12 research outputs found

    Transferability of Privacy-related Behaviours to Shared Smart Home Assistant Devices

    Smart assistant devices (such as Amazon Echo or Google Home) have notable differences to more conventional consumer computing devices. They can be used through voice control as well as physical interaction, and are often positioned as a shared device within a home environment. We conduct an exploratory online survey with 97 UK-based users of smart assistant devices, to examine the differences users perceive between smart assistants and more familiar devices (such as smartphones and computers), in terms of shared use dynamics, privacy-related behaviours, and privacy concerns. The survey explores typical usage, setup practices, perceived ease of use and control, privacy concerns for multiple users, shared usage of existing devices, and smart assistant privacy control usage. Approximately half of participants were unsure of where to access privacy settings on their smart home assistants; basic device controls and informal privacy controls saw general use. Those who had used privacy controls with previous devices used at least one smart assistant privacy control. Results have implications for supporting transferable privacy behaviours from computing devices to smart home devices, and improving privacy-related design for smart assistants.
    Accepted Author Manuscript
    Organisation and Governanc

    A cyber-risk framework for coordination of the prevention and preservation of behaviours

    Cybersecurity controls are deployed to manage risks posed by malicious behaviours or systems. What is not often considered or articulated is how cybersecurity controls may impact legitimate users (often those whose use of a managed system needs to be protected, and preserved). This oversight characterises the 'blunt' nature of many cybersecurity controls. Here we present a framework produced from consideration of concerns across methods from cybercrime opportunity reduction and behaviour change, and existing risk management guidelines. We illustrate the framework and its principles with a range of examples and potential applications, including management of suspicious emails in organizations, and social media controls. The framework describes a capacity to improve the precision of cybersecurity controls by examining shared determinants of negative and positive behaviours in a system. This identifies opportunities for risk owners to better protect legitimate users while simultaneously acting to prevent malicious activity in a managed system. We describe capabilities for a novel approach to managing sociotechnical cyber risk which can be integrated alongside elements of typical risk management processes. This includes consideration of user activities as a system asset to protect, and a consideration of how to engage with other stakeholders in the identification of behaviours to preserve in a system.
    Organisation and Governanc

    The boundedly rational employee: Security economics for behaviour intervention support in organizations

    Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal security-related choices. Conflict arises because of information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both traditional economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. Our four-stage plan to Capture, Adapt, Realign, and Enable behaviour choices provides guidance for security managers, focusing on a more effective response to the uncertainty associated with security behaviour in organizations.
    Organisation and Governanc

    An Empirical Study of a Decentralized Identity Wallet: Usability, Security, and Perspectives on User Control

    User-centric digital identity initiatives are emerging with a mission to shift control over online identity disclosures to the individual. However, there is little representation of prospective users in discussions of the merits of empowering users with new data management responsibilities and the acceptability of new technologies. We conducted a user study comprising a contextual inquiry and semi-structured interviews using a prototype decentralized identity wallet app with 30 online participants. Our usability analysis uncovered misunderstandings about decentralized identifiers (DIDs) and pain points relating to using QR codes and following the signposting of cross-device user journeys. In addition, the technology did not readily resolve questions about whether the user, identity provider, or relying party was in control of data at crucial moments. We also learned that users' judgments of data minimization encompass a broader scope of issues than simply the technical provision of the identity wallet. Our results contribute to understanding future user-centric identity technologies from the view of privacy and user acceptance.
    Organisation & Governanc

    Change that Respects Business Expertise: Stories as Prompts for a Conversation about Organisation Security

    Leaders of organisations must make investment decisions relating to the security of their organisation. This often happens through consultation with a security specialist. Consultations may be regarded as conversations taking place in a trading zone between the two domains. We propose that supporting the trading zone is a route to sustainable, workable security change improvements. Prompts for such improvements are already in place, in the security stories that reach business leaders through news media, or anecdotes from trusted peers. However, a shift in perspective is needed to view these stories and anecdotes as prompts for individual decision makers to enter into the trading zone with security specialists. We illustrate how to facilitate this shift by recasting security ontology tools, previously centred around security-specific expertise, as a support device to enrich conversations between business expertise and security advice toward finding workable security choices. We frame our proposal within a broader view of community transformation, exploring the important principle of identifying practical opportunities to inform discussions about security solutions that are appropriate in the business context. Community-level discussions have potential to lead to more lasting, effective improvements than those instigated by one-way interventions from security specialists. We extend the view, applying the paradigm to articulate the importance of two-way conversations between business peers and security specialists.
    Organisation and Governanc

    Drivers and barriers for secure hardware adoption across ecosystem stakeholders

    The decisions involved in choosing technology components for systems are poorly understood. This is especially so where the choices pertain to system security and countering the threat of cybersecurity attack. Although common in some commercial products, secure hardware chips provide security functions such as authentication, secure execution and integrity validation on system start, and are increasingly deemed to have a role in devices across sectors, such as IoT devices, autonomous vehicle systems and critical infrastructure components. To understand the decisions and opinions regarding the adoption of secure hardware, we conducted 23 semi-structured interviews with senior decision-makers from companies spanning a range of sectors, sizes and supply-chain roles. Our results consider the business propositional drivers, barriers and economic factors that influence the adoption decisions. Understanding these would help those seeking to influence the adoption process, whether as a business decision, or as a trade or national strategy.
    Organisation and Governanc

    Executive decision-makers: a scenario-based approach to assessing organizational cyber-risk perception

    The executive leadership in corporate organizations is increasingly challenged with managing cyber-risks, as an important part of wider business risk management. Cyber-risks are complex, with the threat landscape evolving, including digital infrastructure issues such as trust in networked supply chains, and emerging technologies. Moreover, engaging organizational leadership in risk assessment is also difficult. This paper reports on a scenario-driven, workshop-based study undertaken with executive leadership to assess cybersecurity and cyber-risk perception related to preparation for, and response to, potential incidents. The study involves leadership members at a large public-private organization. Our approach utilizes scenarios, which are structured in their design to explore and analyse aspects of business risk, risk ownership, technological complexity, and uncertainty faced by an organizational leadership. The method offers a means to engage with leadership at real-world organizations, capturing capacity and insights to manage business risks due to cyberattacks.
    Organisation & Governanc

    ‘I feel like we’re really behind the game’: perspectives of the United Kingdom’s intimate partner violence support sector on the rise of technology-facilitated abuse

    Technology-facilitated abuse or ‘tech abuse’ in intimate partner violence (IPV) contexts describes the breadth of harms that can be enacted using digital systems and online tools. While the misappropriation of technologies in the context of IPV has been subject to prior research, a dedicated study on the United Kingdom’s IPV support sector has so far been missing. The present analysis summarises insights derived from semi-structured interviews with 34 UK voluntary and statutory sector representatives that were conducted over the course of two years (2018–2020). The analysis identifies four overarching themes that point out support services’ practices, concerns and challenges in relation to tech abuse, and specifically the Internet of Things (IoT). These themes include (a) technology-facilitated abuse, where interviewees outline their experiences and understanding of the concept of tech abuse; (b) IoT-enabled tech abuse, focusing on the changing dynamics of tech abuse due to the continuing rise of smart consumer products; (c) data, documentation and assessment, which directs our attention to the shortcomings of existing risk assessment and recording practices; and (d) training, support and assistance, in which participants point to the need for specialist support capabilities to be developed within and beyond existing services.
    Organisation and Governanc

    "I needed to solve their overwhelmness": How system administration work was affected by COVID-19

    The ongoing global COVID-19 pandemic made working from home, wherever working remotely is possible, the norm for what had previously been office-based jobs across the world. This change in how we work created a challenging situation for system administrators (sysadmins), as they are the ones building and maintaining the digital infrastructure our world relies on. In this paper, we examine how system administration work changed early in the pandemic from sysadmins’ personal perspectives, through semi-structured interviews and thematic analysis. We find that sysadmins faced a two-sided crisis: while sysadmins’ own work environment changed, they also had to react to the new situation and facilitate stable options to work online for themselves and their colleagues, supporting their users in adapting to the crisis. This finding embeds into earlier work on the connection between IT (security) work and the notion of ‘care’, where we substantiate these earlier findings with results from a repeatable method grounded in coordination theory. Furthermore, while we find that sysadmins perceived no major changes in the way they work, by consecutively probing our interviewees, we find that they did experience several counter-intuitive effects on their work. This includes that while day-to-day communication became inherently more difficult, other tasks were streamlined by the remote working format and were seen as having become easier. Finally, by structuring our results according to a model of coordination and communication, we identify changes in sysadmins’ coordination patterns. From these we derive recommendations for how system administration work can be coordinated, ranging beyond the immediate pandemic response and the transition to any ‘new normal’ way of working.
    Information and Communication Technology
    Organisation & Governanc

    Alert Alchemy: SOC Workflows and Decisions in the Management of NIDS Rules

    Signature-based network intrusion detection systems (NIDSs) and network intrusion prevention systems (NIPSs) remain at the heart of network defense, along with the rules that enable them to detect threats. These rules allow Security Operation Centers (SOCs) to properly defend a network, yet we know almost nothing about how rules are created, evaluated and managed from an organizational standpoint. In this work, we analyze the processes surrounding the creation, management, and acquisition of rules for network intrusion detection. To understand these processes, we conducted interviews with 17 professionals who work at Managed Security Service Providers (MSSPs) or other organizations that provide network monitoring as a service or conduct their own network monitoring internally. We discovered numerous critical factors, such as rule specificity and total number of alerts and false positives, that guide SOCs in their rule management processes. These lower-level aspects of network monitoring processes have generally been regarded as immutable by prior work, which has mainly focused on designing systems that handle the resulting alert flows by dynamically reducing the number of noisy alerts SOC analysts need to sift through. Instead, we present several recommendations that address these lower-level aspects to help improve alert quality and allow SOCs to better optimize workflows and use of available resources. These recommendations include increasing the specificity of rules, explicitly defining feedback loops from detection to rule development, and setting up organizational processes to improve the transfer of tacit knowledge.
    Organisation & Governanc
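    The two recommendations above, rule specificity and a feedback loop from detection back to rule development, can be made concrete with a small evaluation harness. The following is an added illustration, not code from the paper or its authors: it scores candidate signatures against a constructed, analyst-labelled sample of HTTP request URIs, compares a broad pattern with a more specific one on alert volume and false positives, and returns the benign hits so the rule author can see exactly what to tighten. The rule SIDs, the sample events and their labels are all made up for the example.

```python
"""Added example: scoring NIDS rule candidates against labelled sample traffic.
Not the paper's code; events, labels and SIDs below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    uri: str
    malicious: bool  # constructed ground truth, standing in for analyst triage verdicts


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: re.Pattern


# Constructed sample of HTTP request URIs. Two are classic IIS traversal-to-cmd.exe
# requests; the rest are benign pages that merely mention "cmd.exe".
SAMPLE_EVENTS = [
    Event("10.0.0.5", "/cgi-bin/../../winnt/system32/cmd.exe?/c+dir", True),
    Event("10.0.0.7", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", True),
    Event("10.0.0.9", "/docs/windows/cmd.exe-reference.html", False),
    Event("10.0.0.9", "/blog/why-cmd.exe-still-matters", False),
    Event("10.0.0.12", "/downloads/tools/cmd.exe.sig", False),
    Event("10.0.0.14", "/index.html", False),
]

RULES = [
    # Broad candidate: any URI containing "cmd.exe". Easy to write, noisy in practice.
    Rule(1000001, "cmd.exe in URI (broad)", re.compile(r"cmd\.exe", re.I)),
    # Specific candidate: a traversal sequence ("../", "..%5c" or double-encoded
    # "..%255c"), then system32/cmd.exe with a "?/c+" command argument.
    Rule(
        1000002,
        "IIS traversal to cmd.exe with command (specific)",
        re.compile(r"(?:\.\./|\.\.%(?:25)?5c)+.*system32/cmd\.exe\?/c\+", re.I),
    ),
]


def evaluate(rule: Rule, events: list[Event]) -> dict:
    """Count alerts, true/false positives and misses for one rule over labelled events."""
    hits = [e for e in events if rule.pattern.search(e.uri)]
    tp = sum(e.malicious for e in hits)
    fp = len(hits) - tp
    fn = sum(e.malicious for e in events) - tp
    precision = tp / len(hits) if hits else 0.0
    return {"sid": rule.sid, "alerts": len(hits), "tp": tp, "fp": fp, "fn": fn,
            "precision": precision}


def false_positive_samples(rule: Rule, events: list[Event], limit: int = 3) -> list[str]:
    """Feedback loop: the benign URIs a rule fired on, handed back to the rule author."""
    return [e.uri for e in events
            if rule.pattern.search(e.uri) and not e.malicious][:limit]


def rank_rules(rules: list[Rule], events: list[Event]) -> list[dict]:
    """Order candidates by precision (high first), then by alert volume (low first)."""
    return sorted((evaluate(r, events) for r in rules),
                  key=lambda m: (-m["precision"], m["alerts"]))


if __name__ == "__main__":
    for metrics in rank_rules(RULES, SAMPLE_EVENTS):
        print(metrics)
    for uri in false_positive_samples(RULES[0], SAMPLE_EVENTS):
        print("broad rule false positive:", uri)
```

    On this sample the broad rule raises five alerts with three false positives, while the specific rule raises two alerts, all true positives, and misses nothing. The `false_positive_samples` output is the artefact that closes the loop: it is what an analyst hands back to whoever maintains the ruleset, rather than being filtered out downstream by an alert-reduction layer.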