
    Assessment of Web-based Information Security Awareness Courses

    Web-based information security awareness courses are commonly recommended in cyber security strategies to help build a security culture capable of addressing information system breaches caused by user mistakes, where negligence or ignorance of policies may endanger information system assets. A research gap exists on the impact of information security awareness web-based courses: they fail to change, to a significant degree, the behavior of participants regarding compliance and diligence, which translates into persistent vulnerabilities. The aim of this work is to contribute a theoretical and empirical analysis of the potential strengths and weaknesses of information security awareness web-based courses, together with two practical tools readily applicable by designers and reviewers of web-based or mediated courses on information security awareness and education. The research design seeks to answer two research questions. The first concerns the formulation of a minimum set of criteria that could be applied to information security awareness web-based courses to support their real impact on employees' diligence and compliance; it results in eleven criteria for course assessment and a checklist. The second concerns a controlled experiment exploring the actual impact of an existing course on diligence and compliance, using phishing emails as educational tools; it reaffirms the theoretical assumptions arrived at earlier.
The development of minimum criteria and their systematic implementation pursues behavioral change, emphasizes the importance of disciplinary integration in cyber security research, and advocates the development of a solid security culture of diligence and compliance, capable of supporting the protection of organizations from information system threats. The results gathered in this study suggest that achieving positive results in the information security tests that follow security awareness courses does not necessarily imply that diligence or compliance with information security policies is affected. These preliminary findings accumulate evidence on the importance of implementing the recommendations formulated in this work

    Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape

    One year ago, Russia invaded Ukraine. Since then, tens of thousands of people have been killed, millions of Ukrainians have fled, and the country has sustained tens of billions of dollars' worth of damage. Importantly, this marks the first time that cyber operations have played such a prominent role in a world conflict. Since the war began, governments, companies, civil society groups, and countless others have been working around the clock to support the Ukrainian people and their institutions. At Google, we support these efforts and continue to announce new commitments and support to Ukraine. This includes a donation of 50,000 Google Workspace licenses for the Ukrainian government, a rapid Air Raid Alerts system for Android phones in Ukraine, support for refugees, businesses, and entrepreneurs, and measures to indefinitely pause monetization and significantly limit recommendations globally for a number of Russian state news media across our platforms. One of the most pressing challenges, however, is that the Ukrainian government is under near-constant digital attack. That is why one of our most important contributions to date has been our ongoing work to provide cybersecurity assistance to Ukraine. Shortly after the invasion, for example, we expanded eligibility for Project Shield, our free protection against distributed denial of service (DDoS) attacks, so that Ukrainian government websites and embassies worldwide could stay online and continue to offer their critical services. We continue to provide direct assistance to the Ukrainian government and critical infrastructure entities under the Cyber Defense Assistance Collaborative, including compromise assessments, incident response services, shared cyber threat intelligence, and security transformation services, to help the Ukrainian government detect, mitigate, and defend against cyber attacks. 
In addition, we continue to implement protections for users and track and disrupt cyber threats to help raise awareness among the security community and high risk users and maintain information quality. This level of collective defense — between governments, companies, and security stakeholders across the world — is unprecedented in scope. It is important then to pause and reflect on this work and our learnings one year later, and share those with the global security community to help prepare better defenses for the future. This report outlines our analysis of these issues and includes the following three observations, informed by over two decades of experience managing complex global security events

    Understanding the rhythms of email processing strategies in a network of knowledge workers

    Scope and Method of Study: While email has improved the communication effectiveness of knowledge workers, it has also started to affect their productivity negatively. Email has long been known to provide value to the organization, but the influence of the overwhelming amount of information shared through email, and the inefficiencies surrounding its everyday use at work, have remained almost completely unanalyzed so far. Frequent notifications of new email, followed by the user checking her inbox, escalate the interruption problem, so the overall effectiveness derived from email communication needs to be re-examined. This study uses a computational modeling approach to understand how various combinations of timing-based and frequency-based email processing strategies, adopted within different types of knowledge networks, influence average email response time, average primary task completion time, and overall effectiveness (comprising value-effectiveness and time-effectiveness) in the presence of interruptions. Earlier research on the topic has focused on individual knowledge workers; this study performs a network-level analysis, comparing different sender-receiver relationships to assess the impact of overall email policies on the entire network. Computational models of three different email exchange networks were developed: homogeneous networks of heavy email users, homogeneous networks of light email users, and heterogeneous networks using various combinations of email strategies. A new method, referred to as the forward and reverse method, for evaluating and validating model parameters is also developed.
Findings and Conclusions: Findings suggest that the choice of email checking policy can affect both time-effectiveness and value-effectiveness. For example, rhythmic email processing strategies lead to lower value-effectiveness but higher time-effectiveness for all types of networks. Email response times are generally higher with rhythmic policies than with arrhythmic policies; on the other hand, primary task completion times are usually lower with rhythmic policies. On average, organizations could potentially save 3 to 6 percent of overall time spent per day by using email strategies that are more time-effective, but could lose 2.5 to 3.5 percent in communication value. These values accumulate into significant time savings or value losses for large organizations

    Cybersecurity, an approach via Pentesting; Ciberseguretat, una aproximació via Pentesting

    This work is an approach to pentesting, an area of cybersecurity that consists of attacking computer environments to discover and exploit vulnerabilities, with the ultimate goal of documenting the attack and gathering information about the security of the system. A review of the basic concepts of information security and cybersecurity is included: types of malware such as viruses or Trojans, possible vulnerabilities such as 0-day or cross-site scripting (XSS), and finally concepts such as social engineering or brute-force attacks. The details of the Kali Linux GNU/Linux distribution are described, and some commands and recommendations for optimizing pentesting are presented. The study of pentesting covers its legal basis, types, phases of execution, the most common tools, and the OWASP organization and its role. As a practical part, a series of attack vectors are detailed with real examples, and a pentesting test is performed on a machine in a controlled environment

    Analysis of obligatory disclosure regarding individual’s privacy

    Disclosure of personal information online has raised concerns about individuals' privacy. In order to protect personal information, users undertake measures such as configuring privacy settings and consulting the privacy policies of an organisation's website before engaging in a transaction. This demonstrates users' concern about the availability of their personal information online. Besides the individuals themselves, organisations also expose the personal information of their staff to the general public by publishing it on their official websites. The practice of publishing employees' information on such websites is nominally to offer better services to customers, and it is one of the steps taken to improve governmental transparency. However, there are only limited studies on individuals' (i.e. employees') privacy issues in the context of organisational disclosure, and on their internal responses to the relevant factors. To date, far too little attention has been paid to the disclosure of personal information by organisational websites. This research addresses this phenomenon, investigating third-party disclosure by an entity that has a direct relationship with the individuals, in the Malaysian context. For this purpose, the research introduces 'obligatory disclosure' as a conceptual framework and adds to the knowledge of privacy-in-public in the context of public administration. The results of the study indicate that while obligatory disclosure was commonly believed to be a normal phenomenon, it creates a vulnerable environment for individuals. The study also found that employees' concerns about privacy were influenced by the specific context. In addition, low levels of privacy concern and a lack of privacy awareness regarding this phenomenon were identified. 
The study recommends that there is a need for a regulatory approach to protect employees’ information on organisation websites, and privacy should be incorporated as an important element of obligatory disclosure practice

    On the adoption of end-user IT security measures

    [no abstract]

    The Proceedings of the 23rd Annual International Conference on Digital Government Research (DGO2022) Intelligent Technologies, Governments and Citizens June 15-17, 2022

    The theme of the 23rd Annual International Conference on Digital Government Research is “Intelligent Technologies, Governments and Citizens”. Data and computational algorithms make systems smarter, but they should also result in smarter government and citizens. Intelligence and smartness affect all kinds of public values, such as fairness, inclusion, equity, transparency, privacy, security and trust, and this influence is not well understood. These technologies provide immense opportunities and should be used in the light of public values. Society and technology co-evolve, and we are looking for new ways to balance them. Specifically, the conference aims to advance research and practice in this field. The keynotes, presentations, posters and workshops show that the conference theme is well chosen and more topical than ever. The challenges posed by new technology have underscored the need to grasp its potential. Digital government brings into focus the realization of public values to improve our society at all levels of government. The conference again shows the importance of the digital government society, which brings together scholars in this field. Dg.o 2022 is fully online, enabling scholars and practitioners around the globe to connect and facilitating global conversations and exchanges through digital technologies. It is primarily a live conference for full engagement, with keynotes, presentations of research papers, workshops, panels and posters, and provides engaging exchange throughout its entire duration

    Cyberstalking Victimization Model Using Criminological Theory: A Systematic Literature Review, Taxonomies, Applications, Tools, and Validations

    Cyberstalking is a growing anti-social problem that is being transformed on a large scale and in various forms. Cyberstalking detection has become increasingly popular in recent years and has been investigated technically by many researchers. However, cyberstalking victimization, an essential part of cyberstalking, has received less empirical attention from the research community. This paper attempts to address this gap and develop a model to understand and estimate the prevalence of cyberstalking victimization. The model is built on routine activities theory and lifestyle exposure theory and includes eight hypotheses. The data were collected from 757 respondents in Jordanian universities. The paper uses a quantitative approach and structural equation modeling for data analysis. The results revealed a modest prevalence range that depends on the cyberstalking type. The results also indicated that proximity to motivated offenders, suitable targets, and digital guardians significantly influence cyberstalking victimization. Moderation hypothesis testing demonstrated that age and residence have a significant effect on cyberstalking victimization. The proposed model is an essential element for assessing cyberstalking victimization in societies and provides a valuable understanding of its prevalence, which can assist researchers and practitioners in future research on cyberstalking victimization

    Rethinking Boundaries and Revisiting Borders: Conditions for innovation, entrepreneurship and economic integration in an interconnected world

    An anthology that highlights the geopolitical friction between economic integration and national political sovereignty in an interconnected world