Developing and evaluating a five minute phishing awareness video
Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically validated phishing awareness programmes. Our programmes are specifically designed to neutralise common phishing-related misconceptions and to teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivers phishing awareness more efficiently. Participants in our evaluation were able to detect phishing messages significantly more reliably immediately after watching the video than before watching it. This ability was still demonstrated after a retention period of eight weeks from first watching the video.
Enforcing reputation constraints on business process workflows
The problem of trust in determining the flow of execution of business processes has been at the centre of research interest in the last decade, as business processes have become a de facto model of Internet-based commerce, particularly with the increasing popularity of Cloud computing. One of the main measures of trust is reputation, where the quality of the services provided to clients can be used as the main factor in calculating service and service-provider reputation values. The work presented here contributes to solving this problem by defining a model for the calculation of service reputation levels in a BPEL-based business workflow. These levels of reputation are then used to control the execution of the workflow based on service-level agreement constraints provided by the users of the workflow. The main contribution of the paper is first to present a formal meaning for BPEL processes that is constrained by reputation requirements from the users, and then to demonstrate that these requirements can be enforced using a reference architecture with a case scenario from the domain of distributed map processing. Finally, the paper discusses the possible threats that can be launched against such an architecture.
Interactive Reputation Systems - How to Cope with Malicious Behavior in Feedback Mechanisms
Early reputation systems use simple computation metrics that can easily be manipulated by malicious actors. Advanced computation models that mitigate their weaknesses, however, are non-transparent to end-users, thus lowering their understandability and the users' trust towards the reputation system. The paper proposes the concept of interactive reputation systems that combine the cognitive capabilities of the user with the advantages of robust metrics while preserving the system's transparency. Results of the evaluation show that interactive reputation systems increase both the users' detection ability (robustness) and their understanding of malicious behaviour while avoiding trade-offs in usability.
Trust and technology in inter-organisational electronic relationships
The case of virtual organisations. The LD-CAST case. The case of federated authentication technologies: expected tangible vs. intangible benefits.
Roles in information security – A survey and classification of the research area
Motivation. The growing diffusion of information technologies within all areas of human society has increased their importance as a critical success factor in the modern world. However, information processing systems are vulnerable to many different kinds of threats that can lead to various types of damage resulting in significant economic losses. Consequently, the importance of Information Security has grown and evolved in a similar manner. In its most basic definition, Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The aim of Information Security is to minimize risks related to the three main security goals confidentiality, integrity, and availability – usually referred to as "CIA".
Computers & Security 30 (2011) 748–769
Enhancing Problem Frames with Trust and Reputation for Analyzing Smart Grid Security Requirements
Abstract. Smart grids are expected to scale over millions of users and provide numerous services over geographically distributed entities. Moreover, smart grids are expected to contain controllable local systems (CLS) such as fridges or heaters that can be controlled using the network communication technology of the grid. Security solutions that prevent harm to the grid and to its stakeholders from CLS are essential. Moreover, traditional security approaches such as static access control systems cause considerable administrative workload and are difficult to maintain in fast-growing and changing systems. In contrast, trust management is a soft security mechanism that can reduce this workload significantly. Even though there is no generally accepted definition of trust, it is agreed that it can improve decision-making processes under risk and uncertainty, improving in turn systems' security. We use the problem frames notation to discuss requirements for a trust-based security solution concerning CLS.
Cyber Threat Intelligence Exchange
The processing and exchange of Cyber Threat Intelligence (CTI) has become an increasingly important topic in recent years. This trend can be attributed to various factors. On the one hand, the exchange of information offers great potential to strengthen the knowledge base of companies and thus improve their protection against cyber threats. On the other hand, legislators in various countries have recognized this potential and translated it into legal reporting requirements. However, CTI is still a very young research area with only a small body of literature. Hence, there are hardly any guidelines, uniform standards, or specifications that define or support such an exchange. This dissertation addresses the problem by reviewing the methodological foundations for the exchange of threat intelligence in three focal areas. First, the underlying data formats and data structures are analyzed, and the basic methods and models are developed. In the further course of the work, possibilities for integrating humans into the analysis process of security incidents and into the generation of CTI are investigated. The final part of the work examines possible obstacles in the exchange of CTI. Both the legal environment and mechanisms to create incentives for an exchange are studied. This work thus creates a solid basis and a structured framework for the cooperative use of CTI.
SECURITY POLICY ENFORCEMENT IN APPLICATION ENVIRONMENTS USING DISTRIBUTED SCRIPT-BASED CONTROL STRUCTURES
Business processes involving several partners in different organisations impose demanding requirements on procedures for specification, execution and maintenance. A framework referred to as business process management (BPM) has evolved for this purpose over the last ten years. Other approaches, such as service-oriented architecture (SOA) or the concept of virtual organisations (VOs), assist in the definition of architectures and procedures for modelling and execution of so-called collaborative business processes (CBPs).

Methods for the specification of business processes play a central role in this context, and several standards have emerged for this purpose. Among these, Web Services Business Process Execution Language (WS-BPEL, usually abbreviated BPEL) has evolved to become the de facto standard for business process definition. As such, this language has been selected as the foundation for the research in this thesis.

Having a broadly accepted standard would in principle allow the specification of business processes in a platform-independent manner, including the capability to specify them at one location and have them executed at others (possibly spread across different organisations). Though technically feasible, this approach has significant security implications, particularly for the site that is to execute a process.

The research project focused on the security issues arising when business processes are specified and executed in a distributed manner. The central goal has been the development of methods to cope with the security issues arising when BPEL, as a platform-independent standard, is deployed in such a way.

The research devised novel methods for specifying security policies in such a manner that the assessment of compliance with these policies is greatly facilitated and becomes suited to being performed automatically. An analysis of the security-relevant semantics of BPEL as a specification language was conducted that resulted in the identification of so-called security-relevant semantic patterns. Based on these results, methods to specify security policy-implied restrictions in terms of such semantic patterns and to assess the compliance of BPEL scripts with these policies have been developed. These methods are particularly suited for assessment of remotely defined BPEL scripts, since they allow for pre-execution enforcement of local security policies, thereby mitigating or even removing the security implications involved in distributed definition and execution of business processes.

As initially envisaged, these methods are comparatively easy to apply, as they are based on technologies customary for practitioners in this field. The viability of the methods proposed for automatic compliance assessment has been proven via a prototypic implementation of the essential functionality required for proof-of-concept.

Darmstadt Node of the NRG Network at University of Applied Sciences Darmstadt
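The pre-execution compliance assessment sketched in the abstract, as an added Python example that is not the thesis's own prototype. A local policy restricts two patterns a remotely defined BPEL script may exhibit: (a) which outbound invoke operations it may perform, and (b) where data obtained from a given partner may flow (tracked through assign/copy into later invoke and reply activities). The checker walks the script before the engine ever runs it and reports every violation. The policy, the partner-link names (client, creditCheck, marketing) and the sample process are constructed for illustration; the two patterns are assumptions of this example, not the thesis's catalogue of security-relevant semantic patterns.

```python
"""Pre-execution policy check of a BPEL script (added illustration, not the thesis's tooling).

Two hypothetical security-relevant patterns are checked:
  1. every <invoke partnerLink/operation> must be on the local allow-list;
  2. data that originated at a partner listed in forward_only_to may only be
     sent (via <invoke> or <reply>) to that partner or to the partners listed.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

BPEL_NS = "http://docs.oasis-open.org/wsbpel/2.0/process/executable"


def q(tag: str) -> str:
    """Qualify a BPEL element name with the executable-process namespace."""
    return f"{{{BPEL_NS}}}{tag}"


# Hypothetical local policy of the executing site (an assumption of this example).
POLICY = {
    "allowed_invokes": {("creditCheck", "checkCredit")},
    "forward_only_to": {"creditCheck": {"client"}},
}

# Constructed sample process: an order is received from the client, a credit
# check is invoked, and its result is then forwarded to a marketing partner.
SAMPLE_BPEL = """<process name="OrderProcess" xmlns="http://docs.oasis-open.org/wsbpel/2.0/process/executable">
  <sequence>
    <receive partnerLink="client" operation="processOrder" variable="orderIn" createInstance="yes"/>
    <assign><copy><from variable="orderIn"/><to variable="creditReq"/></copy></assign>
    <invoke partnerLink="creditCheck" operation="checkCredit" inputVariable="creditReq" outputVariable="creditResp"/>
    <assign><copy><from variable="creditResp"/><to variable="profileReq"/></copy></assign>
    <invoke partnerLink="marketing" operation="sendProfile" inputVariable="profileReq"/>
    <assign><copy><from variable="creditResp"/><to variable="orderOut"/></copy></assign>
    <reply partnerLink="client" operation="processOrder" variable="orderOut"/>
  </sequence>
</process>"""

# Same process with the marketing forwarding removed (each offending activity is one line).
HARDENED_BPEL = "\n".join(
    line for line in SAMPLE_BPEL.splitlines()
    if "marketing" not in line and "profileReq" not in line
)


def assess(bpel_xml: str, policy: dict) -> list[str]:
    """Return a list of policy violations found in the script (empty means compliant)."""
    root = ET.fromstring(bpel_xml.strip())
    taint: dict[str, set[str]] = {}  # variable name -> partners its contents came from
    violations: list[str] = []
    # Pre-order traversal approximates sequential control flow. Branches of a
    # <flow> run concurrently, so a sound checker would merge taint across them.
    for el in root.iter():
        tag = el.tag
        if tag == q("receive"):
            var = el.get("variable")
            if var:
                taint.setdefault(var, set()).add(el.get("partnerLink", "?"))
        elif tag == q("copy"):
            src, dst = el.find(q("from")), el.find(q("to"))
            if src is not None and dst is not None and src.get("variable") and dst.get("variable"):
                taint.setdefault(dst.get("variable"), set()).update(taint.get(src.get("variable"), set()))
        elif tag in (q("invoke"), q("reply")):
            partner, op = el.get("partnerLink", "?"), el.get("operation", "?")
            is_invoke = tag == q("invoke")
            if is_invoke and (partner, op) not in policy["allowed_invokes"]:
                violations.append(f"invoke of {partner}/{op} is not permitted by local policy")
            var = el.get("inputVariable") if is_invoke else el.get("variable")
            for origin in sorted(taint.get(var, set())):
                allowed = policy["forward_only_to"].get(origin)
                if allowed is not None and partner != origin and partner not in allowed:
                    violations.append(f"data obtained from {origin} (variable {var}) flows to {partner}/{op}")
            if is_invoke and el.get("outputVariable"):
                taint.setdefault(el.get("outputVariable"), set()).add(partner)
    return violations


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_BPEL), ("hardened", HARDENED_BPEL)):
        found = assess(script, POLICY)
        print(f"{name}: {'compliant' if not found else ''}")
        for v in found:
            print("  -", v)
```

Because the check runs on the script text, the executing site can reject the sample process before deploying it to its engine; the hardened variant passes. A production checker would additionally have to resolve partnerLink names to concrete endpoints and handle the parallel and event-driven constructs (flow, pick, event handlers) that a single pre-order walk does not model.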
Focus report on the year ... / Information Systems and Information Management / Faculty of Economics and Business
The focus area centres on the description, explanation and design of information creation and processing processes, in particular insofar as they are supported by modern information and communication technologies. These processes serve, on the one hand, the direct satisfaction of needs through information and, on the other, the coordination of physical value creation. The rapid development of ICT systems and the rapid spread of their use frequently lead to profound changes in business processes and, beyond that, in social life. The task of the focus area is to analyse the potential benefits of new information and communication technologies and their application, especially in business and public administration, and to put forward its own design proposals. This also applies to the design and selection of the institutional framework for information creation and processing processes.