1,510 research outputs found
The economics of user effort in information security
A significant number of security breaches result from employees' failures to comply with security policies. The cause is often an honest mistake, such as when an employee enters their password in a phishing website, believing it to be a legitimate one. It can also be a workaround when faced with an impossible task, such as when an employee has so many different passwords that they must be written down.
Information security as organizational power: A framework for re-thinking security policies
Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. Drawing on socio-technical literature to develop an analytical framework, we examine the relationship between security policies and power in organizations. We use our framework to study three examples of security policy from a large empirical study in an international company. Each example highlights a different aspect of our framework. Our results, from in-depth interviews with 55 staff members at all levels, show that there is often non-compliance in the detail of organizational information security policies; this is not willful but is in response to shortcomings in the policy and to meet business needs. We conclude by linking our findings to recent research on the institutional economics of information security. We suggest ways in which our framework can be used by organizational decision-makers to review and re-think existing security policies.
A technique for using employee perception of security to support usability diagnostics
Problems of unusable security in organisations are widespread, yet security managers tend not to listen to employees' views on how usable or beneficial security controls are for them in their roles. Here we provide a technique to drive management of security controls using end-user perceptions of security as supporting data. Perception is structured at the point of collection using Analytic Hierarchy Process techniques, where diagnostic rules filter user responses to direct remediation activities, based on recent research in the human factors of information security. The rules can guide user engagement, and support identification of candidate controls to maintain, remove, or learn from. The methodology was incorporated into a prototype dashboard tool, and a preliminary validation conducted through a walk-through consultation with a security manager in a large organisation. It was found that user feedback and suggestions would be useful if they can be structured for review, and that categorising responses would help when revisiting security policies and identifying problem controls.
Studies on Inequalities in Information Society. Proceedings of the Conference, Well-Being in the Information Society
Transferred from Doria
Looking towards the future: the changing nature of intrusive surveillance and technical attacks against high-profile targets
In this thesis a novel Bayesian model is developed that is capable of predicting the probability of a range of eavesdropping techniques deployed, given an attacker's capability, opportunity and intent. Whilst limited attention by academia has focused on the cold war activities of Soviet bloc and Western allies' bugging of embassies, even less attention has been paid to the changing nature of the technology used for these eavesdropping events.
This thesis makes four contributions: through the analysis of technical eavesdropping events over the last century, technological innovation is shown to have enriched the eavesdropping opportunities for a range of capabilities. The entry barrier for effective eavesdropping is lowered, while for the well resourced eavesdropper, the requirement for close access has been replaced by remote access opportunities. A new way to consider eavesdropping methods is presented through the expert elicitation of capability and opportunity requirements for a range of present-day eavesdropping techniques. Eavesdropping technology is shown to have life-cycle stages with the technology exploited by different capabilities at different times. Three case studies illustrate that yesterday’s secretive government method becomes today’s commodity. The significance of the egress transmission path is considered too.
Finally, by using the expert elicitation information derived for capability, opportunity and life-cycle position, for a range of eavesdropping techniques, it is shown that it is possible to predict the probability of particular eavesdropping techniques being deployed. This novel Bayesian inferencing model enables scenarios with incomplete, uncertain or missing detail to be considered. The model is validated against the previously collated historic eavesdropping events. The development of this concept may be scaled with additional eavesdropping techniques to form the basis of a tool for security professionals or risk managers wishing to define eavesdropping threat advice or create eavesdropping policies based on the rigour of this technological study.
Remote hearing aid fitting
Includes abstract. Includes bibliographical references. Hearing aid fitting is a costly process due to the cost of hearing aids, audiologists' hourly rates, and large travelling distances caused by regionally sparse audiologist populations. This dissertation is focused on the development of a system which aims at reducing the severity of this problem.
The Proceedings of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia
Conference Foreword
This is the fifth year that the Australian Digital Forensics Conference has been held under the banner of the Security Research Institute, which is in part due to the success of the security conference program at ECU. As with previous years, the conference continues to see quality papers with a number from local and international authors. 11 papers were submitted and following a double blind peer review process, 8 were accepted for final presentation and publication. Conferences such as these are simply not possible without willing volunteers who follow through with the commitment they have initially made, and I would like to take this opportunity to thank the conference committee for their tireless efforts in this regard. These efforts have included but not been limited to the reviewing and editing of the conference papers, and helping with the planning, organisation and execution of the conference. Particular thanks go to those international reviewers who took the time to review papers for the conference, irrespective of the fact that they are unable to attend this year.
To our sponsors and supporters a vote of thanks for both the financial and moral support provided to the conference. Finally, to the student volunteers and staff of the ECU Security Research Institute, your efforts as always are appreciated and invaluable. Yours sincerely, Conference Chair Professor Craig Valli Director, Security Research Institute
Learning from Digital Natives: Bridging Formal and Informal Learning. Final Report
Overview
This report suggests that students are increasingly making use of a variety of e-tools (such as mobile phones, email, MSN, digital cameras, games consoles and social networking sites) to support their informal learning within formalised educational settings, and that they use the tools that they have available if none are provided for them. Therefore, higher education institutions should encourage the use of these tools.
Aims and background
This study aimed to explore how e-tools (such as mobile phones, email, MSN, digital cameras, games consoles and social networking sites) and the processes that underpin their use can support learning within educational institutions and help improve the quality of students’ experiences of learning in higher education (pgs 9-11).
Methodology
The study entailed: (i) desk research to identify related international research and practice and examples of integration of e-tools and learning processes in formal educational settings; (ii) a survey of 160 engineering and social work students across two contrasting Scottish universities (pre- and post-1992) – the University of Strathclyde and Glasgow Caledonian University – and follow-up interviews with eight students across the two subject areas to explore which technologies students were using for both learning and leisure activities within and outside the formal educational settings and how they would like to use such technologies to support their learning in both formal and informal settings; and (iii) interviews with eight members of staff from across the institutions and two subject areas to identify their perceptions of the educational value of the e-tools. (pgs 24-27).
Key findings
• Students reported making extensive use of a variety of both e-tools (such as mobile phones, email, MSN, digital cameras) and social networking tools (such as Bebo, MySpace, Wikipedia and YouTube) for informal socialisation, communication, information gathering, content creation and sharing, alongside using the institutionally provided technologies and learning environments.
• Most of the students owned their own computer or had access to a sibling or parent’s computer. Many students owned a laptop but preferred not to bring it onto campus due to security concerns and because they found it too heavy to carry about.
• Ownership of mobile phones was ubiquitous.
• Whilst the students’ information searching literacy seemed adequate, the ability of these students to harness the power of social networking tools and informal processes for their learning was low.
• Staff reported using a few Web 2.0 and social software tools but they were generally less familiar with how these could be used to support learning and teaching. There were misconceptions surrounding the affordances of the tools and fears expressed about security and invasion of personal space. Considerations of the costs and the time it would take staff to develop their skills meant that there was a reluctance to take up new technologies at an institutional level.
• Subject differences emerged in both staff and student perceptions as to which type of tools they would find most useful. Attitudes to Web 2.0 tools were different. Engineers were concerned with reliability, using institutional systems and inter-operability. Social workers were more flexible because they were focused on communication and professional needs.
• The study concluded that digital tools, personal devices, social networking software and many of the other tools explored all have a large educational potential to support learning processing and teaching practices. Therefore, use of these tools and processes within institutions, amongst staff and students should be encouraged.
• The report goes on to suggest ways in which the use of such technologies can help strengthen the links between informal and formal learning in higher education. The recommendations are grouped under four areas – pedagogical, socio-cultural, organisational and technological.