Assessing the Moderating Effect of Security Technologies on Employees Compliance with Cybersecurity Control Procedures

Onumo, Aristotle, Awan, Irfan U., Cullen, Andrea J.

31 March 2022

Yes / The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms. / National Information Technology Development Agency, Nigeria

Structural equation modelling

Cybersecurity

Organisational culture

Compliance

Threat Detection in Program Execution and Data Movement: Theory and Practice

Shu, Xiaokui

25 June 2016

Program attacks are one of the oldest and fundamental cyber threats. They compromise the confidentiality of data, the integrity of program logic, and the availability of services. This threat becomes even severer when followed by other malicious activities such as data exfiltration. The integration of primitive attacks constructs comprehensive attack vectors and forms advanced persistent threats. Along with the rapid development of defense mechanisms, program attacks and data leak threats survive and evolve. Stealthy program attacks can hide in long execution paths to avoid being detected. Sensitive data transformations weaken existing leak detection mechanisms. New adversaries, e.g., semi-honest service provider, emerge and form threats. This thesis presents theoretical analysis and practical detection mechanisms against stealthy program attacks and data leaks. The thesis presents a unified framework for understanding different branches of program anomaly detection and sheds light on possible future program anomaly detection directions. The thesis investigates modern stealthy program attacks hidden in long program executions and develops a program anomaly detection approach with data mining techniques to reveal the attacks. The thesis advances network-based data leak detection mechanisms by relaxing strong requirements in existing methods. The thesis presents practical solutions to outsource data leak detection procedures to semi-honest third parties and identify noisy or transformed data leaks in network traffic. / Ph. D.

Cybersecurity

Program Anomaly Detection

Data Leak Detection

Securing the Public Cloud: Host-Obscure Computing with Secure Enclaves

Cain, Chandler Lee

12 January 2021

As the practice of renting remote computing resources from a cloud computing platform becomes increasingly popular, the security of such systems is a subject of continued scrutiny. This thesis explores the current state of cloud computing security along with critical components of the cloud computing model. It identifies the need to trust a third party with sensitive information as a substantial obstacle for cloud computing customers. It then proposes a new model, Host-Obscure Computing, for a cloud computing service using secure enclaves and encryption that allows a customer to execute code remotely without exposing sensitive information, including program flow control logic. It presents a proof of concept for a secure cloud computing service using confidential computing technology, cryptography, and an emulator that runs in a secure memory space. It then provides an analysis of its effectiveness at reducing data exposure and its performance impact. Finally, it analyzes this model's advantages and its potential impact on the cloud computing industry. / Master of Science / The use of public cloud computing services continues to rise as a solution to many of the problems associated with on-premises data centers. Customers who would otherwise move to the cloud have resisted this change for security reasons. This research investigates what these security barriers are. Then, it proposes a novel model for a cloud computing service, referred to as Host-Obscure Computing, that is designed to mitigate these issues. Specifically, it addresses the need of a customer to share their program code and working data with the cloud provider. It outlines the development of a prototype implementation of this model. It then presents an analysis of this new service model from both a performance and security perspective. Finally, it suggests how the adoption of a service model similar to Host-Obscure Computing could improve the state of the cloud computing industry.

Cloud computing

cybersecurity

encryption

secure enclaves

The Rhetoric of Commoditized Vulnerabilities: Ethical Discourses in Cybersecurity

Hoskins, Brittany Noel

15 June 2015

The field of cybersecurity is relatively uncharted by rhetoricians and sociologists but nevertheless laden with terminological assumptions, violent metaphors, and ethical conflicts. This study explores the discourse surrounding the morally contentious practice of hackers selling software vulnerabilities to third parties instead of disclosing them to the affected technology companies. Drawing on grounded theory, I utilize a combination of quantitative word-level analysis and qualitative coding to assess how notions of right and wrong on this topic are framed by three groups: 1) the hackers themselves, 2) technology companies, and 3) reporters. The results show that the most commonly constructed argument was based on a "greater good" ethic, in which rhetors argue for reducing risk to "us all" or to innocent computer users. Additionally, the technology companies and hackers assiduously build their ethos to increase their trustworthiness in the public mind. Ultimately, studying this unexplored area of "gray hat hacking" has important implications for policymakers creating new cybersecurity legislation, reporters attempting to accurately frame the debate, and information technology professionals whose livelihoods are affected by evolving social norms. / Master of Arts

Rhetoric

Cybersecurity

Hacking

Business Ethics

Gray Hat

Frequent Inventory of Network Devices for Incident Response: A Data-driven Approach to Cybersecurity and Network Operations

Kobezak, Philip D.

22 May 2018

Challenges exist in higher education networks with host inventory and identification. Any student, staff, faculty, or dedicated IT administrator can be the primary responsible personnel for devices on the network. Confounding the problem is that there is also a large mix of personally-owned devices. These network environments are a hybrid of corporate enterprise, federated network, and Internet service provider. This management model has survived for decades based on the ability to identify responsible personnel when a host, system, or user account is suspected to have been compromised or is disrupting network availability for others. Mobile devices, roaming wireless access, and users accessing services from multiple devices has made the task of identification onerous. With increasing numbers of hosts on networks of higher education institutions, strategies such as dynamic addressing and address translation become necessary. The proliferation of the Internet of Things (IoT) makes this identification task even more difficult. Loss of intellectual property, extortion, theft, and reputational damage are all significant risks to research institution networks. Quickly responding to and remediating incidents reduces exposure and risk. This research evaluates what universities are doing for host inventory and creates a working prototype of a system for associating relevant log events to one or more responsible people. The prototype reduces the need for human-driven updates while enriching the dynamic host inventory with additional information. It also shows the value of associating application and service authentications to hosts. The prototype uses live network data which is de-identified to protect privacy. / Master of Science

Cybersecurity

Log Analysis

Network Inventory

Host Inventory

MITRE Attack framework adaptation in UAV usage during surveillance and reconnaissance missions

Greer, Jeffrey, IV

10 May 2024

As unmanned aerial vehicles (UAVs) increasingly become integral to surveillance and reconnaissance (S&R) operations, their susceptibility to cyber threats poses significant risks to operational integrity. The current cybersecurity protocols often fail to address UAV operations’ unique vulnerabilities and challenges in S&R contexts, highlighting a gap in specialized cybersecurity strategies. This research adapts the MITRE ATTACK framework to enhance cybersecurity approaches, safeguarding UAVs against evolving cyber threats. This thesis maps existing vulnerabilities against comprehensive tactics, techniques, and procedures (TTPs) through a scenario-based analysis. Hypothetical and practical S&R operation case studies demonstrate the applicability of proposed cybersecurity strategies, validating their effectiveness in mitigating specific threats and the need for more specified cybersecurity protocols. The findings advocate for continuous innovation and vigilance in UAV cybersecurity, contributing to the protection of UAVs in S&R missions and emphasizing the dynamic nature of cybersecurity challenges in UAV operations.

Kybernetická bezpečnost / Cybersecurity

Fleischmannová, Veronika

January 2013

This master thesis entitled Cybersecurity deals with cybersecuriy issue. The theoretical part defines basic concepts related to cybersecurity and cyber threats classification. The practical part deals with a case study regarding disputes between China and the US in cyberspace. The goal will be to test a hypothesis that China and the United States are at cyberwar with each other.

An Empirical Assessment of Senior Citizens’ Cybersecurity Awareness, Computer Self-Efficacy, Perceived Risk of Identity Theft, Attitude, and Motivation to Acquire Cybersecurity Skills

Blackwood-Brown, Carlene G.

01 January 2018

Cyber-attacks on Internet users have caused billions of dollars in losses annually. Cybercriminals launch attacks via threat vectors such as unsecured wireless networks and phishing attacks on Internet users who are usually not aware of such attacks. Senior citizens are one of the most vulnerable groups who are prone to cyber-attacks, and this is largely due to their limited cybersecurity awareness and skills. Within the last decade, there has been a significant increase in Internet usage among senior citizens. It was documented that senior citizens had the greatest rate of increase in Internet usage over all the other age groups during the past decade. However, whenever senior citizens use the Internet, they are being targeted and exploited particularly for financial crimes, with estimation that one in five becoming a victim of financial fraud, costing more than $2.6 billion per year. Increasing the cybersecurity awareness and skills levels of Internet users have been recommended to mitigate the effects of cyber-attacks. However, it is unclear what motivates Internet users, particularly senior citizens, to acquire cybersecurity skills so that they can identify as well as mitigate the effects of the cyber-attacks. It is also not known how effective cybersecurity awareness training are on the cybersecurity skill level of senior citizens. Therefore, the main goal of this quantitative study was to empirically investigate the factors that contributed to senior citizens’ motivation to acquire cybersecurity skills so that they would be able to identify and mitigate cyber-attacks, as well as assess their actual cybersecurity skills level. This was done by assessing a model of contributing factors identified in prior literature (senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, & older adults’ computer technology attitude) on the motivation of senior citizens to acquire cybersecurity skills. This study utilized a Web-based survey to measure the contributing factors and a hands-on scenarios-based iPad app called MyCyberSkills™ that was developed and empirically validated in prior research to measure the cybersecurity skills level of the senior citizens. All study measures were done before and after cybersecurity awareness training (pre- & post-test) to uncover if there were any differences on the assessed models and scores due to such treatment. The study included a sample of 254 senior citizens with a mean age of about 70 years. Path analyses using Smart PLS 3.0 were done to assess the pre- and post-test models to determine the contributions of each contributing factor to senior citizens’ motivation to acquire cybersecurity skills. Additionally, analysis of variance (ANOVA) and analysis of covariance (ANCOVA) using SPSS were done to determine significant mean difference between the pre-and post-test levels of the senior citizens’ cybersecurity skill level. The path analysis results indicate that while all paths on both models were significant, many of the paths had very low path coefficients, which in turn, indicated weak relationships among the assessed paths. However, although the path coefficients were lower than expected, the findings suggest that both intrinsic and extrinsic motivation, along with antecedents such as senior citizens’ cybersecurity awareness, computer self-efficacy, perceived risk of identity theft, and older adults’ computer technology attitude significantly impact the cybersecurity skill levels of senior citizens. The analysis of variance results indicated that there was a significant increase in the mean cybersecurity skills scores from 59.67% to 64.51% (N=254) as a result of the cybersecurity awareness training. Hence, the cybersecurity awareness training was effective in increasing the cybersecurity skill level of the senior citizens, and empowered them with small but significant improvement in the requisite skills to take mitigating actions against cyberattacks. The analysis of covariance results indicated that, except for years using computers, all the other demographic indicators were not significant. Contributions from this study add to the body of knowledge by providing empirical results on the factors that motivate senior citizens to acquire cybersecurity skills, and thus, may help in reducing some of the billions of dollars in losses accrued to them because of cyber-attacks. Senior citizens will also benefit in that they will be better able to identify and mitigate the effects of cyber-attacks should they attend cybersecurity awareness trainings. Additionally, the recommendations from this study can be useful to law enforcement and other agencies that work with senior citizens in reducing the number of cases relating to cybersecurity issues amongst senior citizens, and thus, free up resources to fight other sources of cybercrime for law enforcement agencies.

Gerontology Cyber-attack

Cybersecurity Awareness

Cybersecurity Skill

Identity Theft

Motivation

Senior Citizen

Computer Sciences

CYBERSECURITY INDUSTRY NEEDS AND THE CSEC ABET CURRICULUM ANALYSIS

Sienna J Bates (13107504)

19 July 2022

<p>In the recent years, companies in the IT/cybersecurity industry have expressed their concerns about the lack of knowledge entry level cybersecurity employees are experiencing after graduating from a four-year cybersecurity program. Organizations such as National Initiative for Cybersecurity Education (NICE) which is led by the National Institute of Standards and Technology (NIST) provides a framework to map certain knowledge, skills, and tasks that have provided a way for universities to build their cybersecurity course curriculums. By following this framework at the competency level, it can be used to ensure students are adequately prepared for industry level jobs upon graduation from a four-year cybersecurity program.The goal of this study was to explore if there are gaps in terms of workforce development for cybersecurity competencies that graduates from ABET-accredited four-year bachelor’s cybersecurity -IT programs (Degrees and Majors) have? For this research, therewere three phases: a gap analysis, a survey, and a comparison. A gap analysis was conducted to assess the current cybersecurity curriculum for Purdue University’s undergraduate four-year program. The survey was conducted amongst a list of companies, obtained from Purdue University’s Center for Career Opportunities (CCO) who have previously hired students from the four-year cybersecurity program in the Polytechnic Institute. Finally,a comparison was done toshow what the gap analysis was, what was originally thought to be missing from the current curriculum, what industry said was missing, what was the same and what was different.Ithas been determined that a gap does exist, and this survey's results concluded there were three common issues with hiring newcybersecurity talent as well as identified what competencies wereoriginally thought to be missing based on the gap analysis and the industry survey. Also, while industry certifications are not required to secure entry level positions at the companies whoresponded to the survey, they certainly are preferred.This research can help make students from the four-year undergraduate cybersecurity program at Purdue University be more competitive when applying for entry-level cybersecurity industry positions upongraduation.</p>

Cybersecurity

curriculum development

four-year undergraduate programs

Internal Auditing in a digitalised world : A qualitative study about the internal auditor´s approach in providing assurance of cybersecurity

Poddar, Priyanka

January 2022

This study aims to contribute to internal auditing´s body of knowledge. This will be done by identifying and evaluating the approaches taken by internal auditors in assuring in the management of an organisation's cybersecurity. Qualitative research has been undertaken for this study by collecting data through semistructured interviews. A total of five internal auditors, also members of the IIA, were interviewed for the data. Thematic analysis was used to analyse the data. Previous literature was examined, and four concepts were identified to analyse the data. These are internal auditing, cybersecurity, information security and assurance. Data collected through the interviews have been studied through these concepts and the theory of the Three Lines of Defence Model. Results showed that internal auditors assure reasonable cybersecurity through their audits from an independent position. Both internal auditors and information security are critical for cybersecurity. Assuring cybersecurity is challenging due to the people factor. Furthermore, internal auditors exert huge influence within organisations which should be used with integrity and objectivity. The study shows that internal auditors should expand their skills and competencies to assure cybersecurity in today´s new risk landscape. Internal auditors should also use their influence actively to assist in building a cybersecurity-aware culture.

cybersecurity activity

cybersecurity assurance

internal auditing

information security

Economics and Business

Ekonomi och näringsliv