
    MORI: An Innovative Mobile Applications Data Risk Assessment Model

    The daily activities of mobile device users range from making calls and texting to accessing mobile applications, such as mobile banking and online social networks. Mobile phones are able to create, store, and process different types of data, and these data, whether personal, business, or governmental, are related to the owner of the mobile device. More specifically, user activities, such as posting on Facebook, are sensitive and confidential processes with varying degrees of social risk. The current point-of-entry authentication mechanisms, however, consider all applications on the mobile device as if they had the same level of importance, thus maintaining a single level of security for all applications, without any further access control rules. In this research, we argue that on a single mobile application there are different processes operating on the same data, with different social risks based on the user's actions. More specifically, the unauthorised disclosure or modification of mobile applications data has the potential to lead to a number of undesirable consequences for the user, which in turn means that the risk is changing within the application. Thus, there is no single risk for using a single application. Accordingly, there is a severe lack of protection for user data stored in mobile phones due to the lack of further authentication or differentiated protection beyond the point-of-entry. To remedy that failing, this paper has introduced a new risk assessment model for mobile applications data, called MORI (Mobile Risk), that determines the risk level for each process on a single application. The findings demonstrate that this model has introduced a risk matrix which helps to move the access control system from the application level to the intra-process application level, based on the risk for the user action being performed on these processes.

    Best Effort and Practice Activation Codes

    Activation Codes are used in many different digital services and known by many different names including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used, there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity. Comment: 15 pages, 3 figures, TrustBus 201

    Gamification techniques for raising cyber security awareness

    Due to the prevalence of online services in modern society, such as internet banking and social media, it is important for users to have an understanding of basic security measures in order to keep themselves safe online. However, users often do not know how to make their online interactions secure, which demonstrates an educational need in this area. Gamification has grown in popularity in recent years and has been used to teach people about a range of subjects. This paper presents an exploratory study investigating the use of gamification techniques to educate average users about password security, with the aim of raising overall security awareness. To explore the impact of such techniques, a role-playing quiz application (RPG) was developed for the Android platform to educate users about password security. Results gained from the work highlighted that users enjoyed learning via the use of the password application, and felt they benefitted from the inclusion of gamification techniques. Future work seeks to expand the prototype into a full solution, covering a range of security awareness issues.

    Device- versus Network-Centric Authentication Paradigms for Mobile Devices: Operational and Perceptual Trade-Offs

    The increasing capability and functionality of mobile devices is leading to a corresponding increase in the need for security to prevent unauthorised access. Indeed, as the data and services accessed via mobile devices become more sensitive, the existing method of user authentication (predominantly based upon Personal Identification Numbers) appears increasingly insufficient. An alternative basis for authentication is offered by biometric approaches, which have the potential to be implemented in a non-intrusive manner and also enable authentication to be applied in an ongoing manner, beyond initial point-of-entry. However, the implementation of any authentication mechanism, particularly biometric approaches, introduces considerations of where the main elements of functionality (such as the processing of authentication data, decision making, and storing user templates/profiles) should reside. At the extremes, there are two alternatives: a device-centric paradigm, in which the aforementioned aspects are handled locally; or a network-centric paradigm, in which the actions occur remotely and under the jurisdiction of the network operator. This paper examines the alternatives and determines that each context introduces considerations in relation to the privacy of user data, the processing and storage of authentication data, network bandwidth demands, and service availability. In view of the various advantages and disadvantages, it is concluded that a hybrid approach represents the most feasible solution, enabling data storage and processing to be split between the two locations depending upon individual circumstances. This represents the most flexible approach, and will enable an authentication architecture to be more adaptable to the needs of different users, devices and security requirements.

    Evaluating the Usability Impacts of Security Interface Adjustments in Word 2007

    Prior research has suggested that integrating security features with user goals and increasing their visibility would improve the usability of the associated functionalities. This paper investigates how these approaches affect the efficiency of use and the level of user satisfaction. The user interface of Word 2007 was modified according to these principles, with usability tests being conducted with both the original and the modified user interfaces. The results suggest that integrating security features with user goals improves the efficiency of use, but the impacts upon user satisfaction cannot be clearly identified based on the collected data. No indications of any major improvements in the efficiency of use or user satisfaction are found when the visibility of security features is increased. The combination of these two methods seems to improve both the efficiency of use and the resulting user satisfaction.

    Assessing end-user awareness of social engineering and phishing

    Social engineering is a significant problem involving technical and non-technical ploys in order to acquire information from unsuspecting users. This paper presents an assessment of user awareness of such methods in the form of email phishing attacks. Our experiment used a web-based survey, which presented a mix of 20 legitimate and illegitimate emails, and asked participants to classify them and explain the rationale for their decisions. This assessment shows that the 179 participants were 36% successful in identifying legitimate emails, versus 45% successful in spotting illegitimate ones. Additionally, in many cases, the participants who identified illegitimate emails correctly could not provide convincing reasons for their selections.

    The Feasibility of Using Behavioural Profiling Technique for Mitigating Insider Threats: Review

    Insider threat has become a serious issue for many organizations. Various companies are increasingly deploying information technologies to prevent unauthorized access to their systems. Biometric approaches offer some techniques that contribute towards controlling the point of entry. However, these methods are mostly unable to continuously validate the user's reliability. In contrast, behavioural profiling is a biometric technology that focuses on the activities of users while they use the system and compares them with their previous history. This paper presents a comprehensive analysis, literature review and limitations of the behavioural profiling approach, and the extent to which it can be used for mitigating insider misuse.

    Towards An Automated Forensic Examiner (AFE) Based Upon Criminal Profiling & Artificial Intelligence

    Digital forensics plays an increasingly important role within society as the approach to the identification of criminal and cybercriminal activities. It is however widely known that a combination of the time taken to undertake a forensic investigation, the volume of data to be analysed and the number of cases to be processed are all significantly increasing, resulting in an ever growing backlog of investigations and mounting costs. Automation approaches have already been widely adopted within digital forensic processes to speed up the identification of relevant evidence: hashing for notable files, file signature analysis and data carving, to name a few. However, to date, little research has been undertaken in identifying how more advanced techniques could be applied to perform "intelligent" processing of cases. This paper proposes one such approach, the Automated Forensic Examiner (AFE), that seeks to apply artificial intelligence to the problem of sorting and identifying relevant artefacts. The proposed approach utilises a number of techniques, including a technical competency measure, a dynamic criminal knowledge base and visualisation, to provide an investigator with an in-depth understanding of the case. The paper also describes how its implementation within a cloud-based infrastructure will also permit a more timely and cost-effective solution.

    Cyber crime: A portrait of the landscape

    This paper reviews current evidence in relation to the scale and impacts of cyber crime, including various approaches to defining and measuring the problem. A review and analysis of survey evidence is used to enable an understanding of the scope and scale of the cyber crime problem, and its effect upon those experiencing it. The analysis evidences that cyber crime exists in several dimensions, with costs and harms that can be similarly varied. There is also a sense that, moving forward, the 'cyber' label will become somewhat redundant as many crimes have the potential to have a technology component. The key evidence in this particular discussion has some geographic limitations, with much of the discussion focused upon data drawn from the Crime Survey for England and Wales, as well as other UK-based sources. However, many of the broader points remain more widely relevant.
    - A better understanding of the range and scale of cyber crime threats
    - Understanding of how the cyber element fits into the wider context of crime
    - Improving the appreciation of what cyber crime can mean for potential victims
    - Recognition of the cost dimensions, and the implications for protection and response
    The discussion will help businesses and individuals to have a better appreciation of the cyber crime threat, and what ought to be considered in response to it. The discussion is based upon recent evidence, and therefore represents a more up-to-date view of the cyber crime landscape than reviews already available in earlier literature.