
Proceedings of the 16th International Conference on Availability, Reliability and Security: Latest Papers

TPM-Based Post-Quantum Cryptography: A Case Study on Quantum-Resistant and Mutually Authenticated TLS for IoT Environments
Sebastian Paul, Felix Schick, J. Seedorf
The prospect of large-scale quantum computers necessitates the design, development, and standardization of post-quantum cryptography (PQC). Industrial control systems (ICS) and critical infrastructures are expected to be among the first industrial environments to adopt PQC. As their components have a long life span (≥ 10 years) and are increasingly interconnected to form an Industrial Internet of Things (IIoT), they require strong and long-lasting security guarantees. Because of these high-security requirements, IIoT products are also increasingly equipped with additional hardware security elements — often Trusted Platform Modules (TPMs). In this work, we study how the current TPM 2.0 specification can supplement the migration towards PQC. Therefore, we integrate the post-quantum (PQ) key exchange CRYSTALS-Kyber, the post-quantum signature scheme SPHINCS, and TPM functionality into the open-source TLS library Mbed TLS. For our performance evaluations we propose three post-quantum TLS cipher suites alongside two different TPM utilization strategies. We report the standalone performance of the aforementioned post-quantum schemes under our proposed TPM utilizations and compare it to current elliptic curve cryptography (ECC). Finally, we report the handshake duration of post-quantum and mutually authenticated TLS (mTLS) connections for our proposed cipher suites with regard to the different TPM utilization scenarios. Our results show that the integration of PQC into mTLS is generally feasible, thus ensuring additional post-quantum client authentication. Regarding our TPM utilizations, we observe a significant decrease in performance when offloading computations of hash functions. However, offloading the generation of random numbers to TPMs in our integrated post-quantum schemes proves to be efficient, ultimately enhancing overall system security.
DOI: https://doi.org/10.1145/3465481.3465747 (published 2021-08-16)
Citations: 8
Practitioners’ Views on Cybersecurity Control Adoption and Effectiveness
Louise Axon, Arnau Erola, Alastair Janse van Rensburg, Jason R. C. Nurse, M. Goldsmith, S. Creese
Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture is challenging, yet without this understanding there is a risk of implementing inefficient or even harmful security practices. There is a critical need to comprehend the value of controls in reducing cyber-risk exposure in various organisational contexts, and the factors affecting their usage. Such information is important for research into cybersecurity risk and defences, for supporting cybersecurity decisions within organisations, and for external parties guiding cybersecurity practice such as standards bodies and cyber-insurance companies. Cybersecurity practitioners possess a wealth of field knowledge in this area, yet there has been little academic work collecting and synthesising their views. In an attempt to highlight trends and a range of wider organisational factors that impact on a control’s effectiveness and deployment, we conduct a set of interviews exploring practitioners’ perceptions. We compare alignment with the recommendations of security standards and requirements of cyber-insurance policies to validate findings. Although still exploratory, we believe this methodology would help in identifying points of improvement in cybersecurity investment, describing specific potential benefits.
DOI: https://doi.org/10.1145/3465481.3470038 (published 2021-08-16)
Citations: 3
VTDroid: Value-based Tracking for Overcoming Anti-Taint-Analysis Techniques in Android Apps
Hiroki Inayoshi, S. Kakei, Eiji Takimoto, Koichi Mouri, S. Saito
Bytecode-level taint tracking discovers suspicious apps on the Android platform; however, malicious apps can bypass it by transferring information via system layers in Android. A context tainting countermeasure has been devised, but since it employs a list of flow-causing API methods, it will miss flows when unlisted methods are exploited and can also produce false positives. This paper presents a new taint-tracking technique operating value logging and matching based on the flows’ characteristics to detect such flows without relying on lists of API methods. We implemented it into our taint-tracking system called VTDroid and confirmed its effectiveness with our test suite. We also evaluated it with popular apps collected from Google Play. The results show that the precision of VTDroid is 37 points higher than that of context tainting.
DOI: https://doi.org/10.1145/3465481.3465759 (published 2021-08-16)
Citations: 3
Weaving a Faster Tor: A Multi-Threaded Relay Architecture for Improved Throughput
S. Engler, I. Goldberg
The Tor anonymity network has millions of daily users and thousands of volunteer-run relays. Increasing the number of Tor users will enhance the privacy of not just new users, but also existing users by increasing their anonymity sets. However, growing the network further has several research and deployment challenges. One such challenge is supporting the increase in bandwidth required by additional users joining the network. While adding more Tor relays to the network would increase the total available bandwidth, it requires network architecture changes to reduce the impact of Tor’s growing directory documents. In order to increase the total available network bandwidth without needing to grow Tor’s directory documents, this work provides a multi-threaded relay architecture designed to improve the throughput of individual multi-core relays with available network capacity. We built an implementation of a subset of this new design on top of the standard Tor code base to demonstrate the potential throughput improvements of this architecture on both high- and low-performance hardware.
DOI: https://doi.org/10.1145/3465481.3465745 (published 2021-08-16)
Citations: 1
Examining the Link Between Stress Level and Cybersecurity Practices of Hospital Staff in Indonesia
M. Fauzi, P. Yeng, Bian Yang, Dita Rachmayani
Since healthcare information systems have many important data that can attract many adversaries, it is important to take the right steps to prevent data breaches. Recent studies suggested that 85% of breaches involved a human element and the frequent patterns used are social engineering. Therefore, many studies focus on making a better understanding of human behavior in cybersecurity and the factors that affect cybersecurity practices. However, there are only a few peer-reviewed studies that focus on the link between stress level and cybersecurity practices. In this study, we examined the link between stress level and cybersecurity practices among hospital employees in Indonesia by surveying 99 hospital workers. Perceived Stress Scale (PSS) was used to measure the employees’ stress level and a new scale to measure hospital staff’s risky cybersecurity practices was proposed. This study showed that both PSS and proposed cybersecurity practices scales are reliable with Cronbach’s α value of more than 0.7. The survey results also revealed that hospital workers’ higher stress levels correlate significantly with riskier cybersecurity practices (rs = 0.305, p < 0.01). Besides, a higher stress level is also significantly linked to certain cybersecurity practices, such as clicking on a link in an email from an unknown sender, not preventing colleagues from viewing patients’ information for a non-therapeutic purpose, posting patient information on social media, ignoring colleagues who engage in negative information security practices, and failing to create strong passwords.
DOI: https://doi.org/10.1145/3465481.3470094 (published 2021-08-16)
Citations: 15
From Threat Data to Actionable Intelligence: An Exploratory Analysis of the Intelligence Cycle Implementation in Cyber Threat Intelligence Sharing Platforms
Clemens Sauerwein, D. Fischer, Milena Rubsamen, Guido Rosenberger, D. Stelzer, R. Breu
In the last couple of years, organizations have demonstrated an increasing willingness to share data, information and intelligence regarding emerging threats to collectively protect against today’s sophisticated cyber attacks. Accordingly, several vendors started to implement software solutions that facilitate this exchange and appear under the name cyber threat intelligence sharing platforms. However, recent investigations have shown that these platforms differ significantly in their functional scope and often only provide threat data instead of the promised actionable intelligence. Moreover, it is unclear to what extent the platforms implement the expected intelligence cycle processes. In order to close this gap, we investigate the state-of-the-art in scientific literature and analyze the functional scope of nine threat intelligence sharing platforms with respect to the intelligence cycle. Our study provides a comprehensive list of software functions that should be implemented by cyber threat intelligence sharing platforms in order to support the intelligence cycle to generate actionable threat intelligence.
DOI: https://doi.org/10.1145/3465481.3470048 (published 2021-08-16)
Citations: 6
Ontology-based Cyber Risk Monitoring Using Cyber Threat Intelligence
Yazid Merah, Tayeb Kenaza
Efficient cyber risk assessment needs to consider all security alerts provided by cybersecurity solutions deployed in a network. To build a reliable overview of cyber risk, there is a need to adopt continuous monitoring of emerged cyber threats related to that risk. Indeed, the integration of Cyber Threat Intelligence (CTI) into cybersecurity solutions provides valuable information about threats, targets, and potential vulnerabilities. Structured Threat Information eXpression (STIX), as a language for expressing information about cyber threats in a structured and unambiguous manner, is becoming a de facto standard for sharing information about cyber threats. In addition, ontology-based semantic knowledge modeling has become a promising solution that provides a machine-readable language for downstream work in cybersecurity problem-solving. In this paper, we propose an ontology using CTI for risk monitoring. The latter improves an existing ontology, originally proposed to be used within a SIEM (Security Information Event Management), by extending it and aligning it with the STIX concepts.
DOI: https://doi.org/10.1145/3465481.3470024 (published 2021-08-16)
Citations: 10
PUF-based Smart Tags for Supply Chain Management
A. Falcone, Carmelo Felicetti, A. Garro, Antonino Rullo, D. Saccá
Counterfeiting represents one of the most widespread phenomena at a global level that indiscriminately affects all product sectors, from fashion to food, from medicines to digital media. The fight against counterfeiting remains a significant challenge for industries. Most of the current supply chains rely on centralized authorities or intermediaries that are not sufficiently robust to guarantee anti-counterfeiting and traceability of goods. This paper aims at mitigating these issues by introducing a blockchain-based supply chain for traceability and anti-counterfeiting of goods through Physically Unclonable Function (PUF) and Elliptic-Curve Cryptography (ECC)-based devices, where goods are uniquely identified and tracked along the supply chain so as to trace and detect possible counterfeits. Moreover, the proposed blockchain-based supply chain is decentralized, highly available, and guarantees the integrity of the data stored in it. To assess the validity of the solution, two application scenarios have been defined, followed by a robustness analysis related to the individual parts that make up the solution.
DOI: https://doi.org/10.1145/3465481.3469195 (published 2021-08-16)
Citations: 3
Towards the Design of a Privacy-preserving Attribute Based Credentials-based Digital ID in Denmark – Usefulness, Barriers, and Recommendations
Mads Schaarup Andersen
In this paper, we explore why partial identity technologies such as privacy-preserving attribute based credentials (pABCs) have been around for a while without getting adopted in real life identity solutions and how we might design for such technologies. This is done by exploring whether this is perceived useful from the user as well as the service provider side through the design of a digital identity solution in Denmark. Two interview studies with three and 11 participants representing service providers and users, respectively, were carried out and a design for a digital identity solution was created. The results show that while there is a use for such technologies, there are certain issues that need to be considered. Based on the results, we present 8 design recommendations on implementing a digital identity solution based on pABCs. For future work, we suggest that these studies should be repeated in other national contexts to explore how general the results are.
DOI: https://doi.org/10.1145/3465481.3469211 (published 2021-08-16)
Citations: 0
Evaluating the Data Inconsistency of Open-Source Vulnerability Repositories
Yuning Jiang, M. Jeusfeld, Jianguo Ding
Modern security practices promote quantitative methods to provide prioritisation insights and support predictive analysis, which is supported by open-source cybersecurity databases such as the Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), CERT, and vendor websites. These public repositories provide a way to standardise and share up-to-date vulnerability information, with the purpose to enhance cybersecurity awareness. However, data quality issues of these vulnerability repositories may lead to incorrect prioritisation and misemployment of resources. In this paper, we aim to empirically analyse the data quality impact of vulnerability repositories for actual information technology (IT) and operating technology (OT) systems, especially on data inconsistency. Our case study shows that data inconsistency may misdirect investment of cybersecurity resources. Instead, correlated vulnerability repositories and trustworthiness data verification bring substantial benefits for vulnerability management.
DOI: https://doi.org/10.1145/3465481.3470093 (published 2021-08-16)
Citations: 7