Visible to the public Biblio

Filters: Keyword is Guidelines  [Clear All Filters]
2021-07-07
Seneviratne, Piyumi, Perera, Dilanka, Samarasekara, Harinda, Keppitiyagama, Chamath, Thilakarathna, Kenneth, De Soyza, Kasun, Wijesekara, Primal.  2020.  Impact of Video Surveillance Systems on ATM PIN Security. 2020 20th International Conference on Advances in ICT for Emerging Regions (ICTer). :59–64.
ATM transactions are verified using two-factor authentication. The PIN is one of the factors (something you know) and the ATM Card is the other factor (something you have). Therefore, banks make significant investments on PIN Mailers and HSMs to preserve the security and confidentiality in the generation, validation, management and the delivery of the PIN to their customers. Moreover, banks install surveillance cameras inside ATM cubicles as a physical security measure to prevent fraud and theft. However, in some cases, ATM PIN-Pad and the PIN entering process get revealed through the surveillance camera footage itself. We demonstrate that visibility of forearm movements is sufficient to infer PINs with a significant level of accuracy. Video footage of the PIN entry process simulated in an experimental setup was analyzed using two approaches. The human observer-based approach shows that a PIN can be guessed with a 30% of accuracy within 3 attempts whilst the computer-assisted analysis of footage gave an accuracy of 50%. The results confirm that ad-hoc installation of surveillance cameras can weaken ATM PIN security significantly by potentially exposing one factor of a two-factor authentication system. Our investigation also revealed that there are no guidelines, standards or regulations governing the placement of surveillance cameras inside ATM cubicles in Sri Lanka.
2021-05-25
Sabillon, Regner, Serra-Ruiz, Jordi, Cavaller, Victor, Cano, Jeimy.  2017.  A Comprehensive Cybersecurity Audit Model to Improve Cybersecurity Assurance: The CyberSecurity Audit Model (CSAM). 2017 International Conference on Information Systems and Computer Science (INCISCOS). :253—259.

Nowadays, private corporations and public institutions are dealing with constant and sophisticated cyberthreats and cyberattacks. As a general warning, organizations must build and develop a cybersecurity culture and awareness in order to defend against cybercriminals. Information Technology (IT) and Information Security (InfoSec) audits that were efficient in the past, are trying to converge into cybersecurity audits to address cyber threats, cyber risks and cyberattacks that evolve in an aggressive cyber landscape. However, the increase in number and complexity of cyberattacks and the convoluted cyberthreat landscape is challenging the running cybersecurity audit models and putting in evidence the critical need for a new cybersecurity audit model. This article reviews the best practices and methodologies of global leaders in the cybersecurity assurance and audit arena. By means of the analysis of the current approaches and theoretical background, their real scope, strengths and weaknesses are highlighted looking forward a most efficient and cohesive synthesis. As a resut, this article presents an original and comprehensive cybersecurity audit model as a proposal to be utilized for conducting cybersecurity audits in organizations and Nation States. The CyberSecurity Audit Model (CSAM) evaluates and validates audit, preventive, forensic and detective controls for all organizational functional areas. CSAM has been tested, implemented and validated along with the Cybersecurity Awareness TRAining Model (CATRAM) in a Canadian higher education institution. A research case study is being conducted to validate both models and the findings will be published accordingly.

Raj, Rajendra K., Ekstrom, Joseph J., Impagliazzo, John, Lingafelt, Steven, Parrish, Allen, Reif, Harry, Sobiesk, Ed.  2017.  Perspectives on the future of cybersecurity education. 2017 IEEE Frontiers in Education Conference (FIE). :1—2.
As the worldwide demand for cybersecurity-trained professionals continues to grow, the need to understand and define what cybersecurity education really means at the college or university level. Given the relative infancy of these efforts to define undergraduate cybersecurity programs, the panelists will present different perspectives on how such programs can be structured. They will then engage with the audience to explore additional viewpoints on cybersecurity, and work toward a shared understanding of undergraduate cybersecurity programs.
2021-04-27
Samuel, J., Aalab, K., Jaskolka, J..  2020.  Evaluating the Soundness of Security Metrics from Vulnerability Scoring Frameworks. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :442—449.

Over the years, a number of vulnerability scoring frameworks have been proposed to characterize the severity of known vulnerabilities in software-dependent systems. These frameworks provide security metrics to support decision-making in system development and security evaluation and assurance activities. When used in this context, it is imperative that these security metrics be sound, meaning that they can be consistently measured in a reproducible, objective, and unbiased fashion while providing contextually relevant, actionable information for decision makers. In this paper, we evaluate the soundness of the security metrics obtained via several vulnerability scoring frameworks. The evaluation is based on the Method for DesigningSound Security Metrics (MDSSM). We also present several recommendations to improve vulnerability scoring frameworks to yield more sound security metrics to support the development of secure software-dependent systems.

2021-04-08
Walia, K. S., Shenoy, S., Cheng, Y..  2020.  An Empirical Analysis on the Usability and Security of Passwords. 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI). :1–8.
Security and usability are two essential aspects of a system, but they usually move in opposite directions. Sometimes, to achieve security, usability has to be compromised, and vice versa. Password-based authentication systems require both security and usability. However, to increase password security, absurd rules are introduced, which often drive users to compromise the usability of their passwords. Users tend to forget complex passwords and use techniques such as writing them down, reusing them, and storing them in vulnerable ways. Enhancing the strength while maintaining the usability of a password has become one of the biggest challenges for users and security experts. In this paper, we define the pronounceability of a password as a means to measure how easy it is to memorize - an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether the usergenerated passwords are secure. Moreover, we convert the usergenerated passwords into phonemes and measure the pronounceability of the phoneme-based representations. We then establish a relationship between the two and suggest how password creation strategies can be adapted to better align with both security and usability.
2021-03-29
Anell, S., Gröber, L., Krombholz, K..  2020.  End User and Expert Perceptions of Threats and Potential Countermeasures. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS PW). :230—239.

Experts often design security and privacy technology with specific use cases and threat models in mind. In practice however, end users are not aware of these threats and potential countermeasures. Furthermore, mis-conceptions about the benefits and limitations of security and privacy technology inhibit large-scale adoption by end users. In this paper, we address this challenge and contribute a qualitative study on end users' and security experts' perceptions of threat models and potential countermeasures. We follow an inductive research approach to explore perceptions and mental models of both security experts and end users. We conducted semi-structured interviews with 8 security experts and 13 end users. Our results suggest that in contrast to security experts, end users neglect acquaintances and friends as attackers in their threat models. Our findings highlight that experts value technical countermeasures whereas end users try to implement trust-based defensive methods.

2021-02-01
Wickramasinghe, C. S., Marino, D. L., Grandio, J., Manic, M..  2020.  Trustworthy AI Development Guidelines for Human System Interaction. 2020 13th International Conference on Human System Interaction (HSI). :130–136.
Artificial Intelligence (AI) is influencing almost all areas of human life. Even though these AI-based systems frequently provide state-of-the-art performance, humans still hesitate to develop, deploy, and use AI systems. The main reason for this is the lack of trust in AI systems caused by the deficiency of transparency of existing AI systems. As a solution, “Trustworthy AI” research area merged with the goal of defining guidelines and frameworks for improving user trust in AI systems, allowing humans to use them without fear. While trust in AI is an active area of research, very little work exists where the focus is to build human trust to improve the interactions between human and AI systems. In this paper, we provide a concise survey on concepts of trustworthy AI. Further, we present trustworthy AI development guidelines for improving the user trust to enhance the interactions between AI systems and humans, that happen during the AI system life cycle.
2021-01-11
Kim, Y.-K., Lee, J. J., Go, M.-H., Lee, K..  2020.  Analysis of the Asymmetrical Relationships between State Actors and APT Threat Groups. 2020 International Conference on Information and Communication Technology Convergence (ICTC). :695–700.
During the Cold War era, countries with asymmetrical relationships often demonstrated how lower-tier nation states required the alliance and support from top-tier nation states. This statement no longer stands true as country such as North Korea has exploited global financial institutions through various malware such as WANNACRY V0, V1, V2, evtsys.exe, and BRAMBUL WORM. Top tier nation states such as the U.S. are unable to use diplomatic clout or to retaliate against the deferrer. Our study examined the affidavit filed against the North Korean hacker, Park Jin Hyok, which was provided by the FBI. Our paper focuses on the operations and campaigns that were carried out by the Lazarus Group by focusing on the key factors of the infrastructure and artifacts. Due to the nature of the cyber deterrence, deterrence in the cyber realm is far complex than the nuclear deterrence. We focused on the Sony Picture Entertainment’s incident for our study. In this study, we discuss how cyber deterrence can be employed when different nation states share an asymmetrical relationship. Furthermore, we focus on contestability and attribution that is a key factor that makes cyber deterrence difficult.
2020-12-28
Lee, H., Cho, S., Seong, J., Lee, S., Lee, W..  2020.  De-identification and Privacy Issues on Bigdata Transformation. 2020 IEEE International Conference on Big Data and Smart Computing (BigComp). :514—519.

As the number of data in various industries and government sectors is growing exponentially, the `7V' concept of big data aims to create a new value by indiscriminately collecting and analyzing information from various fields. At the same time as the ecosystem of the ICT industry arrives, big data utilization is treatened by the privacy attacks such as infringement due to the large amount of data. To manage and sustain the controllable privacy level, there need some recommended de-identification techniques. This paper exploits those de-identification processes and three types of commonly used privacy models. Furthermore, this paper presents use cases which can be adopted those kinds of technologies and future development directions.

2020-12-01
Craggs, B., Rashid, A..  2019.  Trust Beyond Computation Alone: Human Aspects of Trust in Blockchain Technologies. 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS). :21—30.

Blockchains - with their inherent properties of transaction transparency, distributed consensus, immutability and cryptographic verifiability - are increasingly seen as a means to underpin innovative products and services in a range of sectors from finance through to energy and healthcare. Discussions, too often, make assertions that the trustless nature of blockchain technologies enables and actively promotes their suitability - there being no need to trust third parties or centralised control. Yet humans need to be able to trust systems, and others with whom the system enables transactions. In this paper, we highlight that understanding this need for trust is critical for the development of blockchain-based systems. Through an online study with 125 users of the most well-known of blockchain based systems - the cryptocurrency Bitcoin - we uncover that human and institutional aspects of trust are pervasive. Our analysis highlights that, when designing future blockchain-based technologies, we ought to not only consider computational trust but also the wider eco-system, how trust plays a part in users engaging/disengaging with such eco-systems and where design choices impact upon trust. From this, we distill a set of guidelines for software engineers developing blockchain-based systems for societal applications.

2020-11-17
Nasim, I., Kim, S..  2019.  Human EMF Exposure in Wearable Networks for Internet of Battlefield Things. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). :1—6.

Numerous antenna design approaches for wearable applications have been investigated in the literature. As on-body wearable communications become more ingrained in our daily activities, the necessity to investigate the impacts of these networks burgeons as a major requirement. In this study, we investigate the human electromagnetic field (EMF) exposure effect from on-body wearable devices at 2.4 GHz and 60 GHz, and compare the results to illustrate how the technology evolution to higher frequencies from wearable communications can impact our health. Our results suggest the average specific absorption rate (SAR) at 60 GHz can exceed the regulatory guidelines within a certain separation distance between a wearable device and the human skin surface. To the best of authors' knowledge, this is the first work that explicitly compares the human EMF exposure at different operating frequencies for on-body wearable communications, which provides a direct roadmap in design of wearable devices to be deployed in the Internet of Battlefield Things (IoBT).

2020-11-04
Stange, M., Tang, C., Tucker, C., Servine, C., Geissler, M..  2019.  Cybersecurity Associate Degree Program Curriculum. 2019 IEEE International Symposium on Technologies for Homeland Security (HST). :1—5.

The spotlight is on cybersecurity education programs to develop a qualified cybersecurity workforce to meet the demand of the professional field. The ACM CCECC (Committee for Computing Education in Community Colleges) is leading the creation of a set of guidelines for associate degree cybersecurity programs called Cyber2yr, formerly known as CSEC2Y. A task force of community college educators have created a student competency focused curriculum that will serve as a global cybersecurity guide for applied (AAS) and transfer (AS) degree programs to develop a knowledgeable and capable associate level cybersecurity workforce. Based on the importance of the Cyber2yr work; ABET a nonprofit, non-governmental agency that accredits computing programs has created accreditation criteria for two-year cybersecurity programs.

2020-10-12
Eckhart, Matthias, Ekelhart, Andreas, Lüder, Arndt, Biffl, Stefan, Weippl, Edgar.  2019.  Security Development Lifecycle for Cyber-Physical Production Systems. IECON 2019 - 45th Annual Conference of the IEEE Industrial Electronics Society. 1:3004–3011.

As the connectivity within manufacturing processes increases in light of Industry 4.0, information security becomes a pressing issue for product suppliers, systems integrators, and asset owners. Reaching new heights in digitizing the manufacturing industry also provides more targets for cyber attacks, hence, cyber-physical production systems (CPPSs) must be adequately secured to prevent malicious acts. To achieve a sufficient level of security, proper defense mechanisms must be integrated already early on in the systems' lifecycle and not just eventually in the operation phase. Although standardization efforts exist with the objective of guiding involved stakeholders toward the establishment of a holistic industrial security concept (e.g., IEC 62443), a dedicated security development lifecycle for systems integrators is missing. This represents a major challenge for engineers who lack sufficient information security knowledge, as they may not be able to identify security-related activities that can be performed along the production systems engineering (PSE) process. In this paper, we propose a novel methodology named Security Development Lifecycle for Cyber-Physical Production Systems (SDL-CPPS) that aims to foster security by design for CPPSs, i.e., the engineering of smart production systems with security in mind. More specifically, we derive security-related activities based on (i) security standards and guidelines, and (ii) relevant literature, leading to a security-improved PSE process that can be implemented by systems integrators. Furthermore, this paper informs domain experts on how they can conduct these security-enhancing activities and provides pointers to relevant works that may fill the potential knowledge gap. Finally, we review the proposed approach by means of discussions in a workshop setting with technical managers of an Austrian-based systems integrator to identify barriers to adopting the SDL-CPPS.

2020-08-24
Torkura, Kennedy A., Sukmana, Muhammad I.H., Cheng, Feng, Meinel, Christoph.  2019.  SlingShot - Automated Threat Detection and Incident Response in Multi Cloud Storage Systems. 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA). :1–5.
Cyber-attacks against cloud storage infrastructure e.g. Amazon S3 and Google Cloud Storage, have increased in recent years. One reason for this development is the rising adoption of cloud storage for various purposes. Robust counter-measures are therefore required to tackle these attacks especially as traditional techniques are not appropriate for the evolving attacks. We propose a two-pronged approach to address these challenges in this paper. The first approach involves dynamic snapshotting and recovery strategies to detect and partially neutralize security events. The second approach builds on the initial step by automatically correlating the generated alerts with cloud event log, to extract actionable intelligence for incident response. Thus, malicious activities are investigated, identified and eliminated. This approach is implemented in SlingShot, a cloud threat detection and incident response system which extends our earlier work - CSBAuditor, which implements the first step. The proposed techniques work together in near real time to mitigate the aforementioned security issues on Amazon Web Services (AWS) and Google Cloud Platform (GCP). We evaluated our techniques using real cloud attacks implemented with static and dynamic methods. The average Mean Time to Detect is 30 seconds for both providers, while the Mean Time to Respond is 25 minutes and 90 minutes for AWS and GCP respectively. Thus, our proposal effectively tackles contemporary cloud attacks.
2020-07-30
Jiang, Tao, Hu, Shuijing.  2019.  Intellectual Property Protection for AI-Related Inventions in Japan. 2019 International Conference on Virtual Reality and Intelligent Systems (ICVRIS). :286—289.
To increase the possibility of patent entitled of artificial intelligence related inventions at the Japanese patent office, this paper analyzes the Japanese patent act and patent examination guidelines. The approach for assessing whether a computer related invention belongs to a eligible subject-matter includes two steps. The first step is whether a computer related invention meets the definition of an "invention" that is "creation of a technical idea utilizing the laws of nature" . The second step is whether a computer related invention meets "idea based on the standpoint of software" . From the perspective of patent analysis, Japan's artificial intelligence technology is leading the world, second only to the United States. In this field, the Japanese patent office is one of the most important intellectual property offices, and its legislation and practice of patent eligibility review for artificial intelligence related inventions have an important impact on the world.
2020-05-04
Chaisuriya, Sarayut, Keretho, Somnuk, Sanguanpong, Surasak, Praneetpolgrang, Prasong.  2018.  A Security Architecture Framework for Critical Infrastructure with Ring-based Nested Network Zones. 2018 10th International Conference on Knowledge and Smart Technology (KST). :248–253.
The defense-in-depth approach has been widely recommended for designing critical information infrastructure, however, the lack of holistic design guidelines makes it difficult for many organizations to adopt the concept. Therefore, this paper proposes a holistic architectural framework and guidelines based on ring-based nested network zones for designing such highly secured information systems. This novel security architectural framework and guidelines offer the overall structural design and implementation options for holistically designing the N-tier/shared nothing system architectures. The implementation options, e.g. for the zone's perimeters, are recommended to achieve different capability levels of security or to trade off among different required security attributes. This framework enables the adaptive capability suitable for different real-world contexts. This paper also proposes an attack-hops verification approach as a tool to evaluate the architectural design.
2020-01-21
Rana, Rima, Zaeem, Razieh Nokhbeh, Barber, K. Suzanne.  2019.  An Assessment of Blockchain Identity Solutions: Minimizing Risk and Liability of Authentication. 2019 IEEE/WIC/ACM International Conference on Web Intelligence (WI). :26–33.
Personally Identifiable Information (PII) is often used to perform authentication and acts as a gateway to personal and organizational information. One weak link in the architecture of identity management services is sufficient to cause exposure and risk identity. Recently, we have witnessed a shift in identity management solutions with the growth of blockchain. Blockchain-the decentralized ledger system-provides a unique answer addressing security and privacy with its embedded immutability. In a blockchain-based identity solution, the user is given the control of his/her identity by storing personal information on his/her device and having the choice of identity verification document used later to create blockchain attestations. Yet, the blockchain technology alone is not enough to produce a better identity solution. The user cannot make informed decisions as to which identity verification document to choose if he/she is not presented with tangible guidelines. In the absence of scientifically created practical guidelines, these solutions and the choices they offer may become overwhelming and even defeat the purpose of providing a more secure identity solution.We analyze different PII options given to users for authentication on current blockchain-based solutions. Based on our Identity Ecosystem model, we evaluate these options and their risk and liability of exposure. Powered by real world data of about 6,000 identity theft and fraud stories, our model recommends some authentication choices and discourages others. Our work paves the way for a truly effective identity solution based on blockchain by helping users make informed decisions and motivating blockchain identity solution providers to introduce better options to their users.
2019-10-22
Hagan, Matthew, Siddiqui, Fahad, Sezer, Sakir.  2018.  Policy-Based Security Modelling and Enforcement Approach for Emerging Embedded Architectures. 2018 31st IEEE International System-on-Chip Conference (SOCC). :84–89.
Complex embedded systems often contain hard to find vulnerabilities which, when exploited, have potential to cause severe damage to the operating environment and the user. Given that threats and vulnerabilities can exist within any layer of the complex eco-system, OEMs face a major challenge to ensure security throughout the device life-cycle To lower the potential risk and damage that vulnerabilities may cause, OEMs typically perform application threat analysis and security modelling. This process typically provides a high level guideline to solving security problems which can then be implemented during design and development. However, this concept presents issues where new threats or unknown vulnerability has been discovered. To address this issue, we propose a policy-based security modelling approach, which utilises a configurable policy engine to apply new policies that counter serious threats. By utilising this approach, the traditional security modelling approaches can be enhanced and the consequences of a new threat greatly reduced. We present a realistic use case of connected car, applying several attack scenarios. By utilising STRIDE threat modelling and DREAD risk assessment model, adequate policies are derived to protect the car assets. This approach poses advantages over the standard approach, allowing a policy update to counter a new threat, which may have otherwise required a product redesign to alleviate the issue under the traditional approach.
2019-03-28
Stavrou, E..  2018.  Enhancing Cyber Situational Awareness: A New Perspective of Password Auditing Tools. 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). :1-4.

Password auditing can enhance the cyber situational awareness of defenders, e.g. cyber security/IT professionals, with regards to the strength of text-based authentication mechanisms utilized in an organization. Auditing results can proactively indicate if weak passwords exist in an organization, decreasing the risks of compromisation. Password cracking is a typical and time-consuming way to perform password auditing. Given that defenders perform password auditing within a specific evaluation timeframe, the cracking process needs to be optimized to yield useful results. Existing password cracking tools do not provide holistic features to optimize the process. Therefore, the need arises to build new password auditing toolkits to assist defenders to achieve their task in an effective and efficient way. Moreover, to maximize the benefits of password auditing, a security policy should be utilized. Currently the efforts focus on the specification of password security policies, providing rules on how to construct passwords. This work proposes the functionality that should be supported by next-generation password auditing toolkits and provides guidelines to drive the specification of a relevant password auditing policy.

2018-05-09
Acar, Y., Backes, M., Fahl, S., Garfinkel, S., Kim, D., Mazurek, M. L., Stransky, C..  2017.  Comparing the Usability of Cryptographic APIs. 2017 IEEE Symposium on Security and Privacy (SP). :154–171.
Potentially dangerous cryptography errors are well-documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programming Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic libraries that they claim are more usable, however, none of these libraries have been empirically evaluated for their ability to promote more secure development. This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries. We conducted a controlled experiment in which 256 Python developers recruited from GitHub attempt common tasks involving symmetric and asymmetric cryptography using one of five different APIs. We examine their resulting code for functional correctness and security, and compare their results to their self-reported sentiment about their assigned library. Our results suggest that while APIs designed for simplicity can provide security benefits - reducing the decision space, as expected, prevents choice of insecure parameters - simplicity is not enough. Poor documentation, missing code examples, and a lack of auxiliary features such as secure key storage, caused even participants assigned to simplified libraries to struggle with both basic functional correctness and security. Surprisingly, the availability of comprehensive documentation and easy-to-use code examples seems to compensate for more complicated APIs in terms of functionally correct results and participant reactions, however, this did not extend to security results. We find it particularly concerning that for about 20% of functionally correct tasks, across libraries, participants believed their code was secure when it was not. Our results suggest that while ne- cryptographic libraries that want to promote effective security should offer a simple, convenient interface, this is not enough: they should also, and perhaps more importantly, ensure support for a broad range of common tasks and provide accessible documentation with secure, easy-to-use code examples.
2018-02-21
Tien, C. W., Huang, T. Y., Huang, T. C., Chung, W. H., Kuo, S. Y..  2017.  MAS: Mobile-Apps Assessment and Analysis System. 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). :145–148.

Mobile apps are widely adopted in daily life, and contain increasing security flaws. Many regulatory agencies and organizations have announced security guidelines for app development. However, most security guidelines involving technicality and compliance with this requirement is not easily feasible. Thus, we propose Mobile Apps Assessment and Analysis System (MAS), an automatic security validation system to improve guideline compliance. MAS combines static and dynamic analysis techniques, which can be used to verify whether android apps meet the security guideline requirements. We implemented MAS in practice and verified 143 real-world apps produced by the Taiwan government. Besides, we also validated 15,000 popular apps collected from Google Play Store produced in three countries. We found that most apps contain at least three security issues. Finally, we summarize the results and list the most common security flaws for consideration in further app development.

2018-02-06
Detken, K. O., Jahnke, M., Rix, T., Rein, A..  2017.  Software-Design for Internal Security Checks with Dynamic Integrity Measurement (DIM). 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 1:367–373.

Most security software tools try to detect malicious components by cryptographic hashes, signatures or based on their behavior. The former, is a widely adopted approach based on Integrity Measurement Architecture (IMA) enabling appraisal and attestation of system components. The latter, however, may induce a very long time until misbehavior of a component leads to a successful detection. Another approach is a Dynamic Runtime Attestation (DRA) based on the comparison of binary code loaded in the memory and well-known references. Since DRA is a complex approach, involving multiple related components and often complex attestation strategies, a flexible and extensible architecture is needed. In a cooperation project an architecture was designed and a Proof of Concept (PoC) successfully developed and evaluated. To achieve needed flexibility and extensibility, the implementation facilitates central components providing attestation strategies (guidelines). These guidelines define and implement the necessary steps for all relevant attestation operations, i.e. measurement, reference generation and verification.

2018-01-16
Buriro, A., Akhtar, Z., Crispo, B., Gupta, S..  2017.  Mobile biometrics: Towards a comprehensive evaluation methodology. 2017 International Carnahan Conference on Security Technology (ICCST). :1–6.

Smartphones have become the pervasive personal computing platform. Recent years thus have witnessed exponential growth in research and development for secure and usable authentication schemes for smartphones. Several explicit (e.g., PIN-based) and/or implicit (e.g., biometrics-based) authentication methods have been designed and published in the literature. In fact, some of them have been embedded in commercial mobile products as well. However, the published studies report only the brighter side of the proposed scheme(s), e.g., higher accuracy attained by the proposed mechanism. While other associated operational issues, such as computational overhead, robustness to different environmental conditions/attacks, usability, are intentionally or unintentionally ignored. More specifically, most publicly available frameworks did not discuss or explore any other evaluation criterion, usability and environment-related measures except the accuracy under zero-effort. Thus, their baseline operations usually give a false sense of progress. This paper, therefore, presents some guidelines to researchers for designing, implementation, and evaluating smartphone user authentication methods for a positive impact on future technological developments.

2017-12-12
Saundry, A..  2017.  Institutional Repository Digital Object Metadata Enhancement and Re-Architecting. 2017 ACM/IEEE Joint Conference on Digital Libraries (JCDL). :1–3.

We present work undertaken at our institutional repository to enhance metadata and re-organize digital objects according to new information architecture, in an effort to minimize administrative object management and processing, and improve object discovery and use. This work was partly motivated by the launch of a new discovery platform at our institution, which aggregates metadata and full text from our four open access repositories into a cohesive, consistent, and enhanced searching and browsing experience. The platform provides digital object identifier (DOI) assignment, metadata access via various formats, and an open metadata and full text application program interface (API) for researchers, amongst other features. Functionality of these platform features relies heavily on accurate object representation and metadata. This work facilitates and improves the discovery and engagement of the diverse digital objects available from our institution, so they can be used and analyzed in new, flexible, and innovative ways by a myriad of communities and disciplines.

2017-11-20
Buthelezi, M. P., Poll, J. A. van der, Ochola, E. O..  2016.  Ambiguity as a Barrier to Information Security Policy Compliance: A Content Analysis. 2016 International Conference on Computational Science and Computational Intelligence (CSCI). :1360–1367.

Institutions use the information security (InfoSec) policy document as a set of rules and guidelines to govern the use of the institutional information resources. However, a common problem is that these policies are often not followed or complied with. This study explores the extent to which the problem lies with the policy documents themselves. The InfoSec policies are documented in the natural languages, which are prone to ambiguity and misinterpretation. Subsequently such policies may be ambiguous, thereby making it hard, if not impossible for users to comply with. A case study approach with a content analysis was conducted. The research explores the extent of the problem by using a case study of an educational institution in South Africa.