MORI: An Innovative Mobile Applications Data Risk Assessment Model
The daily activities of mobile device users range from making calls and texting to accessing mobile applications, such as mobile banking and online social networks. Mobile phones are able to create, store, and process different types of data, and these data, whether personal, business, or governmental, are related to the owner of the mobile device. More specifically, user activities, such as posting on Facebook, are sensitive and confidential processes with varying degrees of social risk. The current point-of-entry authentication mechanisms, however, consider all applications on the mobile device as if they had the same level of importance, thus maintaining a single level of security for all applications, without any further access control rules. In this research, we argue that within a single mobile application there are different processes operating on the same data, with different social risks based on the user's actions. More specifically, the unauthorised disclosure or modification of mobile application data has the potential to lead to a number of undesirable consequences for the user, which in turn means that the risk changes within the application. Thus, there is no single risk for using a single application. Accordingly, there is a severe lack of protection for user data stored in mobile phones due to the lack of further authentication or differentiated protection beyond the point of entry. To remedy that failing, this paper introduces a new risk assessment model for mobile application data, called MORI (Mobile Risk), that determines the risk level for each process on a single application. The findings demonstrate that this model introduces a risk matrix which helps to move the access control system from the application level to the intra-process application level, based on the risk of the user action being performed on these processes.
Best Effort and Practice Activation Codes
Activation Codes (ACs) are used in many different digital services and are known by many different names, including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used, there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.
Comment: 15 pages, 3 figures, TrustBus 201
Gamification techniques for raising cyber security awareness
Due to the prevalence of online services in modern society, such as internet banking and social media, it is important for users to have an understanding of basic security measures in order to keep themselves safe online. However, users often do not know how to make their online interactions secure, which demonstrates an educational need in this area. Gamification has grown in popularity in recent years and has been used to teach people about a range of subjects. This paper presents an exploratory study investigating the use of gamification techniques to educate average users about password security, with the aim of raising overall security awareness. To explore the impact of such techniques, a role-playing quiz application (RPG) was developed for the Android platform to educate users about password security. Results gained from the work highlighted that users enjoyed learning via the use of the password application, and felt they benefitted from the inclusion of gamification techniques. Future work seeks to expand the prototype into a full solution, covering a range of security awareness issues.
Device- versus Network-Centric Authentication Paradigms for Mobile Devices: Operational and Perceptual Trade-Offs
The increasing capability and functionality of mobile devices is leading to a corresponding increase in the need for security to prevent unauthorised access. Indeed, as the data and services accessed via mobile devices become more sensitive, the existing method of user authentication (predominantly based upon Personal Identification Numbers) appears increasingly insufficient. An alternative basis for authentication is offered by biometric approaches, which have the potential to be implemented in a non-intrusive manner and also enable authentication to be applied in an ongoing manner, beyond the initial point of entry. However, the implementation of any authentication mechanism, particularly biometric approaches, introduces considerations of where the main elements of functionality (such as the processing of authentication data, decision making, and storing user templates/profiles) should reside. At the extremes, there are two alternatives: a device-centric paradigm, in which the aforementioned aspects are handled locally; or a network-centric paradigm, in which the actions occur remotely and under the jurisdiction of the network operator. This paper examines the alternatives and determines that each context introduces considerations in relation to the privacy of user data, the processing and storage of authentication data, network bandwidth demands, and service availability. In view of the various advantages and disadvantages, it is concluded that a hybrid approach represents the most feasible solution, enabling data storage and processing to be split between the two locations depending upon individual circumstances. This represents the most flexible approach, and will enable an authentication architecture to be more adaptable to the needs of different users, devices and security requirements.
Evaluating the Usability Impacts of Security Interface Adjustments in Word 2007
Prior research has suggested that integrating security features with user goals and increasing their visibility would improve the usability of the associated functionalities. This paper investigates how these approaches affect the efficiency of use and the level of user satisfaction. The user interface of Word 2007 was modified according to these principles, with usability tests being conducted with both the original and the modified user interfaces. The results suggest that integrating security features with user goals improves the efficiency of use, but the impacts upon user satisfaction cannot be clearly identified based on the collected data. No indications of any major improvements in the efficiency of use or user satisfaction are found when the visibility of security features is increased. The combination of these two methods seems to improve both the efficiency of use and the resulting user satisfaction.
Assessing end-user awareness of social engineering and phishing
Social engineering is a significant problem involving technical and non-technical ploys in order to acquire information from unsuspecting users. This paper presents an assessment of user awareness of such methods in the form of email phishing attacks. Our experiment used a web-based survey, which presented a mix of 20 legitimate and illegitimate emails, and asked participants to classify them and explain the rationale for their decisions. This assessment shows that the 179 participants were 36% successful in identifying legitimate emails, versus 45% successful in spotting illegitimate ones. Additionally, in many cases, the participants who identified illegitimate emails correctly could not provide convincing reasons for their selections.
The Feasibility of Using Behavioural Profiling Technique for Mitigating Insider Threats: Review
Insider threat has become a serious issue for many organizations. Various companies are increasingly deploying information technologies to prevent unauthorized access to their systems. Biometric approaches offer some techniques that contribute towards controlling the point of entry. However, these methods are mainly not able to continuously validate the users' reliability. In contrast, behavioral profiling is a biometric technology that focuses on the activities of users while they use the system and compares them with their previous history. This paper presents a comprehensive analysis, literature review and discussion of the limitations of the behavioral profiling approach, and of the extent to which it can be used for mitigating insider misuse.
Towards An Automated Forensic Examiner (AFE) Based Upon Criminal Profiling & Artificial Intelligence
Digital forensics plays an increasingly important role within society as the approach to the identification of criminal and cybercriminal activities. It is however widely known that a combination of the time taken to undertake a forensic investigation, the volume of data to be analysed and the number of cases to be processed are all significantly increasing, resulting in an ever growing backlog of investigations and mounting costs. Automation approaches have already been widely adopted within digital forensic processes to speed up the identification of relevant evidence: hashing for notable files, file signature analysis and data carving, to name a few. However, to date, little research has been undertaken in identifying how more advanced techniques could be applied to perform "intelligent" processing of cases. This paper proposes one such approach, the Automated Forensic Examiner (AFE), that seeks to apply artificial intelligence to the problem of sorting and identifying relevant artefacts. The proposed approach utilises a number of techniques, including a technical competency measure, a dynamic criminal knowledge base and visualisation, to provide an investigator with an in-depth understanding of the case. The paper also describes how its implementation within a cloud-based infrastructure will permit a more timely and cost-effective solution.
The Design of a Multimedia-Forensic Analysis Tool (M-FAT)
Digital forensics has become a fundamental requirement for law enforcement due to the growing volume of cyber and computer-assisted crime. Whilst existing commercial tools have traditionally focused upon string-based analyses (e.g., regular expressions, keywords), less effort has been placed towards the development of multimedia-based analyses. Within the research community, more focus has been attributed to the analysis of multimedia content; however, such efforts tend to focus upon highly specialised, specific scenarios such as tattoo identification, number plate recognition, suspect face recognition and manual annotation of images. Given the ever-increasing volume of multimedia content, it is essential that a holistic Multimedia-Forensic Analysis Tool (M-FAT) is developed to extract, index and analyse the recovered images and provide an investigator with an environment in which to ask more abstract and cognitively challenging questions of the data. This paper proposes such a system, focusing upon a combination of object and facial recognition to provide a robust system. This system will enable investigators to perform a variety of forensic analyses that aid in reducing the time, effort and cognitive load being placed on the investigator to identify relevant evidence.
Cyber crime: A portrait of the landscape
This paper reviews current evidence in relation to the scale and impacts of cyber crime, including various approaches to defining and measuring the problem. A review and analysis of survey evidence is used to enable an understanding of the scope and scale of the cyber crime problem, and its effect upon those experiencing it. The analysis evidences that cyber crime exists in several dimensions, with costs and harms that can be similarly varied. There is also a sense that, moving forward, the 'cyber' label will become somewhat redundant as many crimes have the potential to have a technology component. The key evidence in this particular discussion has some geographic limitations, with much of the discussion focused upon data drawn from the Crime Survey for England and Wales, as well as other UK-based sources. However, many of the broader points remain more widely relevant:
- A better understanding of the range and scale of cyber crime threats
- Understanding of how the cyber element fits into the wider context of crime
- Improving the appreciation of what cyber crime can mean for potential victims
- Recognition of the cost dimensions, and the implications for protection and response
The discussion will help businesses and individuals to have a better appreciation of the cyber crime threat, and what ought to be considered in response to it. The discussion is based upon recent evidence, and therefore represents a more up-to-date view of the cyber crime landscape than reviews already available in earlier literature.