The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

131

What are the gaps in teaching the cybersecurity threats landscape, and what teachers need to include the subject in their curriculum?

Abdirizak, Mohamed, Abobaker, Ivan January 2024
This thesis examines the current gaps in cybersecurity education in junior high and high schools in Sweden, with a focus on the challenges of integration and the resources required for teachers to effectively instruct on cybersecurity topics. Despite the critical importance of cybersecurity in protecting digital interactions and personal data, existing curricula often lack deep and systematic integration of this essential subject. Based on qualitative interviews with 12 teachers from junior high and high schools, the researchers’ findings underscore a significant need for structured cybersecurity curricula and enhanced teacher training. The research reveals that while students are extensively engaged with digital technologies, their vulnerability to various cybersecurity threats remains due to inadequate educational frameworks. The study highlights the urgent need for curricular improvements to include comprehensive cybersecurity courses, aligned with current technological threats and the digital behaviors of students.
132

An Electroencephalogram (EEG) Based Biometrics Investigation for Authentication: A Human-Computer Interaction (HCI) Approach

Rodriguez, Ricardo J. 01 January 2015
Encephalogram (EEG) devices are one of the active research areas in human-computer interaction (HCI). They provide a unique brain-machine interface (BMI) for interacting with a growing number of applications. EEG devices interface with computational systems, including traditional desktop computers and more recently mobile devices. These computational systems can be targeted by malicious users. There is clearly an opportunity to leverage EEG capabilities for increasing the efficiency of access control mechanisms, which are the first line of defense in any computational system. Access control mechanisms rely on a number of authenticators, including “what you know”, “what you have”, and “what you are”. The “what you are” authenticator, formally known as a biometrics authenticator, is increasingly gaining acceptance. It uses an individual’s unique features such as fingerprints and facial images to properly authenticate users. An emerging approach in physiological biometrics is cognitive biometrics, which measures the brain’s response to stimuli. These stimuli can be measured by a number of devices, including EEG systems. This work shows an approach to authenticate users interacting with their computational devices through the use of EEG devices. The results demonstrate the feasibility of using a unique hard-to-forge trait as an absolute biometrics authenticator by exploiting the signals generated by different areas of the brain when exposed to visual stimuli. The outcome of this research highlights the importance of the prefrontal cortex and temporal lobes to capture unique responses to images that trigger emotional responses. Additionally, the utilization of logarithmic band power processing combined with LDA as the machine learning algorithm provides higher accuracy when compared against common spatial patterns or windowed means processing in combination with GMM and SVM machine learning algorithms.
These results continue to validate the value of logarithmic band power processing and LDA when applied to oscillatory processes.
133

Development of Peer Instruction Material for a Cybersecurity Curriculum

Johnson, William 19 May 2017
Cybersecurity classes focus on building practical skills alongside the development of the open mindset that is essential to tackle the dynamic cybersecurity landscape. Unfortunately, traditional lecture-style teaching is insufficient for this task. Peer instruction is a non-traditional, active learning approach that has proven to be effective in computer science courses. The challenge in adopting peer instruction is the development of conceptual questions. This thesis presents a methodology for developing peer instruction questions for cybersecurity courses, consisting of four stages: concept identification, concept trigger, question presentation, and development. The thesis analyzes 279 questions developed over two years for three cybersecurity courses: introduction to computer security, network penetration testing, and introduction to computer forensics. Additionally, it discusses examples of peer instruction questions in terms of the methodology. Finally, it summarizes the usage of a workshop for testing a selection of peer instruction questions as well as gathering data outside of normal courses.
134

Automated Learning of Event Coding Dictionaries for Novel Domains with an Application to Cyberspace

Radford, Benjamin James January 2016
Event data provide high-resolution and high-volume information about political events. From COPDAB to KEDS, GDELT, ICEWS, and PHOENIX, event datasets and the frameworks that produce them have supported a variety of research efforts across fields and including political science. While these datasets are machine-coded from vast amounts of raw text input, they nonetheless require substantial human effort to produce and update sets of required dictionaries. I introduce a novel method for generating large dictionaries appropriate for event-coding given only a small sample dictionary. This technique leverages recent advances in natural language processing and deep learning to greatly reduce the researcher-hours required to go from defining a new domain-of-interest to producing structured event data that describes that domain. An application to cybersecurity is described and both the generated dictionaries and resultant event data are examined. The cybersecurity event data are also examined in relation to existing datasets in related domains. / Dissertation
135

Implementing Bayesian Networks for online threat detection

Pappaterra, Mauro José January 2018
Cybersecurity threats have surged in the past decades. Experts agree that conventional security measures will soon not be enough to stop the propagation of more sophisticated and harmful cyberattacks. Recently, there has been a growing interest in mastering the complexity of cybersecurity by adopting methods borrowed from Artificial Intelligence (AI) in order to support automation. Moreover, entire security frameworks, such as DETECT (Decision Triggering Event Composer and Tracker), are designed for the automatic and early detection of threats against systems, by using model analysis and recognising sequences of events and other tropes inherent to attack patterns. In this project, I concentrate on cybersecurity threat assessment by the translation of Attack Trees (AT) into probabilistic detection models based on Bayesian Networks (BN). I also show how these models can be integrated and dynamically updated as a detection engine in the existing DETECT framework for automated threat detection, hence enabling both offline and online threat assessment. Integration in DETECT is important to allow real-time model execution and evaluation for quantitative threat assessment. Finally, I apply my methodology to some real-world case studies, evaluate models with sample data, perform data sensitivity analyses, then present and discuss the results.
136

Microservices-based approach for Healthcare Cybersecurity

Unknown Date
Healthcare organizations, realizing the potential of the Internet of Things (IoT) technology, are rapidly adopting the technology to bring significant improvements in the quality and effectiveness of the service. However, these smart and interconnected devices can act as a potential "back door" into a hospital's IT network, giving attackers access to sensitive information. As a result, cyber-attacks on medical IoT devices have been increasing since the last few years. It is a growing concern for all the stakeholders involved, as the impact of such attacks is not just monetary or privacy loss, but the lives of many patients are also at risk. Considering the various kinds of IoT devices one may find connected to a hospital's network, traditional host-centric security solutions (e.g. antivirus, software patches) are at odds with realistic IoT infrastructure (e.g. constrained hardware, lack of proper built-in security measures). There is a need for security solutions which consider the challenges of IoT devices like heterogeneity of technology and protocols used, limited resources in terms of battery and computation power, etc. Accordingly, the goals of this thesis have been: (1) to provide an in-depth understanding of vulnerabilities of medical IoT devices; (2) to introduce a novel approach which uses a microservices-based framework as an adaptive and agile security solution to address the issue. The thesis focuses on OS Fingerprinting attacks because of its significance for attackers to understand a target's network. In this thesis, we developed three microservices, each one designed to serve a specific functionality. Each of these microservices has a small footprint with RAM usage of approximately 50 MB. We also suggest how microservices can be used in a real-life scenario as a software-based security solution to secure a hospital's network consisting of different IoT devices. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2018. / FAU Electronic Theses and Dissertations Collection
137

Détection d'intrusions pour les systèmes de contrôle industriels / Intrusion detection for industrial control systems

Koucham, Oualid 12 November 2018
The objective of this thesis work is the development of intrusion detection and alert correlation techniques specific to industrial control systems (ICS). This interest is justified by the emergence of cyber threats targeting ICS, and the need to detect targeted attacks whose goal is to violate the specifications on the correct behavior of the physical process. In the first part of our work, we focused on the automatic inference of specifications for sequential control systems for intrusion detection purposes. The particularity of sequential systems lies in their control logic, which operates in discrete steps. Intrusion detection within these systems has been little studied despite their ubiquity in several application domains. In our approach, we adopted the formalism of linear temporal logic (LTL) and metric temporal logic (MTL), which makes it possible to represent qualitative and quantitative temporal properties over the state of the actuators and sensors. A property inference algorithm was developed to automate the generation of properties from specification patterns covering the most common constraints. This approach aims to mitigate the large number of redundant properties inferred by current approaches. In the second part of our work, we seek to combine the intrusion detection approach developed in the first part with classical intrusion detection approaches. To do so, we explore a correlation approach that takes into account the specificities of industrial systems in two respects: (i) the enrichment and preprocessing of alerts coming from different domains (cyber and physical), and (ii) the development of an alert selection policy that takes into account the execution context of the physical process. The first point starts from the observation that, in an industrial system, the alerts reported to the correlator are characterized by heterogeneous attributes (attributes specific to the cyber and physical domains). However, classical correlation approaches presuppose a certain homogeneity among alerts. To remedy this, we develop an approach for enriching physical domain alerts with cyber domain attributes on the basis of information about the protocols supported by the controllers and the distribution of process variables within the controllers. The second point concerns the development of an alert selection policy that dynamically adapts the alert selection windows according to the evolution of the subprocesses. The results of the evaluation of our detection and correlation approaches show improved performance on the basis of metrics such as the number of inferred properties, the alert reduction rate, and the completeness of the correlations. / The objective of this thesis is to develop intrusion detection and alert correlation techniques geared towards industrial control systems (ICS). Our interest is driven by the recent surge in cybersecurity incidents targeting ICS, and the necessity to detect targeted attacks which induce incorrect behavior at the level of the physical process. In the first part of this work, we develop an approach to automatically infer specifications over the sequential behavior of ICS. In particular, we rely on specification language formalisms such as linear temporal logic (LTL) and metric temporal logic (MTL) to express temporal properties over the state of the actuators and sensors. We develop an algorithm to automatically infer specifications from a set of specification patterns covering the most recurring properties. In particular, our approach aims at reducing the number of redundant and unfalsifiable properties generated by the existing approaches. To do so, we add a pre-selection stage which allows restricting the search for valid properties to non-redundant portions of the execution traces. We evaluate our approach on a complex physical process steered by several controllers under process-oriented attacks. Our results show that a significant reduction in the number of inferred properties is possible while achieving high detection rates. In the second part of this work, we attempt to combine the physical domain intrusion detection approach developed in the first part with more classical cyber domain intrusion detection approaches. In particular, we develop an alert correlation approach which takes into account some specificities of ICS. First, we explore an alert enrichment approach that allows mapping physical domain alerts into the cyber domain. This is motivated by the observation that alerts coming from different domains are characterized by heterogeneous attributes, which makes any direct comparison of the alerts difficult. Instead, we enrich the physical domain alerts with cyber domain attributes given knowledge about the protocols supported by the controllers and the memory mapping of process variables within the controllers. In this work, we also explore ICS-specific alert selection policies. An alert selection policy defines which alerts will be selected for comparison by the correlator. Classical approaches often rely on sliding, fixed size, temporal windows as a basis for their selection policy. Instead, we argue that given the complex interdependencies between physical subprocesses, agreeing on an alert window size is challenging. Instead, we adopt selection policies that adapt to the state of the physical process by dynamically adjusting the size of the alert windows given the state of the subprocesses within the physical process. Our evaluation results show that our correlator achieves better correlation metrics in comparison with classical temporal based approaches.
138

Security and Verification of Unmanned Vehicles

James M. Goppert (5929706) 17 January 2019
This dissertation investigates vulnerabilities in unmanned vehicles and how to successfully detect and counteract them. As we entrust unmanned vehicles with more responsibilities (e.g. fire-fighting, search and rescue, package delivery), it is crucial to ensure their safe operation. These systems often have not been designed to protect against an intelligent attacker or considering all possible interactions between the physical dynamics and the internal logic. Robust control strategies can verify that the system behaves normally under bounded disturbances, and formal verification methods can check that the system logic operates normally under ideal conditions. However, critical vulnerabilities exist in the intersection of these fields that are addressed in this work. Due to the complex nature of this interaction, only trivial examples have previously been pursued. This work focuses on efficient real-time methods for verification and validation of unmanned vehicles under disturbances and cyberattacks. The efficiency of the verification and validation algorithm is necessary to run it onboard an unmanned vehicle, where it can be used for self diagnosis. We begin with simple linear systems and step to more complex examples with non-linearities. During this progression, new methods are developed to cope with the challenges introduced. We also address how to counter the threat of unmanned aerial systems (UASs) under hostile control by developing and testing an estimation and control scheme for an air-to-air counter UAS system.
139

Measuring the State of Indiana's Cybersecurity

James E. Lerums (5929946) 16 January 2019
This dissertation introduces a scorecard to enable the State of Indiana to measure the cybersecurity of its public and private critical infrastructure and key resource sector organizations. The scorecard was designed to be non-threatening and understandable so that even small organizations without cybersecurity expertise can voluntarily self-assess their cybersecurity strength and weaknesses. The scorecard was also intended to enable organizations to learn, so that they may identify and self-correct their cybersecurity vulnerabilities. The scorecard provided quantifiable feedback to enable organizations to benchmark their initial status and measure their future progress. Using the scorecard, the Indiana Executive Council for Cybersecurity launched a Pilot to measure cybersecurity of large, medium, and small organizations across eleven critical infrastructure and key resources sectors. This dissertation presents the analysis and results from scorecard data provided by the Pilot group of 56 organizations. The cybersecurity scorecard developed as part of this dissertation has been included in the Indiana Cybersecurity Strategy Plan published September 21, 2018.
140

Cybersecurity and non-state actors : a historical analogy with mercantile companies, privateers, and pirates

Egloff, Florian J. January 2018
The thesis investigates how the historical analogy to mercantile companies, privateers, and pirates between the 16th and 19th century can elucidate the relationship between non-state actors and states in cyber(in-)security, and how such an application changes our understanding of cyber(in-)security. It contributes to a better integration of non-state actors into the study of cyber(in-)security and international security by clarifying the political challenges raised by the interaction between these players and states. Drawing on the literature of non-state armed actors, the thesis defines a spectrum of state proximity to develop an analytical framework categorizing actors as state, semi-state, and non-state. The historical investigation utilizes primary and secondary sources to explore three periods in British naval history: the late 16th, late 17th, and mid-19th centuries. A comparison of the two security domains - the sea and cyberspace - identifies the pre-18th century periods as the most useful analogues for cyber(in-)security. The thesis evaluates the analogy by conducting empirical case studies. First, the case of the attacks against Estonia (2007) and three criminal court cases against Russian hackers (2014/2017) examine the analogy to pirates and privateers. Second, the analogy to mercantile companies focuses on the attacks against Google (2009), the attacks against Sony Pictures Entertainment (2014), and the collaboration between large technology companies and Five-Eyes signals intelligence agencies. The thesis makes three main claims: first, the analogy to piracy and privateering provides a new understanding of how state proximity is used politically by attackers and defenders, and offers lessons for understanding attribution in cyberspace. Second, the longevity of historical privateering sheds light on the long-term risks and rewards of state collaboration with cyber criminals, and offers insight into the political constitution of cyber(in-)security. 
Third, the mercantile company lens improves our understanding of how cooperative and conflictive relations between large technology companies and states influence cyber(in-)security.
