Abstract: Regulated industries, such as Healthcare and Finance, are starting to move parts of their data and workloads to the public cloud. However, they are still reluctant to trust the public cloud with their most sensitive records, and hence leave them in their premises, leveraging the hybrid cloud architecture. We address the security and performance challenges of big data analytics using a hybrid cloud in a real-life use case from a hospital. In this use case, the hospital collects sensitive patient data and wants to run analytics on it in order to lower antibiotics resistance, a significant challenge in healthcare. We show that it is possible to run large-scale analytics on data that is securely stored in the public cloud encrypted using Apache Parquet Modular Encryption (PME), without significant performance losses even if the secret encryption keys are stored on-premises. PME is a standard mechanism for data encryption and key management, not specific to any public cloud, and therefore helps prevent vendor lock-in. It also provides privacy and integrity guarantees, and enables granular access control to the data. We also present an innovation in PME for lowering the performance hit incurred by calls to the Key Management Service. Our solution therefore enables protecting large amounts of sensitive data in hybrid clouds and still allows to efficiently gain valuable insights from it.

• arxiv.org
  Visit

• No downloads available

Abstract: Cyber-physical systems and their smart components have a pervasive presence in all our daily activities. Unfortunately, identifying the potential threats and issues in these systems and selecting enough protection is challenging given that such environments combine human, physical and cyber aspects to the system design and implementation. Current threat models and analysis do not take into consideration all three aspects of the analyzed system, how they can introduce new vulnerabilities or protection measures to each other. In this work, we introduce a novel threat model for cyber-physical systems that combines the cyber, physical, and human aspects. Our model represents the system’s components relations and security properties by taking into consideration these three aspects. Together with the threat model we also propose a threat analysis method that allows understanding the security state of the system’s components. The threat model and the threat analysis have been implemented into an automatic tool, called TAMELESS, that automatically analyzes threats to the system, verifies its security properties, and generates a graphical representation, useful for security architects to identify the proper prevention/mitigation solutions. We show and prove the use of our threat model and analysis with three cases studies from different sectors.

• ieee.org
  Visit

• No downloads available

Abstract: The consumer IoT is now prevalent and creates an enormous amount of fine-grained, detailed information about consumers’ everyday actions, personalities, and preferences. Such detailed information brings new and unique privacy challenges. The consumers are not aware of devices that surround them. There is a lack of transparency and absence of support for consumers to control the collection and processing of their personal and sensitive data. This paper reports on a review of state-of-the-art on privacy protection in IoT, with respect to privacy enhancing technologies (PETs) and GDPR-specific privacy principles. Drawing on a thorough analysis of 36 full papers, we identify key privacy challenges in IoT that need to be addressed to provide consumers with transparency and control over their personal data. The privacy challenges we have identified are (1) the lack of technical expertise in privacy notice comprehension, (2) the lack of transparency and control of personal data, and (3) the lack of personalized privacy recommendations.

• scitepress.org
  Visit

• No downloads available

Abstract: A privacy notice is a document/notification that is addressed to consumers, describing how their personal information will be handled. While browsing the Internet, installing an app on smartphone, setting up a smart sensor or IoT devices in personal spaces, consumers are often asked to consent to privacy notices. Ideally, the consumer is expected to read and understand the notice and give an informed consent. These notices are often lengthy and complicated, containing legal-technical jargons and ambiguous statements describing commercial use of personal data. Most people reflexively choose “I consent”, unknowingly agreeing to unfair-deceptive practices. Given the ubiquity of IoT and thus ubiquity of (personal) data collection, the reliance on notice and consent is inappropriate. In this article, we present the challenges of the notice and consent paradigm, and explore the idea of privacy-assistive solutions to enhance consumer privacy awareness and control in IoT.

• sintef.no
  Visit

• No downloads available

Abstract: Technology adoption is often predicted based on little information such as the Perceived ease-of-use and the Perceived usefulness of the technology. Related constructs such as Attitude to use, Behavioral intention to use and External variables cannot be easily operationalised and so are often ignored. However, technology characteristics themselves fail to represent other factors such as potential adopter attitudes and how they react to the opportunities offered by the technology to meet their needs. In a series of three studies, qualitative methods were used to identify, validate and then exploit narrative themes. Based on the short narratives of potential adopters discussing their experiences with a set of cybersecurity tools, we are developing a small-story narrative framework to capture how they respond to the technology contextualised directly within their professional environment. Akin to concepts from adoption frameworks in healthcare intervention studies, we conclude that adopter’s personal response to a technology and how they make sense of it in their environment becomes evident in the narratives they create.

• springer.com
  Visit

• No downloads available

Abstract: The cybersecurity landscape is particularly challenging for SMEs. On the one hand, they must comply with regulation or face legal sanction. But on the other, they may not have the resource or expertise to ensure regulatory compliance, especially since this is not their core business. At the same time, it is also well-attested in the literature that individuals (human actors in the ecosystem) are often targeted for cyber attacks. So, SMEs must also consider their employees but also their clients as potential risks regarding cybersecurity. Finally, it is also known that SMEs working together as part of a single supply chain are reluctant to share cybersecurity status and information. Given all of these challenges, assuming SMEs recognise their responsibility for security, they may be overwhelmed in trying to meet all the associated requirements. There are tools to help support them, of course, assuming they are motivated to engage with such tooling. This paper looks at the following aspects of this overall situation. In a set of four studies, we assess private citizen understanding of cybersecurity and who they believe to be responsible. On that basis, we then consider their attitude to sharing data with service providers. Moving to SMEs, we provide a general overview of their response to the cybersecurity landscape. Finally, we ask four SMEs across different sectors how they respond to cybersecurity tooling. As well as providing an increased understanding of private citizen and SME attitudes to cybersecurity, we conclude that SMEs need not be overwhelmed by their responsibilities. On the contrary, they can take the opportunity to innovate based on their experience with cybersecurity tools.

• springer.com
  Visit

• No downloads available

Abstract: Humans are the weak link in cybersecurity, hence, this paper considers the human factor in cybersecurity and how the customer journey approach can be used to increase cybersecurity awareness. The Customer Journey Modelling Language (CJML) is used to document and visualise a service process. We expand the CJML formalism to encompass cybersecurity and develop an easy-to-use web application as a supporting tool for training and awareness. We present the results from the usability test with ten persons in the target group and report on usability and feasibility. All participants managed to finish the test, and most participants indicated that the tool was easy to use. By using the tool, non-expert users can make user journey diagrams showing basic conformance in a short time without professional training. For the threat diagram, half of the users achieved full conformance. In conclusion, the tool can serve as low-threshold cybersecurity awareness training for SME employees. We discuss the limitations and validity of the results and future work to improve the tool’s usability.

• unit.no
  Visit

• No downloads available

Abstract: As digital information has come to underpin the majority of modern systems in almost all domains (e.g. business, finance, government, education, health, third sector), increasingly sophisticated cybersecurity attacks have become an unavoidable reality of modern life. In the face of this, regulation and best practice are increasing moving from simplistic security control tick-lists towards risk management frameworks (such as recommended in the EU’s GDPR and NIS directive and described in standards such as ISO 27005). Consequently, it is highly relevant for students, practitioners, and researchers alike to understand risk management, systems modelling, attack paths, and human interactions and risks in order to understand the central value and importance of cybersecurity risk management in supporting trustworthiness in information systems. As part of the H2020 CyberKit4SME project, this interactive, hands-on tutorial will explore state-of-the-art approaches to trustworthy cybersecurity risk management that is able to effectively and sufficiently account for the risks that humans introduce into any information system [1]. After establishing the basic concepts around cybersecurity, trustworthiness, system modelling, risk management and socio-technical theory, an exploration of the importance and role of visualised attack paths in providing easily understood risks, thereby ensuring intelligent risk management tools do not become ‘black boxes’ to their users, will be undertaken. Alongside this, how attack paths help support human decision-making by pinpointing the most effective risk mitigation strategies will be investigated. In addition, the tutorial will explore human interaction flows and how they can combine with attack paths to empower comprehensive cybersecurity risk assessments and help guide holistic mitigations. In the final part of the tutorial, there will be an opportunity to get practical experience of modelling an information system and identifying and mitigating the cybersecurity risks to it using two tools: the System Security Modeller [2, 3] (University of Southampton) and the Human and Organisational Risk Modelling framework (SINTEF) which is derived from the Customer Journey Modelling Language [4, 5] (CJML).

• sintef.no
  Visit

• No downloads available

Abstract: During the grid planning process, electric power grid companies evaluate different options for the long-term grid development to address the expected future demands. The options can be passive measures, e.g., traditional reinforcement or building new lines, or active measures, e.g., support from ICT-solutions during operation to increase the power transfer capability. The ongoing digitalization of the electric power grid inevitably push the grid companies to assess potential cyber risks as part of the grid planning process. This applies especially for active measures which to a greater extent rely on support from ICT-solutions to operate the system closer to its limits. However, current grid planning approaches do not adequately provide the support needed in practice, and the industry is struggling to adopt and execute cyber-risk assessments. The contribution of this paper is threefold. First, we interview six companies from the energy sector, and based on the interviews we identify seven success criteria that cyber-risk assessment methods for the electric power sector need to fulfil to provide adequate support. Second, we present four risk assessment methods and evaluate the extent to which they fulfil the identified success criteria. Third, we address the specific need for approaches that are easy to use and comprehend, especially for grid planning purposes, and propose a low-threshold approach to support high-level cyber-risk assessment in an electric power grid planning process. Based on our findings, we provide lessons learned in terms of gaps that need to be addressed to improve cyber-risk assessment in the context of smart grids.

• doi.org
  Visit

• No downloads available

Abstract: Small and Medium Enterprises (SMEs) are increasingly exposed to cyber risks. Some of the main reasons include budget constraints, the employees’ lack of cybersecurity awareness, cross-sectoral cyber risks, lack of security practices at organizational level, and so on. To equip SMEs with appropriate tools and guidelines that help mitigate their exposure to cyber risk, we must better understand the SMEs’ context and their needs. Thus, the contribution of this paper is a survey based on responses collected from 141 SMEs based in the UK, where the objective is to obtain information to better understand their level of cybersecurity awareness and practices they apply to protect against cyber risks. Our results indicate that although SMEs do apply some basic cybersecurity measures to mitigate cyber risks, there is a general lack of cybersecurity awareness and lack of processes and tools to improve cybersecurity practices. Our findings provide to the cybersecurity community a better understa nding of the SME context in terms of cybersecurity awareness and cybersecurity practices, and may be used as a foundation to further develop appropriate tools and processes to strengthen the cybersecurity of SMEs.

• doi.org
  Visit

• No downloads available

Abstract: Improving security posture while addressing human errors made by employees are among the most challenging tasks for SMEs concerning cybersecurity risk management. To facilitate these measures, a domain-specific modelling tool for visualising cybersecurity-related user journeys, called the HORM Diagramming Tool (HORM-DT), is introduced. By visualising SMEs’ cybersecurity practices, HORM-DT aims to raise their cybersecurity awareness by highlighting the related gaps, thereby ultimately informing new or updated cyber-risk strategies. HORM-DT’s target group consists of SMEs’ employees with various areas of technical expertise and different backgrounds. The tool was developed as part of the Human and Organisational Risk Modelling (HORM) framework, and the underlying formalism is based on the Customer Journey Modelling Language (CJML) as extended by elements of the CORAS language to cover cybersecurity-related user journeys. HORM-DT is a fork of the open-source Diagrams.net software, which was modified to facilitate the creation of cybersecurity-related diagrams. To evaluate the tool, a usability study following a within-subject design was conducted with 29 participants. HORM-DT achieved a satisfactory system usability scale score of 80.69, and no statistically significant differences were found between participants with diverse diagramming tool experience. The tool’s usability was also praised by participants, although there were negative comments regarding its functionality of connecting elements with lines.

• doi.org
  Visit

• No downloads available

Abstract: The Tor browser is a popular tool that is used by many users around the world. The browser is common among cyber criminals who use the tool to hide their activities. Until now, little research has been conducted by forensics researchers on the Tor browser, its application, and the data that can be obtained from the artefacts generated from its execution. In this work, we present a forensics analysis of the footprint left by the Tor application in the Windows environment. Our analysis focuses on three critical areas that are examined: network, memory, and hard disk. We provide a methodology that allows a structured forensic investigation. In this work, we examine multiple tools’ abilities in obtaining artefacts. The artefacts were identified not only when the Tor browser was running, but also when it was closed and uninstalled. We provide a methodology to analyse Tor applications with a focused case study of the Tor browser, allowing investigators to analyse Tor browsers and reproduce our results.

• acm.org
  Visit

• No downloads available

Abstract: We present a first-of-a-kind end-to-end framework for running privacy risk assessments of AI models that enables assessing models from multiple ML frameworks, using a variety of low-level privacy attacks and metrics. The tool automatically selects which attacks and metrics to run based on answers to questions, runs the attacks, summarizes and visualizes the results in an easy-to-consume manner.

• acm.org
  Visit

• No downloads available

Abstract: We are currently seeing an increase in the use of voice assistants which are used for various purposes. These assistants have a wide range of inbuilt functionalities with the possibility of installing third-party applications. In this work, we will focus on analyzing and identifying vulnerabilities that are introduced by these third-party applications. In particular, we will build third-party applications (called Skills) for Alexa, the voice assistant developed by Amazon. We will analyze existing exploits, identify accessible data and propose an adversarial framework that deceives users into disclosing private information. For this purpose, we developed four different malicious Skills that harvest different pieces of private information from users. We perform a usability analysis on the Skills and feasibility analysis on the publishing pipeline for one of the Skills.

• cyberkit4sme.eu
  Visit
• ac.uk
  Visit

• No downloads available

Abstract: Small and medium enterprises (SMEs) make up a significant part of European economies. They are often described as poorly place to deal with cyber risks though because of resource constraints or commercial interests. Providing appropriate tooling would facilitate a greater appreciation of the risks and provide mitigation strategies. In a series of workshops demonstrating visualization tools for cybersecurity, constructs from healthcare models such as awareness, self-efficacy, and a willingness to engage were investigated to throw light on the likelihood that the technologies would be adopted. Although most constructs were validated, it turns out that self-efficacy could more appropriately be interpreted as a desire to understand a broader company narrative rather than empowering any individual to identify and manage cyber risk. As part of an ongoing examination of technology acceptance, this work provides further evidence that technology must be contextualized to make sense for the individual as part of the SME rather than as individual employee.

• springer.com
  Visit

• Pickering_etal_ItsNotMyProblem_WorkingCopy_02022021
  Download

Abstract: Forest roads in Romania are unique natural wildlife sites used for recreation by countless tourists. In order to protect and maintain these roads, we propose RovisLab AMTU (Autonomous Mobile Test Unit), which is a robotic system designed to autonomously navigate off-road terrain and inspect if any deforestation or damage occurred along tracked route. AMTU’s core component is its embedded vision module, optimized for real-time environment perception. For achieving a high computation speed, we use a learning system to train a multi-task Deep Neural Network (DNN) for scene and instance segmentation of objects, while the keypoints required for simultaneous localization and mapping are calculated using a handcrafted FAST feature detector and the Lucas-Kanade tracking algorithm. Both the DNN and the handcrafted backbone are run in parallel on the GPU of an NVIDIA AGX Xavier board. We show experimental results on the test track of our research facility.

• arxiv.org
  Visit

• No downloads available

Abstract: Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and they may face various internal issues when attempting to set up cyber-risk strategies. In this work, we apply a user journey approach to model human behaviour and visually map SMEs’ practices and threats, along with a visualisation of the socio-technical actor network, targeted specifically at the risks highlighted in the user journey. By using a combination of cybersecurity-related visualisations, our goals are: i) to raise awareness about cybersecurity, and ii) to improve communication among IT personnel, security experts, and non-technical personnel. To achieve these goals, we combine two modelling languages: Customer Journey Modelling Language (CJML) is a visual language for modelling and visualisation of work processes in terms of user journeys. System Security Modeller (SSM) is an asset-based risk-analysis tool for socio-technical systems. By demonstrating the languages’ supplementary nature through a threat scenario and considering related theories, we believe that there is a sound basis to warrant further validation of CJML and SSM together to raise awareness and handle cyber threats in SMEs.

• scitepress.org
  Visit
• boletsis.net
  Visit

• No downloads available

Abstract: Self-driving cars and autonomous vehicles are revolutionizing the automotive sector, shaping the future of mobility altogether. Although the integration of novel technologies such as Artificial Intelligence (AI) and Cloud/Edge computing provides golden opportunities to improve autonomous driving applications, there is the need to modernize accordingly the whole prototyping and deployment cycle of AI components. This paper proposes a novel framework for developing so-called AI Inference Engines for autonomous driving applications based on deep learning modules, where training tasks are deployed elastically over both Cloud and Edge resources, with the purpose of reducing the required network bandwidth, as well as mitigating privacy issues. Based on our proposed data driven V-Model, we introduce a simple yet elegant solution for the AI components development cycle, where prototyping takes place in the cloud according to the Software-in-the-Loop (SiL) paradigm, while deployment and evaluation on the target ECUs (Electronic Control Units) is performed as Hardware-in-the-Loop (HiL) testing. The effectiveness of the proposed framework is demonstrated using two real-world use-cases of AI inference engines for autonomous vehicles, that is environment perception and most probable path prediction.

• arxiv.org
  Visit
• mdpi.com
  Visit

• No downloads available