8 research outputs found

    A framework for teaching secure coding practices through a blended learning approach

    With the recent increase in cyber-related attacks, cybersecurity is becoming a key area of concern for many organisations. Cybersecurity vulnerabilities are typically addressed through the implementation of various cybersecurity controls. These controls can be operational, technical or physical in nature. The focus of this research, however, is on technical controls, with a specific focus on securing web applications. This research investigated whether third year software development students at the Nelson Mandela University adhered to secure coding practices in their capstone projects. In order to determine adherence, secure coding practices were identified from OWASP for the data access layer in web applications developed in the .NET environment. This was addressed by a Secondary Objective: To determine what secure coding practices a web application developer should adhere to in the .NET environment. These secure coding practices were used to conduct a code review on 2015 third year capstone projects, addressing the Secondary Objective: To determine the adherence of third year software development capstone projects to the identified secure coding practices. The results of the code review were analysed and indicated low levels of adherence, which led to the Problem Statement of this research, namely: Undergraduate software development students do not consistently adhere to secure coding practices when developing their third-year capstone projects, thereby leading to vulnerabilities in their web applications. In order to address this Problem Statement, the Primary Objective was identified: To develop a framework for teaching secure coding practices through a blended learning approach. The Secondary Objective, To determine whether third year software development students have the requisite knowledge relating to secure coding, took the form of a questionnaire to assess students' knowledge of secure coding practices.
    This required the achievement of further sub-objectives which addressed both the knowledge and behaviour of software development students. The results of this questionnaire indicated that many of the third-year software development students lacked the requisite knowledge. This lack of knowledge and adherence was addressed through an educational intervention, meeting the Secondary Objective: To design and implement an educational intervention to support software development students in the development of secure web applications. In terms of knowledge, online lessons were developed addressing each of the secure coding practices identified. In order to address adherence, students were given a checklist to monitor their adherence to the identified secure coding practices. The Secondary Objective, To determine the effect of the educational intervention on both student adherence and their requisite knowledge regarding secure coding practices, involved the verification of the educational intervention and comprised two components, knowledge and behaviour. Knowledge verification took the form of an online questionnaire given to 2017 third year project students. To address behavioural adherence, the researcher conducted a code review on the 2017 capstone projects. The results from the verification showed a general improvement in students' knowledge and high levels of adherence to secure coding practices. Finally, a framework was developed that encompassed the key elements of this research, thereby providing guidance to support the development of secure web applications in higher education institutions and meeting the primary objective of this study.

    Back to Basics: Towards Building Societal Resilience Against a Cyber Pandemic

    Cybersecurity experts have long been discussing the potential of a cyber pandemic leading to a massive disruption of ICT operations with a devastating societal impact. Even though society has not yet faced the full potential of a cyber pandemic, the recent COVID-19 pandemic demonstrated what a cyber pandemic can look like at its initial stages. Unfortunately, citizens proved to be unprepared to handle the COVID-19 threat landscape and how fast cyber-attacks escalated at a global scale, targeting individuals, corporations and governments all at once. This clearly demonstrates that society, at a global scale, is not adequately prepared to defend against a cyber pandemic, despite all the efforts of the cybersecurity community. Cybersecurity awareness and training efforts have been delivered as part of national or corporate cybersecurity strategies, aiming to promote cyber hygiene and enhance protection against cyber-attacks at an individual, corporate or national level. The current level of citizens' cybersecurity awareness is not yet at the desired level, and actions need to be taken to upscale it. Thus, it is time to take a step back to identify what is missing from current awareness efforts and reconsider how people learn. This knowledge can drive the redesign of national and corporate cybersecurity awareness activities, effectively building citizens' cyber skills and knowledge, and leading to the development of robust cyber resilient societies, capable of defending against and withstanding a future cyber pandemic.

    Comparing the protection and use of online personal information in South Africa and the United Kingdom in line with data protection requirements

    Purpose: This research investigates the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance, with the aim of establishing whether a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements than a country that is preparing for compliance. Design/methodology/approach: An insurance industry multi-case study within the online insurance services environment was conducted. Personal Information (PI) of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act (DPA) and the Protection of Personal Information Act (POPIA). Findings: The results demonstrate that not all the websites honoured the selected opt-out preferences, as direct marketing material from the insurance organisations in the sample was sent to both the SA and UK consumer profiles. Forty-two unsolicited third party contacts were received by the SA consumer profiles, whereas the UK consumer profiles did not receive any third party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations. Research implications: As a jurisdiction with a heavy stance towards privacy implementation and regulation, the UK was found to be more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, although not fully compliant. Originality/value: Based upon the results obtained from this research, it is suggested that SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements.
    Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing and the minimality principle. The study indicates the positive role that data protection legislation plays in a country like the UK with a more mature stance toward compliance with data protection legislation. This research is supported by the Women in Research (WiR) Grant from the University of South Africa.

    I Don't Need an Expert! Making URL Phishing Features Human Comprehensible

    A Model for User-centric Information Security Risk Assessment and Response

    Managing and assessing information security risks in organizations is a well understood and accepted approach, with literature providing a vast array of proposed tools, methods and techniques. They are, however, tailored for organizations, with little literature supporting how these can be achieved more generally for end-users, i.e. users who are solely responsible for their devices, their data and for making their own security decisions. To protect such users, technical countermeasures alone have been found insufficient, as they can be misused by users and remain vulnerable to various threats. This research focuses on a better understanding of human behavior, which is vital for ensuring an efficient information security environment. Motivated by the fact that different users react differently to the same stimuli, identifying the reasons behind variations in security behavior and why certain users could be "at risk" more than others is a step towards developing techniques that can enhance users' behavior and protect them against security attacks. A user survey was undertaken to explore users' security behavior in several domains and to investigate the correlation between users' characteristics and their risk-taking behavior. Analysis of the results demonstrated that users' characteristics do play a significant role in affecting their security behavior risk levels. Based upon these findings, this study proposed a user-centric model that is intended to provide a comprehensive framework for assessing and communicating information security risks for users of the general public, with the aim of monitoring, assessing and responding to users' behavior in a continuous, individualized and timely manner. The proposed approach is built upon two components: assessing risks and communicating them.
    Aside from the traditional risk assessment formula, three risk estimation models are proposed: a user-centric model, a system-based model and an aggregated model that creates an individualized risk profile. As part of its novelty, both user-centric and behavioral-related factors are considered in the assessment. This results in an individualized and timely risk assessment in granular form. Aside from the traditional risk communication approach of one message, one-size-fits-all, a gradual response mechanism is proposed to individually and persuasively respond to risk and educate users about their risk-taking behavior. Two experiments and a scenario-based simulation of users with varying user-centric factors have been implemented to simulate the proposed model, show how it works, and evaluate its effectiveness and usefulness. The proposed approach worked in the way it was expected to. The analysis of the experiments' results provided an indication that risk could be assessed differently for the same behavior based upon a number of user-centric and behavioral-related factors, resulting in an individualized granular risk score/level. This granular risk assessment, away from high, medium and low, provided a more insightful evaluation of both risk and response. The analysis of results was also useful in demonstrating how risk is not the same for all users and how the proposed model is effective in adapting to differences between users, offering a novel approach to assessing information security risks.

    A Model for Monitoring End-User Security Policy Compliance

    Organisations increasingly perceive their employees as a great asset that needs to be cared for; however, at the same time, they view employees as one of the biggest potential threats to their cyber security. Organisations repeatedly suffer harm from employees who do not obey or comply with their information security policies. Non-compliant behaviour of an employee, whether unintentional or intentional, poses a real threat to an organisation's information security. As such, more thought is needed on how to encourage employees to be security compliant and more in line with the security policy of their organisation. Based on the above, this study has proposed a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users' behaviour with respect to an information security policy. The proposed approach is based on two main concepts: a taxonomy of response strategies to non-compliant behaviour, and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. A prototype system has been developed to simulate the proposed model in order to provide a clear picture of its functionalities and how it is meant to work. It was therefore developed as a system that responds to the behaviour of users (whether violation or compliance) in relation to the information security policies of their organisations. After designing the proposed model and simulating it using the prototype system, it was important to evaluate the model by interviewing experts with different backgrounds from the academic and industry sectors.
    The interviewed experts agreed that the identified research problem is a real problem that needs to be researched and for which solutions need to be devised. The overall feedback of the interviewed experts about the proposed model was very encouraging and positive. The expert participants thought that the proposed model addresses the research gap and offers a novel approach for managing information security policies.

    Do you bend or break?:Preventing online banking fraud victimization through online resilience

    This doctoral thesis is about the human aspects of online banking safety and security. Preparations for this thesis, part of The Dutch Research Program on Safety and Security of Online Banking, started when online banking fraud figures were relatively high in the Netherlands. In this thesis, online banking fraud is limited to phishing and malware attacks. This thesis investigated a specific part of the issue of how to reduce this type of fraud, namely the extent to which the safety and security of online banking can be improved from an end-user perspective. Hence, it examined how the online resilience of end users can be enhanced, making them better able to protect themselves against online banking fraud. Next to the practical goal of this thesis, it also aimed to contribute to scientific theory in the behavioural information security domain.

    This thesis starts with an introductory Chapter (1) in which the context of study is described and the goal and research questions are highlighted. The empirical part of this thesis is divided into two smaller parts. In order to get a comprehensive overview of the human aspects of online banking safety and security, it is important to study the threats as well as people-focussed safeguards. Therefore, Part I (Chapters 2 to 5) deals with studies on end-users' perceptions of and victimization due to online banking fraud. Learning more about risk perceptions, how and why victimization takes place, victim characteristics and how victims recover from incidents may lead to more knowledge on how to combat online banking fraud effectively. Part II of this thesis (Chapters 6 to 9) consequently deals with studies on precautionary online behaviour of end users and how that behaviour can be improved. Knowledge on this subject may contribute to strengthening one of the most essential links in the safety and security of online banking: the end user.

    The concluding Chapter (10) provides an answer to the central and main research questions and deals with the theoretical and practical implications of the findings. The main research questions are:

    1: What are the perceptions of end users regarding the safety and security of online banking?
    2: How can online banking fraud victimization be explained from an end-user perspective?
    3: How can precautionary online behaviour of end users be explained and improved?

    To answer these questions, several studies were conducted; these are elaborated in Part I and Part II of this thesis. The contents of the chapters are outlined below.

    In Chapter 2, end-user risk perceptions of online bank fraud are studied. Secondary analysis of data based on a survey among 1,200 Dutch online banking users shows that online banking fraud is not considered to be a major risk. End users perceive the potential impact of online banking fraud to be severe, but the chances of falling victim themselves to be slim. However, they estimate the chances of others being victimized to be higher. Furthermore, online banking customers mainly come into contact with online banking fraud through media communications. Indirect victimization in the social environment and direct victimization were less common. In addition, online banking users, in general, have reasonable levels of trust in online banking. Finally, this chapter reveals – using partial least squares path modelling – that risk perceptions are mainly affected by the estimated chance of becoming a victim of online banking fraud. The perceived impact of online banking fraud and the degree of trust in online banking affected risk perception to some extent. Direct and indirect victimization and demographic characteristics hardly affected risk perceptions.

    In Chapter 3, an analysis of 600 phishing and malware incidents obtained from a Dutch bank is presented. The goal of this chapter is to shed light on the circumstances in which bank customers are victimized in phishing and malware attacks and how these attacks manifest in practice. This chapter shows that an essential step in the fraudulent process entails customers giving away their personal information to fraudsters. Phishing victimization mainly occurred by responding to a fraudulent e-mail, a fraudulent phone call or a combination of these. Malware victimization primarily occurred by responding to a malicious pop-up and by installing a malicious application on a mobile device. Customers cooperated because the fraudulent messages were perceived to be professional and trustworthy and because customers were not sufficiently suspicious of what was happening. The results suggest that victims have an unintended and subconscious, but active role in the fraudulent process. An interesting finding is that the victims did not always seem to trust the fraudster's intentions, but were mentally unable to stop the process. Reasons for this include not being aware of how fraudulent schemes manifest in practice, not being alert at the right moment and having insufficient knowledge of online banking procedures and precautionary measures.

    Chapter 4 explores factors that may explain online banking fraud victimization based on interviews with 30 victims, using the routine activity approach and protection motivation theory as theoretical lenses. A qualitative approach was chosen because previous quantitative studies failed to identify such factors. The interview data were analysed using computer-assisted qualitative data analysis software. This chapter demonstrates that no specific factors from the routine activity approach and protection motivation theory that increase the chance of online banking fraud victimization could be identified. Moreover, victims were distributed across genders, age categories and levels of education. Ultimately, end-user attributes that lead to higher chances of being victimized through online banking fraud could not be identified. This suggests that everyone is susceptible to online banking fraud victimization to some degree.

    In order to find out whether victims adequately recover from phishing and malware incidents, it is important to gain insight into their effects and impact on victims first. However, there was not much literature available on the impact of these cybercrimes. This gap is addressed in Chapter 5, in which interview data from the above-mentioned 30 victims are analysed again. Besides (initial) financial effects (most victims were reimbursed), victims also described various kinds of psychological and emotional effects, such as feeling awful and stressed, and various kinds of secondary impact, such as time loss and not being treated properly during the handling of the incident. Furthermore, this chapter demonstrates that the level of impact varies among victims, ranging from little or no impact to severe impact. Moreover, while some victims were only affected for a few days, some felt the effects in the long term. The impact of these fraudulent schemes on victims should therefore not be underestimated.

    In addition, the interview data provided insight into cognitive and behavioural change in order to cope with the incident. Cognitive strategies were mainly concerned with reducing psychological and emotional distress, and increasing online resilience to future attacks. The main behavioural strategies that were identified are reporting the incident to the bank and the police and seeking support from the social environment. Furthermore, various other actions were taken, such as enhancing the safety and security of devices and being more attentive during online banking sessions. However, it was observed that some of these actions were only of limited duration. Some victims adopted avoidance behaviours, such as making less use of online banking services. Victims who were left with financial damages rationalized the incident, thereby minimizing victimization for themselves. Chapter 5 concludes that the coping approach that was applied provides a useful framework to study the effects and impact of cybercrime victimization and how victims recover from it.

    In Chapters 6 and 7, survey data on 1,200 Dutch online banking users are examined and analysed using partial least squares path modelling. In Chapter 6, three social cognitive models are compared with respect to their ability to explain the intentions of precautionary online behaviour. The models are: protection motivation theory, the reasoned action approach and an integrated model comprising variables of these models. The three models were successfully applied to online banking. The individual models equally explain much of the variance in precautionary online behaviour. In the integrated model, the significant predictors of the two models remained significant and the level of explained variance was highest. Precautionary online behaviour is largely driven by response efficacy, self-efficacy and attitude towards that behaviour. This chapter concludes that both protection motivation theory and the reasoned action approach make a unique contribution in explaining variance for precautionary online behavioural intention. The integrated model explained most variance in protection motivation, which means that integrating theoretical perspectives from different domains is worthwhile. However, protection motivation theory is used as the main theoretical basis in the following chapters, because of its applicability to interventions.

    Chapter 7 builds on the preceding chapter and continues to study a model of precautionary behaviour in the domain of online banking. The aim was to gain insight into factors that encourage customers to take measures to protect themselves against online threats. The analyses that were conducted for this chapter provided support for most of the hypothesized relationships and showed that the model explains high levels of variance for precautionary online behaviour as well as for risk perception. Threat and coping appraisal successfully predicted the protection motivation of online banking users; in particular, response efficacy and self-efficacy were the most important predictors for taking precautions. Secondary predictors include locus of control, perceived severity (direct effect) and the negative predictor response costs. Finally, some differences in precautionary online behavioural intentions were observed based on gender and level of education.

    In Chapter 8, insight is gained into what protective measures self-employed entrepreneurs take in order to protect themselves against online threats and what motivates them to do so. Information technology is becoming increasingly important for entrepreneurs. Protecting their technical infrastructure and stored data is, therefore, also growing in importance. Nevertheless, research into the safety and security of entrepreneurs in general, and online threats targeted at entrepreneurs in particular, is still limited. Based on secondary analyses of data collected from 1,622 Dutch entrepreneurs, it was observed that the majority implement technical and personal coping measures. Entrepreneurs are likely to implement protective measures if they believe a measure is effective, if they are capable of using internet technology, if their attitude towards information security is positive and if they believe they are responsible for their own online security. These findings are similar to those of private users outlined in Chapters 6 and 7. Finally, some differences in precautionary online behaviour were observed based on age and education level.

    Chapter 9 examines the impact of fear appeal messages on user cognitions, attitudes, behavioural intentions and precautionary behaviour regarding online information-sharing to protect against the threat of phishing attacks. A pre-test post-test design was used in which 768 internet users filled out an online questionnaire. Participants were grouped in one of three fear appeal conditions: strong-fear appeal, weak-fear appeal and control condition. Claims regarding vulnerability to phishing attacks and claims concerning response efficacy of protective online information-sharing behaviour were manipulated in the fear appeal messages. This chapter demonstrates positive effects of fear appeals on heightening end-users' cognitions, attitudes and behavioural intentions. However, future studies are needed to determine how subsequent security behaviour can be promoted, as the effects on this crucial aspect were not directly observed. Nonetheless, fear appeals have great potential for promoting security behaviour by making end users aware of threats and simultaneously providing behavioural advice on how to mitigate these threats.

    All things considered, this thesis investigated online banking fraud victimization and precautionary online behaviour. Specifically, human aspects were the focus of the present research. This thesis demonstrates that good security is in people's heads. It seems easier, cheaper and more successful for criminals to attack end users using psychology rather than the technology surrounding online banking. Hence, even the best security engineers cannot stop end users from giving away their security codes. Therefore, using psychology to defend against online banking attacks also makes sense. This is especially the case for attacks using social engineering (phishing), but to some extent also for attacks using technical engineering (malware). Considering the further digitization of our society and the increasing dependence on information systems, the case is made that people have to 'bend' with these developments and become resilient when online. This is necessary to stop people from 'breaking' and potentially becoming victims of online banking fraud.

    While this thesis obtained information on how the safety and security of online banking can be improved from an end-user perspective, it should be noted that end users will always be confronted with numerous potential threats. It is unrealistic to believe that people can protect themselves against all threats at all times. Therefore, we have to accept that bad things will continue to happen online, but optimistically they can be kept to a minimum if end users are more vigilant about what they do online and are aware of how some people abuse the advantages that the internet offers. At the very least, the impact of these attacks can be reduced. The following main recommendations from this thesis may be helpful:

    1: Continue to invest in security education, training and awareness campaigns concerning threats aimed at online banking.
    2: Focus on underlying cognitive dimensions in security education, training and awareness campaigns, most notably on response efficacy and self-efficacy.
    3: Make clear that banks and customers are partners in keeping online banking safe and secure.
    4: Facilitate victims in their recovery process, primarily by providing feedback.
    5: Continue with research on the human aspects of online banking safety and security.

    In conclusion, security education, training and awareness remain an important priority, especially for combatting social risks. It is very important to promote online resilience. The research indicates that in order to strengthen the role of customers in the safety and security of online banking, threat appraisals as well as coping appraisals should be improved. If customers or end users believe that protective measures make a difference (response efficacy) and if they are able to perform these measures (self-efficacy), it is likely that end users will adopt precautionary behaviour and become a strong link in the information security chain. Proper information security practices should become part of our general skill set as people in this day and age. However, it should not be forgotten that safety and security is something that should be worked on together, with all parties involved. And when things do go wrong, we need to help one another to recover from it. All in all, an important requirement for a safer and more secure internet is that the human factor takes a central place in information security.