Network games are commonly used to capture the strategic interactions among interconnected agents in simultaneous moves. The agents’ actions in a Nash equilibrium must take into account the mutual dependencies connecting them, which is typically obtained by solving a set of fixed point equations. Stackelberg games, on the other hand, model the sequential moves between agents that are categorized as leaders and followers. The corresponding solution concept, the subgame perfect equilibrium, is typically obtained using backward induction. Both game forms enjoy very wide use in the (cyber)security literature, the network game often as a template to study security investment and externality—also referred to as the interdependent security games—and the Stackelberg game as a formalism to model a variety of attacker–defender scenarios. In this study, we examine a model that combines both types of strategic reasoning: the interdependency as well as sequential moves. Specifically, we consider a scenario with a network of interconnected first movers (firms or defenders, whose security efforts and practices collectively determine the security posture of the eco-system) and one or more second movers, the attacker(s), who determine how much effort to exert on attacking the many potential targets. This gives rise to an equilibrium concept that embodies both types of equilibria mentioned above. We will examine how its existence and uniqueness conditions differ from that for a standard network game. Of particular interest are comparisons between the two game forms in terms of effort exerted by the defender(s) and the attacker(s), respectively, and the free-riding behavior among the defenders.
{"title":"Interdependent security games in the Stackelberg style: how first-mover advantage impacts free riding and security (under-)investment","authors":"Ziyuan Huang, Parinaz Naghizadeh, Mingyan Liu","doi":"10.1093/cybsec/tyae009","DOIUrl":"https://doi.org/10.1093/cybsec/tyae009","url":null,"abstract":"Network games are commonly used to capture the strategic interactions among interconnected agents in simultaneous moves. The agents’ actions in a Nash equilibrium must take into account the mutual dependencies connecting them, which is typically obtained by solving a set of fixed point equations. Stackelberg games, on the other hand, model the sequential moves between agents that are categorized as leaders and followers. The corresponding solution concept, the subgame perfect equilibrium, is typically obtained using backward induction. Both game forms enjoy very wide use in the (cyber)security literature, the network game often as a template to study security investment and externality—also referred to as the interdependent security games—and the Stackelberg game as a formalism to model a variety of attacker–defender scenarios. In this study, we examine a model that combines both types of strategic reasoning: the interdependency as well as sequential moves. Specifically, we consider a scenario with a network of interconnected first movers (firms or defenders, whose security efforts and practices collectively determine the security posture of the eco-system) and one or more second movers, the attacker(s), who determine how much effort to exert on attacking the many potential targets. This gives rise to an equilibrium concept that embodies both types of equilibria mentioned above. We will examine how its existence and uniqueness conditions differ from that for a standard network game. Of particular interest are comparisons between the two game forms in terms of effort exerted by the defender(s) and the attacker(s), respectively, and the free-riding behavior among the defenders.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141502761","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Albesë Demjaha, David Pym, Tristan Caulfield, Simon Parkin
Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.
越来越多的组织认识到人的因素在工作场所安全管理中的重要性。在管理安全基础设施方面存在着挑战,其中可能有中央授权和地方管理的措施来促进安全行为。我们在一所大型大学中采用了共同设计方法来协调员工行为和集中式安全管理。这包括通过共同设计方法进行的一轮又一轮的访谈,访谈对象包括:14 名处理高价值数据并有特殊安全需求的员工;7 名跨本地和中央 IT 及 IT 安全支持团队的支持人员;以及两名组织中的高级安全决策者。我们发现,员工更喜欢本地支持,以及确保他们行为安全的保证,而不是缺乏本地背景的精确指示。对了解本地需求的支持团队的信任也会提高员工的参与度,尤其是那些不知道该怎么做的员工。员工通过与支持人员的互动,以及看到同事在工作场所实施安全行为,就能理解政策。迭代式共同设计方法汇集了一系列员工群体和安全决策者的观点,抓住了推动安全工作实践的关键影响因素。我们提出了改进工作场所安全的建议,包括认识到政策沟通与政策内容同等重要。
{"title":"‘The trivial tickets build the trust’: a co-design approach to understanding security support interactions in a large university","authors":"Albesë Demjaha, David Pym, Tristan Caulfield, Simon Parkin","doi":"10.1093/cybsec/tyae007","DOIUrl":"https://doi.org/10.1093/cybsec/tyae007","url":null,"abstract":"Increasingly, organizations are acknowledging the importance of human factors in the management of security in workplaces. There are challenges in managing security infrastructures in which there may be centrally mandated and locally managed initiatives to promote secure behaviours. We apply a co-design methodology to harmonize employee behaviour and centralized security management in a large university. This involves iterative rounds of interviews connected by the co-design methodology: 14 employees working with high-value data with specific security needs; seven support staff across both local and central IT and IT-security support teams; and two senior security decision-makers in the organization. We find that employees prefer local support together with assurances that they are behaving securely, rather than precise instructions that lack local context. Trust in support teams that understand local needs also improves engagement, especially for employees who are unsure what to do. Policy is understood by employees through their interactions with support staff and when they see colleagues enacting secure behaviours in the workplace. The iterative co-design approach brings together the viewpoints of a range of employee groups and security decision-makers that capture key influences that drive secure working practices. We provide recommendations for improvements to workplace security, including recognizing that communication of the policy is as important as what is in the policy.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141502762","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Aviram Zrahia, Neil Gandal, Sarit Markovich, Michael Riordan
We first provide background on the “nuts and bolts” of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (“ethical” hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.
{"title":"The simple economics of an external shock to a bug bounty platform","authors":"Aviram Zrahia, Neil Gandal, Sarit Markovich, Michael Riordan","doi":"10.1093/cybsec/tyae006","DOIUrl":"https://doi.org/10.1093/cybsec/tyae006","url":null,"abstract":"We first provide background on the “nuts and bolts” of a bug bounty platform: a two-sided marketplace that connects firms and individual security researchers (“ethical” hackers) to facilitate the discovery of software vulnerabilities. Researchers get acknowledged for valid submissions, but only the first submission of a distinct vulnerability is rewarded money in this tournament-like setting. We then empirically examine the effect of an exogenous external shock (COVID-19) on Bugcrowd, one of the leading platforms. The shock presumably reduced the opportunity set for many security researchers who might have lost their jobs or been placed on a leave of absence. We show that the exogenous shock led to a huge rightward shift in the supply curve and increased the number of submissions and new researchers on the platform. During the COVID period, there was a significant growth in duplicate (already known) valid submissions, leading to a lower probability of winning a monetary reward. The supply increase resulted in a significant decline in the equilibrium price of valid submissions, mostly due to this duplicate submission supply-side effect. The results suggest that had there been a larger increase in the number of firms and bug bounty programs on the platform, many more unique software vulnerabilities could have been discovered.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140928704","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Serverless computing is an ever-growing programming paradigm being adopted by developers all over the world. Its highly scalable, automatic load balancing, and pay for what you use design is a powerful tool that can also greatly reduce operational costs. However, these advantages also leave serverless computing open to a unique threat, Denial-of-Wallet (DoW). It is the intentional targeting of serverless function endpoints with request traffic in order to artificially raise the usage bills for the application owner. A subset of these attacks are leeches. They perform DoW at a rate that could go undetected as it is not a sudden violent influx of requests. We devise a means of detecting such attacks by utilizing a novel approach of representing request traffic as heat maps and training an image classification algorithm to distinguish between normal and malicious traffic behaviour. Our classifier utilizes convolutional neural networks and achieves 97.98% accuracy. We then design a system for the implementation of this model that would allow application owners to monitor their traffic in real time for suspicious behaviour.
{"title":"DoWNet—classification of Denial-of-Wallet attacks on serverless application traffic","authors":"Daniel Kelly, Frank G Glavin, Enda Barrett","doi":"10.1093/cybsec/tyae004","DOIUrl":"https://doi.org/10.1093/cybsec/tyae004","url":null,"abstract":"Serverless computing is an ever-growing programming paradigm being adopted by developers all over the world. Its highly scalable, automatic load balancing, and pay for what you use design is a powerful tool that can also greatly reduce operational costs. However, these advantages also leave serverless computing open to a unique threat, Denial-of-Wallet (DoW). It is the intentional targeting of serverless function endpoints with request traffic in order to artificially raise the usage bills for the application owner. A subset of these attacks are leeches. They perform DoW at a rate that could go undetected as it is not a sudden violent influx of requests. We devise a means of detecting such attacks by utilizing a novel approach of representing request traffic as heat maps and training an image classification algorithm to distinguish between normal and malicious traffic behaviour. Our classifier utilizes convolutional neural networks and achieves 97.98% accuracy. We then design a system for the implementation of this model that would allow application owners to monitor their traffic in real time for suspicious behaviour.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140199772","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Efficient risk transfer is an important condition for ensuring the sustainability of a market according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardize the solvency of some market participants. The constantly evolving nature of cyber-threats and lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralized incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk tolerant capital.
{"title":"The barriers to sustainable risk transfer in the cyber-insurance market","authors":"Henry R K Skeoch, Christos Ioannidis","doi":"10.1093/cybsec/tyae003","DOIUrl":"https://doi.org/10.1093/cybsec/tyae003","url":null,"abstract":"Efficient risk transfer is an important condition for ensuring the sustainability of a market according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardize the solvency of some market participants. The constantly evolving nature of cyber-threats and lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralized incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk tolerant capital.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-02-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139945993","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Those charged with protecting the homeland through intelligence analysis, particularly in counterterrorism, must be capable of rapidly adopting innovative technologies to detect and prevent exploitation and disruption of vulnerable critical infrastructures. However, implementing these responses requires a highly skilled technical workforce that is continually provided with timely educational and training programs. Yet, questions remain regarding the technical aptitude necessary to respond to today’s terrorism threats and the Department of Homeland Security’s ability to provide consistent and rigorous standards for technology training and education. By surveying analysts, we examine what, if any, educational and training programs have been provided to adapt and remain technologically competitive and effectively utilize emerging technologies. We find a distinct need to focus on improvements that involve clarifying terms, building a technology and cybersecurity roadmap for analysts, allocating additional training time for employees, and building partnerships with private industry.
{"title":"Behind the curve: technology challenges facing the homeland intelligence and counterterrorism workforce","authors":"Michelle Black, Lana Obradovic, Deanna House","doi":"10.1093/cybsec/tyae002","DOIUrl":"https://doi.org/10.1093/cybsec/tyae002","url":null,"abstract":"Those charged with protecting the homeland through intelligence analysis, particularly in counterterrorism, must be capable of rapidly adopting innovative technologies to detect and prevent exploitation and disruption of vulnerable critical infrastructures. However, implementing these responses requires a highly skilled technical workforce that is continually provided with timely educational and training programs. Yet, questions remain regarding the technical aptitude necessary to respond to today’s terrorism threats and the Department of Homeland Security’s ability to provide consistent and rigorous standards for technology training and education. By surveying analysts, we examine what, if any, educational and training programs have been provided to adapt and remain technologically competitive and effectively utilize emerging technologies. We find a distinct need to focus on improvements that involve clarifying terms, building a technology and cybersecurity roadmap for analysts, allocating additional training time for employees, and building partnerships with private industry.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139773215","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This research examined the lives of Australian employees who moved to work from home during COVID-19. Taking a unique approach to cybersecurity, we sought to gain insights into the intermingling of individuals’ personal lives and technology to inform policies and educational programmes. The study employed interpretative phenomenological analysis to understand 27 participants’ lived experiences under lockdown. We found that psychological (e.g. stress, anxiety, confidence, motivation) and sociological (e.g. sharing physical spaces, digital divide) factors impacted employees’ likelihood and ability to engage in effective cybersecurity practices. So did new ways of using technology (e.g. teaching via Zoom), which elucidated unexpected but significant security concerns (e.g. naked children in virtual classrooms). We suggest that cyber educators and policymakers take a Vygotskian approach, which considers that social interaction is central to learning. This assumption means that personal factors must be considered instead of a ‘one-size-fits-all approach’. We argue that organizations should think about approaches that consider the employees’ psychological state before training (and perhaps find ways to reduce anxiety), helping employees redesign their home workspaces to ensure privacy and concentration, and updating employees’ digital devices. Practitioners and scholars can also apply these results post-COVID-19, especially if the ‘new working normal’ provides options for employees to work from home.
{"title":"Cybersecurity when working from home during COVID-19: considering the human factors","authors":"Monica T Whitty, Nour Moustafa, Marthie Grobler","doi":"10.1093/cybsec/tyae001","DOIUrl":"https://doi.org/10.1093/cybsec/tyae001","url":null,"abstract":"This research examined the lives of Australian employees who moved to work from home during COVID-19. Taking a unique approach to cybersecurity, we sought to gain insights into the intermingling of individuals’ personal lives and technology to inform policies and educational programmes. The study employed interpretative phenomenological analysis to understand 27 participants’ lived experiences under lockdown. We found that psychological (e.g. stress, anxiety, confidence, motivation) and sociological (e.g. sharing physical spaces, digital divide) factors impacted employees’ likelihood and ability to engage in effective cybersecurity practices. So did new ways of using technology (e.g. teaching via Zoom), which elucidated unexpected but significant security concerns (e.g. naked children in virtual classrooms). We suggest that cyber educators and policymakers take a Vygotskian approach, which considers that social interaction is central to learning. This assumption means that personal factors must be considered instead of a ‘one-size-fits-all approach’. We argue that organizations should think about approaches that consider the employees’ psychological state before training (and perhaps find ways to reduce anxiety), helping employees redesign their home workspaces to ensure privacy and concentration, and updating employees’ digital devices. Practitioners and scholars can also apply these results post-COVID-19, especially if the ‘new working normal’ provides options for employees to work from home.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139583452","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Nur Ilzam Che Mat, Norziana Jamil, Yunus Yusoff, Miss Laiha Mat Kiah
Advanced persistent threats (APTs) pose significant security-related challenges to organizations owing to their sophisticated and persistent nature, and are inimical to the confidentiality, integrity, and availability of organizational information and services. This study systematically reviews the literature on methods of detecting APTs by comprehensively surveying research in the area, identifying gaps in the relevant studies, and proposing directions for future work. The authors provide a detailed analysis of current methods of APT detection that are based on multi-stage attack-related behaviors. We adhered to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and conducted an extensive search of a variety of databases. A total of 45 studies, encompassing sources from both academia and the industry, were considered in the final analysis. The findings reveal that APTs have the capability to laterally propagate and achieve their objectives by identifying and exploiting existing systemic vulnerabilities. By identifying shortcomings in prevalent methods of APT detection, we propose integrating the multi-stage attack-related behaviors of APTs with the assessment of the presence of vulnerabilities in the network and their susceptibility to being exploited in order to improve the accuracy of their identification. Such an improved approach uses vulnerability scores and probability metrics to determine the probable sequence of targeted nodes, and visualizes the path of APT attacks. This technique of advanced detection enables the early identification of the most likely targets, which, in turn, allows for the implementation of proactive measures to prevent the network from being further compromised. The research here contributes to the literature by highlighting the importance of integrating multi-stage attack-related behaviors, vulnerability assessment, and techniques of visualization for APT detection to enhance the overall security of organizations.
{"title":"A systematic literature review on advanced persistent threat behaviors and its detection strategy","authors":"Nur Ilzam Che Mat, Norziana Jamil, Yunus Yusoff, Miss Laiha Mat Kiah","doi":"10.1093/cybsec/tyad023","DOIUrl":"https://doi.org/10.1093/cybsec/tyad023","url":null,"abstract":"Advanced persistent threats (APTs) pose significant security-related challenges to organizations owing to their sophisticated and persistent nature, and are inimical to the confidentiality, integrity, and availability of organizational information and services. This study systematically reviews the literature on methods of detecting APTs by comprehensively surveying research in the area, identifying gaps in the relevant studies, and proposing directions for future work. The authors provide a detailed analysis of current methods of APT detection that are based on multi-stage attack-related behaviors. We adhered to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and conducted an extensive search of a variety of databases. A total of 45 studies, encompassing sources from both academia and the industry, were considered in the final analysis. The findings reveal that APTs have the capability to laterally propagate and achieve their objectives by identifying and exploiting existing systemic vulnerabilities. By identifying shortcomings in prevalent methods of APT detection, we propose integrating the multi-stage attack-related behaviors of APTs with the assessment of the presence of vulnerabilities in the network and their susceptibility to being exploited in order to improve the accuracy of their identification. Such an improved approach uses vulnerability scores and probability metrics to determine the probable sequence of targeted nodes, and visualizes the path of APT attacks. This technique of advanced detection enables the early identification of the most likely targets, which, in turn, allows for the implementation of proactive measures to prevent the network from being further compromised. The research here contributes to the literature by highlighting the importance of integrating multi-stage attack-related behaviors, vulnerability assessment, and techniques of visualization for APT detection to enhance the overall security of organizations.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2024-01-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139373999","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
David Barrera, Christopher Bellman, Paul C van Oorschot
We carry out a detailed analysis of the security advice coding method (SAcoding) of Barrera et al., which is designed to analyze security advice in the sense of measuring actionability and categorizing advice items as practices, policies, principles, or outcomes. The main part of our analysis explores the extent to which a second coder’s assignment of codes to advice items agrees with that of a first, for a dataset of 1013 security advice items nominally addressing Internet of Things devices. More broadly, we seek a deeper understanding of the soundness and utility of the SAcoding method, and the degree to which it meets the design goal of reducing subjectivity in assigning codes to security advice items. Our analysis results in suggestions for modifications to the coding tree methodology, and some recommendations. We believe the coding tree approach may be of interest for analysis of qualitative data beyond security advice datasets alone.
{"title":"A close look at a systematic method for analyzing sets of security advice","authors":"David Barrera, Christopher Bellman, Paul C van Oorschot","doi":"10.1093/cybsec/tyad013","DOIUrl":"https://doi.org/10.1093/cybsec/tyad013","url":null,"abstract":"We carry out a detailed analysis of the security advice coding method (SAcoding) of Barrera et al., which is designed to analyze security advice in the sense of measuring actionability and categorizing advice items as practices, policies, principles, or outcomes. The main part of our analysis explores the extent to which a second coder’s assignment of codes to advice items agrees with that of a first, for a dataset of 1013 security advice items nominally addressing Internet of Things devices. More broadly, we seek a deeper understanding of the soundness and utility of the SAcoding method, and the degree to which it meets the design goal of reducing subjectivity in assigning codes to security advice items. Our analysis results in suggestions for modifications to the coding tree methodology, and some recommendations. We believe the coding tree approach may be of interest for analysis of qualitative data beyond security advice datasets alone.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2023-07-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138505420","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The rise of consumer encryption has led to a fierce debate over whether the loss of potential evidence due to encryption will be offset by the increase in evidence available from electronic metadata. One major question raised by this debate is how jurors will interpret and value metadata as opposed to content information. Though there are plausible arguments in favor of the persuasive power of each type of evidence, to date no empirical study has examined how ordinary people, potential jurors, view each of these sorts of evidence. We address this issue through a series of survey experiments that present respondents with hypothetical criminal trials, randomly assigning them to descriptions featuring either metadata or content information. These studies show that the relative power of content and metadata information is highly contextual. Content information and metadata can be equally useful when conveying logically equivalent information. However, content information may be more persuasive where the defendant’s state of mind is critical, while metadata can more convincingly establish a pattern of behavior. This suggests that the rise of encryption will have a heterogeneous effect on criminal cases, with the direction of the effect depending on the facts that the prosecution must prove.
{"title":"Juror interpretations of metadata and content information: implications for the going dark debate","authors":"Anne E Boustead, Matthew B Kugler","doi":"10.1093/cybsec/tyad002","DOIUrl":"https://doi.org/10.1093/cybsec/tyad002","url":null,"abstract":"The rise of consumer encryption has led to a fierce debate over whether the loss of potential evidence due to encryption will be offset by the increase in evidence available from electronic metadata. One major question raised by this debate is how jurors will interpret and value metadata as opposed to content information. Though there are plausible arguments in favor of the persuasive power of each type of evidence, to date no empirical study has examined how ordinary people, potential jurors, view each of these sorts of evidence. We address this issue through a series of survey experiments that present respondents with hypothetical criminal trials, randomly assigning them to descriptions featuring either metadata or content information. These studies show that the relative power of content and metadata information is highly contextual. Content information and metadata can be equally useful when conveying logically equivalent information. However, content information may be more persuasive where the defendant’s state of mind is critical, while metadata can more convincingly establish a pattern of behavior. This suggests that the rise of encryption will have a heterogeneous effect on criminal cases, with the direction of the effect depending on the facts that the prosecution must prove.","PeriodicalId":44310,"journal":{"name":"Journal of Cybersecurity","volume":null,"pages":null},"PeriodicalIF":3.9,"publicationDate":"2023-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138505422","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}