A descriptive review and classification of organizational information security awareness research

Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

A Conceptual Framework for Smartphone Security Among Arab Millennials

The rapid growth of smartphone adoption and use in the Middle East has led to some critical post-adoption issues, including ensuring that smartphones are used securely. Moreover, there is a gap in the existing literature on the perceptions and behaviour of individual consumers, especially millennials, in relation to mobile security and dealing with smartphone security threats. Little research on this subject has been carried out in developing countries, particularly in the Middle East, in a cross-national context. Therefore, this research aims to analyse the factors that can affect smartphone security behaviour among millennials in a cross-national context in the Middle East. The model developed in this research is based on a combination of the protection motivation theory (PMT) and the extended unified theory of acceptance and use of technology (UTAUT2), with additional factors specifically related to millennials’ smartphone security behaviour in the Middle East. The initial findings indicate that (1) there is a gap in research on the security behaviour of Arab millennials, despite the existence of serious security threats associated with their use of these technologies; and (2) there is a gap in research on similarities and differences in smartphone security behaviour among consumers in a cross-national context. A questionnaire will be distributed online to consumers who are 18–29 years old in Iraq, Jordan and the UAE. This is the first research to study millennial Arabs’ security behaviour around smartphones and mobile applications in a cross- national context. In addition, the conceptual framework proposed in this research combines the PMT and the UTAUT2, with a further extension via the inclusion of three additional factors: privacy concerns; security threats related to smartphone-specific characteristics; and cybersecurity acculturation. Furthermore, this research bridges the gap in knowledge in terms of addressing the lack of research on millennials smartphone users in the Middle East region as they form the largest segment of the population

Mapping the Intellectual Structure of the Social Engineering: a Co-citation and Bibliographic Coupling Study.

This article’s objective is to map the intellectual structure of the Social Engineering Behavior (IS) based on the bibliometric analysis of co-citation (knowledge base) and bibliographic coupling (research front). This research presents the conceptualization of IS, social engineering in computing, safety suitability analysis, IS attack classification taxonomy and Psychological principles of IS applied to information technologies; a total of 62 Web of science research articles from the last two decades were analyzed. In the knowledge base, the analysis found co-citation articles related mainly to the training about defensive methods framework or mechanisms of work for the awareness and prevention of the IS attacks and human behavior activities. Regarding the research front, the analysis shows us a clear tendency to the methods focused mainly on the mechanisms of work for the awareness and prevention of the IS attacks, training about defensive methods in human behavioral activities. The findings are similar to the knowledge base. Future inquiries are proposed in order to make an analysis again about co-citation and compare with the results of our work for establishing any variation since the scientific knowledge increases through the time.Este artículo tiene como objetivo mapear la estructura intelectual del comportamiento de la ingeniería social (IS) basado en el análisis bibliométrico de co-citación (base de conocimiento) y acoplamiento bibliográfico (frente de investigación). Esta investigación presenta la conceptualización de IS, ingeniería social en la informática, análisis de idoneidad de seguridad, taxonomía de clasificación de ataques de IS y principios psicológicos de IS aplicado a las Tecnologías de la Información; se analizaron un total de 62 artículos de investigación de Web of Science de las últimas dos décadas. En la base del conocimiento, el análisis encontró artículos de co-citación que están relacionados principalmente con capacitación sobre métodos defensivos, marcos o mecanismos de trabajo para la concienciación y prevención de ataques de IS y actividades de comportamiento humano. En cuanto al frente de la investigación, el análisis nos muestra una clara tendencia hacia los métodos que se enfocan principalmente en componentes de trabajo para la concientización y prevención de ataques de IS, capacitación sobre métodos defensivos en las actividades del comportamiento humano. Los hallazgos son similares a la base de conocimientos. Se proponen investigaciones futuras para realizar nuevamente un análisis de co-citación y compararlo con los resultados del presente trabajo para establecer cualquier variación ya que su conocimiento científico se incrementa con el tiempo. &nbsp

Attacks On Near Field Communication Devices

For some years, Near Field Communication (NFC) has been a popularly known technology characterized by its short-distance wireless communication, mainly used in providing different agreeable services such as payment with mobile phones in stores, Electronic Identification, Transportation Electronic Ticketing, Patient Monitoring, and Healthcare. The ability to quickly connect devices offers a level of secure communication. That notwithstanding, looking deeply at NFC and its security level, identifying threats leading to attacks that can alter the user’s confidentiality and data privacy becomes obvious. This paper summarizes some of these attacks, emphasizing four main attack vectors, bringing out a taxonomy of these attack vectors on NFC, and presenting security issues alongside privacy threats within the application environment

FakeAP Detector: An Android-Based Client-Side Application for Detecting Wi-Fi Hotspot Spoofing

This research article published by IEEE Access, 2022Network spoofing is becoming a common attack in wireless networks. The trend is going high due to an increase in Internet users. Similarly, there is a rapid growth of numbers in mobile devices in the working environments and on most official occasions. The trends pose a huge threat to users since they become the prime target of attackers. More unfortunately, mobile devices have weak security measures due to their limited computational powers. Current approaches to detect spoofing attacks focus on personal computers and rely on the network hosts’ capacity, leaving guest users with mobile devices at risk. Some approaches on Android-based devices demand root privilege, which is highly discouraged. This paper presents an Android-based client-side solution to detect the presence of fake access points in a perimeter using details collected from probe responses. Our approach considers the difference in security information and signal level of an access point (AP). We present the detection in three networks, (i) open networks, (ii) closed networks and (iii) networks with captive portals. As a departure from existing works, our solution does not require root access for detection, and it is developed for portability and better performance. Experimental results show that our approach can detect fake access points with an accuracy of 99% and 99.7% at an average of 24.64 and 7.78 milliseconds in open and closed networks, respectively

BAS-VAS: A novel secure protocol for value added service delivery to mobile devices

Mobile operators offer a wide range of valueadded services (VAS) to their subscribers (i.e., mobile users), which in turn generates around 15% of the telecommunication industry revenue. However, simultaneous VAS requests from a large number of mobile devices to a single server or a cluster in an internet-of-things (IoT) environment could result in an inefficient system, if these requests are handled one at a time as the present traditional cellular network scenario is. This will not only slow down the server’s efficiency but also adversely impacts the performance of the network. The current (insecure) practice of transmitting user identity in plaintext also results in traceability. In this paper, we introduce the first known protocol designed to efficiently handle multiple VAS requests at one time, as well as ensuring the secure delivery of the services to a large number of requesting mobile users. The proposed batch verification protocol (BAS-VAS) is capable of authenticating multiple simultaneous requests received by a large number of mobile users. We demonstrate that the protocol preserves user privacy over the network. The provider’s servers ensure the privacy of the requested service’s priority by performing sorting over encrypted integer data. The simulation results also demonstrate that the proposed protocol is lightweight and efficient in terms of communication and computation overheads, protocol execution time, and batch and re-batch verification delay. Specifically, we perform batch and re-batch verification (after detecting and removing malicious requests from the batch) for multiple requests in order to improve the overall efficiency of the system, as well as discussing time, space and cost complexity analysis, along with the security proof of our protocol using Proverif

Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standards (CTC&CS)

The increasing use of mobile devices and the unfettered access to cyberspace has introduced new threats to users. Mobile device users are continually being targeted for cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geolocation, camera, etc.), phishing, malware, spyware, trojans, and keyloggers. Users are often uninformed about the cybersecurity threats posed by mobile devices. Users are held responsible for the security of their device that includes taking precautions against cybersecurity threats. In recent years, financial institutions are passing the costs associated with fraud to the users because of the lack of security. The purpose of this study was to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The conceptual foundation is based on the philosophy behind the United States Occupational Safety and Health Administration (OSHA)’s Hazard Communication Standard (HCS) of Labels and Pictograms that is mainly focused on chemical substances. This study extended the HCS framework as a model to support new criteria for cybersecurity classification and communication standards. This study involved three phases. The first phase conducted two rounds of the Delphi technique and collected quantitative data from 26 Subject Matter Experts (SMEs) in round one and 22 SMEs in round two through an anonymous online survey. Results of Phase 1 emerged with six threats categories and 62 cybersecurity threats. Phase 2 operationalized the elicited and validated criteria into pictograms, labels, and safety data sheets. Using the results of phase one as a foundation, two to three pictograms, labels, and safety data sheets (SDSs) from each of the categories identified in phase one were developed, and quantitative data were collected in two rounds of the Delphi technique from 24 and 19 SMEs respectively through an online survey and analyzed. Phase 3, the main data collection phase, empirically evaluated the developed and validated pictograms, labels, and safety data sheets for their perceived effectiveness as well as performed an analysis of covariance (ANCOVA) with 208 non-IT professional mobile device users. The results of this study showed that pictograms were highly effective; this means the participants were satisfied with the characteristics of the pictograms such as color, shapes, visual complexity, and found these characteristics valuable. On the other hand, labels and Safety Data Sheets (SDS) did not show to be effective, meaning the participants were not satisfied or lacked to identify importance with the characteristics of labels and SDS. Furthermore, the ANCOVA results showed significant differences in perceived effectiveness with SDSs with education and a marginal significance level with labels when controlled for the number of years of mobile device use. Based on the results, future research implications can observe discrepancies of pictogram effectiveness between different educational levels and reading levels. Also, research should focus on identifying the most effective designs for pictograms within the cybersecurity context. Finally, longitudinal studies should be performed to understand the aspects that affect the effectiveness of pictograms

User-side wi-fi hotspot spoofing detection on android-based devices

A Dissertation Submitted in Partial Fulfilment of the Requirements for the Degree of Master’s in Wireless and Mobile Computing of the Nelson Mandela African Institution of Science and TechnologyNetwork spoofing is becoming a common attack in wireless networks. Similarly, there is a rapid growth of numbers in mobile devices in the working environments. The trends pose a huge threat to users since they become the prime target of attackers. More unfortunately, mobile devices have weak security measures due to their limited computational powers, making them an easy target for attackers. Current approaches to detect spoofing attacks focus on personal computers and rely on the network hosts’ capacity, leaving users with mobile devices at risk. Furthermore, some approaches on Android-based devices demand root privilege, which is highly discouraged. This research aims to study users' susceptibility to network spoofing attacks and propose a detection solution in Android-based devices. The presented approach considers the difference in security information and signal levels of an access point to determine its legitimacy. On the other hand, it tests the legitimacy of the captive portal with fake login credentials since, usually, fake captive portals do not authenticate users. The detection approaches are presented in three networks: (a) open networks, (b) closed networks and (c) networks with captive portals. As a departure from existing works, this solution does not require root access for detection, and it is developed for portability and better performance. Experimental results show that this approach can detect fake access points with an accuracy of 98% and 99% at an average of 24.64 and 7.78 milliseconds in open and closed networks, respectively. On the other hand, it can detect the existence of a fake captive portal at an accuracy of 88%. Despite achieving this performance, the presented detection approach does not cover APs that do not mimic legitimate APs. As an improvement, future work may focus on pcap files which is rich of information to be used in detection

Strategies to Prevent Security Breaches Caused by Mobile Devices

Data breaches happen almost every day in the United States and, according to research, the majority of these breaches occur due to a lack of security with organizations\u27 mobile devices. Although most of the security policies related to mobile devices currently in place may meet the guidelines required by law, they often fail to prevent a data breach caused by a mobile device. The main purpose of this qualitative single case study was to explore the strategies used by security managers to prevent data breaches caused by mobile devices. The study population consisted of security managers working for a government contractor located in the southeastern region of the United States. Ludwig von Bertalanffy\u27s general systems theory was used as the conceptual framework of this study. The data collection process included interviews with organization security managers (n = 5) and company documents and procedures (n = 13) from the target organization related to mobile device security. Data from the interviews and organizational documents were coded using thematic analysis. Methodological triangulation of the data uncovered 4 major themes: information security policies and procedures, security awareness, technology management tools, and defense-in-depth. The implications for positive social change from this study include the potential to enhance the organizations\u27 security policies, cultivate a better security awareness training program, and improve the organizations data protection strategies. In addition, this study outlines some strategies for preventing data breaches caused by mobile devices while still providing maximum benefit to its external and internal customers

Empirical Studies on Secure Development and Usage of Mobile Health Applications

Mobile technologies, comprising portable devices, context-sensitive software applications, and wireless networking protocols, are being increasingly adopted to exploit services offered for pervasive computing platforms. The utilisation of mobile health (mHealth) apps in the healthcare domain has become a promising tool to improve and support delivering health services in a pervasive manner. mHealth apps enable health professionals and providers to monitor their patients remotely (e.g., managing patients with chronic diseases). mHealth apps enable expanding healthcare coverage (e.g., reaching places where little or no healthcare is available). Furthermore, mHealth apps were used to reduce the spread of disease and infection (e.g., the Covid-19 tracking apps). The use of mHealth apps will enhance the quality of healthcare, reduce the cost, and more convenient for patients. The security of mHealth apps becomes a significant concern due to the privacy and integrity of health-critical data. The interest of attackers in healthcritical data (medical records, clinical reports, disease symptoms, etc.) has increased due to its value in the ‘black market’ as well as the social, legal, and financial consequences of compromised data. This thesis focuses on understanding the security of mHealth apps based on (a) developers' and (b) end-users perspectives by conducting a set of empirical studies. To empirically investigate the existing research, a systematic literature review (SLR) was conducted to gain a deeper understanding of the security challenges, which hinder the development of secure mHealth apps. Based on the findings of the SLR, first, we conducted a survey-based study - involving 97 mHealth apps developers from 25 countries and six continents to investigate the practitioners’ perspectives on security challenges, practices, and motivational factors that help developers to ensure the security of mHealth apps. Second, we conducted survey research - involving 101 endusers from two Saudi Arabian health providers to examine their security awareness about using clinical mHealth apps. We complement the end-users research by conducting an attack simulation study - involving 105 end-users from 14 countries and five continents to investigate their security behaviours when using mHealth apps. The empirical studies in this thesis contribute to (i) providing developers' perspectives on critical challenges, best practices, and motivating factors that support the engineering and development of emerging and next-generation secure mHealth apps; (ii) providing empirical evidence and a set of guidelines to facilitate researchers, practitioners, and stakeholders to develop and adopt secure mHealth apps for clinical practices and public health; (iii) providing empirical evidence using action-driven measurement on human security behaviour when using mHealth apps, and presented the potential mechanisms that lead end-users to make improper security decisions.Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202