2018 | Book

Advances in Human Factors in Cybersecurity

Proceedings of the AHFE 2017 International Conference on Human Factors in Cybersecurity, July 17−21, 2017, The Westin Bonaventure Hotel, Los Angeles, California, USA

About this book

This book reports on the latest research and developments in the field of cybersecurity, placing special emphasis on personal security and new methods for reducing human error and increasing cyber awareness, as well as innovative solutions for increasing the security of advanced Information Technology (IT) infrastructures. It covers a broad range of topics, including methods for human training; novel Cyber-Physical and Process-Control Systems; social, economic, and behavioral aspects of cyberspace; issues concerning the cybersecurity index; security metrics for enterprises; risk evaluation, and many others. Based on the AHFE 2017 International Conference on Human Factors in Cybersecurity, held on July 17–21, 2017, in Los Angeles, California, USA, the book not only presents innovative cybersecurity technologies, but also discusses emerging threats, current gaps in the available systems, and future challenges that may be successfully overcome with the help of human factors research.

Table of Contents

Frontmatter

Cybersecurity Tools and Analytics

Frontmatter
Cybersecurity Management Through Logging Analytics
Abstract
To make cybersecurity efforts proactive rather than solely reactive, this work proposes using machine learning to process large network related data: We collect various performance metrics in a network and use machine learning techniques to identify anomalous behavior. We introduce the novel idea of using weighted trust to prevent corruption of classifiers. Our design combines all aspects of a log management system into one distributed application for a data center to effectively offer logging, aggregation, monitoring and intelligence services. For this, we employ a three-component log management system: (1) to actively extract metrics from machines, (2) to aggregate and analyze extracted metrics to detect anomalous behavior, and (3) to allow reviewing collected metrics and to report on anomalous behavior observed. Our system runs at network and application layers and is concerned with risk mitigation and assessment. Several machine learning techniques are compared w.r.t. their classification, as well as detection performances.
Michael Muggler, Rekha Eshwarappa, Ebru Celikel Cankaya
Adaptive Weak Secrets for Authenticated Key Exchange
Abstract
This paper describes biometric-based cryptographic techniques that use weak secrets to provide strong, multi-factor and mutual authentication, and establish secure channels for subsequent communications. These techniques rely on lightweight cryptographic algorithms for confidential information exchange. Lightweight algorithms are suitable for use in resource constrained environments such as the Internet of Things where implementations require efficient execution, limited access to memory and small code size. Password Authenticated Key Exchange, and Biometric Authenticated Key Exchange protocols based on user knowledge extracted from biometric sensor data, both rely on weak secrets. These secrets are shared between a client and an access controlled server, and used as inputs to Diffie-Hellman key establishment schemes. Diffie-Hellman provides forward secrecy, prevents user credentials from being exposed during identity authentication attempts, and thwarts man-in-the-middle and phishing attacks. This paper describes the operation of these protocols using an adaptive knowledge substitution process that frequently modifies the weak secrets used for protocol operation without requiring disruptive user password changes. The password substitution strings used to implement this process can be far longer and more complex than the weak secrets people can easily memorize. The process described in this paper allows people with diverse abilities to use simple, easily recalled, quickly entered passwords and still benefit from the strength of long, complex strings when operating cryptographic protocols.
Phillip H. Griffin
Internet of Things and Distributed Denial of Service Mitigation
Abstract
Concerns about security on the Internet of Things (IoT) cover data privacy and integrity, access control and availability. IoT abuse in distributed denial of service (DDoS) attacks is a major issue, as the limited computing, communications, and power resources of typical IoT devices are prioritised in implementing functionality rather than security features. Incidents involving attacks have been reported, but without clear characterisation and evaluation of threats and impacts. The main purpose of this work is to mitigate DDoS attacks against the IoT, by studying new technologies and identifying possible vulnerabilities and potential malicious uses, and building protections against them. The simulation results show that the proposed scheme is effective in mitigating DDoS attacks on IoT.
Mohammed AlSaudi Ali, Dyaa Motawa, Fahad Al-Harby
Eye Tracking Graphical Passwords
Abstract
In this paper, we investigate the cognitive process behind graphical password selection by using eye-tracking. The goal of the study is to discover how users perceive and react to graphical authentication during graphical password selection, which is valuable for improving the design concepts in novel authentication mechanisms. As a result, we present the initial results of the study noting cognitive differences based on gender, and we define user profiles for enrolment and authentication processes.
Martin Mihajlov, Borka Jerman-Blazic
Understanding and Discovering SQL Injection Vulnerabilities
Abstract
The Internet has become very important today and a large part of everyday life, so it is vital to focus on security for web applications and mobile services, so as to protect electronic commerce, electronic government, social media and all electronic services that transfer information through it. News reports of attacks on services are frequent. Hackers use vulnerabilities in software or hardware to destroy services, and one of the common vulnerabilities is SQL injection. This vulnerability comes down to poor coding practices of junior programmers writing SQL dynamics at the back end. This paper creates a case study that considers two scenarios using ASP.NET 2015 and SQL Server 2014. In the first scenario, we check whether SQL injection exists or not, then make an SQL injection from the front end and add it to the SQL statement that exists at the back end. Then we hack the website. In the second scenario, we attempt to create a solution to protect this website. The research paper confirms that SQL injection already exists in ASP.NET 2015 (web form) and SQL Server 2014.
Abdullaziz A. Sarhan, Shehab A. Farhan, Fahad M. Al-Harby
Grid Framework to Address Password Memorability Issues and Offline Password Attacks
Abstract
Passwords today are the most widely used form of authentication, yet have significant issues in regards to security due to human memorability limitations. Inability to remember strong passwords causes users generally to only satisfy the bare minimum requirements during an enrollment process. Users having weak passwords are vulnerable to offline password attacks, where an adversary iteratively guesses the victim’s password and tests for correctness. In this paper, we introduce a new password scheme, Grid framework, that takes advantage of current encryption technologies and reduces the user’s effort to create a strong password. The Grid Framework scheme translates an easy-to-remember sequence on a grid into a complex password consisting of randomly selected uppercase, lowercase, numeric, and special symbols with a minimum length of eighteen characters that the user is not required to memorize. The Grid Framework results in a system that increases memorability for secure authentication.
Paul Biocco, Mohd Anwar
Cryptanalysis and Improvement of an Advanced Anonymous and Biometrics-Based Multi-server Authentication Scheme Using Smart Cards
Abstract
In a conventional single-server environment, a user must register to every server if he/she wants to access numerous network services. It is exceedingly hard for users to generate different robust passwords and remember them with corresponding identities. To solve this problem, many multi-server authentication schemes have been proposed in recent years. In 2017, Chang et al. improved Chuang and Chen’s scheme, arguing that their scheme provides higher security and practicability. However, we demonstrate that Chang et al.’s scheme is still vulnerable to outsider attack and session key derived attack. In addition, we also find that both a malicious user and a server can carry out a user impersonation attack in their scheme. In this paper, we propose a new biometrics-based authentication scheme that is suitable for use in a multi-server environment. Finally, we show that the proposed scheme improves on the level of security in comparison with related schemes.
Chunyi Quan, Hakjun Lee, Dongwoo Kang, Jiye Kim, Seokhyang Cho, Dongho Won
Cryptanalysis of Chaos-Based 2-Party Key Agreement Protocol with Provable Security
Abstract
In a public communication environment, a remote user authentication scheme for establishing a secure session between a user and a server is a very important factor. Authentication schemes, which originate from a password-based authentication scheme, apply some mathematical algorithms to securely share session keys between users and servers. In a remote user authentication scheme, safety is a very important factor, but it is also important to reduce computational cost. Therefore, even if a mathematical algorithm is applied, it is necessary to select an algorithm that consumes a small amount of computation. Recently, Luo et al. proposed a chaos-based two-party key exchange protocol and claimed that the proposed scheme solved the off-line password guessing attack and was safe from other common attacks. They used Chebyshev chaotic maps. This algorithm is used in many authentication schemes because it consumes a small amount of computation. However, we find that Luo et al.’s scheme is still insecure. In this paper, we show the problems of Chebyshev chaotic maps and demonstrate how an attacker can attempt some attacks.
Jongho Moon, Taeui Song, Donghoon Lee, Youngsook Lee, Dongho Won
Cryptanalysis of Lightweight User Authentication Scheme Using Smartcard
Abstract
The mobile device market has grown rapidly, and as the internet becomes available wirelessly, it offers a variety of services to people such as browsing, file sharing, and shopping anytime and anywhere. At the same time, the smartcard has become a beneficial tool because of its convenience and light weight. As smartcards become commercially available, smartcard-based authentication schemes are also being actively researched. In 2016, Ahmed et al. proposed a lightweight communication overhead authentication scheme with smartcard. Ahmed et al. argued that the scheme they proposed was lightweight compared to other previously well-known schemes, safe from multiple attacks, and satisfied multiple security features. However, we found that Ahmed et al.’s scheme also showed weaknesses and that the scheme’s progress was incomplete. In this paper, we briefly introduce Ahmed et al.’s scheme and demonstrate that their scheme is still unstable to apply to a user authentication environment using smartcard.
Dongwoo Kang, Jaewook Jung, Hyungkyu Yang, Younsung Choi, Dongho Won

Cybersecurity Interface and Metrics

Frontmatter
Modeling, Analysis and Control of Personal Data to Ensure Data Privacy – A Use Case Driven Approach
Abstract
Compliance with data protection and privacy regulations such as the European General Data Protection Regulation (GDPR) is a challenging task for companies with complex IT landscapes. Current approaches lack technical integration with enterprise software systems and therefore require considerable manual effort to keep permissions and retention of data in line with data protection and privacy requirements. We propose an integrated information model to link data privacy requirements with software systems, modules and data to address this problem with the help of Information Lifecycle Management (ILM) functionality. The approach is illustrated with a use case of the compliant deletion of employee data upon fulfillment of the stated purpose.
Christian Zinke, Jürgen Anke, Kyrill Meyer, Johannes Schmidt
Exploring the Discoverability of Personal Data Used for Authentication
Abstract
The antinomic proposition of usable system authentication, an easily remembered and usable scheme for the proper user which is simultaneously unknown and unusable to any other entity, historically proves to be an elusive goal. While alternative propositions for authentication protocols are numerous, lacking in literature is foundational work directly relating potential authenticators with the discoverability of personal data online. This work presents a brief but foundational analysis of authentication and the connection between the authentication protocols and the inevitability of the introduction of personal data to the protocol to improve usability, particularly with regard to password based authentication. We investigate the discoverability, particularly whether another human, unacquainted with a specific individual, is able to purposefully find particular personal data commonly used in authentication protocols. In the study, five participants were asked to search for specific personal data regarding a sixth participant. Analysis of the results reveals consistent patterns in the personal data discovered by users. Analysis of discovered data lays a foundation for the improvement of current authentication systems as well as providing a proof of concept for the methodology and application recommendations to guide the creation of password alternatives with a goal towards the creation of usable, secure authentication systems.
Kirsten E. Richards, Anthony F. Norcio
Human Centric Security and Privacy for the IoT Using Formal Techniques
Abstract
In this paper, we summarize a new approach to make security and privacy issues in the Internet of Things (IoT) more transparent for vulnerable users. As a pilot project, we investigate monitoring of Alzheimer’s patients for a low-cost early warning system based on bio-markers supported with smart technologies. To provide trustworthy and secure IoT infrastructures, we employ formal methods and techniques that allow specification of IoT scenarios with human actors, refinement and analysis of attacks and generation of certified code for IoT component architectures.
Florian Kammüller
Feasibility of Leveraging an Adaptive Presentation Layer for Cyber Security Visualizations
Abstract
The balance between end user and software engineer is important to the usage and development of software. Finding this balance, in which the end user can access needed information without overly complicated displays or a time-consuming labyrinth of clicks, and the engineer can implement the display concisely, is difficult. Typically, end users desire complex displays that allow for fluid movement to the answers they need. However, accomplishing this can be time consuming for the engineer because complex displays require hard-coded GUIs. Depending on the number of unique end users, these issues can multiply because every user role could need a unique, complex display that will require hard coding from the engineer. However, through the usage of the Service Oriented Architecture (SOA) a solution may exist. This architectural style has been leveraged in developing an “adaptive presentation layer” pattern that allows for complex GUIs to be derived without the need of hard coding. This solution was developed for a domain that needed role specific information for map clients; however, other user interface clients have not been applied to this pattern. Therefore, to examine the viability of this solution, it must be applied in other domains using various UI clients. The cyber security domain provides a suitable platform to research this solution because of the necessity to monitor several entities of data concurrently and ensure that those monitoring the data can quickly attain the needed information. A successful implementation could provide a viable solution in the development of future cyber security interfaces.
Lauren Massey, Remzi Seker, Denise Nicholson

Human Factors in Cyber-Warfare

Frontmatter
Interacting with Synthetic Teammates in Cyberspace
Abstract
This paper explores the interaction of humans and autonomous, intelligent agents working together as teammates in cyberspace operations. Though much research has investigated human-machine teams in domains such as robotics, there is a dearth of research into human-agent dynamics in cyberspace operations. Some challenges are similar, such as trust between human and agent. Other challenges, such as representation and interface, are unique to cyberspace given that topological, logical, and temporal relationships are first class constructs with different semantic interpretations from their counterpart visual and spatial representations that are prevalent in physical domains. These challenges arise as the software behaves less like a tool and increasingly becomes more like a synthetic teammate.
Scott D. Lathrop
Valuing Information Security from a Phishing Attack
Abstract
In most cyber security contexts, users need to make trade-offs for information security. This research examined this issue by quantifying the relative value of information security within a value system that comprises multiple conflicting objectives. Using this quantification as a platform, this research also examined the effect of different usage contexts on information security concern. Users were asked to indicate how much loss in productivity and time, and how much more money they were willing to incur to acquire an effective phishing filter. The results indicated that users prioritize productivity and time over information security while there was much more heterogeneity in the concern about cost. The value of information security was insignificantly different across different usage contexts. The relative value of information security was found to be predictive of self-reported online security behaviors. These results offer valuable implications for the design of a more usable information security system.
Kenneth D. Nguyen, Heather Rosoff, Richard S. John
Event Detection Based on Nonnegative Matrix Factorization: Ceasefire Violation, Environmental, and Malware Events
Abstract
Event detection is a very important problem across many domains and is broadly applicable, encompassing many disciplines within engineering systems. In this paper, we focus on improving the user’s ability to quickly identify threat events such as malware, military policy violations, and natural environmental disasters. The information to perform these detections is extracted from text data sets in the latter two cases. Malware threats are important as they compromise computer system integrity and potentially allow the collection of sensitive information. Military policy violations such as ceasefire policies are important to monitor as they disrupt the daily lives of many people within countries that are torn apart by social violence or civil war. The threat of environmental disasters takes many forms and is an ever-present danger worldwide, and indiscriminate regarding who is harmed or killed. In this paper, we address all three of these threat event types using the same underlying technology for mining the information that leads to detecting such events. We approach malware event detection as a binary classification problem, i.e., one class for the threat mode and another for non-threat mode. We extend our novel classifier utilizing constrained low rank approximation as the core algorithm innovation and apply our Nonnegative Generalized Moody-Darken Architecture (NGMDA) hybrid method using various combinations of input and output layer algorithms. The new algorithm uses a nonconvex optimization problem via the nonnegative matrix factorization (NMF) for the hidden layer of a single layer perceptron and a nonnegative constrained adaptive filter for the output layer estimator. We first show the utility of the core NMF technology for both ceasefire violation and environmental disaster event detection. Next NGMDA is applied to the problem of malware threat events, again based on the NMF as the core computational tool.
Also, we demonstrate that an algorithm should be appropriately selected for the data generation process. All this has critical implications for design of solutions for important threat/event detection scenarios. Lastly, we present experimental results on foreign language text for ceasefire violation and environmental disaster events. Experimental results on a KDD competition data set for malware classification are presented using our new NGMDA classifier.
Barry Drake, Tiffany Huang, Ashley Beavers, Rundong Du, Haesun Park

Human Dimension and Visualization for Cybersecurity

Frontmatter
Human Behavior Analytics from Microworlds: The Cyber Security Game
Abstract
Games viewed as socio-technical representations of real world system-of-systems may turn into Microworld research tools to monitor human dynamic decision making. In this paper we illustrate the potential of this methodology focusing on a Cyber Security Dilemma game, and various player models that we can elucidate from them at individual and aggregated levels.
Johan de Heer, Paul Porskamp
Culture + Cyber: Exploring the Relationship
Abstract
Distinguished social psychologist Geert Hofstede observed, “This dominance of technology over culture is an illusion. The software of the machines may be globalized, but the software of the minds that use them is not.” The role of culture in the thought process is so prevalent, yet unstated, that many cultural beliefs and biases are accepted as truths. Cultural beliefs and biases are incorporated into the thought process where they reveal themselves in patterns of thought. Once the thought patterns are established they may be observed in the digital trail that results from online interactions. Once captured online, the behaviors can be reviewed and examined in multiple ways so that researchers can gain new insights.
Historically, observations have taken place in the physical environment; this talk discusses findings of cultural markers in the cyber realm. The results of evidence-based research exploring the relationship between national culture and cyber behaviors will be discussed. These quantitative, observational studies were the result of researchers mining the raw website defacements found in the Zone-H archives containing over 10 million records. Mining the dataset and evaluating the findings within Hofstede’s cultural framework allowed for research into behaviors, preferences, reasons, imaging, sentiment analysis, and various other aspects of attacker and victim cybersecurity actors. The use of Hofstede’s six dimensional cultural framework to define culture, along with some basic inferential statistics, resulted in specific digital identifiers that were associated with specific cultural dimensions. Over time findings can be trended, allowing for more accurate modeling of cyber actors based on cultural values. The results supported Nisbett’s observation that people “think the way they do because of the nature of the societies they live in”.
This discussion centers on the six dimensions of culture, the values associated with each dimension, and examples of those values in cyber space for victims, attackers and defenders. The six cultural dimensions measure views on self-determination, collectivism, aggression, nurturing, uncertain outcomes, holism, instant gratification, and levels of societal openness. The behavioral traits that associate with the cultural values are behavioural traits that are consistent with cyber behaviors.
Cultural values provide context for individual behaviors by determining the norm for a group. Thus, behavior that may seem perfectly normal in one environment may stand out as odd in a different environment. Cultural differences have been historically used to model adversaries in the kinetic world. Moving this analysis into the cyber realm offers the potential to gain greater insights into all cyber actors.
Char Sample, Jennifer Cowley, Steve Hutchinson, Jonathan Bakdash
Exploring 3D Cybersecurity Visualization with the Microsoft HoloLens
Abstract
We describe the novel use of the Microsoft HoloLens to assist human operators with computer network operations tasks. We created three applications to explore how the HoloLens may aid cybersecurity practitioners. First, we developed a 3D network visualizer that displays network topologies in varying levels of detail, ranging from a global perspective down to specific properties of individual nodes. The user navigates through the topology views using hand gestures while responding to simulated alarm conditions on specific nodes. Second, we developed an application that simulates a “capture the flag” exercise. Third, we developed an application to test network connectivity. We discuss the benefits, challenges, and lessons learned from developing mixed-reality applications for computer network operations. We also discuss ideas for further development in this area.
Steve Beitzel, Josiah Dykstra, Paul Toliver, Jason Youzwak

Cybersecurity Training and Education

Frontmatter
Humans as the Strong Link in Securing the Total Learning Architecture
Abstract
This paper describes a proposed approach, centered on human factors, for securing the Total Learning Architecture (TLA). The TLA, which is being developed for the United States Department of Defense, will rely on large stores of personal data that could be targeted by sophisticated adversaries. We describe the TLA and its envisioned users at a fairly high level before describing expected classes of attacks against it. We then examine existing and proposed controls that, if properly managed, should allow users and service providers to significantly reduce the risks to the system.
Fernando Maymí, Angela Woods, Jeremiah Folsom-Kovarik
A Team-Level Perspective of Human Factors in Cyber Security: Security Operations Centers
Abstract
The paper aims to establish a research framework encompassing various fields of interest that have not been linked previously: information security, computer supported collaborative work (CSCW), and team cognition in high-risk situations. Where they meet in practice are the Security Operations Centers (SOCs). These security organization units rely on the teamwork of experts, who collaborate under high time pressure. They must react as fast as possible to protect the enterprise assets and data. To understand and support their work, research should focus on them as a team. We highlight perspectives for understanding teamwork in SOCs.
Balázs Péter Hámornik, Csaba Krasznay
Utilizing Chatbots to Increase the Efficacy of Information Security Practitioners
Abstract
Almost every day, the world hears about a new information security breach. In many cases, this is due to the vast quantity of data generated across millions of connected devices with little insight, and the amount of work that information security practitioners must do to make sense of it all. The lack of skilled information security resources doesn’t help. Different approaches are being attempted to fix these issues. However, many approaches are neither cost-effective nor scalable. One potential approach, which is both cost-effective and scalable, is the utilization of chatbots. In this paper, the authors focus on ways in which chatbots can assist information security practitioners, such as security analysts and pentesters, beyond the current human-before-support philosophy. Scenarios include investigations of potentially malicious behavior and team pentest projects, each of which explores how a chatbot might allow the relevant type of information security practitioner to be far more effective and efficient.
Saurabh Dutta, Ger Joyce, Jay Brewer
Understanding Human Factors in Cyber Security as a Dynamic System
Abstract
The perspective of human factors is largely missing from the wider cyber security dialogue and its scope is often limited. We propose a framework in which we consider cyber security as a state of a system. System change is brought on by an entity’s behavior. Interventions are ways of changing entities’ behavior to inhibit undesirable behavior and increase desirable behavior. Choosing an intervention should take into account the dynamic nature of how humans use cyberspace. People are not likely to change old behavior at the drop of a hat. The key is to invent new ways to maintain old behavior in new circumstances. Our framework differentiates three basic pathways of actor behavior that influence the cyber security of a system. The distinction between reflex, habit and thoughtful paths to action does facilitate the endeavor to develop successful interventions.
Heather Young, Tony van Vliet, Josine van de Ven, Steven Jol, Carlijn Broekman

Privacy and Cultural Factors in Cybersecurity

Frontmatter
Preserving Dignity, Maintaining Security and Acting Ethically
Abstract
Humans design, operate and are the net beneficiaries of most systems. However humans are fallible and make mistakes. At the same time humans are adaptable and resourceful in both designing systems and correcting them when they go wrong. In contrast machines have in the main been designed to follow rules and are often constrained to produce the same output for the same input over and over again. Ethical decisions require that different outputs arise from apparently identical appearing inputs as the wider context for the decision has changed. Humans make ethical decisions almost automatically but as we move towards an increasingly machine led society those aspects of dignity, ethics and security which are managed by humans will be addressed by machines. The aim of this paper is to give an overview of the state of the art in security standardization in machine to machine and IoT systems, for the use cases of eHealth and autonomous transport systems, in order to outline the new ethics and security challenges of the machine led society. This will consider progress being made in standards towards the ideal of each of a Secure and Privacy Preserving Turing Machine and of an Ethical Turing Machine.
Scott Cadzow
Human Factors in Information Security Culture: A Literature Review
Abstract
Information security programs are instituted by organizations to provide guidance to their users who handle their data and systems. The main goal of these programs is to foster a positive information security culture within the organization. In this study, we present a literature review on information security culture by outlining the factors that contribute to the security culture of an organization and developing a framework from the synthesized research. The findings in this review can be used to further research in information security culture and can help organizations develop and improve their information security programs.
Henry W. Glaspie, Waldemar Karwowski
The Gender Turing Test
Abstract
In our Behavioral Cybersecurity course at Howard University last spring (2016), students for their final exam were asked to write an opinion on the following question: “We know, in general in the US as well as at Howard, that only about 20% of Computer Science majors are female. Furthermore, of those CS students choosing to concentrate in Cybersecurity, fewer than 10% are female. Can you suggest any reason or reasons that so many fewer female computer scientists choose Cybersecurity?” In the course of reviewing the answers, it became clear that the challenge of determining the gender of the writer was a difficult problem. To that end, a sample of approximately 50 readers have analyzed the students’ texts and tried to determine the gender of the writers. The distribution of answers, to be presented in the full paper, has provided interesting options for further development of this research. In some aspects, the challenge of determining gender from a source absent of physical signals is similar to the challenge of the original Turing Test, which Turing formulated in order to present the challenge of determining whether or not machines could be said to possess intelligence.
Wayne Patterson, Jacari Boboye, Sidney Hall, Maalik Hornbuckle
Do You Really Trust “Privacy Policy” or “Terms of Use” Agreements Without Reading Them?
Abstract
An online survey was administered to college students asking them whether they read the terms of use and privacy policy when using services or applications, and if not, why. It also asked whether, when apps request access to their location, contacts, or camera, the students allow access or not, due to security concerns. One hundred and seventy students completed the survey. Results suggest that 62% of participants “Agree” to not reading the terms of use or privacy policies, with the most common explanation being that the text is “too long.” For the question “Have you ever rejected a mobile app request for accessing your contacts, camera or location?” the answers are more encouraging. Ninety-two percent of those surveyed answered “Yes,” they have rejected access if they believe the app does not need to access the camera or contacts.
Abbas Moallem
Users’ Attitudes Towards the “Going Dark” Debate
Abstract
This study sought to investigate the attitudes and behavior of people toward the issue of privacy and national security. The online survey was administered to 243 online users. Participants were randomly assigned to evaluate three statements, namely, “Citizen Privacy takes precedence over national security,” “Governments should have access to all encrypted data,” and “Individual privacy is a human right.” For each statement, we measured participants’ level of agreement using a 5-point Likert scale. Using a one-way analysis of variance (ANOVA), we examined whether privacy attitudes differed among user characteristics such as gender, religious belief, field of study and educational level. The results showed that most people have a negative attitude toward government access to private data, but this view is divided along religious belief, gender and field of study.
Aseel Addawood, Yixin Zou, Masooda Bashir
Identifying Relevance of Security, Privacy, Trust, and Adoption Dimensions Concerning Cloud Computing Applications Employed in Educational Settings
Abstract
Cloud computing applications are nowadays commonly used in various aspects of human endeavour, and education is no exception. Although cloud computing applications bring numerous advantages, their adoption could be significantly reduced due to users’ concerns related to security, privacy, and trust. This paper introduces a research framework that captures the essence of security, privacy, trust, and adoption in the context of cloud computing applications when used in an educational environment. Drawing on an extensive literature review, a finite set of items was determined and consequently employed for the design of the measuring instrument in the form of a post-use questionnaire. With an aim to examine psychometric features of the measuring instrument, an empirical study was carried out. Participants in the study were students from two higher education institutions who employed cloud-based applications for the purpose of creating, sharing, and organizing educational artefacts. Study findings helped us determine the relevance of security, privacy, trust, and adoption dimensions in the context of cloud computing applications as perceived by users who apply them for educational purposes.
Tihomir Orehovački, Snježana Babić, Darko Etinger
Backmatter
Metadata
Title
Advances in Human Factors in Cybersecurity
Editor
Denise Nicholson
Copyright Year
2018
Electronic ISBN
978-3-319-60585-2
Print ISBN
978-3-319-60584-5
DOI
https://doi.org/10.1007/978-3-319-60585-2
