26 research outputs found

    Transparent password policies: A case study of investigating end-user situational awareness

    Transparent password policies are utilized by organizations in an effort to ease the user from the burden of configuring authentication settings while maintaining a high level of security. However, authentication transparency can challenge security and usability and can impact the awareness of the end-users with regards to the protection level that is realistically achieved. For authentication transparency to be effective, the triptych security – usability – situational awareness should be considered when designing relevant security solutions. Although various efforts have been made in the literature, the usability aspects of the password selection process are not well understood or addressed in the context of end-user situational awareness. This research work specifies three security and usability-related strategies that represent the organizations’, the end users’ and the attackers’ objectives with regards to password construction. Understanding each actor’s perspective can greatly assist in increasing situational awareness with regards to the authentication controls usage and effectiveness. Furthermore, a case study is presented to evaluate if, and in what way, transparent password policies that isolate users’ involvement can affect the perspective of the end-user with regards to the security situation. Results showed that the transparent approach utilized has created a negative situation: users were not aware and never dealt with changing or trying to alter default security settings, leaving their home network vulnerable to external attacks. Finally, initial recommendations are made to organizations that would like to implement and evaluate transparent authentication controls

    WSN operability during persistent attack execution

    Wireless Sensor Networks (WSNs) are utilized in a number of critical infrastructures, e.g. healthcare, disaster and relief. In sensitive environments, it is vital to maintain the operability of the network in an effort to support the decision-making process that depends on the sensors’ observations. The network’s operability can be maintained if observations can reach the specified destination and also if the sensors have adequate energy resources. The operability is negatively affected by security attacks, such as the selective forward and the denial of service (DoS), that can be executed against the WSN. The attacks’ impact greatly depends on the attackers’ capabilities such as their knowledge and the number of malicious nodes they hold. Currently, the research community focuses on addressing casual attackers that don’t persist with their attack strategy. However, the proposed solutions cannot address persistent attackers that continue with their attack execution after the network has applied appropriate recovery countermeasures. Designing an adaptive recovery strategy is challenging as a number of issues need to be taken into consideration such as the network’s density, the number of malicious nodes and the persistent attack strategy. This research work formulates a persistent attack strategy and investigates the integration of different recovery countermeasures in WSNs. The evaluation results demonstrate that an adaptive recovery strategy can enhance the network’s recovery benefits, in terms of increased packet delivery and decreased energy consumption, and prolong its operability. Moreover, the observations made are envisioned to encourage new contributions in the area of adaptive intrusion recovery in WSNs

    Situation aware intrusion recovery policy in WSNs

    Wireless Sensor Networks (WSNs) have been gaining tremendous research attention the last few years as they support a broad range of applications in the context of the Internet of Things. WSN-driven applications greatly depend on the sensors’ observations to support decision-making and respond accordingly to reported critical events. In case of compromisation, it is vital to recover compromised WSN services and continue to operate as expected. To achieve an effective restoration of compromised WSN services, sensors should be equipped with the logic to take recovery decisions and self-heal. Self-healing is challenging as sensors should be aware of a variety of aspects in order to take effective decisions and maximize the recovery benefits. So far situation awareness has not been actively investigated in an intrusion recovery context. This research work formulates situation aware intrusion recovery policy design guidelines in order to drive the design of new intrusion recovery solutions that are operated by an adaptable policy. An adaptable intrusion recovery policy is presented taking into consideration the proposed design guidelines. The evaluation results demonstrate that the proposed policy can address advanced attack strategies and aid the sensors to recover the network’s operation under different attack situations and intrusion recovery requirements

    Back to Basics: Towards Building Societal Resilience Against a Cyber Pandemic

    Cybersecurity experts have long been discussing the potential of a cyber pandemic leading to a massive disruption of ICT operations with a devastating societal impact. Even though society has not yet faced the full potential of a cyber pandemic, the recent COVID-19 pandemic demonstrated what a cyber pandemic can look like at its initial stages. Unfortunately, citizens proved to be unprepared to handle the COVID-19 threat landscape and how fast cyber-attacks escalated at a global scale targeting individuals, corporations, and governments, all at once. This clearly demonstrates that society, at a global scale, is not adequately prepared to defend against a cyber pandemic, despite all the efforts of the cybersecurity community. Cybersecurity awareness and training efforts have been delivered as part of a national or corporate cybersecurity strategy, aiming to promote a cyber hygiene and enhance protection against cyber-attacks on an individual, a corporate, or a national level. The current level of citizens’ cybersecurity awareness is not yet the desired and actions need to be taken to upscale it. Thus, it is time to take a step back to identify what is missing from current awareness efforts and reconsider how people learn. This knowledge can drive the redesign of the national and corporate cybersecurity awareness activities, effectively building citizens’ cyber skills and knowledge, and leading to the development of robust cyber resilient societies, capable of defending and withstanding a future cyber pandemic

    A password generator tool to increase users’ awareness on bad password construction strategies

    Cybersecurity education and training activities are essential to empower end users to take informed decisions and address cyber threats. An ongoing problem that still troubles the cybersecurity community is the selection of weak passwords. Users keep using weak passwords, cultivating the risk of compromisation. Users often choose passwords that appear to be strong. This creates a false sense of security as users have the belief that their passwords cannot be guessed. Unfortunately, given that attackers are aware of the users’ habits, they often recover users’ passwords. Therefore, it is imperative to educate people about the bad password construction strategies and empower them to select stronger passwords. Educational activities should be enhanced by integrating practical aspects that will assist the users to realize the problem. This work identifies and combines a range of bad password construction strategies and designs a relevant tool to practically demonstrate the strategies to the users

    The Development of a Multidisciplinary Cybersecurity Workforce: An Investigation

    The unexpected digital transformation that was forced due to COVID-19 found many citizens and organizations unprepared to deal with the relevant technological advances and the cyber threat landscape. This outcome highlighted once more the cybersecurity skills shortage and the necessity to address this gap. A solution to this is to consider a multidisciplinary cybersecurity workforce with professionals originating from different backgrounds, beyond the traditional ones such as computing and IT. To be able to engage people though, they need to be aware of the possibilities that exist in cybersecurity for those that originate from non-traditional disciplines. Moreover, cybersecurity professionals need to be aware of the added value when collaborating with these professionals. These are aspects that need to be extensively investigated to provide insights to academia and industry, to develop education and training curricula towards building a multidisciplinary cybersecurity workforce. This paper investigated these aspects in a Further Education and Higher Education College in the UK, where 88 students from 5 disciplines were surveyed, providing valuable observations as to the interest of students, and future professionals, to work in cybersecurity industry and their perception on the subject disciplines relevant to cybersecurity jobs

    Cybersecurity-related Curriculum for Diverse Postgraduate Cohorts: A Case Study

    Cyber threats have highly increased over the last decade, including ransomware, identity stealing, etc. Ensuring the security of cyberspace is imperative and should constitute a top priority for society to promote its growth and support its sustainability. Educational organizations, worldwide, have recognized the need to educate people on cybersecurity. This need has driven educational organizations to design postgraduate cybersecurity curriculums to educate and train recent graduates and IT professionals. Having a diverse audience, with different experiences and backgrounds with regards to knowledge and practical skills, can greatly challenge the design and delivery of a cybersecurity curriculum. Moreover, the fact that blended environments are promoted, where a curriculum is delivered to both face-to-face and distance learning students, can challenge the curriculum design and delivery even further. This paper presents a case study, critically discussing the challenges in the design and delivery of an ethical hacking curriculum targeting diverse postgraduate cohorts in conventional and distance learning. Moreover, the utilized practices that have successfully addressed the challenges are discussed. The aim of this work is to assist curriculum planners and developers to deliver an enhanced teaching and learning cybersecurity environment

    TOWARDS A UNIFIED MODEL OF CYBERSECURITY LITERACY: BLENDING PEDAGOGICAL, PROFESSIONAL, CONCEPTUAL AND EMPIRICAL INSIGHTS

    Recent technological advances illuminate the perplexing nature of cybersecurity which prevails as a rapidly expanding scientific field and a growing social concern, alike. Despite the wide diffusion of mobile technologies and wireless Internet connectivity, fundamental challenges and gaps still exist in terms of end-users’ cybersecurity awareness, knowledge, skills, and behaviours. This study portrays a holistic understanding of cybersecurity literacy among non-experts, specifically in Wi-Fi contexts, by blending (i) innovative pedagogical approaches, (ii) professional cybersecurity frameworks, (iii) core cybersecurity knowledge areas and skills, and (iv) empirical insights gathered in the field from end-users, administrators of Wi-Fi networks, and cybersecurity experts. This four-tiered approach has informed the development of a unified model which can serve as a foundation for self-directed and personalised educational endeavours aiming to promote cybersecurity literacy among novice end-users

    Empowering Professionals: A Generative AI Approach to Personalized Cybersecurity Learning

    We are navigating an era of ongoing technological transformations characterized by a growing need for developing digital skills, including cybersecurity and Artificial Intelligence (AI) literacy. The skills gap in cybersecurity has been acknowledged by the academic and business community at large, which faces an ongoing challenge in terms of finding and attaining talents. Even though different initiatives have been launched to upskill and reskill individuals, they are either ineffective in developing the required competencies or fail to motivate participants to learn and advance their competencies in relation to a cybersecurity job role. A key factor hindering these efforts is the adoption of a generic training approach rather than tailoring learning to the needs of individual learners. It is imperative to identify novel ways to motivate and engage learners, fostering a lifelong learning mindset that is essential for cybersecurity professional development and progression. This work aims to investigate how generative AI can be leveraged to empower professionals to take ownership of their learning by assisting them to create a personalized cybersecurity study plan. The objective is to inspire the design of innovative solutions focusing on accelerating skills development and contributing to increasing the supply of skilled cybersecurity professionals. Copyright: © 2023 IEE