Presenting Suspicious Details in User-Facing E-mail Headers Does Not Improve Phishing Detection
Phishing requires humans to fall for impersonated sources.
Sender authenticity can often be inferred from e-mail header
information commonly displayed by e-mail clients, such as
sender and recipient details. People may be biased by convincing
e-mail content and overlook these details, and subsequently
fall for phishing. This study tests whether people
are better at detecting phishing e-mails when they are only
presented with user-facing e-mail headers, instead of full emails.
Results from a representative sample show that most
phishing e-mails were detected by less than 30% of the participants,
regardless of which e-mail part was displayed. In fact,
phishing detection was worst when only e-mail headers were
provided. Thus, people still fall for phishing, because they do
not recognize online impersonation tactics. No personal traits,
e-mail characteristics, nor URL interactions reliably predicted
phishing detection abilities. These findings highlight the need
for novel approaches to help users with evaluating e-mail
authenticity.
Checking, Nudging or Scoring? Evaluating e-Mail User Security Tools
Phishing e-mail threats are increasing in sophistication. Technical measures alone do not fully prevent users from falling
for them and common e-mail interfaces provide little support
for users to check an e-mail's legitimacy. We designed three e-mail user security tools to improve phishing detection within
a common e-mail interface and provide a formative evaluation
of the usability of these features: two psychological nudges
to alert users of suspicious e-mails and a "check" button to
enable users to verify an e-mail's legitimacy. Professional e-mail users (N = 27) found the "suspicion score" nudge and
"check" button the most useful. These alerted users of suspicious e-mails, without harming their productivity, and helped
users assert trust in legitimate ones. The other nudge was too
easily ignored or too disruptive to be effective. We also found
that users arrive at erroneous judgements due to differing
interpretations of e-mail details, even though two-thirds of
them completed cybersecurity training before. These findings
show that usable and therefore effective e-mail user security tools can be developed by leveraging cues of legitimacy
that augment existing user behaviour, instead of emphasising
technical security training.
Phishing to improve detection
Phishing e-mail scams continue to threaten organisations around
the world. With generative artificial intelligence, conventional
phishing detection advice such as looking out for linguistic errors and bad layouts will become obsolete. New approaches to
improve people's ability to detect phishing are essential. We report
on promising results from two experiments (total N = 183) that
engaging people with an adversarial mindset improves their ability
to detect phishing e-mails compared to those who received conventional or no training. Participants who completed conventional
training were nearly three times as likely to fall for a simulated
phishing attack compared to those who completed the adversarial
training, in which they watched a fictitious cybercriminal explain
how to devise a targeted phishing e-mail, and then wrote targeted
phishing e-mails themselves. Although further research is needed
to examine the training's long-term efficacy with larger sample
sizes, the present findings show an encouraging alternative to conventional phishing training approaches.
Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer
Information leakage is a class of error that can lead to severe consequences.
However unlike other errors, it is rarely explicitly considered during the
software testing process. LeakFuzzer advances the state of the art by using a
noninterference security property together with a security flow policy as an
oracle. As the tool extends the state of the art fuzzer, AFL++, LeakFuzzer
inherits the advantages of AFL++ such as scalability, automated input
generation, high coverage and low developer intervention.
The tool can detect the same set of errors that a normal fuzzer can detect,
with the addition of being able to detect violations of secure information flow
policies.
We evaluated LeakFuzzer on a diverse set of 10 C and C++ benchmarks
containing known information leaks, ranging in size from just 80 to over 900k
lines of code. Seven of these are taken from real-world CVEs including
Heartbleed and a recent error in PostgreSQL. Given 20 24-hour runs, LeakFuzzer
can find 100% of the leaks in the SUTs, whereas existing techniques such
as the CBMC model checker and AFL++ augmented with different sanitizers can
only find 40% at best.
Comment: 11 pages, 4 figures
"It May Be a Pain in the Backside but..." Insights into the Resilience of Business after GDPR
The General Data Protection Regulation (GDPR) came into effect
in May 2018 and is designed to safeguard European Union (EU)
citizens' data privacy. The benefits of the regulation to consumers'
rights and to regulators' powers are well known. The benefits to
regulated businesses are less obvious and under-researched.
We conduct exploratory research into understanding the sociotechnical impacts and resilience of business in the face of a
major new disruptive regulation. In particular, we investigate if
GDPR is all pain and no gain. Using semi-structured interviews, we
survey 14 senior-level executives responsible for business, finance,
marketing, compliance and technology drawn from six companies
in the UK and Ireland.
We find the threat of fines has focused the corporate mind and
made business more privacy aware. Organisationally, it has created
new power bases within companies to advocate GDPR. It has forced
companies to modernise their platforms and indirectly benefited
them with better risk management processes, information security
infrastructure and up to date customer databases. Compliance, for
some, is used as a reputational signal of trustworthiness.
Many implementation challenges remain. New business development and intra-company communication is more constrained.
Regulation has increased costs and internal bureaucracy. Grey areas remain due to a lack of case law. Disgruntled customers and
ex-employees weaponise Subject Access Requests (SAR) as a tool
of retaliation. All small and medium-sized businesses in our sample
see GDPR as overkill and overwhelming.
We conclude GDPR may be regarded as a pain by business but
it has made it more careful with data. It created a short-term disruption that monopolised IT budgets in the run-up to GDPR and
created a long-term disruption to company politics as Compliance
and Information Security leverage the regulation for budget and
control. The rising trend in the number of fines issued by national
data protection regulators and the establishment of new case law
will continue to reshape organisations.
A Passion for Security: Intervening to Help Software Developers
While the techniques to achieve secure, privacy-preserving software are now well understood, evidence shows that many software development teams do not use them: they lack the 'security maturity' to assess security needs and decide on appropriate tools and processes; and they lack the ability to negotiate with product management for the required resources. This paper describes a measuring approach to assess twelve aspects of this security maturity; its use to assess the impact of a lightweight package of workshops designed to increase security maturity; and a novel approach within that package to support developers in resource negotiation. Based on trials in eight organizations, involving over 80 developers, this paper demonstrates that (1) development teams can notably improve their security maturity even in the absence of security specialists; and (2) suitably guided, developers can find effective ways to promote security to product management. Empowering developers to make their own decisions and promote security in this way offers a powerful grassroots approach to improving the security of software worldwide.
Incorporating Software Security: Using Developer Workshops to Engage Product Managers
Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues? This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops' effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements. Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.
Chondrolectin mediates growth cone interactions of motor axons with an intermediate target
The C-type lectin chondrolectin (chodl) represents one of the major gene products dysregulated in spinal muscular atrophy models in mice. However, to date, no function has been determined for the gene. We have identified chodl and other novel genes potentially involved in motor axon differentiation, by expression profiling of transgenically labeled motor neurons in embryonic zebrafish. To enrich the profile for genes involved in differentiation of peripheral motor axons, we inhibited the function of LIM-HDs (LIM homeodomain factors) by overexpression of a dominant-negative cofactor, thereby rendering labeled axons unable to grow out of the spinal cord. Importantly, labeled cells still exhibited axon growth and most cells retained markers of motor neuron identity. Functional tests of chodl, by overexpression and knockdown, confirm crucial functions of this gene for motor axon growth in vivo. Indeed, knockdown of chodl induces arrest or stalling of motor axon growth at the horizontal myoseptum, an intermediate target and navigational choice point, and reduced muscle innervation at later developmental stages. This phenotype is rescued by chodl overexpression, suggesting that correct expression levels of chodl are important for interactions of growth cones of motor axons with the horizontal myoseptum. Combined, these results identify upstream regulators and downstream functions of chodl during motor axon growth.