Online Security in the Middle East and North Africa: A Survey of Perceptions, Knowledge, and Practice

Digital communication has become a more perilous activity, particularly for activists, political dissidents, and independent media. The recent surge in digital activism that has helped to shape the Arab spring has been met with stiff resistance by governments in the region intent on reducing the impact of digital organizing and independent media. No longer content with Internet filtering, many governments in the Middle East and around the world are using a variety of technological and offline strategies to go after online media and digital activists. In Tunisia, before and during the January 2011 protest movement that led to a change in government there, Internet service providers were apparently logging usernames and passwords to hack into and dismantle online organizing and information sharing among protesters. In early June 2011, Google reported a phishing attack targeted at military and human rights activists to gain access to their Gmail accounts. In Syria, a well organized effort known as the Syrian Electronic Army has been carrying out attacks to disable and compromise web sites that are critical of the Syrian regime. These stories are only a few selected from the set that have become public, and an unknown number of attacks go unnoticed and unreported. Many of these attacks are impossible to attribute to specific actors and may involve a mix of private sector and governmental actors, blurring the lines between cyber attacks and government surveillance. In such an environment, maintaining online security is a growing challenge.In this report we describe the results of a survey of 98 bloggers in the Middle East and North Africa (MENA) carried out in May 2011 in order to study bloggers' perceptions of online risk and the actions they take to address digital communications security, including both Internet and cell phone use. The survey was implemented in the wake of the Arab spring and documents a proliferation of online security problems among the respondents. In the survey, we address the respondents' perceptions of online risk, their knowledge of digital security practices, and their reported online security practices. The survey results indicate that there is much room for improving online security practices, even among this sample of respondents who are likely to have relatively high technical knowledge and experience

Security and Online learning: to protect or prohibit

The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally an account is provided of how future systems can be developed which maintain security and yet are still usable

Case study:exploring children’s password knowledge and practices

Children use technology from a very young age, and often have to authenticate themselves. Yet very little attention has been paid to designing authentication specifically for this particular target group. The usual practice is to deploy the ubiquitous password, and this might well be a suboptimal choice. Designing authentication for children requires acknowledgement of child-specific developmental challenges related to literacy, cognitive abilities and differing developmental stages. Understanding the current state of play is essential, to deliver insights that can inform the development of child-centred authentication mechanisms and processes. We carried out a systematic literature review of all research related to children and authentication since 2000. A distinct research gap emerged from the analysis. Thus, we designed and administered a survey to school children in the United States (US), so as to gain insights into their current password usage and behaviors. This paper reports preliminary results from a case study of 189 children (part of a much larger research effort). The findings highlight age-related differences in children’s password understanding and practices. We also discovered that children confuse concepts of safety and security. We conclude by suggesting directions for future research. This paper reports on work in progress.<br/

Users are not the enemy

Many system security departments treat users as a security risk to be controlled. The general consensus is that most users are careless and unmotivated when it comes to system security. In a recent study, we found that users may indeed compromise computer security mechanisms, such as password authentication, both knowing and unknowingly. A closer analysis, however, revealed that such behavior is often caused by the way in which security mechanisms are implemented, and users ’ lack of knowledge. We argue that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach

Qualitative study exploring the phenomenon of multiple electronic prescribing systems within single hospital organisations

BACKGROUND: A previous census of electronic prescribing (EP) systems in England showed that more than half of hospitals with EP reported more than one EP system within the same hospital. Our objectives were to describe the rationale for having multiple EP systems within a single hospital, and to explore perceptions of stakeholders about the advantages and disadvantages of multiple systems including any impact on patient safety. METHODS: Hospitals were selected from previous census respondents. A decision matrix was developed to achieve a maximum variation sample, and snowball sampling used to recruit stakeholders of different professional backgrounds. We then used an a priori framework to guide and analyse semi-structured interviews. RESULTS: Ten participants, comprising pharmacists and doctors and a nurse, were interviewed from four hospitals. The findings suggest that use of multiple EP systems was not strategically planned. Three co-existing models of EP systems adoption in hospitals were identified: organisation-led, clinician-led and clinical network-led, which may have contributed to multiple systems use. Although there were some perceived benefits of multiple EP systems, particularly in niche specialities, many disadvantages were described. These included issues related to access, staff training, workflow, work duplication, and system interfacing. Fragmentation of documentation of the patient's journey was a major safety concern. DISCUSSION: The complexity of EP systems' adoption and deficiencies in IT strategic planning may have contributed to multiple EP systems use in the NHS. In the near to mid-term, multiple EP systems may remain in place in many English hospitals, which may create challenges to quality and patient safety.Peer reviewe

Risk homeostasis in information security:challenges in confirming existence and verifying impact

The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements.The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other re-searchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found.In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies.Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice

Anti-money laundering and counter-terrorism financing survey of regulated businesses in Australia - methodology report

This report provides a stand-alone description of how the Australian Institute of Criminology’s Anti-money Laundering/Counter-terrorism Financing Survey of regulated businesses was undertaken, emphasising the importance of understanding the methodology and design of this national census of regulated businesses in Australia. As is often the case with social scientific research of a quantitative nature, the detail of how surveys were conducted are sometimes relegated to deep within a long report, or attached in a lengthy appendix, often being overlooked by the average reader. This report provides a stand-alone description of how the Australian Institute of Criminology’s Anti-money Laundering/Counter-terrorism Financing Survey of regulated businesses was undertaken, thus emphasising the importance of understanding the methodology and design of this national census of regulated businesses in Australia. It reviews all of the procedures and steps undertaken from a data collection and methodological perspective and provides an important accompaniment to the major survey report published in conjunction with this methodological review. Both reports should be read together. The current report provides a summary of the methodological approach, consolidation of assorted reports generated throughout the study, a review of sample utilisation and response dynamics and a summary of issues for consideration for future similar surveys

Conceivable security risks and authentication techniques for smart devices

With the rapidly escalating use of smart devices and fraudulent transaction of users’ data from their devices, efficient and reliable techniques for authentication of the smart devices have become an obligatory issue. This paper reviews the security risks for mobile devices and studies several authentication techniques available for smart devices. The results from field studies enable a comparative evaluation of user-preferred authentication mechanisms and their opinions about reliability, biometric authentication and visual authentication techniques