    The legal obligation to provide timely security patching and automatic updates

    Do you use Office 365 or Windows 10? How about GoDaddy to support your website? Has it been a while since you connected your iPhone to Wi-Fi instead of merely running off your data? Or is your Samsung phone more than 2 years old? Would it surprise you to learn that some of these products no longer receive security support or automatic updates? If so, you may be surprised to hear that you are being exposed to security risks, as many cyber incidents are the direct result of an absence of security patching and automatic updates. There are many reasons for this. Most companies provide security patches, but they are not always timely and many are not automated, requiring manual effort (often unbeknownst to consumers and businesses). Timely security patching is, upon discovery or notification of a security flaw in a system or product, the release of a security update within a reasonable time that patches and updates the security of a system—sometimes this is automatic, sometimes the security patch is merely a notification that you can and should patch your own system. A contributing factor to this is that there is no legal obligation to provide security support, let alone timely security support. This means that there is no legal requirement to patch known security vulnerabilities and bugs or to issue automatic updates. This paper asks whether or not Australia should have a legal obligation to ensure timely security patching and require automatic updates by default in all consumer systems. Our conclusion: yes, it should, since many companies cannot be relied on to self-regulate and put their clients’ security interests first, and the stakes in cybersecurity have become too high to continue with the status quo. We conclude by presenting our recommended pathway for legal reform.

    The role of user behaviour in improving cyber security management

    Information security has for a long time been a field of study in computer science, software engineering, and information and communications technology. The term ‘information security’ has recently been replaced with the more generic term cybersecurity. The goal of this paper is to show that, in addition to computer science studies, behavioural sciences focused on user behaviour can provide key techniques to help increase cyber security and mitigate the impact of attackers’ social engineering and cognitive hacking methods (i.e., spreading false information). Accordingly, in this paper, we identify current research on psychological traits and individual differences among computer system users that explain vulnerabilities to cyber security attacks and crimes. Our review shows that computer system users possess different cognitive capabilities which determine their ability to counter information security threats. We identify gaps in the existing research and provide possible psychological methods to help computer system users comply with security policies and thus increase network and information security.

    Security risks and user perception towards adopting Wearable Internet of Medical Things

    The Wearable Internet of Medical Things (WIoMT) is a collective term for all wearable medical devices connected to the internet to facilitate the collection and sharing of health data such as blood pressure, heart rate, oxygen level, and more. Standard wearable devices include smartwatches and fitness bands. This evolving phenomenon due to the IoT has become prevalent in managing health and poses severe security and privacy risks to personal information. For better implementation, performance, adoption, and secured wearable medical devices, observing users’ perception is crucial. This study examined users’ perspectives of trust in the WIoMT while also exploring the associated security risks. Data analysed from 189 participants indicated a significant variance (R2 = 0.553) in intention to use WIoMT devices, which was determined by the significant predictors (95% Confidence Interval; p < 0.05) perceived usefulness, perceived ease of use, and perceived security and privacy. These were found to have important consequences, with WIoMT users intending to use the devices based on the trust factors of usefulness, ease of use, and security and privacy features. Further outcomes of the study identified how users’ security matters while adopting the WIoMT and provided implications for the healthcare industry to ensure regulated devices that secure confidential data.

    Factors affecting reputational damage to organisations due to cyberattacks

    The COVID-19 pandemic has brought massive online activities and increased cybersecurity incidents and cybercrime. As a result of this, the cyber reputation of organisations has also received increased scrutiny and global attention. Given the rise in cybercrime, it is vital that reputation plays a more prominent role within risk management frameworks in both public and private institutions. This study identifies key factors in determining reputational damage to public and private sector institutions through cyberattacks. Researchers conducted an extensive review of the literature, which addresses factors relating to risk management of reputation post-cyber breach. The study identified 42 potential factors, which were then classified using the STAR model. This model is an organisational design framework and was suitable due to its alignment with organisations. A qualitative study using semi-structured and structured questions was conducted with purposively selected cybersecurity experts in both public and private sector institutions. Data obtained from the expert forum were analysed using thematic analysis, which revealed that a commonly accepted definition for cyber reputation was lacking despite the growing use of the term "online reputation". In addition, the structured questions data were analysed using relative importance index rankings. The analysis results revealed significant factors in determining reputational damage due to cyberattacks, as well as highlighting reputation factor discrepancies between private and public institutions. Theoretically, this study contributes to the body of knowledge relating to the cybersecurity of organisations. Practically, this research is expected to help organisations position themselves properly to meet cyber incidents and become more competitive in the post-COVID-19 era.

    Ethical Hacking

    How will governments and courts protect civil liberties in this new era of hacktivism? This book discusses the attendant moral and legal issues. The first part of the 21st century will likely go down in history as the era when ethical hackers opened governments and the line of transparency moved by force. One need only read the motto “we open governments” on the Twitter page for Wikileaks to gain a sense of the sea change that has occurred. Ethical hacking is the non-violent use of a technology in pursuit of a cause – political or otherwise – which is often legally and morally ambiguous. Hacktivists believe in two general but spirited principles: respect for human rights and fundamental freedoms, including freedom of expression and personal privacy; and the responsibility of government to be open, transparent and fully accountable to the public.

    From cybercrime to cyberwar : security through obscurity or security through absurdity?

    Editorial. The article discusses the subjects of cyber-security and cybercrime that are addressed in this special edition.

    The role of Internet Service Providers in combating botnets : an examination of recent Australian initiatives and legislative reform

    This article examines the role of Internet Service Providers (ISPs) in combating botnets. The first section addresses recent Australian initiatives where ISPs are called on to take a proactive security role. The first initiative is the Australian Internet Security Initiative established by ACMA. The second, and most recent, initiative is the Australian Internet Industry Association (IIA) Code of Practice consultation paper on ‘For Industry Self-Regulation in the Area of E-Security’. The E-Security initiative involves ISPs monitoring and detecting compromised computers connected to their networks, notifying customers when their computers are infected and, hence, are part of a botnet, providing links to information on disinfecting a computer, and quarantining the infected computer until it is ‘fit for connection’. The article examines ISP legal liability issues and addresses the February 2010 amendments to the Telecommunications Interception Act which exempt ISPs from the obligations of the previously established interception and warrant framework when performing detection and monitoring (including interception of communications) for reasons related to network protection and security.

    Zombie botnets

    Zombie botnets are the greatest Internet threat of the current generation. Botnets are said to be involved in most forms of cybercrime and civil wrongdoing, ranging from sending spam, to denial of service attacks, to child pornography distribution, to key-logging technology and traffic-sniffing which captures passwords and credit card numbers. This article traces the rhetoric of the term zombie in the world of computer security, describes the inner workings of a botnet, and argues that one method of botnet curtailment will be through Internet Service Provider bot remediation programs that slow down the propagation methods of botnets and act as a catalyst to clean up infected computers.

    Conditions Enabling Open Data and Promoting a Data Sharing Culture

    The report provides contemporary insights to support the promotion of Open Government and Open Data. The report analysed legislation, policy, regulatory settings, roles and responsibilities for leadership, culture and operations in leading jurisdictions as identified in the Open Data Barometer Report. Communications were made with government agencies, Open Data departments and organisations in these jurisdictions in the period from December 2016 to the end of February 2017 to seek direct input as to how the frameworks have operated in practice. We contacted many entities in the United Kingdom, United States, France, Canada, and New Zealand. In practice the research has highlighted how diverse, inter-connected and context-specific each country’s approach has been. In particular, it is clear that precisely because of the breadth of action some leading countries have taken, it is difficult to isolate the particular contribution of any one element. However, the existing legislative and policy settings have informed advances in Open Data in the jurisdictions examined.

    BD use by law enforcement and intelligence in the national security space : perceived benefits, risks and challenges

    Big Data is being increasingly used by law enforcement and intelligence agencies to predict, investigate, understand and disrupt crime and other incidents. This article draws on the research project Big Data and National Security, which was conducted as part of the Data to Decisions Cooperative Research Centre (‘D2DCRC’). This article does not argue a position, nor does it provide a comprehensive analysis of issues. Rather, this article is a descriptive piece that addresses the perceived advantages, as well as the risks and challenges, that big data poses for use by law enforcement and intelligence in the national security space. In doing so, the article touches on both under-explored and unexplored issues with big data and national security, thereby highlighting areas that require further research and investigation.