
    Cyber-crime Science = Crime Science + Information Security

    Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with the empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science to date, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions.

    Does HIPAA Provide Enough Protection for Healthcare in the Age of Ransomware and Current Cybersecurity Threats

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was released the same year the term “phishing” was coined. The Act provided administrative, physical, and technical safeguards to implement for security standards, with “required” and “addressable” implementation specifications. Since that time, the healthcare technology landscape has changed tremendously. This study explores four questions: What is the observed (reported) trajectory (frequency) of cases of ransomware attacks compared to other types of data breaches? What are examples of ransomware cases that are not reportable under HIPAA regulations? What are examples of the “worst-case” consequences of inadequate protection against ransomware attacks? Which HIPAA regulations should be changed or updated to protect against ransomware? The data show a significant increase by year in ransomware (p < .026), malware (p < .006), phishing (p < .008), unauthorized access (p < .000) and hacking incidents (p < .000). Also, 24% of the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1 did not map to the HIPAA Security standards. The study suggests that healthcare organizations should adopt and implement a cybersecurity framework, and that the United States Department of Health & Human Services (HHS) should consider an update to the HIPAA Security standards.

    Gamification applied to cybersecurity training of healthcare professionals: a proof of concept

    Master's in Management and Evaluation of Health Technologies. Introduction: The healthcare sector is heavily affected by cybercrime, with the main attack techniques being directed at its users. Properly trained health professionals therefore have a key role in minimizing these attacks. Gamified training strategies in cybersecurity have very positive results in terms of knowledge acquisition and retention, with advantages in terms of resource and time management. Objectives: To describe the state of the art on the impact of cybersecurity in the health sector and on gamification; identify the components associated with the development of gamification solutions; compare existing gamification platforms; define an appropriate gamification methodology for training health professionals in cybersecurity; and develop a gamification tool to raise cybersecurity awareness among health professionals. Methodology: A gamification methodology was developed for training health professionals in cybersecurity. A prototype of the gamified training strategy, specific to the health sector, was also developed, including a pilot application (Health-Cy-Game). Results: Development of the prototype of the gamified training strategy, Health-Cy-Game, according to the knowledge profile established: general knowledge of technology; authentication and password management; cyberattack techniques targeting the health sector; information management; software maintenance and updating; and cybersecurity procedures and regulations of health institutions. Concluding remarks: In the healthcare sector, cybersecurity must be a central concern of strategic plans for safety and quality of care. To achieve this state of security, technology users must be given adequate knowledge. Health-Cy-Game was built taking into account the skills profile of these professionals and the specificities of this sector, in accordance with the Centro Nacional de Cibersegurança's Referencial de Competências e Conhecimentos, the Risky Cybersecurity Behaviours Scale (RsCB) and the Security Behaviour Intentions Scale (SeBIS).

    The vulnerability to Online Scamming in contemporary Tongan Society

    This research explores the cybersecurity vulnerabilities of Tongan people to the rapid growth of Information, Communication, and Technology (ICT). Research conducted by Laulaupea‘alu and Keegan in 2016 revealed that Tongan people were vulnerable to the influence of rapid ICT development (Laulaupea‘alu and Keegan, 2016). The cybersecurity vulnerabilities identified among the Tongan people in 2016 informed this research, which investigates the current susceptibilities in contemporary Tongan society. The aim of this research is to investigate the reasons why Tongans are vulnerable to ICT development, specifically Online Scamming (OS), and to find possible solutions to mitigate these susceptibilities. This research is the first to narrow the scope to focus specifically on OS in Tonga. It also covers the technical features of cybersecurity and then extends to the cultural practices that make Tongan people more susceptible to online scamming. Laulaupea‘alu and Keegan (2019) directly conveyed these cybersecurity susceptibilities to the Government of Tonga (GoT) in 2018. This report confirmed that at least 73 percent of organisations in Tonga were vulnerable to cybercrime and cyberattacks. These organisations were victims of malicious software, spam, unauthorized access, social engineering, ransomware, data theft/data loss, stolen accounts, and other types of cybercrime. The report also provided eleven (11) recommendations and suggested that the GoT deploy these cybersecurity prevention and awareness measures to help slow the growth of cyberattacks in Tonga. One of the modern ICT accomplishments in Tonga was the installation of a fibre-optic cable in 2013. Again, Laulaupea'alu and Keegan (2018) warned Tongans about the issues that accompany the fast internet speed of the fibre-optic cable. 
The “high speed internet brings opportunities such as jobs and business but it also brings malicious cyber actors who can target victims in the nation” (p. 255). Aware that ICT issues may arise and could reach a stage where they can no longer be controlled, this research was undertaken to identify the root cause of these vulnerabilities, to look for cybersecurity issues currently being incurred, and to identify appropriate defensive tools to counter these vulnerabilities. The COVID-19 pandemic disrupted and became a major obstacle to this research. Due to border restrictions, there was no opportunity to travel to Tonga for data collection. To overcome this, the e-fanongonongo tokoto (e-ft) methodology was adopted in response to the worldwide disruption caused by COVID-19. The implementation of e-ft enabled effective communication from Hamilton to the survey participants in Tonga. E-mail, Facebook, Messenger, and Zoom were the communication methods deployed by e-ft to communicate with and collect data from one hundred and thirty-nine (139) participants ranging from 16 to 70 years of age. Participants were selected from government ministries, organisations, boards, businesses and grassroots ICT computer users from all five main regions of Tonga (Tongatapu, Vava‘u, Ha‘apai, ‘Eua and Ongo Niua). Although the e-ft process encountered many obstacles in collecting data from the survey participants, it generated responses and data that have been analysed in this research. The findings reveal that Tonga is vulnerable to ICT development, and that Tongan people are victims of cyberattacks due to the impact of rapid ICT development. These vulnerabilities relate to cybersecurity technical weaknesses, human behaviours, culture, and the personal beliefs of Tongans. 
This research also indicated that the people’s vulnerabilities were caused by five main elements: greed, romance/love/empathy, lack of cybersecurity training, lack of ICT knowledge, and unwillingness to report to authorities. These vulnerabilities have resulted in the loss of credential information and the loss of money by the people of Tonga to cybercriminals.

    The Effect of Personality on SMS Phishing Vulnerability

    In the last decade, cybercrime has sought to bypass the technical security in place by focusing on people. Recently, more attention has been given to the security of mobile devices. However, very little research has investigated the human factors of mobile phishing. This thesis investigates human aspects in relation to SMS phishing. Based on our findings, we present recommendations and opportunities for research that will help the security community to better understand phishing attacks and educate mobile users against them. The first study reports the results of a qualitative investigation of what people think and feel about mobile security. The study presents this investigation temporally by means of a series of interviews performed sequentially in multiple stages. A variation was noted in the users' responses and a theory was developed to explain this variation. The study proposed a grounded theory suggesting that people's security attitude is strongly influenced by their agreeableness, conscientiousness and extraversion personality traits. The developed theory suggested that this general behaviour is moderated by individuals’ knowledge and past error-in-judgement experiences. The theory was tested via three further studies (one lab study and two experimental studies). The results suggest that the personality traits Assertiveness and Extraversion affect humans’ phishing vulnerability. To the best of our knowledge, the three studies are the first empirical studies of the human aspects involved in SMS phishing. The thesis embraces both quantitative and qualitative analysis approaches. The quantitative analysis helped in isolating the personality traits Assertiveness and Extraversion, while the qualitative analysis helped us understand how individuals reason about their behaviour.

    The Honeypot Stings Back: Entrapment in the Age of Cybercrime and a Proposed Pathway Forward

    Cybercrime’s transnational nature has rendered conventional methods of domestic policing ineffective. The international community must cooperate to combat cross-border cybercriminals. Law enforcement efforts to respond to the threat through cyber sting operations call into question the degree to which individuals are protected by the entrapment defense. There is disagreement in the international community about the validity of the defense. The lack of consensus threatens effective law enforcement cooperation in responding to cybercrime, posing a global security risk. Furthermore, if countries with dissimilar entrapment rights cooperate to share data and carry out cyber stings, there is a heightened risk of the rights of private citizens being diluted. After summarizing existing international agreements that discuss transnational crime and cybercrime, this Comment proposes that the international community modify the Budapest Convention to establish a “minimum floor” of entrapment rights. This approach would require countries, at a minimum, to consider entrapment as grounds for mitigation at sentencing or for discretionary exclusion of evidence. While countries have been hesitant to explicitly codify entrapment in legislation, there has been an observed acceptance of entrapment-based rights in practice.

    Cybersecurity Legislation and Ransomware Attacks in the United States, 2015-2019

    Ransomware has rapidly emerged as a cyber threat which costs the global economy billions of dollars a year. Since 2015, ransomware criminals have increasingly targeted state and local government institutions. These institutions provide critical infrastructure (e.g., emergency services, water, and tax collection), yet they often operate using outdated technology due to limited budgets. This vulnerability makes state and local institutions prime targets for ransomware attacks. Many states have begun to realize the growing threat from ransomware and other cyber threats and have responded through legislative action. When and how is this legislation effective in preventing ransomware attacks? This dissertation investigates the effects of state cybersecurity legislation on the number of ransomware attacks on state and local institutions from 2015-2019. I review various arguments linking cybersecurity legislation to cybersecurity vulnerability and develop a set of hypotheses about the features of legislation that should deter and prevent ransomware attacks. The cybersecurity literature suggests increased training is a key mechanism to prevent ransomware attacks. However, I find no relationship between direct state legislation on cybersecurity training and ransomware. Instead, the statistical evidence suggests that there are fewer ransomware attacks in states with legislation that indirectly encourages training by shifting the responsibility for a cyber failure back onto vulnerable institutions. This legislation typically focuses on data breaches and often requires the institution to disclose failures, which increases reputational costs. The threat of increased costs for a cybersecurity failure changes these institutions’ cost-benefit analysis and encourages them to proactively improve their cybersecurity, such as through increased training. 
I further examine data breach laws in California and find evidence that these types of laws can promote increased cybersecurity measures. Thus, future legislation should focus on holding institutions responsible for cybersecurity failures, which should in turn lead to increased cybersecurity.

    Exploring the Darkverse: A Multi-Perspective Analysis of the Negative Societal Impacts of the Metaverse

    The Metaverse has the potential to form the next pervasive computing archetype that can transform many aspects of work and life at a societal level. Despite the many forecasted benefits of the metaverse, its negative outcomes have remained relatively unexplored, with the majority of views grounded on logical thoughts derived from prior data points linked with similar technologies and somewhat lacking academic and expert perspective. This study responds to the dark side perspectives through informed and multifaceted narratives provided by invited leading academics and experts from diverse disciplinary backgrounds. The metaverse dark side perspectives covered include: technological and consumer vulnerability, privacy and diminished reality, human–computer interface, identity theft, invasive advertising, misinformation, propaganda, phishing, financial crimes, terrorist activities, abuse, pornography, social inclusion, mental health, sexual harassment and metaverse-triggered unintended consequences. The paper concludes with a synthesis of common themes, formulating propositions, and presenting implications for practice and policy.