2016 | Book

Advances in Human Factors in Cybersecurity

Proceedings of the AHFE 2016 International Conference on Human Factors in Cybersecurity, July 27-31, 2016, Walt Disney World®, Florida, USA

About this book

This book reports on the latest research and developments in the field of cybersecurity, giving a special emphasis on personal security and new methods for reducing human error and increasing cyber awareness, and innovative solutions for increasing the security of advanced Information Technology (IT) infrastructures. It covers a wealth of topics, including methods for human training, novel Cyber-Physical and Process-Control Systems, social, economic and behavioral aspects of the cyberspace, issues concerning the cyber security index, security metrics for enterprises, risk evaluation, and many others. Based on the AHFE 2016 International Conference on Human Factors in Cybersecurity, held on July 27-31, 2016, in Walt Disney World®, Florida, USA, this book not only presents innovative cybersecurity technologies, but also discusses emerging threats, current gaps in the available systems and future challenges that may be coped with through the help of human factors research.

Table of Contents

Frontmatter

Cybersecurity Interface and Metrics

Frontmatter
A Rapid Serial Visual Presentation Method for Graphical Authentication

We propose a Rapid Serial Visual Presentation (RSVP) graphical authentication method that is suited for multi-touch mobile devices. This method presents degraded pictures of everyday objects in a temporal stream. Considering that all the other authentication methods employ a spatial visual search, our method is unique (i.e., searching across time versus space). A temporal method of presentation is used to decrease login times down to 14 s and to allow login with a simple touch of the screen. By degrading the images, over-the-shoulder attackers are prevented from easily capturing the passcode. This study shows that all participants could successfully log in at least once when allowed up to three attempts. After becoming familiar with the RSVP authentication method, participants took on the role of an attacker. Notably, no one was able to identify the passcode. The RSVP method offers a memorable, usable, quick, and secure alternative for authentication on multi-touch mobile devices.

Ashley A. Cain, Jeremiah D. Still
Information Security Application Design: Improving Signal-to-Noise Ratio

The clear presentation of critical Information Security insights is a key challenge for Information Security application design. If implemented incorrectly, evidence of a data breach might be lost against the background of unimportant information. Consequently, it is vital for Information Security application design teams to deliver insights, not simply a lot of data, that enable Information Security teams to quickly secure their organization’s environments more completely. This paper discusses a Human-Centric approach undertaken to reduce Information Density and to increase Visual Priority, with a view to surfacing key insights quickly within Nexpose, Rapid7’s Vulnerability Management application.

Saurabh Dutta, Ger Joyce
Towards More Effective Cyber Operator Interfaces Through Semantic Modeling of User Context

Cyber operators frequently need to quickly process large amounts of data that are generated by various network monitoring systems or applications, and they need to rapidly make complex decisions. We posit that dynamically tailoring the user experience to the cyber operator’s context would significantly improve the effectiveness and efficiency of their ability to respond and take action. Tailoring can take the form of filtering to present the information most relevant to the situation, or automating tasks that are most beneficial in the current context. SRI’s bright (www.sri.com/bright) approach records the action and gaze details of cyber operator interactions across several cyber security applications. Analysis of the collected data will provide insight into the current interests of cyber operators, and form the basis for future methods and mechanisms for adapting the user experience.

Rukman Senanayake, Grit Denker
Extended Password Security via Cloud: CloudPass

We propose the design and development of CloudPass, a novel password storage and retrieval scheme that offers extended protection against confidentiality threats. CloudPass first encrypts the password, then stores this encrypted password in a cloud environment, namely Dropbox. Employing CloudPass for password storage and retrieval offers a threefold benefit: (1) we optimize memory requirements by having to store less password-related content on the local computer/device, (2) we gain the extra security that is integral to the cloud service, and (3) all these services are obtained free of charge. It fully provides the fundamental security services, i.e. confidentiality, integrity, availability, authentication, and non-repudiation. Our design is presented as a mobile application, yet it can well be adapted to a PC environment. Performance metrics, measured as the time to store and retrieve a secure password to/from the cloud, are promising, and the comparisons presented show it to be evidently comparable to similar products from its peers.

James Eich, Lalu John, Kolin Smith, Ebru Celikel Cankaya
Biometric-Based Cybersecurity Techniques

This paper describes biometric-based methods for achieving strong, low cost mutual and multi-factor authentication on the Internet of Things (IoT). These methods can leverage telebiometric authentication objects (TAO), tagged physical objects functionally coupled with biometric sensors and connected to a telecommunications network. Methods presented are convenient for people to use, support Universal Access (UA) goals, and ensure the confidential exchange of information between communicating parties. The described one and two-factor authentication methods use cryptographic techniques to achieve mutual authentication and data confidentiality through password and biometric authenticated key exchange (AKE). These key establishment techniques rely on the use of a Diffie-Hellman key agreement scheme to create a strong symmetric key from a weak secret. AKE protocols can provide forward secrecy and prevent disclosure of user credentials during authentication attempts to thwart active phishing and man-in-the-middle attacks. TAO combined with AKE provides mutual authentication and strong, three-factor user authentication.

Phillip H. Griffin
Users’ Privacy Perceptions About Wearable Technology: Examining Influence of Personality, Trust, and Usability

Wearable technologies have become useful instruments in providing accurate and trustworthy information about individuals’ activities, especially for health-and-fitness related purposes. However, the constant and ubiquitous data practices of wearable devices bring challenges to users’ privacy and security. This study focused on smartwatches and investigated how users’ personalities, trust, and the usability of the device affected their privacy perceptions while using the wearable device. Our results indicated that users who demonstrated a high tendency towards neuroticism had more awareness about third-party data sharing after a wearable trial. Also, those high in personal trust were less concerned about privacy. In addition, we found that the usability of a device affected the users’ perceptions of data practices. As the first study of its kind, we provide several suggestions for designing privacy-enhancing wearable devices and for future research.

Karen Lamb, Hsiao-Ying Huang, Andrew Marturano, Masooda Bashir
Cyber Operator Perspectives on Security Visualization

In a survey of cyber defense practitioners, we presented 39 assertions about the work cyber operators do, data sources they use, and how they use or could use cyber security visual presentations. The assertions were drawn from prior work in cyber security visualization over 15 years. Our goal was to determine if these assertions are still valid for today’s cyber operators. Participants included industry, government and academia experts with real experience in the cyber domain. Results validated the assertions, which will serve as a foundation for follow-on security visualization research. Feedback also indicates that when analyzing a security situation, cyber operators inspect large volumes of data, usually in alpha-numeric format, and try to answer a series of analytic questions, expending considerable cognitive energy. Operators believe security visualizations could support their analysis and communication of findings, as well as training new operators.

Anita D’Amico, Laurin Buchanan, Drew Kirkpatrick, Paul Walczak

Cybersecurity Behavior

Frontmatter
Cyber-Security: Role of Deception in Cyber-Attack Detection

Cyber-attacks are increasing in the real world and cause widespread damage to cyber-infrastructure and loss of information. Deception, i.e., actions to promote beliefs in things that are not true, could be a way of countering cyber-attacks. In this paper, we propose a deception game, which we use to evaluate the decision making of a hacker in the presence of deception. In an experiment using the deception game, we analyzed the effect of two between-subjects factors on hackers’ decisions to attack a computer network (N = 100 participants): the amount of deception used and the timing of deception. The amount of deception used was manipulated at 2 levels: low and high. The timing of deception use was manipulated at 2 levels: early and late. Results revealed that in the late and high deception condition, the proportion of not-attack actions by hackers was higher. Our results suggest that deception acts as a deterrence strategy for hackers.

Palvi Aggarwal, Cleotilde Gonzalez, Varun Dutt
Role of Intrusion-Detection Systems in Cyber-Attack Detection

Currently, little is known about how defenders’ reliance on decision-support technology influences their decisions. Here, we designed a cyber-security game, where “hackers” decide whether to attack a computer network and “analysts” decide whether to defend the network based upon recommendations from an IDS. We present results from an experiment with 200 participants randomly paired and assigned to one of four between-subjects conditions that varied in the IDS’s availability (absent/present) and its accuracy (when present, it is 10, 50, or 90 % accurate). Results revealed that the proportions of attack and defend actions were similar and close to their Nash proportions when the IDS was absent and when it was 50 % accurate; but these proportions were smaller and different from their Nash proportions when the IDS was inaccurate (10 % accurate) or very accurate (90 % accurate). Our results suggest that the presence of decision-support technology is likely to make defenders over-rely on this technology.

Varun Dutt, Frederic Moisan, Cleotilde Gonzalez
Understanding the Personality Characteristics of Cybersecurity Competition Participants to Improve the Effectiveness of Competitions as Recruitment Tools

This paper reports on the results of a survey designed to study the psychological characteristics of a sample of cybersecurity competition participants from Cybersecurity Awareness Week (one of the largest cybersecurity competitions in the USA). By comparing the personality, vocational interests, culture, decision-making style and attachment style between participants who reported their intention to enter cybersecurity careers post-competition and those who did not, we evaluated the effectiveness of cybersecurity competitions as a recruitment tool. Overall, most cybersecurity competition participants tended to be high in openness, rational decision-making style, and investigative interests. Conversely, participants scored lower on neuroticism, intuitive decision-making style, and realistic interests. Individuals’ scores on investigative interests, openness to experience, rational decision-making, and self-efficacy were good predictors of their intention to enter cybersecurity careers post-competition. To increase the influx of people into cybersecurity careers, cybersecurity competitions can be designed to attract more people with these characteristics.

Colin Wee, Masooda Bashir
Integrating Cultural Factors into Human Factors Framework and Ontology for Cyber Attackers

The multiple types of culture (e.g. national, social, religious, ethnic, geographic, organizational) that influence human behavioral characteristics and interactions also affect how humans interact with technology and the Internet. In an effort to further understand (and measure) how human factors influence cybersecurity risk, we propose incorporating individuals’ national culture within the human factors framework component of our holistic cybersecurity risk assessment framework. The justification for this inclusion of national culture into the framework results from Nisbett’s, Heinrich’s, and Hofstede’s work with culture and cognition along with Sample’s work with culture and cyber. Culture is a key factor with respect to the human element that has been understudied in cybersecurity risk literature. By identifying the critical culture metrics and integrating them within the Human Factors Framework and Ontology developed for identifying cybersecurity risk assessment metrics for modeling to facilitate additional experimentation.

Diane Henshel, Char Sample, Mariana Cains, Blaine Hoffman
Cognitive Performance Impact of Augmented Reality for Network Operations Tasks

We examine whether the use of Augmented Reality (AR) may aid the performance of network security operators (NSOs) performing time critical tasks. While attempting to achieve some primary goal, NSOs must continuously monitor and respond to a wide range of ancillary events which may impact mission performance. Responding to these additional events in a time sensitive manner introduces significant stress and impacts primary task performance. We conducted experiments with the Epson Moverio and Vuzix m100 head-mounted displays. Test subjects performed a simulated NSO exercise with and without AR glasses while simultaneously responding to randomly generated ancillary events. Test subjects using AR reported less overall mental demand, performed the primary task more quickly, and more often successfully responded to ancillary events within a required time. We find that AR devices are a promising aid for maintaining focus in primary network operations tasks while reducing overall stress load.

Steve Beitzel, Josiah Dykstra, Sean Huver, Michael Kaplan, Michael Loushine, Jason Youzwak
Stress and Workload Profiles of Network Analysis: Not All Tasks Are Created Equal

Effective cyber defense depends upon intrusion detection, i.e., the process of monitoring, detecting, and reacting appropriately to cyber activity threatening network security. Intrusion detection requires the execution of multiple unique, interdependent network analysis tasks. The current study aimed to expand understanding of cyber defense by separately assessing task-induced workload and stress for two key network analyst tasks, triage analysis and escalation analysis, which are the first and second lines of cyber defense, respectively. In separate studies, participants assumed the role of either a triage analyst or an escalation analyst, performed associated intrusion detection duties in simulated cyber task environments, and reported task-induced workload and stress. Findings suggest that, even though triage and escalation analysts are both engaged in cyber defense, their tasks result in differentiable workload and stress profiles. This highlights the need for further human factors research examining operator performance and state across network analyst roles.

Eric T. Greenlee, Gregory J. Funke, Joel S. Warm, Ben D. Sawyer, Victor S. Finomore, Vince F. Mancuso, Matthew E. Funke, Gerald Matthews

Cybersecurity Situational Awareness for Critical Infrastructure

Frontmatter
Human Capability Evaluation Approach for Cyber Security in Critical Industrial Infrastructure

Every organization is as frail as its frailest human link in the cyber security of Industrial Control Systems (ICS), which is without predisposition to conceivable technological solutions for enforcing security. Noticeably, human-involved systems are becoming more chaotic, and gravely under attack due to irregular actions or inactions of human entities in the constituent chain. Many industrial cyber-attacks have successfully defeated technological security solutions by preying on human weaknesses in knowledge and skills, and manipulating insiders within organizations into unsuspectingly delivering entry and access to sensitive industrial assets. In order to help enterprises assess the level of employees’ cyber security awareness and responsiveness, and enhance ICS cyber security knowledge and skills for ICS protection, a Workforce Cyber Security Capability evaluation model is presented and theoretically validated. A capability evaluation will allow industries to have a better understanding of the potential state of consciousness, readiness and diagnostic abilities of the industries, thus improving the prevention, detection, and response to any cyber-specific incidents.

Uchenna P. Daniel Ani, Hongmei Mary He, Ashutosh Tiwari
Cybersecurity Awareness in the Power Grid

We report on a series of interviews and observations conducted with control room dispatchers in a bulk electrical system. These dispatchers must react quickly to incidents as they happen in order to ensure the reliability and safe operation of the power grid. They do not have the time to evaluate incidents for signs of cyber-attack as part of their initial response. Cyber-attack detection involves multiple personnel from a variety of roles at both local and regional levels. Smart grid technology will improve the detection and defense capabilities of the future grid; however, the current infrastructure remains a mixture of old and new equipment which will continue to operate for some time. Thus, research still needs to focus on strategies for the detection of malicious activity on current infrastructure as well as protection and remediation.

Jean Scholtz, Lyndsey Franklin, Katya Le Blanc, Eric Andersen
Human Factor of Online Social Media Cybersecurity Risk Impact on Critical National Information Infrastructure

Social digital media have become an effective platform for many cyber communities to promote products and services and to reach a greater potential market around the globe. However, social digital media could lead to several critical cybersecurity risks that might be difficult to manage and mitigate. Moreover, some of the cybersecurity risks could cause severe human-factor impacts, especially if the risk affects the Critical National Information Infrastructure (CNII) that serves as the backbone of the country. Hence, the objectives of the research are to determine the human factors related to social media cybersecurity risk, and to discuss their severity level of impact on the Critical National Information Infrastructure (CNII). Questionnaires were distributed to practitioners in various private and government agencies for the study. The findings of the research show that the top 5 most critical cybersecurity risks are Information Theft; Cyber Attacks; Cyber Crime; Information Manipulation; Productivity Loss. This article also highlights the top 5 least critical cybersecurity risks, which are Attack of the Software; Cyber Assault/Bullying; Espionage; Terrorism; Risk of Losing the Legal Battle. Through the findings, experts, management and practitioners would be able to identify critical cybersecurity risks and address them appropriately and effectively.

Nik Zulkarnaen Khidzir, Ahmad Rasdan Ismail, Khairul Azhar Mat Daud, Mohamad Shahfik Affendi Abdul Ghani, Suriatini Ismail, Asrul Hery Ibrahim

Cybersecurity Training

Frontmatter
The Importance of Information Security Awareness for the Success of Business Enterprises

The management of Information Security has become more essential and critical for the success of enterprises nowadays. Managers need to take many security countermeasures in a systematic process. Security policies, breach detection systems, access control systems and anti-virus programs are some examples which protect information from potential threats and risks. Companies need to follow an integrated and holistic management approach. Information security managers have limited resources to handle the security demands properly and on time. As a result, an awareness and training program plays an important part for the managers and their staff who need to do their jobs. The security requirements, policies and standards should be defined and implemented systematically and continuously across the enterprise for the management of Information Security.

Ebru Yildirim
Investigating the Relationship Between Need for Cognition and Skill in Ethical Hackers

As technology gets more complex and increasingly connected, there is a continuing concern with cyber security. Partnered with this concern is continuing demand for cyber security defenders. Unfortunately, there is currently a dearth of skilled professionals to meet that demand. In order to prepare the next generation of cyber defenders, we need to understand what characteristics make skilled cyber security professionals. For this work, we focus on professionals who take an offensive approach to cyber security, so called ethical hackers. These hackers utilize many of the same skills that the adversaries that we defend against would use, but with the goal of identifying vulnerabilities so they can be mitigated before they are exploited by adversaries. We interviewed cyber security researchers who specialize in offensive approaches. Based on the responses to the hacker skill inventory, we generated a self-reported skill score for each participant. We also developed a peer-rating for each participant based on the number of times each individual that was interviewed was named as the most skilled in a particular area. The results are discussed in the context of training and recruitment of cyber security professionals.

Katya Le Blanc, Sarah Freeman
A White Hat Approach to Identifying Gaps Between Cybersecurity Education and Training: A Social Engineering Case Study

The U.S. Coast Guard’s 2015 Cyber Strategy states that cyber education and training must be a major component of workforce development. The Coast Guard as a military branch prides itself on agile leadership under pressure. Cadets at the U.S. Coast Guard Academy (CGA) are challenged with a very rigorous academic load on top of military training requirements and club or varsity sports. These teach a cadet about time management and working under stress; however, their impact on fostering a climate that promotes situational awareness is an open question. Cadets may be even more susceptible to social engineering attacks. With human performance technologists on its training staff and interdisciplinary academic faculty, CGA is well positioned to conduct human factors in cybersecurity research. As the only institution of higher learning within DHS, the Coast Guard Academy is well positioned to examine these challenges as they apply to national security.

Kimberly Young-McLear, Grant Wyman, Joseph Benin, Yamasheka Young-McLear
Influence of Motivational Factors on Hackers’ and Analysts’ Decisions in Dynamic Security Games

Cyber-attacks may be studied as a non-cooperative game between hackers and analysts. However, current game-theoretic approaches have disregarded how motivational factors (the cost and benefit of hackers’ and analysts’ actions) are likely to influence decision-making during cyber-attacks. In an experiment, the motivations of humans acting as hackers and analysts were manipulated across three between-subjects conditions in a repeated game: Equal-Payoff (Control; N = 25 pairs), Rewarding-Hacker (for successful attacks; N = 25 pairs) and Rewarding-Analyst (for correctly detecting cyber-attacks; N = 25 pairs). Hackers and analysts decided simultaneously in order to maximize their payoffs. Results revealed that the proportion of attacks was higher in the Rewarding-Hacker condition and lower in the Rewarding-Analyst condition compared to the Equal-Payoff condition. The proportion of defend actions was higher in the Rewarding-Hacker condition and the same in the Rewarding-Analyst condition compared to the Equal-Payoff condition. We highlight the relevance of our results to cyber-attacks in the real world.

Zahid Maqbool, V. S. Chandrasekhar Pammi, Varun Dutt
Behavioral Cybersecurity: Human Factors in the Cybersecurity Curriculum

As more concentrations in cybersecurity in the computer science undergraduate curriculum are being offered to meet a high demand, these offerings have not reflected a major concern of cybersecurity researchers, namely that there is little emphasis on the behavioral questions involved in the study and analysis of cybersecurity events. To this end, Howard University has introduced an upper division undergraduate course and graduate course to complement its cybersecurity course offerings, called “Behavioral Cybersecurity.” The behavioral approach also includes considerations of human factors. This paper reviews the course development, pedagogical choices made, and outcomes of its initial offering.

Wayne Patterson, Cynthia Winston, Lorraine Fleming
Developing an Insider Threat Training Environment

Many cyber security officers are more concerned with outside rather than insider threats because the enemy is generally perceived as being “out there” or beyond the organization. Therefore, defensive actions are readily available once an outside threat is identified (Colwill in Human factors in information security: the insider threat—who can you trust these days? pp. 186–196, 2009 [1]). Contradictory to the ideas of social identification as an “us” and “them,” the greatest enemy may be lurking within one’s own organization. Individuals are considered insiders if they presently have (or at one time had) permission to access an organization’s data or network structures (Greitzer et al. in Secur Priv IEEE 6(1):61–64, 2008 [2]). The concept of the insider threat is considered one of the most difficult situations to deal with in the cybersecurity domain (Hunker and Probst in J Wireless Mobile Netw Ubiquitous Comput Dependable Appl 2(1):4–27, 2011 [3]). The Association of Certified Fraud Examiners has reported two-thirds of fraud and identity thefts are executed by organizations’ employees or other known insiders. They also estimate U.S. companies have lost 5 % of revenue to fraudulent insider activities (Randazzo et al. in Insider threat study: illicit cyber activity in the banking and finance sector, 2005 [4]). Insiders have multiple advantages over an outsider. An insider threat is one of the most difficult situations to identify. Therefore, it is critical that training be developed. The first step to effective training is constructing an environment that lends itself to insider threat situations. The present paper describes the process in which one insider threat virtual environment was constructed. A discussion of the considerations and functional features is detailed.

Eric Ortiz, Lauren Reinerman-Jones, Gerald Matthews

Cybersecurity Research for Human Effectiveness

Frontmatter
Applying Human Factors Research Towards Cyberspace Operations: A Practitioner’s Perspective

Cyberspace operations are dependent upon highly sophisticated technology. Unfortunately, it is challenging to find or develop solutions that successfully support critical processes and decisions. Innovation, and the resources associated with innovation, appear to focus primarily on the technology with little emphasis on the human factors associated with employment, training, and sustainment of the capabilities. Researchers and vendors often mistakenly apply information technology solutions to cyberspace operations problems. In such cases, a poor understanding of the nature of the cognitive work and the goals in cyberspace operations results in technologies that are of limited usefulness and usability with regard to the purpose and scale of military operations. This paper presents a practitioner’s perspective on the core human factors of cyberspace operations. It concludes with strong recommendations for how to better incorporate cognitive engineering and experimental psychology practices into research and development projects.

Scott D. Lathrop, Stoney Trent, Robert Hoffman
Contextualizing Mnemonic Phrase Passwords

Our society depends on password-based authentication methods for accessing valuable information. However, the use of weak passwords is placing us at risk. Cyber security systems encourage users to employ strong passwords often by increasing requirements. Unfortunately, using a strong password requires more cognitive effort. This increase in effort pushes users to find workarounds that directly harm security. The paradox between security and usability has often resulted in simply blaming users rather than seeking a Human-Centered Design perspective. We introduce a strategy for developing strong passwords that embed contextual cues within mnemonic phrase passwords. Using this strategy participants were able to create strong passwords and better remember them compared with a traditional mnemonic strategy.

Pete McEvoy, Jeremiah D. Still
Research Directions in Authentication and Personal Data

This work provides an analysis of current research exploring the problems that arise with combinations of personal data used in primary and secondary authentication and personal data available online. Personal data, such as names and birthdates, are used frequently in password creation or as answers to secondary authentication questions. In combination, these problems increase security risks while failing to provide users with usability in the most common of authentication mechanisms. Here, the current literature is evaluated to compare the personal data currently used in password authentication with data commonly available online for individuals. The resulting contribution provides a framework for research, a compilation of current understandings of users’ password design and secondary authentication questions, the relationship of authentication to personal data, and directions for future research.

Kirsten E. Richards, Anthony F. Norcio

Cybersecurity—Personal Security

Frontmatter
Multi-cultural Empirical Study of Password Strength Versus Ergonomic Utility

This paper presents the findings of a principled, empirical study of password security. Security policies direct users to select long passwords having arcane collections of case, numerals, and special characters, and no whole words. Then users are told to change passwords often, never to reuse them, and not to record them: Requirement 1: Passwords must be impossible to remember. Requirement 2: Memorize all passwords. When faced with an inconvenient request for a new password, many people reflexively reuse existing passwords, or concoct minimally adequate, easily memorable passwords on-the-fly. In this study, volunteers access the project website to complete a demographic survey, and are asked to create passwords at various points. Later in the encounter, they are asked to reiterate these passwords. Password strength (as determined by an open-source application described in the paper) is correlated with password memorability (ergonomic utility) within the context of the collected demographic factors.

Monte Hancock, Federico Calderon, Mendi Drayton, Edward Stapleton, John Nida, Sam Williamson, Arvil Easter, Steve Knight, Alexander Vazquez, Rodney Wade, David Woolfolk, Tracy Hollis, Payton Brown
Swipe Authentication: Exploring Over-the-Shoulder Attack Performance

Swipe passwords are a popular method for authenticating on mobile phones. In public, these passwords may become visible to attackers who engage in shoulder surfing. There is a need for strategies that protect swipe passwords from over-the-shoulder attacks (OSAs). We empirically explored the impact of providing gesture visual feedback on OSA performance during successful and unsuccessful swipe login attempts on mobile phones. We found evidence that entry visual feedback facilitates OSAs. As users are biased towards symmetrical swipe patterns, we investigated their impact on attack performance. We found that symmetrical swipe patterns were less vulnerable than asymmetrical patterns, possibly due to the speed of entry. As users tend toward simple patterns, we investigated the impact that nonadjacent, diagonal knight moves have on OSAs. We found that knight moves significantly decreased OSA performance. We recommend users turn off gesture entry visual feedback and use knight moves for greater password security.

Ashley A. Cain, Liya Chiu, Felicia Santiago, Jeremiah D. Still
“Is This Cyberbullying or Not?”: Intertwining Computational Detection with Human Perception (A Case Study)

Cyberbullying refers to bullying that occurs through the Internet or text messaging. Understanding the nature of cyberbullying and its implications has become an important issue in society. In an attempt to assist with intervention and prevention efforts, the development of computational systems for detecting acts of cyberbullying has become a common trend. However, prior research notes that such systems are typically vulnerable to inaccurate detections, in particular false-positives. Given the prevalence of cyberbullying across age demographics, understanding how humans identify such activity is important for informing and improving such prevention/intervention efforts and reducing system vulnerability. A study was conducted that asked 180 participants to evaluate three excerpts taken from the social media site Formspring. Participants indicated that the use of profane words, and the determination that someone was harmed by the content of the social media post were the most likely determinants that cyberbullying occurred in the post.

Edward Dillon, Jamie Macbeth, Robin Kowalski, Elizabeth Whittaker, Juan E. Gilbert
Increasing Software Security by Using Mental Models

Cybercrime is a global problem and the economic damages are enormous (Center for Strategic and International Studies. http://csis.org/ [1]). Identifying reasons for software vulnerabilities is an important issue, with some researchers assuming software developers to be part of the problem. As most developers aren’t security experts, they create insecure and thus vulnerable software. To avoid this, a tool that supports software developers in dealing with security issues should be developed. This work uses the structure formation technique (Scheele et al. in Dialog-Konsens-Methoden zur Rekonstruktion Subjektiver Theorien: die Heidelberger Struktur-Lege-Technik (SLT) (1988) [2]) as a first step to develop the mental models of software developers when dealing with security measures. A core definition of mental models is compiled, and the results of a pilot study deliver valuable information for the supporting tool. In further research, the mental models developed for novices (software developers) should be compared with the mental models of security experts. On this basis the reliability of the novices’ mental models can be reviewed and occurring problems identified.

Heike Märki, Miriam Maas, Michaela Kauer-Franz, Marius Oberle

Cybersecurity Tools

Frontmatter
Development and Validation of the Air Force Cyber Intruder Alert Testbed (CIAT)

Presently, cyber defense heavily relies on human network analysts who must detect and investigate potential suspicious activity, a demanding, fatiguing process that takes a heavy toll on human operators. Given the criticality of these operators to cyber defense, research is needed to investigate and mitigate the sources of those challenges. Currently, few cyber-focused synthetic task environments (STEs) exist, and those that do are not well suited to investigate the problems of network analysts. Therefore, a new cyber STE focused on network analysts called the Air Force Cyber Intruder Alert Testbed (CIAT) was developed. This STE was designed to emulate key functions of Enterprise-level cyber defense platforms. Specifically, CIAT simulates a network analyst environment, including an intrusion detection system, signature database, packet capture software, and network list. The purpose of this paper is to describe the development and validation of the CIAT STE.

Gregory Funke, Gregory Dye, Brett Borghetti, Vincent Mancuso, Eric Greenlee, Brent Miller, Lauren Menke, Rebecca Brown, Alex Vieane
Cyber Epidemics: Modeling Attacker-Defender Dynamics in Critical Infrastructure Systems

Cyber warfare presents a major potential threat to critical infrastructures (CIs). Decision makers who want to develop resilient CIs must consider both strategic and operational aspects of CIs as well as nonlinear dynamics characterizing such cyber-physical systems. This paper combines System Dynamics (SD) with a game-theoretic approach to understand cyber epidemics dynamics of CI operations triggered by attacker and defender strategic interactions. We model attack-defense dynamics as a continuous game of timing to highlight that effectiveness of strategic moves strongly depends on when to act. We simulate scenarios of proactive and reactive defenses to demonstrate how our model supports cyber security policy optimization. This research builds on our previous work by extending a novel block building modeling framework for disruption impact analysis in networked CIs.

Elisa Canzani, Stefan Pickl
Intelligent Agent Representations of Malware: Analysis to Prepare for Future Cyber Threats

There have been several recent examples of cyber-attacks that contain multiple components and have more advanced approaches than those that cyber-defense teams have become accustomed to. Some of these attacks have characteristics of intelligence and can be modelled as a set of collaborating software components such as those used in intelligent agents. In this paper, we discuss a set of parameters useful for analyzing and characterizing potential advanced cyber threats and for helping cybersecurity experts prepare to defend against them. A set of intelligent agents can be designed to collaborate in order to solve a complex problem, each agent having its own set of knowledge and expertise and being able to respond to requests from other agents for help in solving the problem. An intelligent agent can contain or have access to knowledge about context (e.g. patterns of network traffic) or problem-solving and can use any of the artificial intelligence reasoning techniques that are available to larger, more comprehensive software modules. Some agents are mobile, that is, they can move across a network to operate on multiple network nodes. These intelligent agent paradigms can represent advanced threats. For example, intelligent agents as individual intelligent software entities, as a collaborating set, or as a swarm with emergent intelligence could be used to model threats which manifest cyber tactics, techniques and procedures (TTPs). This paper includes an analysis of the design parameters of intelligent agent architectures and the implications of these parameter choices for agent behaviors that can be used for analyzing and testing systems for the purpose of learning to secure them against sophisticated cyber-attacks. In order to motivate and support this analysis we provide a scenario use case which envisions the use of advanced intelligent agent teams for analysis of possible threats and for cybersecurity testing.

Elizabeth Whitaker, Stephen Lee-Urban
Two Complementary Network Modeling and Simulation Approaches to Aid in Understanding Advanced Cyber Threats

This paper describes two complementary approaches to modeling and simulation (M&S) of sophisticated malware attacks for their use in understanding and preparing for potential threats. Modern malware operates at multiple scales, and successfully defending against these attacks requires the ability to understand the effects of decisions across this range. We present two types of M&S frameworks that differ in fidelity and scalability. The first is a low-fidelity, scalable approach for representing and studying the spread of malware in a large network at a macro scale. The network is both modelled and simulated in ns-3, a discrete event simulation tool typically used for protocol exploration and traffic monitoring that supports the simulation of tens of thousands of nodes. The second type of simulation is a higher-fidelity, micro-scale approach that includes nodes that closely emulate the behavior of actual computer systems and may include real hardware and software. ns-3 allows outside networks to interact with the simulation in real time. This enables the combination of the network simulation environment with real and virtual machines to allow detailed observation of the ways in which a hypothetical advanced persistent threat would play out in a small subnetwork. The interface between the ns-3 simulation, the attack framework (e.g. Metasploit), and the real and virtual nodes is managed by a controller that also supplies configuration, business logic and results logging. We present use cases for both simulation types, showing how each approach can be used in the analysis of malware.

Stephen Lee-Urban, Elizabeth Whitaker, Mike Riley, Ethan Trewhitt
Malware Detection Based on New Implementations of the Moody-Darken Single-Layer Perceptron Architecture: When the Data Speak, Are We Listening?

Malware detection is a very important cyber security problem, as malware compromises computer system integrity and allows the collection of sensitive information or the insertion of disruptive, malicious, and intrusive software. Malware is within the domain of cyber security and has become more important with the burgeoning of advanced technologies applied to cyber attacks and people eager to use that technology. We approach malware detection first as a binary classification problem, i.e., one class for malware and another for non-malware. We present a novel classifier that utilizes constrained low rank approximation as the core algorithm innovation generalizing the Moody-Darken single layer perceptron architecture of 1989, which we call the Generalized Moody-Darken Architecture (GMDA). We formulate the new algorithm as a nonconvex optimization problem for the hidden layer of the single layer perceptron and derive a constrained convex optimization problem for the output layer estimator. Our previous results have shown that the combined architecture achieves the classification performance of the support vector machine (SVM), but in an online methodology that scales well to massive-scale data. In addition, our new implementation works well for nonnegative data and has been applied to Twitter data sentiment classification as well. We focus this paper on solving the classification problem in the appropriate domain for the data and show that this is critical for both accuracy and interpretation of the results. Also, we demonstrate that the data generation process should also be appropriate for the selected algorithms. All this has critical implications for the design of the GMDA.
In this paper, we introduce a new classification framework based on our novel implementation of the Moody-Darken architecture that is fast and semi-adaptive in the sense that the hidden layer utilizes a warm-start method for the non-convex optimization problem and is not required to be fully adaptive, while the output layer is fully adaptive and can be updated/downdated for each new input sample. After warm-starting the hidden layer, the output layer can be updated with new inputs independently of the hidden layer. We will compare our new approach with the much-used SVM method to validate and test our model in terms of classification accuracy.

Barry Drake, Tiffany Huang, Cari Cistola

Cultural Factors in Cybersecurity

Frontmatter
Assessing Aptitude and Talent for Cyber Operations

In a world of rapidly evolving technology, it is an increasingly complex task to protect the integrity of information and security of infrastructural systems. Doing so demands a skilled workforce, which can only be assured with careful testing and selection of cyber operations specialists. We are conducting research to develop a cyber aptitude testing battery to improve selection and placement processes, but one of the biggest challenges lies in concisely characterizing the space of work roles. In this paper, we review some prior approaches to defining cyber work roles and describe our current approach to doing so at a more detailed level.

Lelyn D. Saner, Susan Campbell, Petra Bradley, Erica Michael, Nicholas Pandza, Michael Bunting
Computer Programming as a Second Language

Programming languages are indisputably different from natural languages. Natural languages are communicative in both oral and visual modalities and have thousands of unique lexical items, whereas programming languages may rely on only a few hundred lexical items and are solely practiced in the visual modality. Nonetheless, the two share similar properties like lexical items, syntactic structures, rules of discourse, productivity, and recursion. Previous research on the topic of second language acquisition (SLA) principles applied to programming language learning (PLL) is limited, but finds common ground. One promising crossover area is transfer, a strand of research in SLA on the influence of previously learned language(s) in the learning of an additional language. This review of the literature will focus on parallels between these research areas and discuss potential avenues for future research in PLL, including cross-training: leveraging the experience of learning one programming language for learning an additional programming language.

Nick B. Pandža
Metadata
Title
Advances in Human Factors in Cybersecurity
edited by
Denise Nicholson
Copyright year
2016
Electronic ISBN
978-3-319-41932-9
Print ISBN
978-3-319-41931-2
DOI
https://doi.org/10.1007/978-3-319-41932-9