Ensuring security of online payment services
Havlíková, Nikola. January 2019.
Abstract: The thesis is devoted to the topic of ensuring security of online payment services, especially in the context of identification and authentication of the client in the Internet when performing acts related to the provision of payment services. The issue of the customer identity is described especially in the context of know your customer principle governed by legal regulation in the area of combating money laundering and financing of terrorism, and in the context of the obligation to carry out a strong customer authentication (SCA) brought by the PSD2 directive and related RTS. The aim of the thesis is to describe and critically evaluate the legislation in the area of ensuring security of online payment services, meaning the binding legislation, soft law and rules created by entities operating on the payment services market. In this context, the thesis also deals with the question of proportionality of legislation in connection to the positive user experience and the possibility of implementing innovative FinTech solutions. The thesis is divided into four chapters, supplemented by introduction to the respective subject matter and conclusion summarizing the observations made in the thesis. The first chapter is devoted to the general definition of the...
Enhancing Supply Chain Cybersecurity with Blockchain
Hämäläinen, Ari; Nadesan, Rekha. January 2022.
Supply chains have become targets for hostile cyber actors. Motivations for cyber crimes include intellectual property theft, customer data theft and industrial espionage. The cyber threat landscape in which businesses operate is constantly evolving. The consequences of a successful cyber attack can be devastating for a business. Increasing the resilience of the supply chain in the digital environment is a complex task because the supply chain consists of different organisations with varying levels of cybersecurity defence capability. Orchestrating cybersecurity improvement in a supply chain requires visibility into the security posture of each participating organisation and this is generally lacking. This thesis studies the potential use of blockchain for enhancing the cybersecurity of the supply chain. The study simulates a permissioned blockchain among supply chain members to monitor digital assets important for cybersecurity. The blockchain is analysed to extract insights from the perspective of a supply chain cybersecurity oversight role. The study finds that a blockchain can provide visibility by sharing cybersecurity-related information among supply chain members. It can also provide a digital forensic record for incident response and forensic investigations.
Gender in Cyber policy, is it really necessary? : A critical analysis of gender in EU's cybersecurity policy
Linden, Emmie. January 2022.
Cyberspace offers many opportunities but is also a very hostile place for women. Studies claim that women are disproportionally affected by certain cybercrimes and suffer frequent rights violations in cyberspace. The aim of cybersecurity policies is, among others, to protect citizens from different cyberthreats and the EU has a vital role in designing such policies. This involves portraying what issues are seen as cyberthreats and in extension, which issues are prioritized over others. Therefore, it is important to problematize what key EU bodies depict as cybersecurity threats and how they incorporate gender in their cybersecurity policy and strategy. This study uses post-structural feminist theory to analyze the EU cybersecurity discourse and its implications for women's rights. This is because the theory emphasizes the deconstruction of discourse to showcase hidden gendered power dimensions. It is a qualitative case study that uses the framing method to identify the discursive construction of threats, priorities, and key issues, and McPhail's feminist policy analysis framework to investigate how gender is incorporated in the discourse. The findings confirm previous research, which states that cybersecurity is mainly state-centric and securitized and gender is silenced in the overall discourse. Among the five distinct frames that I identified in the discourse on cybersecurity, none includes a gendered perspective. No official EU document adopts or argues for a gender-sensitive approach to cybersecurity. Gender is only mentioned with regard to empowering women in the STEM sector, although the European Parliament stresses the need to target cyberviolence against women. The study concludes that a gender-neutral approach to cybersecurity has negative implications for women's rights, as the cybercrimes and violations women endure are overlooked and deprioritized in comparison to a gendered approach. This is because it is more likely that political measures can be taken if the policies and actors acknowledge the gendered issues, which then have positive implications for the protection of women's rights in cyberspace.
Digital Vulnerability Awareness: In a "working from home" environment during COVID-19
Jarlhem, Jonathan; Stigsson, Jakob. January 2021.
Employees who have adapted to a "working from home" environment, due to the COVID-19 pandemic, rapidly face a lack of awareness regarding cybersecurity and cybercrimes. It is well established that the rate of employees hacked has increased dramatically due to the pandemic. This study aims to determine what has more impact on digital vulnerability awareness of cybersecurity and cybercrime. Specifically, it investigates from the perspectives of training and education, digital competence, being a victim, and how protection motivation plays a role in policy following. In this context, digital vulnerability is defined as the risk that individuals might put themselves into unknowingly through the lack of security when working from home, which leads to having incriminating information publicly disclosed and exploited by third parties. Digital competence refers to the extent of an individual's information technology skills. To test the hypothesis that training and education lead to higher digital vulnerability awareness, a set of interviews was conducted with various employees working from home from different industries, age groups, and countries. Furthermore, an online survey was distributed among online communities on Discord, Facebook and Instagram. The survey was meant to prove the points made by the participants of the interviews. The results showed a slight effect in the opposite direction than hypothesised: digital vulnerability awareness was associated with digital competence over training and education. These results suggest that employees who have higher digital competence are more likely to understand their digital vulnerability awareness, making it easier to identify cyber threats. On this basis, the concept of training and educating is not enough to prevent cybercrimes. To better prevent cybercrime, employees must be willing to learn and understand the threats and risks.
Employees who have adapted to a "working from home" environment because of the COVID-19 pandemic quickly face a lack of awareness of cybersecurity and cybercrime. It is well established that the number of employees who have been hacked has increased drastically as a result of the pandemic. This study seeks to form an understanding of what has the greater impact on awareness of digital vulnerability with regard to cybersecurity and cybercrime. In this context, digital vulnerability is defined as the risk that individuals may unknowingly put themselves in an insecure position when working from home, which leads to incriminating information being made public and exploited by third parties. Digital competence is taken to mean an individual's information technology skills. To test the hypothesis that education leads to higher awareness of digital vulnerability, interviews were conducted with employees working from home with backgrounds from different industries, countries and age groups. In addition, an online survey was also conducted on social media platforms such as Discord, Facebook and Instagram. The results showed the opposite direction to the hypothesis, in that awareness of digital vulnerability was associated with digital competence rather than education. The results show that employees with higher digital competence are more likely to understand their awareness of digital vulnerability, which makes it easier for them to identify cyber threats. Based on this, the study suggests that education is not sufficient to prevent cybercrime. To better prevent cybercrime, employees must be willing to learn and want to understand the threats and risks.
Essays on Experimental Economics
Daniel John Woods. 22 July 2021.
This thesis contains three chapters, each of which covers a different topic in experimental economics.

The first chapter investigates power and power analysis in economics experiments. Power is the probability of detecting an effect when a true effect exists, which is an important but under-considered concept in empirical research. Power analysis is the process of selecting the number of observations in order to avoid issues with low power. However, it is often not clear ex-ante what the required parameters for a power analysis, like the effect size and standard deviation, should be. This chapter considers the use of Quantal Choice/Response (QR) simulations for ex-ante power analysis, as it maps related data-sets into predictions for novel environments. The QR can also guide optimal design decisions, both ex-ante as well as ex-post for conceptual replication studies. This chapter demonstrates QR simulations on a wide variety of applications related to power analysis and experimental design.

The second chapter considers a question of interest to computer scientists, information technology and security professionals. How do people distribute defenses over a directed network attack graph, where they must defend a critical node? Decision-makers are often subject to behavioral biases that cause them to make sub-optimal defense decisions. Non-linear probability weighting is one bias that may lead to sub-optimal decision-making in this environment. An experimental test provides support for this conjecture, and also other empirically important biases such as naive diversification and preferences over the spatial timing of the revelation of an overall successful defense.

The third chapter analyzes how individuals resolve an exploration versus exploitation trade-off in a laboratory experiment. The experiment implements the single-agent exponential bandit model. The experiment finds that subjects respond in the predicted direction to changes in the prior belief, safe action, and discount factor. However, subjects also typically explore less than predicted. A structural model that incorporates risk preferences, base rate neglect/conservatism, and non-linear probability weighting explains the empirical findings well.
Intrusion Attack & Anomaly Detection in IoT Using Honeypots
Kulle, Linus. January 2020.
This thesis is presented as an artifact of a project conducted at Malmö University IoTaP LABS. The Internet of Things (IoT) is a growing field and its use has been adopted in many aspects of our daily lives, which has led to digitalization and the creation of smart IoT ecosystems. However, with the rapid adoption of IoT, little or no focus has been put on the security implications, device proliferations and its advancements. This thesis takes a step forward to explore the usefulness of implementing a security mechanism that can proactively be used to aid understanding attacker behaviour in an IoT environment. To achieve this, this thesis has outlined a number of objectives that range from how to create a deliberate vulnerability by using honeypots in order to lure attackers in order to study their modus operandi. Furthermore, an Intrusion Attack Detection (IAD) model has been constructed that has aided with this implementation. The IAD model has been successfully implemented with the help of interaction and dependence of key modules that have allowed honeypots to be executed in a controlled IoT environment. Detailed descriptions regarding the technologies that have been used in this thesis have also been explored to a greater extent. On the same note, the implemented system with the help of an attack scenario allowed an attacker to access the system and circumnavigate throughout the camouflaged network; thereafter, the attacker's footprints are mapped based on the mode of attack. Consequently, given that this implementation has been conducted in the MAU environment, the results that have been generated as a result of this implementation have been reported correctly. Eventually, based on the results that have been generated by the system, it is worth noting that the research questions and the objectives posed by the thesis have been met.
Public Servants' Perceptions of the Cybersecurity Posture of the Local Government in Puerto Rico
Rodriguez, Julio C. 01 January 2019.
The absence of legislation, the lack of a standard cybersecurity framework, and the failure to adopt a resilient cybersecurity posture can be detrimental to the availability, confidentiality, and integrity of municipal information systems. The purpose of this phenomenological study was to understand the cybersecurity posture of municipalities from the perception of public servants serving in information technology (IT) leadership roles in highly populated municipalities in the San Juan-Carolina-Caguas Metropolitan Statistical Area of Puerto Rico. The study was also used to address key factors influencing the cybersecurity posture of these municipalities. The theoretical framework was open system theory used in combination with a conceptual framework encompassing key dimensions influencing digital government. Data were collected using semistructured interviews with 10 public servants working in IT leadership positions in a municipal setting in Puerto Rico. Data analysis involved horizontalization, reduction, elimination, clustering, thematizing, validation, and development of individual and composite textural descriptions. Participants reported that the cybersecurity posture of their municipalities was resilient. Participants also reported that technological changes, politics, the economy, management support, and processes were key elements to achieve a resilient posture. Findings may be used to empower elected officials, policymakers, public servants, and practitioners to manage and improve elements affecting cybersecurity with the goal of achieving a resilient posture to deliver cybersecurity as a public good.
Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements
Curran, Theresa. 01 January 2018.
Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations in proactively preventing these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance.
The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.
A Comprehensive Cybersecurity Defense Framework for Large Organizations
Smith, Willarvis. 01 January 2019.
There is a growing need to understand and identify overarching organizational requirements for cybersecurity defense in large organizations. Applying proper cybersecurity defense will ensure that the right capabilities are fielded at the right locations to safeguard critical assets while minimizing duplication of effort and taking advantage of efficiencies. Exercising cybersecurity defense without an understanding of comprehensive foundational requirements instills an ad hoc and in many cases conservative approach to network security. Organizations must be synchronized across federal and civil agencies to achieve adequate cybersecurity defense. Understanding what constitutes comprehensive cybersecurity defense will ensure organizations are better protected and more efficient.
This work, represented through design science research, developed a model to understand comprehensive cybersecurity defense, addressing the lack of standard requirements in large organizations. A systemic literature review and content analysis were conducted to form seven criteria statements for understanding comprehensive cybersecurity defense. The seven criteria statements were then validated by a panel of expert cyber defenders utilizing the Delphi consensus process. Based on the approved criteria, the team of cyber defenders facilitated the development of a Comprehensive Cybersecurity Defense Framework prototype for understanding cybersecurity defense. Through the Delphi process, the team of cyber defense experts ensured the framework matched the seven criteria statements. An additional and separate panel of stakeholders conducted the Delphi consensus process to ensure a non-biased evaluation of the framework.
The comprehensive cybersecurity defense framework is developed through the data collected from two distinct and separate Delphi panels. The framework maps risk management, behavioral, and defense in depth frameworks with cyber defense roles to offer a comprehensive approach to cyber defense in large companies, agencies, or organizations. By defining the cyber defense tasks, what those tasks are trying to achieve and where best to accomplish those tasks on the network, a comprehensive approach is reached.
A cybersecurity audit of the Garmin Venu
Antal, Oliver. January 2023.
The presence of smart wearables has established itself as a norm of the 21st century, but the state of their trustworthiness from the viewpoint of personal safety remains debatable. The information gathered by such devices has great potential for personal safety risks and must be handled safely. Previous work on the Garmin Venu watch gave room for relevant future work. This thesis aims to perform further evaluation of this smartwatch in unexplored areas. The work took inspiration from the relatively new "PatrIoT" penetration testing methodology, developed in-house at the Network and Systems Engineering lab, customized for penetration testing of Internet of Things devices. This project examined a broad surface on the watch including network traffic, data over USB connection, a few details in the watch's update mechanism, probed for some memory attack mitigations, fuzz testing of some functions in the Software Development Kit's Application Programming Interface, and some more. According to these investigations, the watch is perceived as safe. A deeper look into some investigations is left for future work.
Wearable devices have become a normal part of the 21st century, but their trustworthiness from a personal safety point of view is debatable. The information collected by them has great potential to cause personal safety risks and must be handled securely. Previous investigations of the Garmin Venu smartwatch left room for relevant future work. This thesis aims to carry out further investigations of this smartwatch. The work took inspiration from the relatively new "PatrIoT" penetration testing methodology, developed in-house by the staff of the Division of Network and Systems Engineering, tailored for penetration testing of Internet of Things devices. This project examined a broad attack surface on the watch, including data traffic, data over USB connection, some details in the watch's update mechanism, the presence of some mitigations for memory-based attacks, fuzz testing of the software development kit's application programming interface, and more. According to these investigations, the watch is perceived to be secure. A deeper investigation of these aspects is left for future work.