacy behaviors and the resources available to support sharing information security awareness.

    U.S. strategic cyber deterrence options

    The U.S. government appears incapable of creating an adequate strategy to alter the behavior of the wide variety of malicious actors seeking to inflict harm or damage through cyberspace. This thesis provides a systematic analysis of contemporary deterrence strategies and offers the U.S. the strategic option of active cyber defense designed for continuous cybered conflict. It examines the methods and motivations of the wide array of malicious actors operating in the cyber domain. The thesis explores how the theories of strategy and deterrence underpin the creation of strategic deterrence options and what role deterrence plays with respect to strategies: as a subset, a backup, or an element of one or another strategic choice. It looks at what the government and industry are doing to convince malicious actors that their attacks will fail and that a risk of consequences exists. The thesis finds that contemporary deterrence strategies of retaliation, denial and entanglement lack the conditions of capability, credibility, and communication that are necessary to change the behavior of malicious actors in cyberspace. This research offers a midrange theory of active cyber defense as a way to compensate for these failings through internal systemic resilience and tailored disruption capacities that both frustrate and punish the wide range of malicious actors regardless of origin or intentions. The thesis shows how active cyber defense is technically capable and legally viable as an alternative strategy for the U.S. to strengthen the deterrence of cyber attacks.

    Laguna Beach PD policy manual


    Cyber Law and Espionage Law as Communicating Vessels

    Professor Lubin's contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and "below-the-threshold" cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules, known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices: the fact that the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs), the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage and cyber law, and further explains the reasons for this dynamic. Part 3 places the discussion surrounding this relationship within the broader discourse on IW, making the claim that the convergence between EOs and LICOs, as described in Part 2, could further be explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach.
The paper concludes by proposing an alternative holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realm.

    A Case for Implementation of Citizen Centric National Identity Management Systems: Crafting a Trusted National Identity Management Policy
