40 research outputs found

    Assessing Risk In IoT Devices

    The explosive growth of the Internet of Things ecosystem has thrust these devices into the center of our lives. Unfortunately, the desire to create these devices has been stronger than the one to secure them. Recent attacks have shown us ignoring security in Internet of Things devices can cause severe harm in both a digital and physical sense. This thesis outlines a framework for developers and managers to assess the risk of IoT devices using a weighted scoring system across five different categories. Our case studies suggest that devices with higher security considerations have a better security posture and lower risk than those without

    Design Principles of Mobile Information Systems in the Digital Transformation of the Workplace - Utilization of Smartwatch-based Information Systems in the Corporate Context

    During the last decades, smartwatches emerged as an innovative and promising technology and hit the consumer market due to the accessibility of affordable devices and predominant acceptance caused by the considerable similarity to common wristwatches. With the unique characteristics of permanent availability, unobtrusiveness, and hands-free operation, they can provide additional value in the corporate context. Thus, this thesis analyzes use cases for smartwatches in companies, elaborates on the design of smartwatch-based information systems, and covers the usability of smartwatch applications during the development of smartwatch-based information systems. It is composed of three research complexes. The first research complex focuses on the digital assistance of (mobile) employees who have to execute manual work and have been excluded so far from the benefits of the digitalization since they cannot operate hand-held devices. The objective is to design smartwatch-based information systems to support workflows in the corporate context, facilitate the daily work of numerous employees, and make processes more efficient for companies. During a design science research approach, smartwatch-based software artifacts are designed and evaluated in use cases of production, support, security service, as well as logistics, and a nascent design theory is proposed to complement theory according to mobile information system research. The evaluation shows that, on the one hand, smartwatches have enormous potential to assist employees with a fast and ubiquitous exchange of information, instant notifications, collaboration, and workflow guidance while they can be operated incidentally during manual work. 
On the other hand, the design of smartwatch-based information systems is a crucial factor for successful long-term deployment in companies, and especially limitations according to the small form-factor, general conditions, acceptance of the employees, and legal regulations have to be addressed appropriately. The second research complex addresses smartwatch-based information systems at the office workplace. This broadens and complements the view on the utilization of smartwatches in the corporate context in addition to the mobile context described in the first research complex. Though smartwatches are devices constructed for mobile use, the utilization in low mobile or stationary scenarios also has benefits because they exhibit the characteristic of a wearable computer and are directly connected to the employee’s body. Various sensors can perceive employee-, environment- and therefore context-related information and demand the employees’ attention with proactive notifications that are accompanied by a vibration. Thus, a smartwatch-based and gamified information system for health promotion at the office workplace is designed and evaluated. Research complex three provides a closer look at the topic of usability concerning applications running on smartwatches since it is a crucial factor during the development cycle. As a supporting element for the studies within the first and second research complex, a framework for the usability analysis of smartwatch applications is developed. For research, this thesis contributes a systemization of the state-of-the-art of smartwatch utilization in the corporate context, enabling and inhibiting influence factors of the smartwatch adoption in companies, and design principles as well as a nascent design theory for smartwatch-based information systems to support mobile employees executing manual work. 
For practice, this thesis contributes possible use cases for smartwatches in companies, assistance in decision-making for the introduction of smartwatch-based information systems in the corporate context with the Smartwatch Applicability Framework, situated implementations of a smartwatch-based information system for typical use cases, design recommendations for smartwatch-based information systems, an implementation of a smartwatch-based information system for the support of mobile employees executing manual work, and a usability-framework for smartwatches to automatically access usability of existing applications providing suggestions for usability improvement

    A Lightweight Attribute-Based Access Control System for IoT.

    The evolution of the Internet of things (IoT) has made a significant impact on our daily and professional life. Home and office automation are now even easier with the implementation of IoT. Multiple sensors are connected to monitor the production line, or to control an unmanned environment is now a reality. Sensors are now smart enough to sense an environment and also communicate over the Internet. That is why, implementing an IoT system within the production line, hospitals, office space, or at home could be beneficial as a human can interact over the Internet at any time to know the environment. 61% of International Data Corporation (IDC) surveyed organizations are actively pursuing IoT initiatives, and 6.8% of the average IT budgets is also being allocated to IoT initiatives. However, the security risks are still unknown, and 34% of respondents pointed out that data safety is their primary concern [1]. IoT sensors are being open to the users with portable/mobile devices. These mobile devices have enough computational power and make it difficult to track down who is using the data or resources. That is why this research focuses on proposing a dynamic access control system for portable devices in IoT environment. The proposed architecture evaluates user context information from mobile devices and calculates trust value by matching with defined policies to mitigate IoT risks. The cloud application acts as a trust module or gatekeeper that provides the authorization access to READ, WRITE, and control the IoT sensor. The goal of this thesis is to offer an access control system that is dynamic, flexible, and lightweight. This proposed access control architecture can secure IoT sensors as well as protect sensor data. A prototype of the working model of the cloud, mobile application, and sensors is developed to prove the concept and evaluated against automated generated web requests to measure the response time and performance overhead. 
The results show that the proposed system requires less interaction time than the state-of-the-art methods

    Privacy-aware Security Applications in the Era of Internet of Things

    In this dissertation, we introduce several novel privacy-aware security applications. We split these contributions into three main categories: First, to strengthen the current authentication mechanisms, we designed two novel privacy-aware alternative complementary authentication mechanisms, Continuous Authentication (CA) and Multi-factor Authentication (MFA). Our first system is Wearable-assisted Continuous Authentication (WACA), where we used the sensor data collected from a wrist-worn device to authenticate users continuously. Then, we improved WACA by integrating a noise-tolerant template matching technique called NTT-Sec to make it privacy-aware as the collected data can be sensitive. We also designed a novel, lightweight, Privacy-aware Continuous Authentication (PACA) protocol. PACA is easily applicable to other biometric authentication mechanisms when feature vectors are represented as fixed-length real-valued vectors. In addition to CA, we also introduced a privacy-aware multi-factor authentication method, called PINTA. In PINTA, we used fuzzy hashing and homomorphic encryption mechanisms to protect the users' sensitive profiles while providing privacy-preserving authentication. For the second privacy-aware contribution, we designed a multi-stage privacy attack to smart home users using the wireless network traffic generated during the communication of the devices. The attack works even on the encrypted data as it is only using the metadata of the network traffic. Moreover, we also designed a novel solution based on the generation of spoofed traffic. Finally, we introduced two privacy-aware secure data exchange mechanisms, which allow sharing the data between multiple parties (e.g., companies, hospitals) while preserving the privacy of the individual in the dataset. These mechanisms were realized with the combination of Secure Multiparty Computation (SMC) and Differential Privacy (DP) techniques. 
In addition, we designed a policy language, called Curie Policy Language (CPL), to handle the conflicting relationships among parties. The novel methods, attacks, and countermeasures in this dissertation were verified with theoretical analysis and extensive experiments with real devices and users. We believe that the research in this dissertation has far-reaching implications on privacy-aware alternative complementary authentication methods, smart home user privacy research, as well as the privacy-aware and secure data exchange methods

    Individual values of GenZ in managing their Internet Privacy: a decision analytic assessment

    Our research places the importance of individual values at the center of any discussion of privacy issues. Values have an essential role in scientific discourse. We note that the concept of values is one of the few discussed and used across several social science disciplines. To that end, in this research, we present value-based objectives for GenZ Internet privacy. The objectives are classified into two categories - the fundamental objectives and the means to achieve them. In summary, our six fundamental objectives guide the management of GenZ Internet privacy issues. The objectives are: Increase trust in online interactions; Maximize the responsibility of data holders; Maximize the right to privacy; Maximize the individual ability to manage privacy control; Maximize the awareness of platform functionality; Ensure that personal data is not altered. Collectively, the fundamental and means objectives are a valuable basis for GenZ to evaluate its privacy posture. The objectives are also useful for social media companies and other related platforms to draft their privacy policies according to what GenZ wants. Finally, the objectives are a useful aid for the development of laws and regulations; Individual values of GenZ in managing their Internet Privacy: a decision analytic assessment Abstract: Online privacy is a growing concern. As individuals and businesses connect, the problem of privacy continues to remain significant. In this thesis, we address three primary questions - What are the individual values of GenZ concerning online privacy? What are the fundamental objectives of GenZ in terms of protecting their online privacy? What are the means objectives GenZ consider for protecting their online privacy? We argue that online privacy for GenZ is vital to protect. 
We also argue that protection can be ensured if we understand and know what privacy-related values behold GenZ and define their objectives accordingly. Our research brings the importance of individual values to be central to any discussion of privacy concerns. Values have an essential place in scientific discourse. We note that the concept of values is one of the very few discussed and employed across several social science disciplines. To that effect, in this research, we present value-based objectives for GenZ internet privacy. The objectives are classified into two categories – the fundamental objectives and the means to achieve them. In a final synthesis, our six fundamental objectives guide the management of GenZ Internet Privacy Concerns. The objectives are: Increase trust in online interactions; Maximize responsibility of data custodians; Maximize right to be left alone; Maximize individual ability to manage privacy controls; Maximize awareness of platform functionality; Ensure that personal data does not change. Collectively our fundamental and means objectives are a valuable basis for GenZ to evaluate their privacy posture. The objectives are also helpful for the social media companies and other related platforms to design their privacy policies according to the way GenZ wants. Finally, the objectives are a helpful policy aid for developing laws and regulations

    Collection Management Matters: The DataBase Dance: Waltzing with a Big Budget Cut
