16 research outputs found

    Securing Personal Information Assets: Testing Antecedents of Behavioral Intentions

    Due to the increased global reliance on information technology, and the prominence of information resources value, identity theft is a problem domain affecting millions of computer users annually. The realities of identity theft are highly visible in the global media, although empirical investigations on the topic are limited. The purpose of this study is to identify and analyze perceptions of personal information (e.g., identity) as it relates to perceived threats, mitigation, perceived risks, and intended safe information practice intentions. We propose a risk analysis model based on theoretical variables that have been researched and extensively used in both government and private sector organizations. The model is empirically tested using LISREL to perform structural equation modeling. Findings indicate support for a relationship between risk and both 1) behavioral intentions to perform safe information practices and 2) personal information asset value

    Divorcing and checking out of the mortal and physical world domain – online assets in limbo: A call for the regulation of the digital legacy

    For the majority of people, an online existence has currently become an incontrovertible reality. This article explores the various ways of handling digital or online assets both before and after death. The article starts by describing possible definitions of digital or online assets, followed by a close and critical examination of the efficacy of measures initially put in place by service providers to regulate their relationship with online users. Various legislative provisions recently promulgated in a number of states in America are compared, critically evaluated and discussed, whereafter the existing provisions of the Matrimonial Property Act No. 88 of 1984, the Divorce Act No. 70 of 1979 and the Administration of Estates Act No. 66 of 1965 are closely examined with a view to testing and evaluating their effectiveness in dealing with digital assets both before and after death. The discussion culminates with a call for the amendment of the relevant South African provisions, while giving possible suggestions to the same effect

    Implementation and Evaluation of A Low-Cost Intrusion Detection System For Community Wireless Mesh Networks

    Rural Community Wireless Mesh Networks (WMN) can be great assets to rural communities, helping them connect to the rest of their region and beyond. However, they can be a liability in terms of security. Due to the ad-hoc nature of a WMN, and the wide variety of applications and systems that can be found in such a heterogeneous environment there are multiple points of intrusion for an attacker. An unsecured WMN can lead to privacy and legal problems for the users of the network. Due to the resource constrained environment, traditional Intrusion Detection Systems (IDS) have not been as successful in defending these wireless network environments, as they were in wired network deployments. This thesis proposes that an IDS made up of low cost, low power devices can be an acceptable base for a Wireless Mesh Network Intrusion Detection System. Because of the device's low power, cost and ease of use, such a device could be easily deployed and maintained in a rural setting such as a Community WMN. The proposed system was compared to a standard IDS solution that would not cover the entire network, but had much more computing power but also a higher capital cost as well as maintenance costs. By comparing the low cost low power IDS to a standard deployment of an open source IDS, based on network coverage and deployment costs, a determination can be made that a low power solution can be feasible in a rural deployment of a WMN

    A Cybersecurity review of Healthcare Industry

    Background: Cybersecurity is not a new concept of our time. Since the 1960s, cybersecurity has been a field of discussion and research. Although security defence mechanisms have evolved, attackers' capabilities have also increased to the same or a greater degree. Proof of this is the precarious cybersecurity situation of many companies, which has led to an increase in ransomware attacks and the establishment of large criminal organizations dedicated to cybercrime. This situation demonstrates the need for progress and investment in cybersecurity in many sectors, and it is especially relevant to the protection of critical infrastructures. Critical infrastructures are those strategic infrastructures whose operation is indispensable and admits no alternative solutions, so that their disruption or destruction would have a serious impact on essential services. Healthcare services and infrastructures fall within this category. These infrastructures provide a service whose interruption carries serious consequences, such as the loss of human lives. A cyberattack can affect these healthcare services, bringing them to a total or partial standstill, as seen in recent incidents, even leading to the loss of human lives. In addition, services of this kind hold a great deal of highly sensitive personal information. Medical data is a type of data with high value on illegal markets, and is therefore a target of attacks focused on stealing it. It should also be mentioned that, like other sectors, healthcare services are currently undergoing a process of digitalization. This evolution has overlooked cybersecurity in most of its developments, contributing to the growth and severity of the attacks mentioned above.
- Methodology and research: The work presented in this thesis clearly follows an experimental and deductive method. This research has focused on evaluating the state of cybersecurity in healthcare infrastructures and on proposing improvements and mechanisms for detecting cyberattacks. The three scientific publications included in this thesis seek to provide solutions to, and evaluate, current problems in the field of healthcare infrastructures and systems. The first publication, 'Mobile malware detection using machine learning techniques', focused on developing new threat detection techniques based on the use of artificial intelligence and machine learning technologies. This research succeeded in developing a method for detecting potentially unwanted and malicious applications in Android mobile environments. In addition, both the design and the implementation took into account the specific needs of healthcare environments, seeking to offer a simple and viable deployment in line with the needs of these centres, and satisfactory results were obtained. The second publication, 'Interconnection Between Darknets', sought to identify and detect the theft and sale of medical data on darknets. The development of this research led to the discovery and proof of the interconnection between different darknets. Searching for and analysing information on networks of this kind made it possible to demonstrate how different networks share information and references with one another. Analysing one darknet implies the need to analyse others in order to obtain more complete information about the first. Finally, the last publication, 'Security and privacy issues of data-over-sound technologies used in IoT healthcare devices', sought to investigate and evaluate the security of IoT ('Internet of Things') medical devices. To carry out this research, a medical device was acquired: a portable electrocardiograph currently in use by several hospitals.
The tests carried out on this device uncovered multiple cybersecurity flaws. These findings revealed the lack of mandatory cybersecurity certifications and reviews for healthcare products currently on the market. Unfortunately, the lack of budget dedicated to research did not allow several medical devices to be acquired for subsequent cybersecurity evaluation. - Conclusions: The work and research described above led to the following conclusions. Given healthcare infrastructures' need for cybersecurity mechanisms, their particular design and operation must be taken into account. The cybersecurity tests and mechanisms designed must be applicable in real environments. Unfortunately, healthcare infrastructures currently contain technological systems that are impossible to update or modify. Many treatment and diagnostic machines run proprietary software and operating systems to which administrators and staff have no access. In view of this situation, measures must be developed that can be applied in this ecosystem and that can, as far as possible, reduce and mitigate the risk posed by these systems. This conclusion is linked to the lack of security in medical devices. Most medical devices have not followed a secure design process and have not been subjected to security testing by their manufacturers, since this entails a direct cost in product development. The only solution in this respect is the application of legislation that forces manufacturers to comply with security standards. And although progress has now been made on this regulatory front, it will take years or decades to replace insecure devices.
The impossibility of updating products, or flaws related to their hardware, make it impossible to fix every security flaw that is discovered, leading to replacement of the device once a satisfactory alternative in terms of cybersecurity exists. For this reason it is necessary to design new cybersecurity mechanisms that can be applied now and can mitigate these risks during this transition period. Finally, regarding data theft: although the preliminary research carried out in this thesis did not make any significant discovery concerning the theft and sale of data, darknets, and the Tor network in particular, have now become a key point in the Ransomware as a Business (RaaB) model by offering extortion websites and contact with these groups

    THE CONSUMER CHOICE OF E-CHANNELS AS A PURCHASING AVENUE: AN INVESTIGATION OF THE COMMUNICATIVE ASPECTS OF INFORMATION QUALITY

    A conspicuous paradox is evident in the statistics concerning purchases over the internet. While a majority of the US population uses the internet to seek product information for purchasing decisions, less than two percent of actual retail sales occur on the Internet. To explain this small ratio of e-channel choice for purchase, a comprehensive model that extends DeLone and McLean's (2004) e-commerce success model was developed. The model centers on the importance of perceived information quality and its relationship to e-channel choice as a purchasing channel. Using the overarching theoretical frame of motivation, two questions were examined: (a) what influences consumers' perception of the quality of information in e-channels, and (b) how information quality influences the consumers' choice of e-channels in purchasing products. Four constructs, based on dimensions of communication theories, are put forward to be important determinants in consumers' perception of information quality in e-channels, which ultimately shape their decision to purchase over the internet. Telepresence and screening capability in the message dimension, and channel trust in receiver dimension are theorized to positively affect perceived information quality. It is also hypothesized that as consumers experience higher levels of cognitive overhead as they use the internet, this will negatively impact perceived information quality in e-channels. Since telepresence is potentially the most manipulative among these factors through current web technologies, this study further investigates its antecedents. Based on human information processing styles, standardization of specification, sensory descriptiveness, feedback quality, and interactivity are presented as technological design elements to increase telepresence. The methodology used combined survey and a quasi-experiment, where several important parameters of the experiment were controlled to measure the research model.
Several pilot studies were conducted to validate the quasi-experimental design and construct measurement. Analysis using structured equation modeling on a useable sample frame of 309 students provided support that perceived information quality has a positive effect on consumers' choice of e-channels over physical channels for product purchase. Support was found for all factors to information quality and telepresence except feedback quality's effect on telepresence. Overall, this study presents a framework of e-channel choice that combines motivation theory with the e-commerce success model, and enables better understanding of online consumer behavior. A common belief about the inadequacy of experience goods for electronic transaction is challenged. The results of this study provide insight into the pivotal role of information quality in addressing performance risk, thereby shedding a light on what makes consumers use e-channels mostly as an information source rather than a purchasing point. Information quality is revealed as a key link between the evaluation aspects of the information search stage and the purchasing aspects of the choice stage. Four effective levers to increase information quality are identified, and telepresence is identified as the most promising tool to increase perceived information quality

    An analysis of the use of the Social Security Number as Veteran Identification as it relates to identity theft : a cost benefit analysis of transitioning the Department of Defense and Veterans Administration to a Military Identification Number

    Identity theft has become one of the fastest growing crimes in America and stems from the widespread and growing reliance of organizations across the nation to use Social Security Numbers (SSN) as a primary personal identifier. Originally intended for the very limited purpose of tracking social security benefits, the value of the SSN as a unique identifier was quickly recognized, and its use rapidly grew. This "functionality creep" has led to the SSN becoming an almost de facto national ID number. Employers, universities, credit agencies and financial institutions began using the SSN as a unique personal identifier. The military started to use the SSN as a personal identifier in 1969 in place of the Military Serial Number. Today, the SSN is used pervasively throughout the military, from personnel rosters to medical records, from administrative records to operational orders. This thesis analyzes the elimination of the SSN as the primary personal identifier within the Department of Defense and the Veterans' Administration, replacing it with a Military Identification Number (MIN). The elimination of the SSN at all but one critical location (pay related matters at the Defense Finance and Accounting System), would render all lost or stolen data useless to an identity thief. A Cost/Benefit Analysis of the transition from SSN to MIN using six methods of analysis (payback period method, discounted payback period, benefit cost ratio, net present value, internal rate of return, and a probabilistic NPV) were examined. Each method's benefits and drawbacks are discussed and the findings are summarized. The CBA shows that the transition to a MIN is a cost effective solution with a Net Present Value that falls between $701 million and $554 million over a 10 year period. http://archive.org/details/annalysisofuseof109453633 US Marine Corps (USMC) authors. Approved for public release; distribution is unlimited

    The moral milieu of information technology: using domain and affordance theory to explain situational and technological effects on ethical IT decision making

    Unethical behavior in the use of IT may result in significant negative impacts on the productivity, profitability, and reputation of the organization. IT exacerbates moral problems through its constant evolution, multi-faceted nature and encroachment into our personal and professional lives. People have difficulty recognizing moral characteristics, applying moral decision-making heuristics, and anticipating consequences of ethical problems when IT is present. These qualities highlight the moral milieu of ethical IT problems in organizations. The dissertation investigates this phenomenon through three perspectives. First, while moral development in childhood and adolescence predispose people toward particular moral reasoning, situational and contextual factors of ethical IT dilemmas may unearth other different moral reasoning patterns. The deviation of people's situational moral reasoning from broader moral dispositions is explored. Second, the scenario-specific situational moral reasoning is further framed into patterns of decision-making heuristics using the domain theory of moral development. Third, research in IT ethics has largely ignored the properties and characteristics of IT artifacts in ethical decision-making. Using affordance theory from ecological psychology, the dissertation proposes a framework of moral affordances, including ownership, anonymity, reproducibility, etc. that shapes ethical IT decision-making, intentions and behaviors. The study surveys 321 individuals across three ethical IT dilemmas of varying moral character and technology use. Ethical intentions and decisions deviated significantly from when situational moral judgments were considered, emphasizing utilitarian and relativist judgments. These decision-making models are transformed when ethical IT dilemmas were attributed to different domains of morality, exhibiting not only different patterns of moral reasoning but also an entirely different moral character. 
Finally, the salience of IT moral affordances varied between ethical dilemmas and demonstrated some influence on ethical IT decisions and intentions; however, these moral affordances lacked predictive efficacy within the broader ethical IT decision-making model

    The Legal Aspects of Cybercrime in Nigeria: An Analysis with the UK Provisions

    Cybercrime offences know no limits to physical geographic boundaries and have continued to create unprecedented issues regarding the feasibility and legitimacy of applying traditional legislations based on geographic boundaries. These offences also come with procedural issues of enforcement of the existing legislations and continue to subject nations to problems unprecedented to their sovereignty and jurisdictions. This research is a critical study on the legal aspects of cybercrime in Nigeria, which examines how laws and regulations are made and applied in a well-established system to effectively answer questions raised by shortcomings on the implementation of cybercrime legislations, and critically reviews various laws in Nigeria relating or closely related to cybercrime. This research will provide insight into current global cybercrime legislations and the shortfalls to their procedural enforcement; and further bares the cybercrime issues in Nigeria while analysing and proffering a critique to the provisions as provided in the recently enacted Nigerian Cybercrime (Prohibition and Prevention) Act 2015, in contradistinction to the existing legal framework in the United Kingdom and the other regional enactments like the Council of Europe Convention on Cybercrime, African Union Convention on Cybersecurity and Personal Data Protection 2014, and the ECOWAS Directive on Cybercrime 2011

    Android at risk: current threats stemming from unprotected local and external resources

    Android is an open source platform derived from Linux OS. It utilizes a plethora of resources both local and external. Most of its local resources (e.g., procfs nodes) were inherited from Linux with some of them being eventually removed, while new ones were added to meet the requirements of a mobile multi-purpose platform. Moreover, such a platform compels the introduction of external resources which can be used in tandem with a variety of sensors (e.g., Bluetooth and NFC) that the device is equipped with. This thesis demonstrates the subtlety involved in this adaptation which, if not performed correctly, can lead to severe information leaks stemming from unprotected local and external resources. It also presents new defense solutions and mitigation strategies that successfully tackle the found vulnerabilities. In particular, this thesis unearths three new side channels on Android OS. Prior to this work, these side channels were considered to be innocuous but here we illustrate that they can be used maliciously by an adversary to infer a user’s identity, geo-location, disease condition she is interested in, investment information and her driving route. These information leaks stem from local resources shared among all installed apps on Android: per-app data-usage statistics; ARP (Address Resolution Protocol) information; and speaker status (on or off). While harmless on a different setting, these public local resources can evidently disclose private information on a mobile platform and thus we maintain that they should not be freely available to all third-party apps installed on the system. To this end, we present mitigation strategies which strike a balance between the utility of apps that legitimately need to access such information and the privacy leakage risk involved. Unfortunately the design assumptions made while adapting Linux to create Android is not the only flaw of the latter.
Specifically this work is also concerned with the security and privacy implications of using external to the OS resources. Such resources generate dynamic, hard to mediate channels of communication between the OS and an external source through usually a wireless protocol. We explore such implications in connecting smartphones with external Bluetooth devices. This thesis posits that Android falls short in providing secure Bluetooth connections with external devices; ergo its application in privacy critical domains is at the very least premature. We present a new threat, defined as external-device mis-bonding or DMB for short. To demonstrate the severity of the threat, we perform realistic attacks on popular medical Bluetooth devices. These attacks delineate how an unauthorized app can capture private data from Bluetooth external devices and how it can help an adversary spoof those devices and feed erroneous data to legitimate applications. Furthermore, we designed an OS-level defense mechanism dubbed Dabinder, that addresses the system’s shortcomings, by guaranteeing that a Bluetooth connection is established only between a legitimate app and its respective accessory. Nevertheless, Bluetooth is not the only inadequately protected external resource with grave privacy ramifications. We have also studied NFC, Audio and SMS as potential channels of communication with alarmingly low confidentiality guarantees. We show with real world attacks, that Android’s permission model is too coarse-grained to safeguard such channels while preserving the utility of the apps. To better understand the prevalence of the problem we perform a measurement study on the Android ecosystem and discuss our findings. Finally this work presents SEACAT, a novel defense strategy, enhancing Android with flexible security capabilities.
SEACAT is a scalable, effective and efficient solution, built on top of SELinux on Android, that enables the protection of channels used to communicate with external to Android resources. It achieves both MAC and DAC protection through straightforward and SELinux-compatible policies as the policy language and structure used, is in accordance with the current policy specifications. The system’s design encompasses mirror caching on both the kernel and the middleware layer which facilitates rapid policy enforcement through appropriate and carefully positioned hooks in the system

    Suspect Until Proven Guilty, a Problematization of State Dossier Systems via Two Case Studies: The United States and China

    This dissertation problematizes the state dossier system (SDS): the production and accumulation of personal information on citizen subjects exceeding the reasonable bounds of risk management. SDS - comprising interconnecting subsystems of records and identification - damage individual autonomy and self-determination, impacting not only human rights, but also the viability of the social system. The research, a hybrid of case-study and cross-national comparison, was guided in part by a theoretical model of four primary SDS driving forces: technology, political economy, law and public sentiment. Data sources included government documents, academic texts, investigative journalism, NGO reports and industry white papers. The primary analytical instrument was the juxtaposition of two individual cases: the U.S. and China. Research found that constraints on the extent of the U.S. SDS today may not be significantly different from China's, a system undergoing significant change amidst growing public interest in privacy and anonymity. Much activity within the U.S., such as the practice of suspicious activity reporting, is taking place outside the domain of federal privacy laws, while ID systems appear to advance and expand despite clear public opposition. Momentum for increasingly comprehensive SDS appears to be growing, in part because the harms may not be immediately evident to the data subjects. The future of SDS globally will depend on an informed and active public; law and policy will need to adjust to better regulate the production and storage of personal information. To that end, the dissertation offers a general model and linguistic toolkit for the further analysis of SDS