Visible to the public Human Trust 2015Conflict Detection Enabled

SoS Newsletter- Advanced Book Block


SoS Logo

Human Trust 2015

Human behavior is complex and that complexity creates a tremendous problem for cybersecurity.  The works cited here address a range of human trust issues related to behaviors, deception, enticement, sentiment and other factors difficult to isolate and quantify. For the Science of Security community, human behavior is a Hard Problem.  The work cited here was presented in 2015.

Adeka, M.; Shepherd, S.; Abd-Alhameed, R.; Ahmed, N.A.S., "A Versatile and Ubiquitous Secret Sharing," in Internet Technologies and Applications (ITA), 2015, pp. 466-471, 8-11 Sept. 2015. doi: 10.1109/ITechA.2015.7317449

Abstract: The Versatile and Ubiquitous Secret Sharing System, a cloud data repository secure access and a web based authentication scheme. It is designed to implement the sharing, distribution and reconstruction of sensitive secret data that could compromise the functioning of an organisation, if leaked to unauthorised persons. This is carried out in a secure web environment, globally. It is a threshold secret sharing scheme, designed to extend the human trust security perimeter. The system could be adapted to serve as a cloud data repository and secure data communication scheme. A secret sharing scheme is a method by which a dealer distributes shares of a secret data to trustees, such that only authorised subsets of the trustees can reconstruct the secret. This paper gives a brief summary of the layout and functions of a 15-page secure server-based website prototype; the main focus of a PhD research effort titled `Cryptography and Computer Communications Security: Extending the Human Security Perimeter through a Web of Trust'. The prototype, which has been successfully tested, has globalised the distribution and reconstruction processes.

Keywords: Internet; cloud computing; message authentication; trusted computing; ubiquitous computing;AdeVersUS3;Adekas Versatile and Ubiquitous Secret Sharing System; Web based authentication scheme; cloud data repository secure access; human trust security perimeter; secure data communication; secure server-based Website prototype; threshold secret sharing scheme; Computer science; Cryptography; Electrical engineering; IP networks; Prototypes; Radiation detectors; Servers; (k, n)-threshold; authentication; authorised user; cloud data repository; combiner; cryptography; dealer or distributor;  human security perimeter; interpolation; key management; participants (trustees); secret sharing}, (ID#: 15-8540)



Dawson, S.; Crawford, C.; Dillon, E.; Anderson, M., "Affecting Operator Trust in Intelligent Multirobot Surveillance Systems," in Robotics and Automation (ICRA), 2015 IEEE International Conference on, pp. 3298-3304, 26-30 May 2015. doi: 10.1109/ICRA.2015.7139654

Abstract: Homeland safety and security will increasingly depend upon autonomous unmanned vehicles as a method of assessing and maintaining situational awareness. As autonomous team algorithms evolve toward requiring less human intervention, it may be that having an “operator-in-the-loop” becomes the ultimate goal in utilizing autonomous teams for surveillance. However studies have shown that trust plays a factor in how effectively an operator can work with autonomous teammates. In this work, we study mechanisms that look at autonomy as a system and not as the sum of individual actions. First, we conjecture that if the operator understands how the team autonomy is designed that the user would better trust that the system will contribute to the overall goal. Second, we focus on algorithm input criteria as being linked to operator perception and trust. We focus on adding a time-varying spatial projection of areas in the ROI that have been unseen for more than a set duration (STEC). Studies utilize a custom test bed that allows users to interact with a surveillance team to find a target in the region of interest. Results show that while algorithm training had an adverse effect, projecting salient team/surveillance state had a statistically significant impact on trust and did not negatively affect workload or performance. This result may point at a mechanism for improving trust through visualizing states as used in the autonomous algorithm.

Keywords: autonomous aerial vehicles; mobile robots; multi-robot systems; national security; surveillance; ROI; adverse effect; autonomous team algorithms; autonomous teammates; autonomous unmanned vehicles; homeland safety; homeland security; intelligent multirobot surveillance system; operator in the loop; operator perception; operator trust; region of interest; salient team projection; situational awareness; state visualization; surveillance state projection; team autonomy; time-varying spatial projection; Automation; Robots; Standards; Streaming media; Surveillance; Training; User interfaces (ID#: 15-8541)



Kuntze, N.; Rudolph, C.; Brisbois, G.B.; Boggess, M.; Endicott-Popovsky, B.; Leivesley, S., "Security vs. Safety: Why Do People Die Despite Good Safety?," in Integrated Communication, Navigation, and Surveillance Conference (ICNS), 2015, pp. A4-1-A4-10, 21-23 April 2015. doi: 10.1109/ICNSURV.2015.7121213

Abstract: This paper will show in detail the differences between safety and security. An argument is made for new system design requirements based on a threat sustainable system (TSS) drawing on threat scanning, flexibility, command and control, system of systems, human factors and population dependencies. Principles of sustainability used in historical design processes are considered alongside the complex changes of technology and emerging threat actors. The paper recognises that technologies and development methods for safety do not work for security. Safety has the notion of a one or two event protection, but cyber-attacks are multi-event situations. The paper recognizes that the behaviour of interconnected systems and modern systems requirements for national sustainability. System security principles for sustainability of critical systems are considered in relation to failure, security architecture, quality of service, authentication and trust and communication of failure to operators. Design principles for operators are discussed along with recognition of human factors failures. These principles are then applied as the basis for recommended changes in systems design and discuss system control dominating the hierarchy of design decisions but with harmonization of safety requirements up to the level of sustaining security. These new approaches are discussed as the basis for future research on adaptive flexible systems that can sustain attacks and the uncertainty of fast-changing technology.

Keywords: national security; protection; safety systems; security of data; sustainable development; authentication; cyberattacks; failure; national sustainability; protection; safety; system security principles; threat scanning; threat sustainable system; trust; Buildings; Control systems; Safety; Software; Terrorism; Transportation (ID#: 15-8542)



Bianchi, A.; Corbetta, J.; Invernizzi, L.; Fratantonio, Y.; Kruegel, C.; Vigna, G., "What the App is That? Deception and Countermeasures in the Android User Interface," in Security and Privacy (SP), 2015 IEEE Symposium on, pp. 931-948, 17-21 May 2015. doi: 10.1109/SP.2015.62

Abstract: Mobile applications are part of the everyday lives of billions of people, who often trust them with sensitive information. These users identify the currently focused app solely by its visual appearance, since the GUIs of the most popular mobile OSes do not show any trusted indication of the app origin. In this paper, we analyze in detail the many ways in which Android users can be confused into misidentifying an app, thus, for instance, being deceived into giving sensitive information to a malicious app. Our analysis of the Android platform APIs, assisted by an automated state-exploration tool, led us to identify and categorize a variety of attack vectors (some previously known, others novel, such as a non-escapable full screen overlay) that allow a malicious app to surreptitiously replace or mimic the GUI of other apps and mount phishing and click-jacking attacks. Limitations in the system GUI make these attacks significantly harder to notice than on a desktop machine, leaving users completely defenseless against them. To mitigate GUI attacks, we have developed a two-layer defense. To detect malicious apps at the market level, we developed a tool that uses static analysis to identify code that could launch GUI confusion attacks. We show how this tool detects apps that might launch GUI attacks, such as ransom ware programs. Since these attacks are meant to confuse humans, we have also designed and implemented an on-device defense that addresses the underlying issue of the lack of a security indicator in the Android GUI. We add such an indicator to the system navigation bar, this indicator securely informs users about the origin of the app with which they are interacting (e.g., The Pay Pal app is backed by "Pay Pal, Inc."). We demonstrate the effectiveness of our attacks and the proposed on-device defense with a user study involving 308 human subjects, whose ability to detect the attacks increased significantly when using a system equipped with our defense.

Keywords: Android (operating system);graphical user interfaces; invasive software; program diagnostics; smart phones; Android platform API; Android user interface; GUI confusion attacks; app origin; attack vectors; automated state-exploration tool; click-jacking attacks; desktop machine; malicious app; mobile OS; mobile applications; on-device defense; phishing attacks; ransomware programs; security indicator; sensitive information; static analysis; system navigation bar; trusted indication; two-layer defense; visual appearance; Androids; Graphical user interfaces; Humanoid robots; Navigation; Security; Smart phones; mobile-security; static-analysis; usable-security (ID#: 15-8543)



Anneken, Mathias; Fischer, Yvonne; Beyerer, Jurgen, "Evaluation and Comparison of Anomaly Detection Algorithms in Annotated Datasets from the Maritime Domain," in SAI Intelligent Systems Conference (IntelliSys), 2015, pp. 169-178, 10-11 Nov. 2015. doi: 10.1109/IntelliSys.2015.7361141

Abstract: Anomaly detection supports human decision makers in their surveillance tasks to ensure security. To gain the trust of the operator, it is important to develop a robust system, which gives the operator enough insight to take a rational choice about future steps. In this work, the maritime domain is investigated. Here, anomalies occur in trajectory data. Hence, a normal model for the trajectories has to be estimated. Despite the goal of anomaly detection in real life operations, until today, mostly simulated anomalies have been evaluated to measure the performance of different algorithms. Therefore, an annotation tool is developed to provide a ground truth on a non-simulative dataset. The annotated data is used to compare different algorithms with each other. For the given dataset, first experiments are conducted with the Gaussian Mixture Model (GMM) and the Kernel Density Estimator (KDE). For the evaluation of the algorithms, precision, recall, and f1-score are compared.

Keywords: Clustering algorithms; Gaussian mixture model; Hidden Markov models; Intelligent systems; Sea measurements; Surveillance; Trajectory; Anomaly detection; Gaussian Mixture Model; Kernel Density Estimation; Maritime domain (ID#: 15-8544)



Renaud, K.; Hoskins, A.; von Solms, R., "Biometric Identification: Are We Ethically Ready?," in Information Security for South Africa (ISSA), 2015, pp. 1-8, 12-13 Aug. 2015. doi: 10.1109/ISSA.2015.7335051

Abstract: “Give us your fingerprint, your Iris print, your photograph. Trust us; we want to make your life easier!” This is the implicit message behind many corporations' move towards avid collection and use of biometrics, and they expect us to accept their assurances at face value. Despite their attempts to sell this as a wholly philanthropic move, the reality is that it is often done primarily to ease their own processes or to increase profit. They offer no guarantees, allow no examination of their processes, and treat detractors with derision or sanction. The current biometric drive runs counter to emergent wisdom about the futility of a reductionist approach to humanity. Ameisen et al. (2007) point out that the field of integrative biology is moving towards a more holistic approach, while biometrics appear to be moving in the opposite direction, reducing humans to sets of data with cartographic locators: a naïve over-simplification of the uniqueness that characterizes humanity. They argue that biometrics treat the body as an object to be measured, but in fact the body is a subject, the instantiation of the individual's self, subject to vulnerability and mortality. Treating it merely as a measured and recorded object denies the body's essential right to dignity. Here we explore various concerning aspects of the global move towards widespread biometric use.

Keywords: biometrics (access control); biometric identification; cartographic locators; holistic approach; integrative biology; reductionist approach; Databases; Fingerprint recognition; Iris recognition; Physiology;  biometrics; ethics; security (ID#: 15-8545)



Khatoun, R.; Gut, P.; Doulami, R.; Khoukhi, L.; Serhrouchni, A., "A Reputation System for Detection of Black Hole Attack in Vehicular Networking," in Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC), 2015 International Conference on, pp. 1-5, 5-7 Aug. 2015. doi: 10.1109/SSIC.2015.7245328

Abstract: In recent years, vehicular networks has drawn special attention as it has significant potential to play an important role in future smart city to improve the traffic efficiency and guarantee the road safety. Safety in vehicular networks is crucial because that it affects the life of humans. It is essential like that the vital information cannot be modified or deleted by an attacker and must be also determine the responsibility of drivers while maintaining their privacy. The Black hole attack is a well-known and critical threaten of network availability in vehicular environment. In this paper we present a new reputation system for vehicular networks, where each vehicle reports the packet transmission with its neighbours and the Trust Authority (TA) classifies the reliability of players based on the reports. This reputation system can quickly detect the malicious players in the network, prevent the damage caused by the Black hole attack and improve the effectiveness of routing process.

Keywords: mobile radio; road safety; smart cities; telecommunication network routing; black hole attack detection; malicious player detection; packet transmission; reputation system; road safety; routing process; smart city; trust authority; vehicular networking; Ad hoc networks; Packet loss; Protocols; Routing; Vehicles; Black hole attack; Intrusion detection; Smart City; Vehicular Networking (ID#: 15-8546)



Gazis, V.; Goertz, M.; Huber, M.; Leonardi, A.; Mathioudakis, K.; Wiesmaier, A.; Zeiger, F., "Short Paper: IoT: Challenges, Projects, Architectures," in Intelligence in Next Generation Networks (ICIN), 2015 18th International Conference on, pp. 145-147, 17-19 Feb. 2015. doi: 10.1109/ICIN.2015.7073822

Abstract: Internet of Things (IoT) is a socio-technical phenomena with the power to disrupt our society such as the Internet before. IoT promises the (inter-) connection of myriad of things proving services to humans and machines. It is expected that by 2020 tens of billions of things will be deployed worldwide. It became evident that the traditional centralized computing and analytic approach does not provide a sustainable model this new type of data. A new kind of architecture is needed as a scalable and trusted platform underpinning the expansion of IoT. The data gathered by the things will be often noisy, unstructured and real-time requiring a decentralized structure storing and analysing the vast amount of data. In this paper, we provide an overview of the current IoT challenges, will give a summary of funded IoT projects in Europe, USA, and China. Additionally, it will provide detailed insights into three IoT architectures stemming from such projects.

Keywords: Internet of Things; internetworking; China; Europe; Internet of Things; IoT project; USA; centralized computing; data gathering; decentralized structure; sociotechnical phenomena; Computer architecture; Europe; Interoperability; Reliability; Security; Semantics; Technological innovation (ID#: 15-8547)



Bullee, Jan-Willem H.; Montoya, Lorena; Pieters, Wolter; Junger, Marianne; Hartel, Pieter H., "Regression Nodes: Extending Attack Trees with Data from Social Sciences," in Socio-Technical Aspects in Security and Trust (STAST), 2015 Workshop on, pp. 17-23, 13-13 July 2015. doi: 10.1109/STAST.2015.11

Abstract: In the field of security, attack trees are often used to assess security vulnerabilities probabilistically in relation to multi-step attacks. The nodes are usually connected via AND-gates, where all children must be executed, or via OR-gates, where only one action is necessary for the attack step to succeed. This logic, however, is not suitable for including human interaction such as that of social engineering, because the attacker may combine different persuasion principles to different degrees, with different associated success probabilities. Experimental results in this domain are typically represented by regression equations rather than logical gates. This paper therefore proposes an extension to attack trees involving a regression-node, illustrated by data obtained from a social engineering experiment. By allowing the annotation of leaf nodes with experimental data from social science, the regression-node enables the development of integrated socio-technical security models.

Keywords: Context; Fault trees; Logic gates; Open wireless architecture; Regression tree analysis; Safety; Security (ID#: 15-8548)



Parkin, Simon; Epili, Sanket, "A Technique for Using Employee Perception of Security to Support Usability Diagnostics," in Socio-Technical Aspects in Security and Trust (STAST), 2015 Workshop on, pp. 1-8, 13-13 July 2015. doi: 10.1109/STAST.2015.9

Abstract: Problems of unusable security in organisations are widespread, yet security managers tend not to listen to employees' views on how usable or beneficial security controls are for them in their roles. Here we provide a technique to drive management of security controls using end-user perceptions of security as supporting data. Perception is structured at the point of collection using Analytic Hierarchy Process techniques, where diagnostic rules filter user responses to direct remediation activities, based on recent research in the human factors of information security. The rules can guide user engagement, and support identification of candidate controls to maintain, remove, or learn from. The methodology was incorporated into a prototype dashboard tool, and a preliminary validation conducted through a walk-through consultation with a security manager in a large organisation. It was found that user feedback and suggestions would be useful if they can be structured for review, and that categorising responses would help when revisiting security policies and identifying problem controls.

Keywords: Analytic hierarchy process; Human factors; Information security; Interviews; Measurement; Usability; analytic hierarchy process; human factors of security; information security; security policies (ID#: 15-8549)



Pirinen, R.; Rajamaki, J., "Mechanism of Critical and Resilient Digital Services for Design Theory," in Computer Science, Computer Engineering, and Social Media (CSCESM), 2015 Second International Conference on, pp. 90-95, 21-23 Sept. 2015. doi: 10.1109/CSCESM.2015.7331874

Abstract: This study discusses design theory with focus on critical digital information services that support collective service design targets in international over border environments. Designing security for such digital systems has been challenging because of the technologies that make up the systems for digital information sharing. More specifically, new advances in hardware, networking, information, and human interface need new ways of thinking and realization to, for example, design, build, evaluate, and conceptualize a resilient digital service or system. This study focuses on the methodological contribution of design theory to resilient digital systems and further serves as a continuum to existing studies.

Keywords: critical infrastructures; information services; security of data; border environments; collective service design; critical digital information services; critical infrastructure protection; cyber security; design theory; digital information sharing; digital systems security; hardware; human interface; international environments; networking; resilient digital services; resilient digital systems; Security; Servers; critical infrastructure protection; cyber security; design science research; design theory; digital systems; resilient digital services; trust building (ID#: 15-8550)



Papadakis, M.; Yue Jia; Harman, M.; Le Traon, Y., "Trivial Compiler Equivalence: A Large Scale Empirical Study of a Simple, Fast and Effective Equivalent Mutant Detection Technique," in Software Engineering (ICSE), 2015 IEEE/ACM 37th IEEE International Conference on, vol.1, pp. 936-946, 16-24 May 2015. doi: 10.1109/ICSE.2015.103

Abstract: Identifying equivalent mutants remains the largest impediment to the widespread uptake of mutation testing. Despite being researched for more than three decades, the problem remains. We propose Trivial Compiler Equivalence (TCE) a technique that exploits the use of readily available compiler technology to address this long-standing challenge. TCE is directly applicable to real-world programs and can imbue existing tools with the ability to detect equivalent mutants and a special form of useless mutants called duplicated mutants. We present a thorough empirical study using 6 large open source programs, several orders of magnitude larger than those used in previous work, and 18 benchmark programs with hand-analysis equivalent mutants. Our results reveal that, on large real-world programs, TCE can discard more than 7% and 21% of all the mutants as being equivalent and duplicated mutants respectively. A human- based equivalence verification reveals that TCE has the ability to detect approximately 30% of all the existing equivalent mutants.

Keywords: formal verification; program compilers ;program testing; TCE technique; duplicated mutants; human-based equivalence verification; mutant detection technique; mutation testing; trivial compiler equivalence technology; Benchmark testing; Java; Optimization; Scalability; Syntactics (ID#: 15-8551)



Mitchell, M.; Patidar, R.; Saini, M.; Singh, P.; An-I Wang; Reiher, P., "Mobile Usage Patterns and Privacy Implications," in Pervasive Computing and Communication Workshops (PerCom Workshops), 2015 IEEE International Conference on, pp. 457-462, 23-27 March 2015. doi: 10.1109/PERCOMW.2015.7134081

Abstract: Privacy is an important concern for mobile computing. Users might not understand the privacy implications of their actions and therefore not alter their behavior depending on where they move, when they do so, and who is in their surroundings. Since empirical data about the privacy behavior of users in mobile environments is limited, we conducted a survey study of ~600 users recruited from Florida State University and Craigslist. Major findings include: (1) People often exercise little caution preserving privacy in mobile computing environments; they perform similar computing tasks in public and private. (2) Privacy is orthogonal to trust; people tend to change their computing behavior more around people they know than strangers. (3) People underestimate the privacy threats of mobile apps, and comply with permission requests from apps more often than operating systems. (4) Users' understanding of privacy is different from that of the security community, suggesting opportunities for additional privacy studies.

Keywords: data privacy; human factors; mobile computing; operating systems (computers);Craigslist; Florida State University; empirical data; mobile applications; mobile computing environments; mobile usage patterns; operating systems; permission requests; privacy threats; security community; user computing behavior; users privacy behavior; Encryption; IEEE 802.11 Standards; Mobile communication; Mobile computing; Mobile handsets; Portable computers; Privacy; human factors;mobile computing; privacy; security (ID#: 15-8552)



Boyes, H., "Best Practices in an ICS Environment," in Cyber Security for Industrial Control Systems,  pp. 1-36, 2-3 Feb. 2015. doi: 10.1049/ic.2015.0006

Abstract: Presents a collection of slides covering the following topics: software trustworthiness; insecure building control system; prison system glitch; cyber security; ICS; vulnerability assessment; dynamic risks handling; situational awareness; human factor; industrial control systems and system connectivity.

Keywords: control engineering computing; human factors; industrial control; security of data; trusted computing; ICS; cybersecurity; dynamic risks handling; human factor; industrial control systems; insecure building control system; prison system glitch; situational awareness; software trustworthiness; system connectivity; vulnerability assessment (ID#: 15-8553)



Aggarwal, A.; Kumaraguru, P., "What They Do in Shadows: Twitter Underground Follower Market," in Privacy, Security and Trust (PST), 2015 13th Annual Conference on, pp. 93-100, 21-23 July 2015

doi: 10.1109/PST.2015.7232959

Abstract: Internet users and businesses are increasingly using online social networks (OSN) to drive audience traffic and increase their popularity. In order to boost social presence, OSN users need to increase the visibility and reach of their online profile, like - Facebook likes, Twitter followers, Instagram comments and Yelp reviews. For example, an increase in Twitter followers not only improves the audience reach of the user but also boosts the perceived social reputation and popularity. This has led to a scope for an underground market that provides followers, likes, comments, etc. via a network of fraudulent and compromised accounts and various collusion techniques. In this paper, we landscape the underground markets that provide Twitter followers by studying their basic building blocks - merchants, customers and phony followers. We charecterize the services provided by merchants to understand their operational structure and market hierarchy. Twitter underground markets can operationalize using a premium monetary scheme or other incentivized freemium schemes. We find out that freemium market has an oligopoly structure with few merchants being the market leaders. We also show that merchant popularity does not have any correlation with the quality of service provided by the merchant to its customers. Our findings also shed light on the characteristics and quality of market customers and the phony followers provided by underground market. We draw comparison between legitimate users and phony followers, and find out key identifiers to separate such users. With the help of these differentiating features, we build a supervised learning model to predict suspicious following behaviour with an accuracy of 89.2%.

Keywords: human factors; learning (artificial intelligence); oligopoly; social networking (online);Facebook likes; Instagram comments; OSN users; Twitter followers; Yelp reviews; customers; fraudulent network; incentivized freemium schemes; market hierarchy; market leaders; merchant popularity; oligopoly structure; online profile; online social networks; operational structure; perceived social popularity; perceived social reputation; phony followers; premium monetary scheme; quality of service; social presence; supervised learning model; suspicious following behaviour prediction; underground follower market; Business; Data collection; Facebook; Measurement; Media; Quality of service; Twitter (ID#: 15-8554)



Nishioka, D.; Murayama, Y., "The Influence of User Attribute onto the Factors of Anshin for Online Shopping Users," in System Sciences (HICSS), 2015 48th Hawaii International Conference on, pp. 382-391, 5-8 Jan. 2015. doi: 10.1109/HICSS.2015.53

Abstract: In this research, we investigate users' subjective sense of security, which we call Anshin in Japanese. The research goal is to create a guideline of Anshin in information security for users. In this paper, we report how the user security knowledge level could influence the factors of Anshin for online shopping users. Traditional studies on security are based on the assumption that users would feel the sense of security with objectively secure systems. We conducted a Web survey using questionnaire with 920 subjects. In this paper, we report how the user attributes (age, sex, knowledge, experience) influence the factors of An shin for online shopping users. As a result, we showed that woman and low experience level group feel An shin when provided with secure systems and services. Moreover, we showed that other group does not feel An shin when provided with secure systems and services.

Keywords: Internet; human factors; retail data processing; security of data; Anshin; Japanese language; Web survey; information security; low-experience level group; online shopping users; secure services; secure systems; user age; user attributes; user experience; user knowledge; user security knowledge level; user sex; user subjective sense-of-security; woman group; Companies; Information security; Information technology; Psychology; Usability; Anshin; Factor analysis; Questionnaire; Trust (ID#: 15-8555)



Bhargava, M.; Sheikh, K.; Mai, K., "Robust True Random Number Generator Using Hot-Carrier Injection Balanced Metastable Sense Amplifiers," in Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on, pp. 7-13, 5-7 May 2015. doi: 10.1109/HST.2015.7140228

Abstract: Hardware true random number generators are an essential functional block in many secure systems. Current designs that use bi-stable elements balanced in the metastable region are capable of both high randomness and high bitrate. However, these designs require extensive support circuits to maintain balance in the metastable region, complex built-in self test loops to configure the support circuits, and suffer from sensitivity to environmental conditions. We propose a true random number generator design based around sense amplifier circuits that are balanced in the metastable region using hot carrier injection, rather than complex support circuits. Further, we show an architecture that maintains high entropy output across a range of ± 20% voltage variation. Experimental results from a prototype design in a 65nm bulk CMOS process demonstrate the efficacy of the proposed TRNG architecture, which passes all NIST tests.

Keywords: CMOS integrated circuits; amplifiers; built-in self test; entropy; hot carriers; integrated circuit design; integrated circuit testing; random number generation; NIST tests; TRNG architecture; bi-stable elements; built-in self test loops; bulk CMOS process; entropy output; environmental conditions; functional block; hardware true random number generators; hot carrier injection; metastable region; metastable sense amplifiers; robust true random number generator design; secure systems; sense amplifier circuits; size 65 nm; support circuits; voltage variation; Entropy; Generators; Hardware; Hot carrier injection; Human computer interaction; MOSFET; Stress (ID#: 15-8556)



Ferreira, Ana; Lenzini, Gabriele, "An Analysis of Social Engineering Principles in Effective Phishing," in Socio-Technical Aspects in Security and Trust (STAST), 2015 Workshop on, pp. 9-16, 13-13 July 2015

doi: 10.1109/STAST.2015.10

Abstract: Phishing is a widespread practice and a lucrative business. It is invasive and hard to stop: a company needs to worry about all emails that all employees receive, while an attacker only needs to have a response from a key person, e.g., a finance or human resources' responsible, to cause a lot of damages. Some research has looked into what elements make phishing so successful. Many of these elements recall strategies that have been studied as principles of persuasion, scams and social engineering. This paper identifies, from the literature, the elements which reflect the effectiveness of phishing, and manually quantifies them within a phishing email sample. Most elements recognised as more effective in phishing commonly use persuasion principles such as authority and distraction. This insight could lead to better automate the identification of phishing emails and devise more appropriate countermeasures against them.

Keywords: Decision making; Electronic mail; Internet; Psychology; Security; Social network services; classification; phishing emails; principles of persuasion; social engineering (ID#: 15-8557)



Martinelli, F.; Santini, F.; Yautsiukhin, A., "Network Security Supported by Arguments," in Privacy, Security and Trust (PST), 2015 13th Annual Conference on, pp. 165-172, 21-23 July 2015. doi: 10.1109/PST.2015.7232969

Abstract: Argumentation has been proved as a simple yet powerful approach to manage conflicts in reasoning with the purpose to find subsets of “surviving” arguments. Our intent is to exploit such form of resolution to support the administration of security in complex systems, e.g., in case threat countermeasures are in conflict with non-functional requirements. The proposed formalisation is able to find the required security controls and explicitly provide arguments supporting this selection. Therefore, an explanation automatically comes as part of the suggested solution, facilitating human comprehension.

Keywords: graph theory; inference mechanisms; network theory (graphs) ;security of data; AAF; abstract argumentation framework; network security; reasoning conflict management; Internet; Network topology; Quality of service; Security; Semantics; Topology; Virtual private networks}, (ID#: 15-8558)



Yanli Pei; Shan Wang; Jing Fan; Min Zhang, "An Empirical Study on the Impact of Perceived Benefit, Risk and Trust on E-Payment Adoption: Comparing Quick Pay and Union Pay in China," in Intelligent Human-Machine Systems and Cybernetics (IHMSC), 2015 7th International Conference on, vol. 2, pp. 198-202, 26-27 Aug. 2015. doi: 10.1109/IHMSC.2015.148

Abstract: To explain the adoption of two online payment tools (Quick Pay, Union Pay Online), we use TAM and Trust Theories to extend the Valence Framework. Then we designed a questionnaire in accordance with the proposed model. With the data collected, we have discovered that perceived benefit and trust are the key factors determining users' adoption of e-payment tools, and users pay much less attention to perceived risk. Using the validated and modified model, we explained the adoption of the mentioned two e-payment tools. Quick Pay is more popular than Union Pay because Quick Pay has better performance in ease access, usability, reputation and secure protection.

Keywords: electronic commerce; human factors; risk management; trusted computing; China; Quick Pay; TAM; UnionPay Online; perceived benefit; perceived risk; trust theories; user e-payment tool adoption; valence framework; Context; Instruments; Online banking; Privacy; Security; Uncertainty; Usability; Adoption; E-payment; Perceived Benefit; Perceived Risk; Trust (ID#: 15-8559)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications.