Exploring The Role Of Cyber Security Measures (Encryption, Firewalls, And Authentication Protocols) In Preventing Cyber-Attacks On E-Commerce Platforms
The present study examines the significance of cybersecurity measures, specifically encryption strength (ES), firewall configuration (FC), and authentication protocols (AP), in protecting e-commerce platforms against cyber-attacks. Data were collected through a survey administered to IT professionals responsible for overseeing e-commerce operations in a range of organisations located in Saudi Arabia. A convenience sampling method was employed to distribute a total of 300 questionnaires, of which 190 completed responses were selected for analysis. The measurement model, which encompassed the variables ES, FC, AP, security training (ST), cyber-attack incidents (CAI), customer trust (CT), and incident response time (IRT), was estimated using structural equation modelling in Amos. The results provide insights into the relationship between cybersecurity measures and the frequency of cyber-attacks. The study highlights the significance of encryption, firewall configuration, and authentication protocols in strengthening e-commerce platforms. Additionally, it examines the impact of security training on the overall cybersecurity posture and its subsequent effect on customer trust, and it treats incident response time as a critical element in minimising the consequences of cyber incidents. The findings contribute to a more comprehensive understanding of the cybersecurity environment within electronic commerce.
Exploring Current Trends and Challenges in Cybersecurity: A Comprehensive Survey
Cyber security is the process of preventing unauthorized access, theft, damage, and interruption to computers, servers, networks, and data. It entails putting policies into place to guarantee the availability, confidentiality, and integrity of information and information systems. Cyber security seeks to protect against a variety of dangers, including hacking, data breaches, malware infections, and other malicious actions. It has grown to be a major concern as a result of the rapid development of digital technology and the growing interconnection of contemporary society. In order to gain insight into the constantly changing world of digital threats and the countermeasures put in place to address them, this survey studies current trends and issues in the area of cyber security. The study includes responses from end users, business executives, IT administrators, and experts across a wide variety of businesses and sectors. Through a thorough analysis of the replies, the survey gives insight into important problems such as the types of cyber threats encountered, the efficacy of current security solutions, emerging technologies influencing cyber security, and the human elements leading to vulnerabilities. The most important conclusions include an evaluation of the most common cyber dangers, such as malware, phishing scams, ransomware, and data breaches, as well as an investigation of the methods and tools used to counter these threats. The survey explores the significance of staff education and awareness in bolstering cyber security defenses and pinpoints opportunities for development in this area. The survey also sheds light on how emerging technologies like cloud computing, artificial intelligence, and the Internet of Things (IoT) are affecting cyber security practices.
It analyses the advantages and disadvantages of using these technologies while taking into account issues like data privacy, infrastructure security, and the need for specialized skills. The survey also looks at the compliance environment, assessing how industry norms and regulatory frameworks affect cyber security procedures, studies the obstacles organizations encounter in attaining compliance, and assesses the degree of knowledge of and commitment to these requirements. The results of this cyber security survey help to better understand the current status of cyber security and provide organizations and individuals with useful information for creating effective policies to protect digital assets. This study seeks to promote a proactive approach to cyber security, allowing stakeholders to stay ahead of threats and build a safe digital environment by identifying relevant trends and concerns.
Identity Management and Authorization Infrastructure in Secure Mobile Access to Electronic Health Records
We live in an age of the mobile paradigm of anytime/anywhere access, as the mobile device is the most ubiquitous device that people now carry. Because of their portability, availability, ease of use, and the communication, access and sharing of information they enable across many domains and areas of daily life, the acceptance and adoption of these devices is still growing. However, because of their potential and growing numbers, mobile devices are an increasingly attractive target for attackers and, like other technologies, mobile applications are still vulnerable.

Health information systems are composed of tools and software to collect, manage, analyse and process medical information (such as electronic health records and personal health records). Such systems can therefore improve the performance and maintenance of health services, promoting the availability, readability, accessibility and sharing of vital information about a patient's overall medical history between geographically fragmented health services. Quick access to information is of great importance in the health sector, since it accelerates work processes, resulting in better use of time, and it may also increase the quality of care. However, health information systems store and manage highly sensitive data, which raises serious concerns regarding patient privacy and safety, and may explain the still increasing number of reported malicious incidents in the health domain.

Data held in health information systems are highly sensitive and subject to strict legal and regulatory restrictions that aim to protect the individual rights and privacy of patients. Alongside this legislation, security requirements must be analysed and measures implemented. Among the security requirements for access to health data, secure authentication, identity management and access control are essential to protect data from unauthorised access. However, beyond the use of simple authentication models, traditional access control models are commonly based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions regardless of the person, the type of device, the environment and situational conditions, and across enterprises, locations and time.

Although existing models can meet the needs of health care systems, they still lack components for dynamicity and privacy protection, which leads to unsatisfactory levels of security and to the patient not having full and easy control over his or her privacy. Within this master's thesis, after in-depth research and review of the state of the art, a novel dynamic access control model was published, the Socio-Technical Risk-Adaptable Access Control modEl (SoTRAACE), which can model the inherent differences and security requirements present in this thesis. To do so, SoTRAACE aggregates attributes from various domains to perform a risk assessment at the moment of the request. The assessment of the risk factors identified in this work is based on a Delphi study: a set of security experts from various domains was selected to classify the impact in the risk assessment of each attribute that SoTRAACE aggregates. SoTRAACE was integrated into an architecture with well-founded requirements, based on the best recommendations and standards (OWASP, NIST 800-53, NIST 800-57) and on a deep review of the state of the art. The architecture is further subjected to the essential security analysis and threat model. As a proof of concept, the proposed access control model was implemented within the user-centric architecture, with two mobile prototypes for several types of access by patients and healthcare professionals, as well as the web servers that handle the access requests, authentication and identity management.

The proof of concept shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact on user experience and interaction. The model can be extended to other industry domains, and new levels of risk or attributes can be added because it is modular. The architecture also works as expected, assuring secure multi-factor authentication and secure data sharing and access based on SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate. Finally, the architecture was tested on different Android versions, with static and dynamic analysis and with security tools.

Future work includes the integration of health data standards and evaluating the proposed system by collecting users' opinions after releasing the system to the real world.

Nowadays we live in a mobile paradigm of access anywhere and at any time, with mobile devices being the technology most present in society's daily life. Owing to their portability, availability, ease of handling, communication capability, and access to and sharing of information from many areas and domains of our lives, the acceptance and integration of these devices keeps growing. However, because of their potential and the increasing number of users, mobile devices are increasingly the target of attacks and, like other technologies, mobile applications continue to be vulnerable.

Health information systems are made up of tools and software that make it possible to collect, manage, analyse and process medical information (such as electronic health records). Such systems can therefore enhance the performance and maintenance of health services, promoting the availability, accessibility and sharing of vital data about patients' general medical records between geographically fragmented services and institutions. Rapid access to medical information is of great importance to the health sector, since it speeds up work processes, resulting in more efficient use of time and resources and, consequently, better quality of treatment. However, health information systems store and handle very sensitive data, which raises serious concerns about patient privacy and safety; this explains the increase in malicious incidents in the health domain.

Health data are highly sensitive and subject to strict laws and regulatory restrictions that aim to ensure the protection of patients' rights and privacy by safeguarding their health data. Together with this legislation, security requirements must be analysed and measures implemented. Among the requirements for accessing health data, secure authentication, identity management and access controls are essential to provide adequate means of protecting data against unauthorised access. However, besides the use of simple authentication models, traditional access control models are usually based on predefined access policies and roles, and are inflexible. This results in uniform access control decisions for different people, device types, environments and situational conditions, companies, locations and points in time. Although existing models make it possible to meet some of the needs of health systems, there is still a shortage of components for dynamic access and privacy protection, which results in unsatisfactory levels of security and in the patient not having direct and full control over his or her privacy and health documents.

Within this master's thesis, after intensive research and review of the state of the art, an innovative access control model was published, called SoTRAACE, which models the inherent differences in access and the security requirements present in this thesis. To do this, SoTRAACE aggregates attributes from several environments and domains that help to perform a risk assessment at the moment the data are requested. The assessment of the risk factors identified in this work is based on a Delphi study: a set of security experts from several industrial domains was selected to classify the impact of each attribute that SoTRAACE aggregates. SoTRAACE was integrated into an architecture for access to medical data, with well-founded requirements based on the best standards and recommendations (OWASP, NIST 800-53, NIST 800-57) and on intensive reviews of the state of the art. This architecture is then subjected to a security analysis and attack models.

As a proof of concept, the proposed access control model is implemented together with a user-centred architecture, with two prototypes for mobile applications that provide various types of access for patients and health professionals. The architecture also comprises web servers that handle data management, access control, authentication and identity management. The final result shows that the model works as expected, with transparency, assuring privacy and data control to the user without impact on interaction and experience. Consequently this model can be extended to other industrial sectors, and new risk levels or attributes can be added to it, since it is modular. The architecture also works as expected, assuring secure multi-factor authentication and secure data access and sharing based on SoTRAACE decisions. The communication channel that SoTRAACE uses was also protected with a digital certificate.

The architecture was tested on different Android versions and was subjected to static and dynamic analysis and to tests with security tools.

For future work, the integration of health data standards and the evaluation of the proposed system are planned, by collecting users' opinions in the real world.
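The abstract describes a risk-adaptive decision taken at request time by aggregating attributes from several domains, on top of a conventional role-based policy. The following is an added illustration of that decision structure, not the thesis's own SoTRAACE implementation: the attribute set, the per-value risk contributions, the weights (standing in for Delphi-derived impact scores) and the permit/step-up/deny thresholds are all assumptions chosen for the example. It shows the point the abstract makes about inflexible static policies: the same physician reading the same record gets different answers depending on device, network, location, time and data sensitivity, and an attribute the client fails to report counts as maximal risk rather than being ignored.

```python
"""Illustrative risk-adaptive access control for mobile access to health
records, in the spirit of SoTRAACE.  Added example, not the thesis's code;
attributes, risk contributions, weights and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    PERMIT = "permit"
    STEP_UP = "permit only after an additional authentication factor"
    DENY = "deny"


# Assumed risk contribution of each attribute value, in [0, 1]; higher is riskier.
RISK_FACTORS: Dict[str, Dict[str, float]] = {
    "device_type": {"managed_phone": 0.1, "personal_phone": 0.5, "unknown": 1.0},
    "network": {"hospital_lan": 0.0, "home_wifi": 0.4, "public_wifi": 0.9},
    "location": {"hospital": 0.0, "home": 0.3, "abroad": 0.8},
    "time": {"working_hours": 0.1, "night": 0.6},
    "data_sensitivity": {"demographics": 0.2, "lab_results": 0.6, "mental_health": 1.0},
}

# Assumed attribute weights (they sum to 1), standing in for the impact an
# expert panel would assign to each attribute in the risk assessment.
WEIGHTS: Dict[str, float] = {
    "device_type": 0.25, "network": 0.20, "location": 0.15,
    "time": 0.10, "data_sensitivity": 0.30,
}

PERMIT_BELOW = 0.35  # risk below this: permit outright
DENY_AT = 0.70       # risk at or above this: deny; in between: step-up authentication

# Static part of the policy: the conventional role-based layer.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "patient": {"read", "share"},
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str             # who is asking
    role: str
    action: str
    record_owner: str        # patient the record belongs to
    context: Dict[str, str]  # situational attributes gathered at request time


def risk_score(context: Dict[str, str]) -> float:
    """Weighted sum of the per-attribute risk contributions.

    A missing attribute, or one with an unrecognised value, counts as
    maximal risk (1.0), so the decision fails closed instead of silently
    ignoring an attribute the client did not report."""
    total = 0.0
    for attr, weight in WEIGHTS.items():
        total += weight * RISK_FACTORS[attr].get(context.get(attr, ""), 1.0)
    return round(total, 3)


def decide(req: AccessRequest, patient_consent: bool = True) -> Tuple[Decision, Optional[float]]:
    """Static checks first, then the dynamic risk assessment.

    Returns the decision and the risk score behind it (None when the request
    was rejected before any risk assessment took place)."""
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision.DENY, None           # the role may never do this
    if req.role == "patient" and req.subject != req.record_owner:
        return Decision.DENY, None           # patients see only their own record
    if req.role != "patient" and not patient_consent:
        return Decision.DENY, None           # owner withdrew consent for professionals
    score = risk_score(req.context)
    if score < PERMIT_BELOW:
        return Decision.PERMIT, score
    if score < DENY_AT:
        return Decision.STEP_UP, score
    return Decision.DENY, score


if __name__ == "__main__":
    # Constructed requests: one physician reading one record from three situations.
    base = dict(subject="dr_silva", role="physician", action="read", record_owner="patient_42")
    situations = {
        "ward, managed phone": {"device_type": "managed_phone", "network": "hospital_lan",
                                "location": "hospital", "time": "working_hours",
                                "data_sensitivity": "lab_results"},
        "home, own phone, night": {"device_type": "personal_phone", "network": "home_wifi",
                                   "location": "home", "time": "night",
                                   "data_sensitivity": "lab_results"},
        "abroad, public wifi": {"device_type": "personal_phone", "network": "public_wifi",
                                "location": "abroad", "time": "night",
                                "data_sensitivity": "mental_health"},
    }
    for label, ctx in situations.items():
        decision, score = decide(AccessRequest(context=ctx, **base))
        print(f"{label:24s} risk={score:.3f} -> {decision.value}")
```

Two design points carry over regardless of the concrete weights: the static role check runs before any risk is computed, so a risk score can never grant a permission the role lacks, and the middle band maps to step-up authentication rather than a hard deny, which is what keeps the dynamic layer from degrading the user experience the abstract mentions.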
Mobile Application to support Scientific Conferences - UO ISEP
This dissertation aims to develop a mobile application for Instituto Superior de Engenharia
do Porto (ISEP), to support scientific conferences. With the increase in the use of mobile
devices and the growing trend of providing mobile applications for scientific conferences,
the need for a mobile application that can enhance the conference experience and provide
a convenient and user-friendly way to access information about a conference is becoming
more important. This application is designed to be used for live conferences and includes
features such as an interactive event schedule, speaker bios, ticket management, and rating
of events among others. The attendees can have a seamless conference experience and
make the most of the time spent at the conference.
The application also includes features for conference organizers such as event registration,
attendee management, and real-time analytics. Organizers are able to manage attendees,
track attendance, and access analytics on attendee behavior and preferences, and use these
features to evaluate the success of the conference, gather insights for future conferences,
and improve the attendee’s experience.
The development of this application is based on best practices and guidelines for the design
and development of mobile applications and user-centered design methodologies. The design process is based on user research, interviews, and usability testing, to ensure that the
application meets the needs and expectations of the users.
The impact of this application on the conference experience is evaluated through user testing and feedback. The evaluation is focused on measuring the usability, usefulness, and
user satisfaction of the application. The results of this evaluation are used to improve the
application and ensure that it provides a high-quality user experience.
Overall, this thesis aims to contribute to the field of mobile applications for conferences by
providing a comprehensive solution that can enhance the attendee experience and improve
the overall effectiveness of the conference.

This dissertation aims to develop a mobile application for ISEP to support the scientific conferences that the Institute organises. With the increase in the use of mobile devices and the growing trend of providing conference visitors with mobile applications, a mobile application that improves the experience and provides a convenient and friendly way to access information about a conference organised by ISEP has become imperative. The application developed within this dissertation is designed to be used at live conferences and will include features such as an interactive event schedule, speaker biographies and presentation materials, as well as an attendee directory and networking opportunities. With this application, the aim is for attendees to have a very positive experience and to make the most of the time spent at the conference.
The application also includes features for conference organisers, such as event registration, attendee management and real-time analytics. Organisers can manage attendees, track attendance and access analytics on their behaviour and preferences, using this information to evaluate the success of the conference and to collect and analyse conference metrics in order to improve the attendee experience.
The development of this application is based on best practices and guidelines for the design and development of mobile applications and on user-centred design methodologies. The design process is based on interviews with the current organisers of conferences at ISEP and on usability testing, to ensure that the application meets users' needs and expectations.
The impact of this application on the conference experience is evaluated through testing and feedback from conference visitors and organisers. The evaluation focuses on measuring usability, usefulness and user satisfaction with the application. The results of this evaluation are used to improve the application and to ensure that it provides a high-quality user experience.
Overall, this dissertation seeks to contribute to the field of mobile applications for scientific conferences by providing a comprehensive solution that can improve the attendee experience and the overall effectiveness of the conference. In addition, the dissertation intends to present a user-centred design approach that can be used as a reference for the development of future mobile applications in other domains.
A Design Approach to IoT Endpoint Security for Production Machinery Monitoring
The Internet of Things (IoT) has significant potential in upgrading legacy production machinery with monitoring capabilities to unlock new capabilities and bring economic benefits. However, the introduction of IoT at the shop floor layer exposes it to additional security risks with potentially significant adverse operational impact. This article addresses such fundamental new risks at their root by introducing a novel endpoint security-by-design approach. The approach is implemented on a widely applicable production-machinery-monitoring application by introducing real-time adaptation features for IoT device security through subsystem isolation and a dedicated lightweight authentication protocol. This paper establishes a novel viewpoint for the understanding of IoT endpoint security risks and relevant mitigation strategies and opens a new space of risk-averse designs that enable IoT benefits, while shielding operational integrity in industrial environments
Security Monitoring in Production Areas
Master's thesis, Information Security (Segurança Informática), 2022, Universidade de Lisboa, Faculdade de Ciências

Since the late 1960s, a different set of technologies has been designed and implemented in parallel to assist in automating industrial and manufacturing processes. These systems, created in parallel to IT (Information Technologies), became known as OT (Operational Technologies).
Unlike IT, these were developed under a different set of requirements. The focus was on resilience to adverse environmental conditions, such as temperature, humidity and electromagnetic interference, and on the need for high availability and near-real-time performance; other requirements, such as information integrity and confidentiality, took a back seat. However, the need to automate processes has grown. Today it is not only industrial areas, such as heavy manufacturing, oil and gas, electrical networks, water distribution or sewage treatment, that need to increase their efficiency. The production areas of a manufacturing company also benefit from both types of technology, IT and OT. Furthermore, it is on the shop floor, that is, in a production area, that the two meet and merge, interconnecting the two networks into a blended system.
Often the operating requirements of one technology are the weak point of the other. A good example is the increasing need for IT devices to connect to the Internet, while OT devices, which often have inherent difficulty with authentication and authorization, end up exposed to untrusted networks.
In recent years, aggravated by socio-political changes in the world, incidents in industrial and production areas have become larger and more frequent. Because the impact of incidents in these areas can be immense, companies and government organizations are increasingly willing to implement measures to defend them. For information security, this is fertile ground for developing new methodologies or for experimenting with and validating existing ones.
This master's work aims to apply a threat model in the context of a production area, thus obtaining a set of the most relevant threats. Starting from these threats, the applicability and value of two security monitoring solutions for production areas are analyzed.
In the first part of this dissertation, after a review of the state of the art that identifies the most frequently mentioned security measures for industrial and manufacturing areas, a production area is characterized, followed by an example based on what was observed in the course of this work. With this background, a threat model is built using the STRIDE methodology to identify and classify potential threats and the DREAD methodology for risk assessment. An attack tree then shows how the identified threats can be chained to achieve the goal of disrupting a production area. After this, a study is made of which of the security measures mentioned initially best mitigate the identified threats. In the final part, the two solutions are analyzed in terms of their ability to detect connected devices and their vulnerabilities and to monitor and identify security events, using network traffic observed in an actual production area. This observation aims to verify the practical value of these tools in mitigating the threats mentioned above.
During this work, a set of lessons learned was identified; these are presented as recommendations in a separate chapter.
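The method the abstract outlines (STRIDE classification, DREAD scoring, an attack tree towards the goal of disrupting the production area, and a comparison of which measures best mitigate the ranked threats) can be made concrete in a few dozen lines. The following is an added example and not material from the dissertation: the five threats, their DREAD scores, the tree and the measure-to-threat mapping are all constructed for illustration. The leaf feasibility used in the tree (the mean of Reproducibility and Exploitability, scaled to [0, 1]) and the OR = max / AND = min aggregation are a common simplification, also an assumption here.

```python
"""STRIDE/DREAD threat register, attack tree and measure ranking for a
production area.  Added example; threats, scores, tree and mappings are
constructed for illustration and are not the dissertation's data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Threat:
    tid: str
    description: str
    stride: str           # one-letter STRIDE category
    damage: int           # DREAD components, each scored 1 (low) .. 10 (high)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for s in self.scores():
            if not 1 <= s <= 10:
                raise ValueError(f"DREAD scores must lie in 1..10, got {s}")

    def scores(self) -> Tuple[int, ...]:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread(self) -> float:
        """Classic DREAD rating: the mean of the five components."""
        return sum(self.scores()) / 5

    def feasibility(self) -> float:
        """Leaf value for the attack tree, in [0, 1]: how easy the step is,
        from the Reproducibility and Exploitability components (assumption)."""
        return (self.reproducibility + self.exploitability) / 20


# Constructed threat register for a production area.
THREATS = [
    Threat("T1", "Unauthenticated Modbus/TCP write changes PLC set-points", "T", 9, 9, 8, 8, 7),
    Threat("T2", "Phishing drops ransomware on an engineering workstation", "D", 9, 7, 6, 7, 8),
    Threat("T3", "Default credentials on the HMI web interface", "S", 7, 10, 9, 5, 9),
    Threat("T4", "Rogue device plugged into an unused shop-floor switch port", "E", 6, 6, 5, 5, 4),
    Threat("T5", "Unencrypted historian traffic captured on the network", "I", 4, 8, 6, 3, 6),
]
BY_ID: Dict[str, Threat] = {t.tid: t for t in THREATS}


def rank_threats(threats: List[Threat]) -> List[Threat]:
    return sorted(threats, key=lambda t: t.dread(), reverse=True)


@dataclass
class Node:
    """Attack-tree node: OR is achieved by any one child, AND needs all of
    them; a leaf wraps one threat from the register."""
    name: str
    op: str = "OR"
    children: List["Node"] = field(default_factory=list)
    leaf: Optional[Threat] = None


def best_path(node: Node) -> Tuple[float, List[str]]:
    """Most feasible way to reach the node's goal: OR takes its best child,
    AND is bounded by its hardest child and needs every child's steps."""
    if node.leaf is not None:
        return node.leaf.feasibility(), [node.leaf.tid]
    results = [best_path(child) for child in node.children]
    if node.op == "OR":
        return max(results, key=lambda r: r[0])
    if node.op == "AND":
        return min(r[0] for r in results), [tid for _, path in results for tid in path]
    raise ValueError(f"unknown operator {node.op!r}")


def leaf(tid: str) -> Node:
    return Node(BY_ID[tid].description, leaf=BY_ID[tid])


ATTACK_TREE = Node("Disrupt the production area", "OR", [
    Node("Halt the PLC", "AND", [
        Node("Reach the OT network", "OR", [leaf("T2"), leaf("T4")]),
        leaf("T1"),
    ]),
    Node("Lock operators out of the HMI", "AND", [leaf("T4"), leaf("T3")]),
])

# Constructed mapping of candidate measures to the threats they mitigate.
MEASURES: Dict[str, Set[str]] = {
    "IT/OT segmentation with a filtering firewall": {"T1", "T2", "T5"},
    "Passive asset discovery and security monitoring on the OT network": {"T1", "T3", "T4"},
    "Replace default HMI credentials and require MFA for remote access": {"T3"},
    "Port security / NAC on shop-floor switches": {"T4"},
}


def rank_measures(measures: Dict[str, Set[str]], threats: List[Threat]) -> List[Tuple[str, float]]:
    """Rank measures by the summed DREAD rating of the threats they mitigate."""
    by_id = {t.tid: t for t in threats}
    scored = {name: sum(by_id[t].dread() for t in ids if t in by_id) for name, ids in measures.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.tid} {STRIDE[t.stride]:23s} DREAD={t.dread():.1f}  {t.description}")
    score, path = best_path(ATTACK_TREE)
    print(f"most feasible path: {' -> '.join(path)} (feasibility {score:.2f})")
    for name, covered in rank_measures(MEASURES, THREATS):
        print(f"{covered:5.1f}  {name}")
```

With these constructed numbers the highest-rated single threat is the unauthenticated PLC write, but the most feasible path to the root goal runs through the phishing foothold first, because the AND node is bounded by its hardest step; that is the kind of result that makes the tree worth building on top of the flat DREAD ranking, and it is also why the monitoring solutions the abstract evaluates are scored here by the threats they cover rather than by any single threat.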
Think twice before you click! : exploring the role of human factors in cybersecurity and privacy within healthcare organizations
The urgent need to protect sensitive patient data and preserve the integrity of
healthcare services has propelled the exploration of cybersecurity and privacy within
healthcare organizations [1]. Recognizing that advanced technology and robust security
measures alone are insufficient [2], our research focuses on the often-overlooked
human element that significantly influences the efficacy of these safeguards. Our
motivation stems from the realization that individual behaviors, decision-making
processes, and organizational culture can be both the weakest link and the most potent
tool in achieving a secure environment. Understanding these human dimensions is
paramount as even the most sophisticated protocols can be undone by a single lapse in
judgment. This research explores the impact of human behavior on cybersecurity and
privacy within healthcare organizations and presents a new methodological approach
for measuring and raising awareness among healthcare employees. Understanding the
human influence in cybersecurity and privacy is critical for mitigating risks and
strengthening overall security posture. Moreover, the thesis aims to place emphasis on
the human aspects focusing more on the often-overlooked factors that can shape the
effectiveness of cybersecurity and privacy measures within healthcare organizations.
We have highlighted factors such as employee awareness, knowledge, and behavior that
play a pivotal role in preventing security incidents and data breaches [1]. By focusing on
how social engineering attacks exploit human vulnerabilities, we underline the necessity
to address these human-influenced aspects. The existing literature highlights the crucial
role that human factors and awareness training play in strengthening cyber resilience,
especially within the healthcare sector [1]. Developing well-customized training
programs, along with fostering a robust organizational culture, is vital for encouraging a
secure and protected digital healthcare setting [3]. Building on the recognized
significance of human influence in cybersecurity within healthcare organizations, a
systematic literature review became indispensable. The existing body of research might
not have fully captured all ways in which human factors, such as psychology, behavior,
and organizational culture, intertwined with technological aspects. A systematic
literature review served as a robust foundation to collate, analyze, and synthesize
existing knowledge, and to identify gaps where further research was needed. In
complement to our systematic literature review and investigation of human factors, our
research introduced a new methodological approach through a concept study based on
an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and
psychology in the context of cybersecurity, we designed this survey to probe the
multifaceted dimensions of cybersecurity awareness. The exploratory nature of the
survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing
information that is often overlooked in conventional analyses. By employing this tailored
survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures
Security in Computer and Information Sciences
This open access book constitutes the thoroughly refereed proceedings of the Second International Symposium on Computer and Information Sciences, EuroCybersec 2021, held in Nice, France, in October 2021. The 9 papers presented together with 1 invited paper were carefully reviewed and selected from 21 submissions. The papers focus on topics of security of distributed interconnected systems, software systems, Internet of Things, health informatics systems, energy systems, digital cities, digital economy, mobile networks, and the underlying physical and network infrastructures. This is an open access book