Why do People Adopt, or Reject, Smartphone Security Tools?

A large variety of security tools exist for Smartphones, to help their owners to secure the phones and prevent unauthorised others from accessing their data and services. These range from screen locks to antivirus software to password managers. Yet many Smartphone owners do not use these tools despite their being free and easy to use. We were interested in exploring this apparent anomaly. A number of researchers have applied existing models of behaviour from other disciplines to try to understand these kinds of behaviours in a security context, and a great deal of research has examined adoption of screen locking mechanisms. We review the proposed models and consider how they might fail to describe adoption behaviours. We then present the Integrated Model of Behaviour Prediction (IMBP), a richer model than the ones tested thus far. We consider the kinds of factors that could be incorporated into this model in order to understand Smartphone owner adoption, or rejection, of security tools. The model seems promising, based on existing literature, and we plan to test its efficacy in future studies

A Review of Smishing Attaks Mitigation Strategies

Mobile Smishing crime has continued to escalate globally due to technology enhancements and people's growing dependence on smartphones and other technologies. SMS facilitates the distribution of crucial information that is principally important for non-digital savvy users who are typically underprivileged. Smishing, often known as SMS phishing, entails transmitting deceptive text messages to lure someone into revealing individual information or installing malware. The number of incidences of smishing has increased tremendously as the internet and cellphones have spread to even the most remote regions of the globe

Smartphone security awareness, perceptions and practices:a Welsh higher education case study

Higher Education students are purported to be heavy users of technology; specifically smartphones, which represent the “Internet of Things” (IoT). These have revolutionized every sector of public and personal lives, and also revolutionised teaching and learning within Higher Education, providing students a 21st century learning experience. The way students engage with each other, with institutions of higher learning, and with their own learning, has changed dramatically. The smartphone is used to assist with all areas of their lives; however, a plethora of security issues accompanies its use. Cybersecurity perceptions are said to inform security practices and precautionary-related behaviours. If perceptions are skewed, the necessary security behaviours might be inadequate. The main objective of this quantitative study was to investigate the level of smartphone security awareness of Higher Education students undertaking a Business degree at a Welsh University during the 2016-17 and 2018-19 academic years. Understanding whether students have acquired prior cybersecurity knowledge through formal means was key to understanding whether there was a link between security education, security awareness, smartphone security behaviours, perceptions and practices.This research therefore aimed to investigate:1) The level of smartphone security awareness depicted in the attitudes, behaviours, knowledge and competences of these university students;2) Any gender differences in terms of attitudes, behaviours, knowledge and competences regarding smartphone security awareness;3) The importance of cybersecurity awareness training.Participants in this study were largely male, with half of the participants having undertaken a prior information communication technology related type courses. Almost all participants recognised that there were security related issues with social networking and location based applications. The majority of participants did not deploy measures to prevent viruses, this being the case for significantly more females. More than half of the participants used some mechanisms to protect their data. However, significantly more of the 2018-19 participant group compared to the 2016-17 participant group indicated that they did not do this. Moreover, a large proportion of the participants were unaware of the liability linked to the use of social media and the related rules applicable. This study suggests that students who received some formal information communication technology training prior to university entry were more aware of the security risks and their behaviours reflect this. Despite this, the level of smartphone security awareness is not as high as it should be which is in keeping with other research findings. This study suggests that as technology and digital literacy gain further importance, smartphone security literacy training should not be left to chance. . It is clear that education and training should occur early in the education life cycle, and should be a lifelong learning activity

Addressing Misconceptions About Password Security Effectively

Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to decrease insecure coping strategies. We conducted a systematic literature review with the goal to provide an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in basically all aspects of password security. Furthermore, we developed interventions to address these misconceptions. Then, we evaluated the interventions\u27 effectiveness in decreasing the misconceptions at three small and medium sized enterprises (SME). Our results show that the interventions decrease the overall prevalence of misconceptions significantly in the participating employees

Secure and Usable User Authentication

Authentication is a ubiquitous task in users\u27 daily lives. The dominant form of user authentication are text passwords. They protect private accounts like online banking, gaming, and email, but also assets in organisations. Yet, many issues are associated with text passwords, leading to challenges faced by both, users and organisations. This thesis contributes to the body of research enabling secure and usable user authentication, benefiting both, users and organisations. To that end, it addresses three distinct challenges. The first challenge addressed in this thesis is the creation of correct, complete, understandable, and effective password security awareness materials. To this end, a systematic process for the creation of awareness materials was developed and applied to create a password security awareness material. This process comprises four steps. First, relevant content for an initial version is aggregated (i.e. descriptions of attacks on passwords and user accounts, descriptions of defences to these attacks, and common misconceptions about password and user account security). Then, feedback from information security experts is gathered to ensure the correctness and completeness of the awareness material. Thereafter, feedback from lay-users is gathered to ensure the understandability of the awareness material. Finally, a formal evaluation of the awareness material is conducted to ensure its effectiveness (i.e. whether the material improves participant\u27s ability to assess the security of passwords as well as password-related behaviour and decreases the prevalence of common misconceptions about password and user account security). The results of the evaluation show the effectiveness of the awareness material: it significantly improved the participants\u27 ability to assess the security of password-related behaviour as well as passwords and significantly decreased the prevalence of misconceptions about password and user account security. The second challenge addressed in this thesis is shoulder-surfing resistant text password entry with gamepads (as an example of very constrained input devices) in shared spaces. To this end, the very first investigation of text password entry with gamepads is conducted. First, the requirements of authentication in the gamepad context are described. Then, these requirements are applied to assess schemes already deployed in the gamepad context and shoulder-surfing resistant authentication schemes from the literature proposed for non-gamepad contexts. The results of this assessment show that none of the currently deployed and only four of the proposals in the literature fulfil all requirements. Furthermore, the results of the assessment also indicate a need for an empirical evaluation in order to exactly gauge the shoulder-surfing threat in the gamepad context and compare alternatives to the incumbent on-screen keyboard. Based on these results, two user studies (one online study and one lab study) are conducted to investigate the shoulder-surfing resistance and usability of three authentication schemes in the gamepad context: the on-screen keyboard (as de-facto standard in this context), the grid-based scheme (an existing proposal from the literature identified as the most viable candidate adaptable to the gamepad context during the assessment), and Colorwheels (a novel shoulder-surfing resistant authentication scheme specifically designed for the gamepad context). The results of these two user studies show that on-screen keyboards are highly susceptible to opportunistic shoulder-surfing, but also show the most favourable usability properties among the three schemes. Colorwheels offers the most robust shoulder-surfing resistance and scores highest with respect to participants\u27 intention to use it in the future, while showing more favourable usability results than the grid-based scheme. The third challenge addressed in this thesis is secure and efficient storage of passwords in portfolio authentication schemes. Portfolio authentication is used to counter capture attacks such as shoulder-surfing or eavesdropping on network traffic. While usability studies of portfolio authentication schemes showed promising results, a verification scheme which allows secure and efficient storage of the portfolio authentication secret had been missing until now. To remedy this problem, the (t,n)-threshold verification scheme is proposed. It is based on secret sharing and key derivation functions. The security as well as the efficiency properties of two variants of the scheme (one based on Blakley secret sharing and one based on Shamir secret sharing) are evaluated against each other and against a naive approach. These evaluations show that the two (t,n)-threshold verification scheme variants always exhibit more favourable properties than the naive approach and that when deciding between the two variants, the exact application scenario must be considered. Three use cases illustrate as exemplary application scenarios the versatility of the proposed (t,n)-threshold verification scheme. By addressing the aforementioned three distinct challenges, this thesis demonstrates the breadth of the field of usable and secure user authentication ranging from awareness materials, to the assessment and evaluation of authentication schemes, to applying cryptography to craft secure password storage solutions. The research processes, results, and insights described in this thesis represent important and meaningful contributions to the state of the art in the research on usable and secure user authentication, offering benefits for users, organisations, and researchers alike

NEMISA Digital Skills Conference (Colloquium) 2023

The purpose of the colloquium and events centred around the central role that data plays today as a desirable commodity that must become an important part of massifying digital skilling efforts. Governments amass even more critical data that, if leveraged, could change the way public services are delivered, and even change the social and economic fortunes of any country. Therefore, smart governments and organisations increasingly require data skills to gain insights and foresight, to secure themselves, and for improved decision making and efficiency. However, data skills are scarce, and even more challenging is the inconsistency of the associated training programs with most curated for the Science, Technology, Engineering, and Mathematics (STEM) disciplines. Nonetheless, the interdisciplinary yet agnostic nature of data means that there is opportunity to expand data skills into the non-STEM disciplines as well.College of Engineering, Science and Technolog