
Computers & Security: Latest Articles

Cookies, identifiers and other data that Google silently stores on Android handsets
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-06-01. Epub Date: 2026-02-07. DOI: 10.1016/j.cose.2026.104850. Computers & Security, vol. 165, Article 104850.
D.J. Leith
It is known that cookies and other data can be used to track user activity and infringe privacy, but most work to date has focussed on the cookies stored by web browsers rather than by other mobile apps. We report on the results of a measurement study investigating the cookies, identifiers and other data stored on Android handsets by Google Play Services, the Google Play store and other pre-installed Google apps. We decrypt handset network traffic and analyse the data stored on the handset disk. We find that multiple cookies and identifiers are sent by Google servers and stored on the handset, even when no Google apps have ever been opened by the user. This includes advertising analytics/tracking cookies, links and device identifiers. No consent is sought for storing any of this data and there is no opt out. Our measurements raise concerns that Google is violating EU data privacy regulations, which generally require specific, informed and unambiguous user consent before data can be stored on a handset.
Citations: 0
Impact of cybersecurity recommendations from smart home vendors’ chatbots on users’ cybersecurity coping process
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-06-01. Epub Date: 2026-02-08. DOI: 10.1016/j.cose.2026.104858. Computers & Security, vol. 165, Article 104858.
Jengchung Victor Chen, Yang-Suen Chen, Thanh-Minh Ha Le
The growth of smart home devices not only increases at-home convenience but also amplifies cybersecurity risks. While technological solutions are critical, enhancing user cybersecurity awareness is equally important for mitigating these risks. This study investigates whether cybersecurity recommendations from smart home vendors’ chatbots influence users’ coping processes, as part of awareness formation. Drawing on technology threat avoidance theory, we conceptualize awareness as a developmental process encompassing threat appraisal, coping appraisal, and subsequent coping responses. We integrate social information processing theory to examine how chatbot design elements (i.e., social presence and message personalization) serve as informational cues shaping users’ appraisals and coping behaviors. Using data from 533 U.S. smart home users collected via Amazon Mechanical Turk, we employ partial least squares (PLS) analysis. Results indicate that a chatbot’s social presence and message personalization increase both perceived cybersecurity threat and perceived avoidability. These appraisals, in turn, promote problem-focused coping (i.e., purchasing devices with built-in cybersecurity safeguards) and emotion-focused coping (inward and outward). Among coping outcomes, only outward emotion-focused coping increases problem-focused coping, whereas inward emotion-focused coping shows no significant effect.
Citations: 0
Coping with input stage challenges in information security policy development: Information security managers’ perspectives in a hybrid work environment
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-05-01. Epub Date: 2026-02-06. DOI: 10.1016/j.cose.2026.104857. Computers & Security, vol. 164, Article 104857.
Mai Nguyen, Sara Rungård, Shang Gao
The purpose of this paper is to investigate how information security managers cope with the challenges in the input stage when developing an information security policy (ISP) in the context of hybrid work in the financial sector. To address this, an empirical study was conducted using semi-structured interviews with eight information security managers in Sweden’s financial sector. The data are analyzed through qualitative thematic analysis. The lens of institutional theory was also applied to interpret the results. According to the results, 18 challenges and their associated solutions for five selected inputs (i.e., risk assessment, industry standards and guidelines, regulations, existing policies and organizational business requirements) within the input stage of ISP development are identified. For example, one recurring challenge at the input stage of an organization’s risk assessment is the potential intrusion into employees’ privacy when work occurs in their homes. Risks that are easy to identify and evaluate in a controlled office environment often become less visible or more difficult to assess in home-based settings. This creates uncertainty during the input stage because organizations must address these dispersed and varied risks without intruding on employees’ private lives. This study advances the understanding of the input stage’s challenges in the ISP development process in a hybrid work environment. While previous research has primarily examined the ISP’s input stage in traditional office-based contexts, hybrid work introduces additional complexity. According to the results, organizations must balance essential information security requirements with increasing demands for workplace flexibility. They need to ensure that security expectations remain clear and actionable, yet adaptable enough to accommodate employees working remotely. This tension between maintaining operational security and supporting flexibility poses a significant challenge at the input stage related to organizational business requirements when developing effective ISPs for hybrid work. Furthermore, through the lens of institutional theory, the results indicate that some inputs are more strongly affected by isomorphism (i.e., coercive influence), whereas mimetic and normative influences appear less directly associated with specific inputs. Additionally, a primary practical implication is the encapsulated knowledge on the challenges managers may face and the associated solutions in the input phase of ISP development in the context of hybrid work in the financial sector. Managers can adopt and adapt the suggested solutions to further strengthen their work practices in the input stage of ISP development.
Citations: 0
Dapadv: Differentiated adversarial perturbation generation method in problem space for Android malware detection
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-05-01. Epub Date: 2026-01-29. DOI: 10.1016/j.cose.2026.104845. Computers & Security, vol. 164, Article 104845.
Junwei Tang, Sijie Zhou, Tao Peng, Wenlong Tian
Learning-based methods have been widely applied in the field of Android malware detection. However, adversarial samples pose a serious challenge to such methods, as carefully constructed adversarial samples may evade detection by these detectors. To evaluate the robustness of mainstream Android malware detection, in this paper we propose a novel differentiated adversarial perturbation generation method in problem space. We first slice a large number of benign applications to get a set of code slices that preserve context semantics. An improved optimal perturbation screening method based on a Hierarchical Attention Network is proposed to effectively select the optimal slice from the code slice set as the perturbation for the target attack model. We perform dynamic adaptive computation based on the target attack model to achieve the optimal adversarial perturbation. After adding the perturbation to the target sample, the sample is repackaged and signed to verify the adversarial effect on the detection model. The experimental results on multiple malware datasets show that the adversarial samples generated by our method can significantly reduce the accuracy of the target detectors and achieve a better adversarial attack effect compared with existing methods.
Citations: 0
Beyond self-reporting: Uncovering the operational realities of SME cybersecurity through expert assessment
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-05-01. Epub Date: 2026-01-15. DOI: 10.1016/j.cose.2026.104839. Computers & Security, vol. 164, Article 104839.
Alladean Chidukwani, Sebastian Zander, Polychronis Koutsakis
This study builds upon the foundational research of Chidukwani et al. (2022, 2024) to critically examine and validate cybersecurity assertions made by small and medium-sized enterprises (SMEs). Through a mixed-method multiple case study design, the research employed a comprehensive methodology to gain firsthand insights into SME cybersecurity postures. Central to this study is the introduction of the Validated Cybersecurity Posture Assessment Framework (VCPAF), a novel multi-layered methodology tailored to the SME context. VCPAF integrates self-reported assessments, expert-led interviews, technical vulnerability scanning, artifact and documentation review, and a triangulated scoring and gap analysis. This holistic and iterative approach enables a more accurate and context-sensitive validation of cybersecurity practices, bridging the gap between perceived and actual security postures.
Fieldwork included site visits, inspections, direct observations, and in-depth interviews with key personnel to validate initial survey responses from Chidukwani et al. (2024). Benchmarking against the NIST Cybersecurity Framework (CSF), the study revealed significant disparities between SMEs’ self-reported cybersecurity practices and evidence from expert assessments. SMEs consistently overstated their cybersecurity maturity, often conflating IT support with cybersecurity services. Overestimations were particularly notable across the NIST CSF’s five core functions (Identify, Protect, Detect, Respond, and Recover), with critical weaknesses identified in asset management, patch management, network security, access control, monitoring, and incident response. Additionally, misunderstandings regarding IT provider responsibilities and regulatory obligations were found to exacerbate vulnerabilities.
We conclude that self-reporting alone is insufficient for accurately assessing SME cybersecurity posture. To close the gap between perceived and actual security practices, independent validation and tailored frameworks are critical. We advocate for sector-specific adaptations of established standards, transparent service provider agreements, and mandatory employee training. Additionally, introducing an industry-standardised terminology and taxonomy similar to those used in healthcare insurance would simplify service offerings and improve SME understanding of cybersecurity responsibilities.
Citations: 0
Insecure by design? A human-centric security perspective on AI-assisted software development
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-05-01. Epub Date: 2026-01-23. DOI: 10.1016/j.cose.2026.104842. Computers & Security, vol. 164, Article 104842.
Magdalena Glas, Christoph Nirschl, Bar Lanyado, Johan van Niekerk
Generative artificial intelligence (AI) tools are increasingly used in software development, improving the efficiency of software developers. However, this adoption introduces notable security challenges. AI-generated code is not secure by default, as it is often based on large-scale training data that includes open-source code of varying quality and trustworthiness. Developers using these tools may be unaware of the associated risks or may place excessive trust in the security of the output. This briefing paper outlines the key security risks associated with generative AI and offers human-centered strategies for mitigation. Since these risks arise not only from how generative AI models are built but also from how humans interact with them, we adopt a human-centric perspective. To this end, we provide recommendations for individuals, organizations, and educators to help harness the potential of generative AI in software development while effectively managing the associated security risks.
Citations: 0
OPSA-DP: A trajectory privacy protection scheme based on the optimal decision-making of obfuscation points
IF 5.4, Zone 2 Computer Science, Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-05-01. Epub Date: 2026-02-01. DOI: 10.1016/j.cose.2026.104843.
Hui Wang, Ruike Guan, Peiqian Liu, Kun Liu
Ignoring the semantic integrity of trajectory data and the security of sensitive locations may expose personal privacy to threats. To address the issue of ensuring user privacy while maintaining the usability of published trajectory data, this paper proposes a trajectory privacy protection scheme based on the optimal decision-making of obfuscation points (OPSA-DP). Firstly, user stay points are extracted using the velocity threshold-based dynamic window stay point detection algorithm (VT-DWA). Hotspot areas are then obtained through density-based clustering (DBSCAN), and these hotspot areas are finally divided into sensitive regions using the sensitive region division algorithm (SRDA) to accurately locate sensitive regions within the trajectory. Secondly, a personalized allocation model is established to accurately allocate privacy budgets to each stay point, based on the regional characteristics identified in the previous step and the spatial attributes and privacy sensitivity levels of each stay point. Finally, multiple sets of candidate obfuscation points are generated within sensitive regions, and the optimal obfuscation points are selected using the scoring function in the obfuscation point selection algorithm (OPSA). The moving points adjacent to sensitive regions are reconstructed to address potential trajectory mutation after replacement, thereby ensuring the final output trajectory exhibits both integrity and continuity. Experiments show that compared with existing methods, this scheme improves trajectory usability and can effectively resist semantic inference attacks, providing a new solution for balancing privacy protection and service value.
Citations: 0
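The pipeline the abstract describes, as an added example that is not the paper's code: velocity-threshold stay-point detection, a sensitivity-weighted split of the privacy budget across stay points, planar-Laplace candidate generation inside a sensitive region, selection of one candidate by a scoring function, and time-linear reconstruction of the moving points on either side of the replaced stay. The sample trajectory, the region list (which stands in for the DBSCAN/SRDA output), the budget rule, the score and the reconstruction rule are all assumptions made for this illustration; the paper's own VT-DWA, allocation model and OPSA score are not on this page and are not reproduced.

```python
import math
import random

# Constructed sample trajectory: (t_seconds, x_m, y_m) on a local plane, timestamps
# strictly increasing. Points 4-7 dwell near (900, 0); the rest move at ~5 m/s.
TRAJ = [(0, 0.0, 0.0), (60, 300.0, 0.0), (120, 600.0, 0.0), (180, 900.0, 0.0),
        (240, 902.0, 1.0), (300, 899.0, 3.0), (360, 901.0, 2.0), (420, 1200.0, 0.0),
        (480, 1500.0, 0.0)]

# Constructed sensitive regions, standing in for the DBSCAN hotspot clustering and
# SRDA division output: (name, cx, cy, radius_m, sensitivity level 1..3).
REGIONS = [("clinic", 900.0, 0.0, 400.0, 3)]


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def detect_stay_points(traj, v_thr=0.5, min_dwell=120):
    """Assumed velocity-threshold stay detection: a run of consecutive segments slower
    than v_thr m/s lasting >= min_dwell s becomes one stay (cx, cy, t_start, t_end)."""
    stays, i, n = [], 0, len(traj)
    while i < n - 1:
        j = i
        while j < n - 1 and dist(traj[j][1:], traj[j + 1][1:]) < v_thr * (traj[j + 1][0] - traj[j][0]):
            j += 1
        if j > i and traj[j][0] - traj[i][0] >= min_dwell:
            pts = traj[i:j + 1]
            stays.append((sum(p[1] for p in pts) / len(pts),
                          sum(p[2] for p in pts) / len(pts), traj[i][0], traj[j][0]))
        i = max(j, i + 1)
    return stays


def region_of(pt, regions):
    """First sensitive region containing pt, or None."""
    return next((r for r in regions if dist(pt, (r[1], r[2])) <= r[3]), None)


def allocate_budget(stays, regions, eps_total):
    """Assumed personalised split: weight 1/level, so a more sensitive stay point gets a
    smaller epsilon (heavier perturbation); stays outside every region count as level 1."""
    levels = [(region_of(s[:2], regions) or (None, 0, 0, 0, 1))[4] for s in stays]
    weights = [1.0 / lv for lv in levels]
    return [eps_total * w / sum(weights) for w in weights]


def planar_laplace(pt, eps, rng):
    """Geo-indistinguishability noise: radius ~ Gamma(2, 1/eps), uniform angle."""
    r, theta = rng.gammavariate(2.0, 1.0 / eps), rng.uniform(0.0, 2.0 * math.pi)
    return (pt[0] + r * math.cos(theta), pt[1] + r * math.sin(theta))


def choose_obfuscation_point(true_pt, prev_pt, next_pt, region, eps, rng, k=20, lam=0.5):
    """Keep up to k noisy candidates inside the region and pick the best under an assumed
    score: distance from the true point (privacy gain) minus lam times the change in
    path length through prev/next (utility loss)."""
    cands, attempts = [], 0
    while len(cands) < k and attempts < 20 * k:
        attempts += 1
        c = planar_laplace(true_pt, eps, rng)
        if dist(c, (region[1], region[2])) <= region[3]:
            cands.append(c)
    if not cands:
        raise RuntimeError("no candidate fell inside the sensitive region")
    base_len = dist(prev_pt, true_pt) + dist(true_pt, next_pt)
    score = lambda c: dist(c, true_pt) - lam * abs(dist(prev_pt, c) + dist(c, next_pt) - base_len)
    return max(cands, key=score)


def lerp(p, q, f):
    return (p[0] + f * (q[0] - p[0]), p[1] + f * (q[1] - p[1]))


def protect(traj, regions, eps_total=0.03, seed=7):
    """Run the pipeline on one trajectory; returns stay points, per-stay budgets and the
    published trajectory with timestamps unchanged."""
    rng = random.Random(seed)
    stays = detect_stay_points(traj)
    budgets = allocate_budget(stays, regions, eps_total)
    out = [list(p) for p in traj]
    for s, eps in zip(stays, budgets):
        region = region_of(s[:2], regions)
        if region is None:
            continue  # non-sensitive stay points are published unchanged in this example
        idx = [i for i, p in enumerate(traj) if s[2] <= p[0] <= s[3]]
        prev_pt = traj[idx[0] - 1][1:] if idx[0] > 0 else s[:2]
        next_pt = traj[idx[-1] + 1][1:] if idx[-1] + 1 < len(traj) else s[:2]
        new = choose_obfuscation_point(s[:2], prev_pt, next_pt, region, eps, rng)
        for i in idx:  # the whole dwell collapses onto the chosen point
            out[i][1:] = new
        # Reconstruct the moving points on either side by time-linear interpolation so the
        # published path has no jump into or out of the obfuscated stay.
        if idx[0] >= 2:
            a, b = traj[idx[0] - 2], traj[idx[0] - 1]
            out[idx[0] - 1][1:] = lerp(a[1:], new, (b[0] - a[0]) / (s[2] - a[0]))
        if idx[-1] + 2 < len(traj):
            b, c = traj[idx[-1] + 1], traj[idx[-1] + 2]
            out[idx[-1] + 1][1:] = lerp(new, c[1:], (b[0] - s[3]) / (c[0] - s[3]))
    return {"stay_points": stays, "budgets": budgets, "trajectory": [tuple(p) for p in out]}
```

Calling `protect(TRAJ, REGIONS)` finds the single dwell at about (900.5, 1.5) between t=180 and t=360, gives it the whole 0.03 budget, and replaces the four dwell points with one candidate inside the 400 m region. Two caveats a practitioner should keep in view: rejecting candidates that leave the region and then picking the highest-scoring one are post-processing steps on the planar-Laplace draw that change its formal guarantee, so the effective epsilon is no longer the nominal one; and the score rewards distance from the true point, which an adversary who knows the region boundary can partly invert, so the scoring rule is where the real design work of a scheme like OPSA lives.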
Assessing the attack surface of space organizations: A data-driven analysis
IF 5.4 CAS Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2026-05-01 Epub Date: 2026-02-03 DOI: 10.1016/j.cose.2026.104848
Francesco Casaril, Letterio Galletta
The increasing digitalization of the space industry and the rapid expansion of commercial space activities have increased the sector’s exposure to cyber threats. As satellite operators and aerospace entities rely on Internet-connected devices (ICDs) for control, communication, and ground-based operations, their attack surface expands accordingly. Despite this growing risk, there remains a lack of standardized methodologies tailored to measuring real-world cybersecurity exposure of ICDs in the space sector. Existing frameworks often overlook the unique characteristics of space infrastructure, including persistent connectivity, long system lifespans, and limited patching opportunities. To address this gap, we propose the Risk Exposure Framework (REF), a methodology to quantify cybersecurity exposure using Internet-facing asset data. REF integrates elements from well-established risk assessment models with targeted analysis of exposed services, known vulnerabilities, and exploit availability. The framework calculates risk through a structured approach that combines Exposure and Likelihood scores based on observable attack surface metrics. Our methodology allows one to compare exposure levels across organizations and supports alignment with sector-specific cybersecurity requirements, and it is adaptable to other critical infrastructure environments where external exposure plays a central role in cyber risk. Unlike general-purpose frameworks, REF directly captures space-specific traits by relying on observable network exposure indicators and by aligning with the principles of attack surface measurement in space environments. REF quantifies the externally observable posture of space organisations, primarily ground-segment and enterprise networks, based on Internet-facing exposure and exploitability. The framework does not model spacecraft constraints, but it can reflect their downstream effects when those constraints manifest at network boundaries. This paper also examines how the REF methodology can support existing cybersecurity policy frameworks and risk assessment strategies in both Europe and the United States.
Citations: 0
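An added example of the kind of computation the abstract describes, not the authors' REF implementation (whose weights and formulas are not on this page): an Exposure score derived from the exposed services of an Internet-facing asset, a Likelihood score derived from its known vulnerabilities and whether public exploits exist, risk as their product, and a per-host and per-organisation ranking so two organisations can be compared. The service weights, the saturating exposure function, the exploit boost, the floor for hosts with no known vulnerabilities, the host names and the two inventories are all assumptions constructed for the illustration; vulnerability records carry placeholder labels rather than CVE identifiers.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Vuln:
    label: str            # a real record would carry the CVE identifier; placeholders here
    cvss: float           # CVSS base score, 0..10
    exploit_public: bool  # public exploit code available / known exploited


@dataclass
class Asset:
    host: str
    services: list                         # exposed service names as seen from a scan
    vulns: list = field(default_factory=list)


# Assumed weights: services that hand out control or reach OT / ground equipment
# weigh more than a hardened HTTPS front end; unknown services default to 0.5.
SERVICE_WEIGHT = {"https": 0.2, "http": 0.4, "ssh": 0.5, "snmp": 0.7,
                  "rdp": 0.8, "telnet": 1.0, "modbus": 1.0}


def exposure_score(asset):
    """Exposure in [0, 1): saturating function of the weighted exposed services, so
    adding a tenth service matters less than adding the first."""
    raw = sum(SERVICE_WEIGHT.get(s, 0.5) for s in asset.services)
    return 1.0 - math.exp(-raw)


def likelihood_score(asset):
    """Likelihood in [0, 1]: probability that at least one known vulnerability is used,
    treating them as independent, with a 1.5x boost when a public exploit exists and a
    small floor for an exposed host with no known vulnerabilities."""
    if not asset.vulns:
        return 0.05
    p_none = 1.0
    for v in asset.vulns:
        p = min(1.0, v.cvss / 10.0 * (1.5 if v.exploit_public else 1.0))
        p_none *= 1.0 - p
    return 1.0 - p_none


def asset_risk(asset):
    return exposure_score(asset) * likelihood_score(asset)


def org_risk(assets):
    """Organisation-level view: worst asset, mean, and hosts ranked by risk."""
    ranked = sorted(assets, key=asset_risk, reverse=True)
    scores = [asset_risk(a) for a in ranked]
    return {"max": scores[0], "mean": sum(scores) / len(scores),
            "ranked_hosts": [a.host for a in ranked]}


def compare(orgs):
    """Organisation names ordered by their worst-asset risk, highest first."""
    return sorted(orgs, key=lambda name: org_risk(orgs[name])["max"], reverse=True)


# Constructed inventories for two hypothetical organisations.
ORG_A = [
    Asset("vpn.a.example", ["https"]),
    Asset("telemetry-gw.a.example", ["telnet", "modbus"], [Vuln("constructed-1", 9.8, True)]),
]
ORG_B = [
    Asset("www.b.example", ["https", "ssh"], [Vuln("constructed-2", 6.5, False)]),
]

if __name__ == "__main__":
    for name, assets in {"A": ORG_A, "B": ORG_B}.items():
        r = org_risk(assets)
        print(f"{name}: max={r['max']:.3f} mean={r['mean']:.3f} worst={r['ranked_hosts'][0]}")
```

On the constructed data the telnet/Modbus gateway with a publicly exploitable critical vulnerability saturates Likelihood at 1.0 and dominates organisation A, while organisation B's single web host scores about 0.33. In practice the inputs come from Internet-facing scan results and vulnerability feeds, and the calibration effort goes into the weights and the combination rule; treating vulnerabilities as independent and ignoring compensating controls are simplifications a real framework has to address.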
Understanding surveillance stress in cybersecurity professionals: A stage model perspective
IF 5.4 CAS Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2026-05-01 Epub Date: 2026-02-08 DOI: 10.1016/j.cose.2026.104859
Tripti Singh , Allen C. Johnston , Matthew Hudnall , Gregory J. Bott
As more organizations implement employee monitoring technologies to identify insider threats and enforce policy compliance, cybersecurity professionals are increasingly finding themselves in the position of surveilling their colleagues. This brings with it a type of stress distinct from traditional technostress or workload-induced pressure, one based on ethical uncertainty, interpersonal strain, and affective tension. Drawing on interviews with 20 cybersecurity professionals across sectors such as retail, academia, healthcare, finance, information technology, information security, and consulting, we develop a stage model of surveillance stress grounded in the transactional theory of stress and the challenge–hindrance framework. Our model explains how cybersecurity professionals assess the centrality and meaning of surveillance responsibilities, how they experience stress as either a challenge or a hindrance, and how they respond through coping strategies aimed at navigating moral unease and preserving social trust. Our findings show that professionals frequently experience moral ambiguity, concern about damaging workplace relationships, and emotional fatigue arising from uncertain surveillance data, alternating between viewing surveillance as professional growth and as a source of guilt, frustration, and exhaustion. They respond through technical adaptation, peer support, and emotional distancing, while organizational and individual factors shape these experiences. By shifting the analytical lens from the surveilled to the surveillant, this study surfaces the hidden psychological costs of cybersecurity work and offers new insight into the human consequences of digital surveillance.
Citations: 0
AuditorMatch: A data-driven decision-support system for evaluating and selecting cybersecurity auditors
IF 5.4 CAS Zone 2 Computer Science Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date: 2026-05-01 Epub Date: 2026-02-03 DOI: 10.1016/j.cose.2026.104849
Rohit Negi, Gargi Sarkar, Sandeep Kumar Shukla
As digital infrastructures expand and cyber threats intensify, cybersecurity audits have become a critical assurance mechanism for detecting vulnerabilities, validating control effectiveness, and maintaining national cyber resilience. The quality of these audits is fundamentally dependent on the competence of the auditors/auditing organizations conducting them. In practice, auditee organizations often select an auditor/auditing organization through cost-driven or ad hoc processes. However, selecting the auditor/auditing organization is still a challenge for auditee organizations despite the expanded vendor list provided by the regulatory body as empaneled auditors. Inclusion of an auditor in the empaneled auditors list establishes eligibility but by itself does not provide any measure of its capability. To address this critical cybersecurity gap, we introduce AuditorMatch, a risk-informed cybersecurity evaluation and selection framework designed to strengthen audit assurance. AuditorMatch transforms heterogeneous CERT-In (The Computer Emergency Response Team established by the Government of India) empanelment records into a structured relational schema and applies a multi-criteria scoring model that incorporates technical capability, scope-specific audit experience, certification maturity, human-resource stability, and tooling diversity, factors that directly impact vulnerability detection quality and control assessment accuracy. Using the 2024 CERT-In empanelment dataset, we demonstrate how AuditorMatch provides a data-driven, defensible basis for selecting auditors whose competencies are aligned with an organization’s cyber risk profile. Beyond the Indian context, the framework provides a generalizable path toward standardizing cybersecurity audit quality, improving transparency in national audit ecosystems, and reinforcing systemic cyber resilience through improved assurance processes.
Citations: 0