Human Factors in Cybersecurity最新文献

{"title":"Security in Vehicle-to-Infrastructure Communications","authors":"Pablo Marcillo, Ángel Leonardo Valdivieso Caraguay, Myriam Hernández-Álvarez","doi":"10.54941/ahfe1002210","DOIUrl":"https://doi.org/10.54941/ahfe1002210","url":null,"abstract":"By 2020, the number of connected vehicles will reach 250 million units. Thus, one of five vehicles worldwide will count on any wireless connection. Functional areas such as telecommunications, infotainment, automatic driving, or mobility services will have to face the implications caused by that growth. As long as vehicles require exchanging information with other vehicles or accessing external networks through a communication infrastructure, these vehicles must be part of a network. A VANET is a type of mobile network formed by base stations known as Road Side Units (RSU) and vehicles equipped with communication units known as Onboard Units (OBU). The two modes of communication in a VANET are Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I). Some authors consider that V2I communication has more advantages than V2V communication because V2I communication provides services such as driving guidance or early warning for drivers. This consideration has meant that researchers show more interest in this mode of communication. Likewise, others affirm that the problem of V2I communication is its security. This review focuses on knowing the most relevant and current approaches on security in V2I communication. Among the solutions, we have authentication schemes based on Blockchain technology, Elliptic Curve cryptography, key insulation strategy, and certificateless aggregate signature technique. Also, we found security arquitectures and identification schemes based on SDN, NFV, and Fog / Edge / Cloud computing. The proposals focus on resolving issues such as the privacy-preserving, high computational work, regular updating and exposure of secret keys, large number of revoked pseudonyms lists, lack of scalability in networks, and high dependence on certification authorities. In addition, these proposals provide countermeasures or strategies against replay, message forgery, impersonation, eavesdropping, DDoS, fake information, modification, Sybil, man-in-the-middle, and spoofing attacks. Finally, we determined that the attacks in V2I communications mostly compromise security requirements such as confidentiality, integrity, authentication, and availability. Preserving privacy by reducing computational costs by integrating emerging technologies is the direction toward security in vehicular network points.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"38 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127715299","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Architectural Design for Secure Smart Contract Development","authors":"Myles Lewis","doi":"10.54941/ahfe1003726","DOIUrl":"https://doi.org/10.54941/ahfe1003726","url":null,"abstract":"As time progresses, the need for more secure applications grows exponentially. The different types of sensitive information that is being transferred virtually has sparked a rise in systems that leverage blockchain. Different sectors are beginning to use this disruptive technology to evaluate the risks and benefits. Sectors like finance, medicine, higher education, and wireless communication have research regarding blockchain. Futhermore, the need for security standards in this area of research is pivotal. In recent past, several attacks on blockchain infrastructures have resulted in hundreds of millions dollars lost and sensitive information compromised. Some of these attacks include DAO attacks, bZx attacks, and Parity Multisignature Wallet Double Attacks which targeted vulnerabilities within smart contracts on the Ethereum network. These attacks exposed the weaknesses of current smart contract development practices which has led to the increase in distrust and adoption of systems that leverage blockchain for its functionality. In this paper, I identify common software vulnerabilities and attacks on blockchain infrastructures, thoroughly detail the smart contract development process and propose a model for ensuring a stronger security standard for future systems leveraging smart contracts. The purpose for proposing a model is to promote trust among end users in the system which is a foundational element for blockchain adoption in the future.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"405 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126680679","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Keeping the human element to secure autonomous shipping operations","authors":"Per Håkon Meland, Dag Atle Nesheim, Ørnulf Jan Rødseth","doi":"10.54941/ahfe1003715","DOIUrl":"https://doi.org/10.54941/ahfe1003715","url":null,"abstract":"Autonomous shipping operations are becoming economically and technically feasible, but this development also requires new human roles and responsibilities onshore for managing cyber events. The goal of this paper is to present a methodology for describing autonomous shipping operations and risks caused by potential cyber-attacks, focusing on critical situations to the interplay between the automation and human operators. We have applied our methodology on a case study for planned autonomous operations in European waterways. Our results show that the reliance on new technologies such as sensors, computer vision and AI reasoning onboard the autonomous ships or cranes opens to new types of attacks that the industry has little experience with as of now. Unmanned systems should therefore be designed with assurance methods that can bring the human into the loop, providing situational awareness and control. At the same time, human resource exhaustion is a potential attack goal against remote operations. We could see from our threat likelihood estimation that attacks related to deny- and injure-motivations have the highest values in all mission phase patterns. This is in accordance with the general attack trends within the maritime domain and many other sectors, where financially motivated attackers will try to demand a ransom to stop business disruption.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"234 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115753866","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Out of Sight but Still In Mind: Making ‘Invisible’ Cyber Threats More Salient Via Concrete Analogies","authors":"Aryn A. Pyke, Rebecca Bouchelle, David Uzhca","doi":"10.54941/ahfe1003716","DOIUrl":"https://doi.org/10.54941/ahfe1003716","url":null,"abstract":"It can be easier to conceive of and anticipate physical threats than cyber threats. Cyber threats can involve unseen remote hackers, and capitalize on invisible wireless signals as vectors. As such cyber threats are often out of sight and out of mind. How can we make these abstract, 'invisible' threats more intuitive and salient? We employed concrete analogies to enable future Army Officers to better anticipate cyber threats in tactical contexts. Modern multi-domain battle involves not only physical threats like fire fights and improvised explosive devices (IEDs), but also, increasingly, cyber threats. For example, the enemy may jam, intercept or track communication signals, hack into computing systems to exfiltrate or alter information, and/or hack equipment with electronic and autonomous components (including navigation systems, drones and robots). To ensure readiness, all soldiers, (not only cyber specialists) must have some awareness of this 'threatscape'. We developed the problem anticipation task (PAT) to gauge the degree to which participants would anticipate cyber as well as non-cyber tactical threats. They read a hypothetical mission description and tried to anticipate various problems that could arise. The mission explicitly mentioned several cyber-vulnerable components (e.g., radios, navigation systems, drones, biosensors, cell phones). Prior research using a sample from the same population indicated that about 40% of subjects did not anticipate a single cyber threat (Pyke, Ness, Feltner, in press). The current research used the PAT as a pre- and post-test and included an intervening intervention. Experimental subjects read a passage about a fictitious historical mission set in the 1800s. The version of the passage presented to the experimental group included historical issues (e.g., carrier pigeon intercepted by enemy) that were intended to be analogous to modern cyber-related issues (e.g., wireless communications signal intercepted/tapped by enemy). The intervention for the comparison group involved a passage describing historical issues (e.g., horse losing a shoe) that were intended to be analogous to modern non-cyber related issues (e.g., vehicle breakdown). Note that the link to the corresponding modern situation was not made explicit to the participants, they were just exposed to a historical situation that could lend itself to being analogous to a modern cyber situation. For the experimental group (but not the control) there was a significant gain in the percent of participants who were able anticipate one or more cyber issues. Thus, concrete analogies can serve to make 'invisible' cyber threats more intuitive and easier to anticipate.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129999289","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Insider Threat: Cognitive Effects of Modern Apathy towards Privacy, Trust, and Security","authors":"V. Yerdon, P. Hancock","doi":"10.54941/ahfe1002196","DOIUrl":"https://doi.org/10.54941/ahfe1002196","url":null,"abstract":"The purpose of this study was to analyze how contemporary social apathy levels towards privacy have changed across time from before the integration of computers into American society. With private information stored in a computational net of digital information, rather than in personal possession and control, there may be signals towards the increase in the “inattentive” insider Threat to cybersecurity. By using the results of sequential privacy index surveys (Westin, 2003; Kumaragru & Cranor, 2005), along with trait and state subjective questionnaires, changes and possible shared factors in attitude towards privacy were evaluated. It was hypothesized that there would be significant evidence for 1) change over time in concern for privacy, 2) high distrust, 2) high apathy, 3) low motivation, 4) difference between privacy group membership and subjective measure factors. These questionnaires were randomly administered to volunteer undergraduate psychology students at the University of Central Florida (UCF) who were compensated with course extra credit through a university system. The results of this study suggested that privacy concern has lowered over time, there was an overall high level of subjective apathy, and high level of instrumental motivation, which was correlated with the level of privacy concern. This research is looking for indicators of lower concern for privacy, to mitigate the inattentive insider threat in the workplace. Future phases of this research will use the same privacy and subjective questionnaires with the addition of an Implicit Association Test (IAT) for privacy and apathy in the primed and unprimed positions. This research will be used to validate an IAT for privacy, conduct a cross-factor analysis of privacy concern, state, and traits, along with testing for the ability to prime privacy concern.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"254 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116071096","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Using Security Metrics to Determine Security Program Effectiveness","authors":"Satyam Mishra, Phung Thao Vi, Vu Minh Phuc, Damilola Oni, Nguyen Van Tanh","doi":"10.54941/ahfe1003720","DOIUrl":"https://doi.org/10.54941/ahfe1003720","url":null,"abstract":"Security objectives serve as the foundation for security metrics, which are used to guide decisions on how to increase the security of all parts engaged in providing services and processing data. Numerous data breaches are re-vealed each week, some of which may have affected tens or even hundreds of millions of people. Customers and regulators are both becoming more concerned about firms' information security procedures and their plans for preventing security breaches and protecting sensitive data. As a result, sever-al laws and regulations have been enacted to enhance cybersecurity risk management and to protect personal information that may be held or trans-mitted among businesses. The majority of these industry-specific and general data protection laws are complex, requiring ongoing oversight to maintain compliance throughout your business and the companies of your vendors. To gauge the effectiveness of and involvement in the usage of security con-trols, it is crucial to define a set of security metrics. A carefully defined set of metrics will help direct future security decisions and strengthen your or-ganization's security posture. In our study, we proposed to review security metrics to determine security program effectiveness for a company which is fictional for the scope of study. Firstly, we defined security metrics and their key indicators successfully. We discussed different scenarios for Trivest Technologies Limited company, which is fictional, we just used it for our scope of study. We successfully discussed, developed, and used KPIs, KRIs and KGIs; which are security metrics for the Trivest Technologies Limited company, and we found out that these security metrics help us determine the security program effectiveness for a company successfully. By implementation of its successful results, it also aligns with one of the United Nations Sustainable Development Goals i.e., 8th: Decent work and Economic Growth.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"58 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133027769","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Assessing Human Factors and Cyber Attacks at the Human-Machine Interface: Threats to Safety and Pilot and Controller Performance","authors":"Mark Miller, Sam Holley","doi":"10.54941/ahfe1002204","DOIUrl":"https://doi.org/10.54941/ahfe1002204","url":null,"abstract":"The current state of automated digital information in aviation continues to expand rapidly as NextGen ADS-B(In) systems become more common in the form of Electronic Flight Bag (EFB) pad devices brought onto the flight deck. Integrated systems including satellites, aircraft, and air traffic control (ATC) data currently are not effectively encrypted and invite exposure to cyber attacks targeting flight decks and ATC facilities. The NextGen ATC system was not designed from the outset to identify and nullify cyber threats or attempts at disruption, and the safety gap has enlarged. Performance error at digital human-machine interfaces (HMI) has been well documented in aviation and now presents a potentially significant threat where the HMI can be more susceptible to human error from cyber attacks. Examples of HMI errors arising from digital information produced by automated systems are evaluated by the authors using HMI flaws discovered in recent Boeing 737-Max accidents. SHELL computer diagrams for both the digital flight deck and ATC facilities illustrate how the system is now interconnected for potential cyber threats and identifies how human factors consequences compromising HMI safety and operator performance present potential dangers. Aviation Safety and Reporting System (ASRS) data are examined and confirm HMI threats. The authors contrast various HMI errors with cyber attack effects on cognition, situational awareness, and decision making. A focused examination to assess cyber attack effects on cognitive metrics suggests cognitive clarity of operators is confounded when confronted with conflicting or confusing indications at the HMI. Difficulty in successfully identifying a cyber attack and the actions taken as human factors countermeasures are illustrated in the context of the HMI environment. The Human Factors Analysis and Classification System (HFACS) is used to show how cyber attacks could occur and be addressed along with a dual-path solution.Keywords: NextGen, Cyber attack, SHELL, HMI, Cognitive load, HFACS","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123613843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Non-Experts' Perceptions Regarding the Severity of Different Cyber-Attack Consequences: Implications for Designing Warning Messages and Modeling Threats","authors":"Natalie R. Lodinger, Keith S. Jones, Akbar Siami-Namin, Benjamin P. Widlus","doi":"10.54941/ahfe1002212","DOIUrl":"https://doi.org/10.54941/ahfe1002212","url":null,"abstract":"Cyber-defenders must account for users’ perceptions of attack consequence severity. However, research has yet to investigate such perceptions of a wide range of cyber-attack consequences. Thus, we had users rate the severity of 50 cyber-attack consequences. We then analyzed those ratings to a) understand perceived severity for each consequence, and b) compare perceived severity across select consequences. Further, we grouped ratings into the STRIDE threat model categories and c) analyzed whether perceived severity varied across those categories. The current study’s results suggest not all consequences are perceived to be equally severe; likewise, not all STRIDE threat model categories are perceived to be equally severe. Implications for designing warning messages and modeling threats are discussed.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"48 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126781624","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Maladaptive Behaviour in Phishing Susceptibility: How Email Context Influences the Impact of Persuasion Techniques","authors":"George Raywood-Burke, Dylan Jones, Phillip Morgan","doi":"10.54941/ahfe1003718","DOIUrl":"https://doi.org/10.54941/ahfe1003718","url":null,"abstract":"With over 80-90% of cyber incidents occurring in businesses and home settings often due to human errors in decision making (CybSafe, 2020; World Economic Forum, 2022; Verizon, 2022), a human-centric approach to cyber-security is needed to understand mechanisms behind maladaptive behaviours. One key area is susceptibility to phishing emails. Whilst some have investigated the success of different persuasion techniques in phishing susceptibility – most notably use of authority, urgency, and scarcity – less is known about how the wider context of the email (e.g., financial vs a work-related event) could influence the success of such techniques. The current paper presents initial findings from a repeated measures experiment where 271 participants included in the final analysis, recruited via Prolific (2022), judged whether they would or would not respond to presented email content containing a range of contexts and persuasion techniques. Diverging from previous research, participants were not necessarily more likely on average to respond to emails containing a persuasion technique, with large differences in persuasion success greatly depending upon the email context – with the proportion of response likelihood varying from 13.3% to 87.5% of participants choosing to respond. From this, not only do we demonstrate the successful impact of the main persuasion techniques and email context combinations upon phishing, but how overreliance on available information can bias individuals to engage in maladaptive cyber security behaviours.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127536844","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Information Security Awareness and Training as a Holistic Key Factor – How Can a Human Firewall Take on a Complementary Role in Information Security?","authors":"Erfan Koza","doi":"10.54941/ahfe1002201","DOIUrl":"https://doi.org/10.54941/ahfe1002201","url":null,"abstract":"Human elements have been identified as a factor in over 95% of all security incidents. Current technical preventive, corrective, and defensive mechanisms address intelligent and practical approaches to increase the resilience of information technology (IT) systems. However, these approaches do not fully consider the behavioral, cognitive, and heterogeneous motivations that lead to human failure in the security causal chain. In this paper, we present the Awareness Continuum Management Model (ACM2), which is a role-based and topic-based theoretical approach for an information security awareness and training program that uses Boyd’s observe–orient–decide–act (OODA) loop as a framework. The proposed ACM2 is based on the situational engineering method and regards the human firewall as an integral, indispensable, and complementary part of the holistic approach to increase IT systems’ resilience. The proposed approach can be applied to different types of organizations and critical infrastructure and can be integrated into existing training programs.","PeriodicalId":373044,"journal":{"name":"Human Factors in Cybersecurity","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129776159","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}