“Passwords protect my stuff” - a study of children’s password practices

Children use technology from a very young age and often have to authenticate. The goal of this study is to explore children’s practices, perceptions, and knowledge regarding passwords. Given the limited work to date and that the world’s cyber posture and culture will be dependent on today’s youth, it is imperative to conduct cyber-security research with children. We conducted surveys of 189 3rd to 8th graders from two Midwest schools in the USA. We found that children have on average two passwords for school and three to four passwords for home. They kept their passwords private and did not share with others. They created passwords with an average length of 7 (3rd to 5th graders) and 10 (6–8th graders). But, only about 13% of the children created very strong passwords. Generating strong passwords requires mature cognitive and linguistic capabilities which children at this developmental stage have not yet mastered. They believed that passwords provide access control, protect their privacy and keep their “stuff” safe. Overall, children had appropriate mental models of passwords and demonstrated good password practices. Cyber-security education should strive to reinforce these positive practices while continuing to provide and promote age-appropriate developmental security skills. Given the study’s sample size and limited generalizability, we are expanding our research to include children from 3rd to 12th graders across multiple US school districts

Is the responsibilization of the cyber security risk reasonable and judicious?

Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized .” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk

Digital Architecture as Crime Control

This paper explains how theories of realspace architecture inform the prevention of computer crime. Despite the prevalence of the metaphor, architects in realspace and cyberspace have not talked to one another. There is a dearth of literature about digital architecture and crime altogether, and the realspace architectural literature on crime prevention is often far too soft for many software engineers. This paper will suggest the broad brushstrokes of potential design solutions to cybercrime, and in the course of so doing, will pose severe criticisms of the White House\u27s recent proposals on cybersecurity. The paper begins by introducing four concepts of realspace crime prevention through architecture. Design should: (1) create opportunities for natural surveillance, meaning its visibility and susceptibility to monitoring by residents, neighbors, and bystanders; (2) instill a sense of territoriality so that residents develop proprietary attitudes and outsiders feel deterred from entering a private space; (3) build communities and avoid social isolation; and (4) protect targets of crime. There are digital analogues to each goal. Natural-surveillance principles suggest new virtues of open-source platforms, such as Linux, and territoriality outlines a strong case for moving away from digital anonymity towards psuedonymity. The goal of building communities will similarly expose some new advantages for the original, and now eroding, end-to-end design of the Internet. An understanding of architecture and target prevention will illuminate why firewalls at end points will more effectively guarantee security than will attempts to bundle security into the architecture of the Net. And, in total, these architectural lessons will help us chart an alternative course to the federal government\u27s tepid approach to computer crime. By leaving the bulk of crime prevention to market forces, the government will encourage private barricades to develop - the equivalent of digital gated communities - with terrible consequences for the Net in general and interconnectivity in particular

Sony, Cyber Security, and Free Speech: Preserving the First Amendment in the Modern World

Reprinted from 16 U.C. Davis Bus. L.J. 309 (2016). This paper explores the Sony hack in 2014 allegedly launched by the North Korean government in retaliation over Sony’s production of The Interview and considers the hack’s chilling impact on speech in technology. One of the most devastating cyber attacks in history, the hack exposed approximately thirty- eight million files of sensitive data, including over 170,000 employee emails, thousands of employee social security numbers and unreleased footage of upcoming movies. The hack caused Sony to censor the film and prompted members of the entertainment industry at large to tailor their communication and conform storylines to societal standards. Such censorship cuts the First Amendment at its core and exemplifies the danger cyber terror poses to freedom of speech by compromising Americans’ privacy in digital mediums. This paper critiques the current methods for combatting cyber terror, which consist of unwieldy federal criminal laws and controversial information sharing policies, while proposing more promising solutions that unleash the competitive power of the free market with limited government regulation. It also recommends legal, affordable and user-friendly tools anyone can use to secure their technology, recapture their privacy and exercise their freedom of speech online without fear of surreptitious surveillance or retaliatory exposure

Case study:exploring children’s password knowledge and practices

Children use technology from a very young age, and often have to authenticate themselves. Yet very little attention has been paid to designing authentication specifically for this particular target group. The usual practice is to deploy the ubiquitous password, and this might well be a suboptimal choice. Designing authentication for children requires acknowledgement of child-specific developmental challenges related to literacy, cognitive abilities and differing developmental stages. Understanding the current state of play is essential, to deliver insights that can inform the development of child-centred authentication mechanisms and processes. We carried out a systematic literature review of all research related to children and authentication since 2000. A distinct research gap emerged from the analysis. Thus, we designed and administered a survey to school children in the United States (US), so as to gain insights into their current password usage and behaviors. This paper reports preliminary results from a case study of 189 children (part of a much larger research effort). The findings highlight age-related differences in children’s password understanding and practices. We also discovered that children confuse concepts of safety and security. We conclude by suggesting directions for future research. This paper reports on work in progress.<br/

Identifying attack surfaces in the evolving space industry using reference architectures

The space environment is currently undergoing a substantial change and many new entrants to the market are deploying devices, satellites and systems in space; this evolution has been termed as NewSpace. The change is complicated by technological developments such as deploying machine learning based autonomous space systems and the Internet of Space Things (IoST). In the IoST, space systems will rely on satellite-to-x communication and interactions with wider aspects of the ground segment to a greater degree than existing systems. Such developments will inevitably lead to a change in the cyber security threat landscape of space systems. Inevitably, there will be a greater number of attack vectors for adversaries to exploit, and previously infeasible threats can be realised, and thus require mitigation. In this paper, we present a reference architecture (RA) that can be used to abstractly model in situ applications of this new space landscape. The RA specifies high-level system components and their interactions. By instantiating the RA for two scenarios we demonstrate how to analyse the attack surface using attack trees