1 |
A Behavioral Economics Perspective on Cognitive Biases in CybersecurityAlecse, Cristian 01 January 2022 (has links) (PDF)
As the complexity of technology and information systems constantly increases, the human component becomes ever more prone to cybersecurity errors. Nevertheless, the existing information security policies created to prevent cybersecurity incidents take very little account of human behavior. This corresponds with the view of the neoclassical economics model that regards humans as rational agents who have perfect self-control and who make only rational choices when provided with adequate information. Behavioral economics introduced quantifiable irrationalities into the model, allowing for an explanation of why humans often take decisions that are not in their best interest. This dissertation comprises three studies that explore the influence of cognitive biases and heuristics in cybersecurity. Findings from Study 1 confirm that when presented with a large assortment of choices, individuals are more likely to defer their decision than when presented with a small assortment of choices. Also, time constraints act as a moderator in the relationship between the number of choices and the decision deferral caused by choice overload. Study 2 revealed that the level of fear of missing out is positively correlated with the level of social engineering vulnerability, and a negative correlation of information security awareness with social engineering vulnerability was confirmed. Also, an analysis of the influence of information security awareness on the relationship between the level of fear of missing out and the level of social engineering vulnerability indicated a moderation effect. Study 3 emphasized the importance of integrating the habit concept into research on information systems security by revealing a positive correlation between the level of habits in daily life and the level of ISS compliance habits. Also, the study confirmed that ISS training participation is positively correlated with the strength of ISS compliance habits.
2 |
Interdisciplinary Cybersecurity for Resilient Cyberdefense. Ait Maalem Lahcen, Rachid. 01 January 2020.
Cybersecurity's role is to protect the confidentiality, integrity, and availability of enterprise assets. Confidentiality secures data from theft, integrity mitigates malicious modification of data, and availability assures continued access to systems and services. However, achieving these goals is difficult due to the mushrooming of cyber attackers, from individuals to state actors, with motives ranging from ideology, financial gain, state-sponsored espionage, and revenge to simple curiosity and boredom. The difficulty also lies in the complexity of the cyber layers, which are not well studied: layers that interconnect and require effective communication and collaboration. This effectiveness is still lacking in cyber programs. To understand this complexity, one must seek an interdisciplinary approach to cybersecurity. Interdisciplinary study requires understanding of technology, mathematics, engineering, psychology, economics, human factors, and political science. Hence, this dissertation proposes an Interdisciplinary Cybersecurity for Resilient Cyberdefense (ICRC) model that includes (1) building behavioral aspects of cybersecurity with insider threat insights, (2) mastering encryption standards and requirements through developing a novel encryption method, (3) understanding different cyberdefense strategies' costs and payoffs by using game theory, (4) assessing vulnerabilities in networks and planning ethical hacking in an audit, (5) studying machine learning challenges in cybersecurity to improve tools and set new ontologies for different threats, including the insider threat risk, and (6) addressing trustworthiness by aligning the overall requirements of cybersecurity. ICRC is more than the sum of the above parts; it is a new approach for cybersecurity professionals to consider expanding their expertise to be interdisciplinary. Since cybersecurity is a complex task, it requires a team that can handle its complexity. However, a given team's structure, hierarchy, and members' characteristics could negatively affect that team's performance. By executing ICRC, both the team and the individuals seek interdisciplinary approaches to contribute to the enterprise's resilience.
3 |
Human-out-of-the-Loop Swarm-based IoT Network Penetration Testing By IoT Devices. Schiller, Thomas. 15 August 2023.
Networks of IoT devices are becoming increasingly important, but these networks are prone to cybersecurity issues. This work provides a novel approach for safer IoT networks: swarm-based IoT cybersecurity penetration testing by other IoT devices in the same network. To test this scenario, a simulation environment including three different penetration testing algorithms was developed. A linear penetration testing algorithm mimics human penetration testing activities and is used with a single agent and with multiple agents. A swarm-based algorithm utilizing queues adds communication between agents. The third algorithm is a swarm algorithm that uses Particle Swarm Optimization (PSO), thus adding a nature-based approach. All three algorithms are used to find vulnerabilities in simulated IoT networks of two different sizes. The networks are a smart home with 30 IoT devices and a smart building with 250 IoT devices. This study's results show the superiority of multi-agent approaches over linear, single-agent approaches in detecting unique vulnerabilities in a network. The swarm algorithms, which used communication between agents, outperformed the multi-agent approach with no communication. Additionally, the swarm algorithm utilizing queues demonstrated faster detection of vulnerabilities than the PSO algorithm. However, over time, the PSO outperformed the queue-based algorithm at the smart home scale. The smart building scale also provided faster detection for the queue-based algorithm than for the PSO. However, the PSO approach again provided better results over time and used less computation time and memory resources.
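The abstract above contrasts multiple agents that scan with no communication against a swarm that coordinates through shared queues. The toy simulation below is an added illustration of that distinction, written for this page; it is not the thesis's simulator or algorithm, and the network, the vulnerability identifiers and the agent counts are constructed. The only mechanism it models is work assignment: uncoordinated agents each remember only their own scan history, so two of them can spend a round on the same device, whereas a shared queue removes a device for every agent once one of them claims it, so a round of n agents always covers n distinct devices.

```python
"""Toy comparison of uncoordinated multi-agent scanning vs. a shared-queue swarm.

Added example; not the thesis code. Devices and vulnerability ids are constructed.
"""
import random
from collections import deque


def make_network(n_devices, max_vulns_per_device, seed=1):
    """Constructed network: device id -> set of synthetic vulnerability ids."""
    rng = random.Random(seed)
    return {
        dev: {f"dev{dev}-v{i}" for i in range(rng.randint(0, max_vulns_per_device))}
        for dev in range(n_devices)
    }


def all_vulnerabilities(network):
    """Ground truth: the union of every device's vulnerabilities."""
    return set().union(*network.values())


def run_uncoordinated(network, n_agents, rounds, seed=2):
    """Multiple agents, no communication.

    Each agent only remembers the devices it scanned itself, so agents can
    duplicate each other's work within and across rounds.
    """
    rng = random.Random(seed)
    devices = list(network)
    visited = [set() for _ in range(n_agents)]
    found = set()
    for _ in range(rounds):
        for agent in range(n_agents):
            remaining = [d for d in devices if d not in visited[agent]]
            if not remaining:
                continue  # this agent has exhausted the network on its own
            dev = rng.choice(remaining)
            visited[agent].add(dev)
            found |= network[dev]
    return found


def run_shared_queue(network, n_agents, rounds, seed=2):
    """Swarm with a shared work queue (the communication channel).

    A device popped by one agent is gone for all agents, so every round of
    n_agents scans covers n_agents distinct devices until the queue empties.
    """
    rng = random.Random(seed)
    devices = list(network)
    rng.shuffle(devices)
    queue = deque(devices)
    found = set()
    for _ in range(rounds):
        for _ in range(n_agents):
            if not queue:
                return found
            found |= network[queue.popleft()]
    return found


def compare(n_devices=30, n_agents=5, rounds=4):
    """Unique vulnerabilities found by each strategy with the same scan budget."""
    net = make_network(n_devices, 3)
    return {
        "total": len(all_vulnerabilities(net)),
        "uncoordinated": len(run_uncoordinated(net, n_agents, rounds)),
        "shared_queue": len(run_shared_queue(net, n_agents, rounds)),
    }


if __name__ == "__main__":
    print(compare())
```

With 30 devices, 5 agents and 4 rounds both strategies get 20 scans; the shared queue is guaranteed to touch 20 distinct devices, while the uncoordinated agents touch at most 20 and usually fewer. Raising the budget to 6 rounds (30 scans) lets the queue-based swarm cover the whole network, which the uncoordinated agents cannot guarantee at any finite budget.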
4 |
Detection of Jamming Attacks in VANETs. Justice, Thomas. 01 May 2024.
A vehicular network is a type of communication network that enables vehicles to communicate with each other and with the roadside infrastructure. The roadside infrastructure consists of fixed nodes such as roadside units (RSUs), traffic lights, road signs, toll booths, and so on. RSUs are devices equipped with communication capabilities that allow vehicles to obtain and share real-time information about traffic conditions, weather, road hazards, and other relevant information. These infrastructures assist in traffic management, emergency response, smart parking, autonomous driving, and public transportation to improve roadside safety, reduce traffic congestion, and enhance the overall driving experience. However, communication between the vehicles and the infrastructure devices could be deliberately disrupted by cyber attackers to cause fatal traffic accidents or congestion. One of the common methods used by such attackers is the wireless jamming attack, where the attacker uses a jamming device to transmit high-power radio signals on the same frequency that the vehicular network is using. This causes interference and delays, or prevents legitimate communications from reaching the vehicles, leaving them unable to respond to obstacles, emergency services, and warning messages, resulting in serious consequences and posing a significant threat to the safety and efficiency of transportation systems. These safety concerns could be mitigated or avoided by implementing appropriate security measures to protect against jamming. This thesis will provide an overview of the vehicular network system and discuss the security measures and methods needed to ensure the safe and reliable operation of the vehicular communication system.
5 |
Deep Reinforcement Learning for Automated Cybersecurity Threat Detection. Müller, Daniel. 01 January 2023.
Cybersecurity is a technological focus of individuals, businesses, and governments due to increasing threats, the sophistication of attacks, and the growing number of smart devices. Planning, assessment, and training in cybersecurity operations have also grown to combat these threats, resulting in a boom in cyber defense software and services, workforce development and career opportunities, and research in automated cyber technologies. However, building and maintaining a new workforce and developing innovative cyber-threat solutions are expensive and time-consuming. This thesis introduces a configurable machine-learning environment tailored for training agents that use different reinforcement learning algorithms within the cybersecurity domain. The environment allows agents to learn simulated cyber-attacks, which act as opposition forces in a realistic, controlled setting that reduces the risk to real computer networks. The thesis also investigates relevant research on machine learning agents for cybersecurity, discusses the simulation architecture, and describes experiments utilizing the Proximal Policy Optimization and Advantage Actor-Critic algorithms. The objective of the thesis is to determine the superior algorithm for automatically identifying exploitable vulnerabilities by evaluating performance based on accuracy, detected vulnerabilities, and time efficiency.
6 |
Establishing an information security awareness and culture. Korovessis, Peter. January 2015.
In today’s business environment all business operations are enabled by technology. Its always-on and connected nature has brought new business possibilities but at the same time has increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information, and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized to have an important role in information security, since the only way to reduce security risks is through making employees more information security aware. This also means that employees take responsibility for their actions when dealing with information in their everyday activities. The research is concentrated mainly on information security concepts alongside their relation to the human factor, with evidence that users remain susceptible to information security threats, thus illustrating the need for more effective user training in order to raise the level of security awareness. Two surveys were undertaken in order to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their study and their preparation towards entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that the awareness level of students concerning information security concepts is not at a sufficient level for students entering university education and does not significantly change as they progress through their academic life towards entering the workforce. In respect to this, the research proposes and develops the information security toolkit as a prototype awareness raising initiative. The research goes one step further by piloting and evaluating toolkit effectiveness. As an awareness raising method, the toolkit will be the basis for the general technology user to understand the challenges associated with secure use of information technology and help them assess their current knowledge, identify gaps and weaknesses, and acquire the required knowledge in order to be competent and confident users of technology.
7 |
The antecedents of information security policy compliance. Bulgurcu, Burcu. 11 1900.
Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring safety of information and technology resources has become the top priority for many organizations since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered as the weakest link in information security, can be a great resource as well to fight against information security-related risks. The key, however, is to ensure that employees comply with information security related rules and regulations of the organization. Therefore, understanding of compliance behavior of an employee is crucial for organizations to effectively leverage their human capital to strengthen their information security.
This research aims at identifying antecedents of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with requirements of the ISP with regards to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show that an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors, such as Intrinsic Benefit, Safety of Resources, Rewards and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness on an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively increases perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP.
10 |
Personalising information security education. Talib, Shuhaili. January 2014.
Whilst technological solutions go a long way in providing protection for users online, it has long been understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection the control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one’s electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focussed primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focussed upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training, both in their workplace and also at home, with a positive relationship between learning at the workplace and practice at home. The survey highlighted one key aspect for both the training provided and the respondents’ preference for learning styles: it varies. It is also clear that it was difficult to establish the effectiveness of such training and its impact upon practice. The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework, Personalising Information Security Education (PISE), is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather puts into place the processes to enable an individual to develop their own personalised information security learning plan and to measure their progress through the learning experience.