Similar literature
1.
In earlier works we presented a computational infrastructure that allows an analyst to estimate the security of a system in terms of the loss that each stakeholder stands to sustain as a result of security breakdowns. In this paper we illustrate this infrastructure by means of an e-commerce application.

2.
In recent years the cyberspace security situation has grown steadily more severe, producing a huge shortage of cyberspace security talent (hereafter "security talent") and an increasingly urgent national need to accelerate its assessment. To address the insufficient precision of current security-talent ability assessment, this paper proposes an improved Bayesian Knowledge Tracing model, CT-BKT (Cybersecurity Talents Bayesian Knowledge Tracing). Through a personalised, intelligent question-and-answer process during the assessment, the model tracks a candidate's knowledge state and thereby achieves dynamic and precise evaluation of ability. To validate CT-BKT, the paper takes Web security as an example, organises the Web security knowledge and skill system, builds a corresponding question bank, and implements CTIES (Cybersecurity Talents Intelligent Evaluation System), an intelligent skill-assessment system for the Web security domain. In a Web security ability assessment of 22 security practitioners, the proposed CT-BKT knowledge tracing model predicted candidates' knowledge mastery state with high accuracy, and CTIES presented each candidate's Web security knowledge mastery and corresponding professional skill level in a detailed and intuitive way, confirming the feasibility and effectiveness of the proposed assessment method.
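The knowledge-tracing step the abstract relies on, as an added example (not the authors' code): this is the standard Bayesian Knowledge Tracing model, not the paper's CT-BKT variant, whose modifications the abstract does not describe. Each skill carries four parameters, P(L0), P(T), P(G) and P(S); every answer first updates the mastery probability by Bayes' rule and then applies the learning transition. The skill names, parameter values, the candidate's answer log and the "ask about the least-mastered skill next" policy are all constructed for illustration.

```python
"""Standard Bayesian Knowledge Tracing (BKT) over a set of Web-security skills.

Added example: textbook BKT, not the paper's CT-BKT model. Skill names,
parameters, the answer log and the item-selection policy are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BKTParams:
    p_init: float   # P(L0): prior probability the candidate already masters the skill
    p_learn: float  # P(T):  probability of acquiring the skill after each question
    p_guess: float  # P(G):  probability of answering correctly without mastery
    p_slip: float   # P(S):  probability of answering wrongly despite mastery


def p_correct(p_known: float, params: BKTParams) -> float:
    """Predicted probability that the next answer on this skill is correct."""
    return p_known * (1 - params.p_slip) + (1 - p_known) * params.p_guess


def bkt_update(p_known: float, correct: bool, params: BKTParams) -> float:
    """Bayes step on the observed answer, then the learning transition."""
    if correct:
        posterior = p_known * (1 - params.p_slip) / p_correct(p_known, params)
    else:
        posterior = p_known * params.p_slip / (1 - p_correct(p_known, params))
    return posterior + (1 - posterior) * params.p_learn


def trace_skill(responses, params: BKTParams):
    """Run BKT over one skill's response sequence.
    Returns the final P(known) and the per-step predicted P(correct)."""
    p = params.p_init
    predictions = []
    for correct in responses:
        predictions.append(p_correct(p, params))
        p = bkt_update(p, correct, params)
    return p, predictions


def next_skill(state: dict, mastery_threshold: float = 0.95):
    """Adaptive item selection (assumed policy): ask about the least-mastered skill
    still below the threshold; None once every skill counts as mastered."""
    open_skills = {s: p for s, p in state.items() if p < mastery_threshold}
    return min(open_skills, key=open_skills.get) if open_skills else None


# Constructed per-skill parameters; in practice they are fitted from answer logs.
PARAMS = {
    "sql_injection": BKTParams(p_init=0.2, p_learn=0.15, p_guess=0.2, p_slip=0.1),
    "xss": BKTParams(p_init=0.3, p_learn=0.2, p_guess=0.25, p_slip=0.1),
}

# Constructed answer log of one candidate: (skill, answered correctly)
ANSWERS = [("sql_injection", True), ("sql_injection", True), ("sql_injection", False),
           ("sql_injection", True), ("sql_injection", True),
           ("xss", False), ("xss", True)]


def assess(answers, params=PARAMS):
    """Track every skill's mastery probability through the answer log."""
    state = {skill: prm.p_init for skill, prm in params.items()}
    for skill, correct in answers:
        state[skill] = bkt_update(state[skill], correct, params[skill])
    return state


if __name__ == "__main__":
    state = assess(ANSWERS)
    for skill, p in state.items():
        print(f"{skill:14s} P(known) = {p:.3f}")
    print("next question on:", next_skill(state))
```

With these parameters the five SQL-injection answers (one wrong in the middle) push P(known) from 0.2 to about 0.975, while the two XSS answers leave it near 0.63, so the policy asks an XSS question next. A wrong answer does not reset mastery: the slip probability keeps the posterior from collapsing, and the learning transition is applied after every item regardless of the answer.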

3.
《IT Professional》2007,9(2):16-20
The freedom to access information on the Internet, install application programs, and modify server configurations is often required for efficient productivity. As a whole, cybersecurity can be divided into four separate components: 1) network cybersecurity, to secure data on the wire; 2) host cybersecurity, to protect applications and operating system software; 3) storage cybersecurity, to secure stored data at rest; 4) administrative "cyber" security, the non-technical element consisting of human and process security. To determine how much needs to be invested in each security component, this paper examines the specific roles and functions of each.

4.
Pfleeger S.L., Rue R. 《Software, IEEE》2008,25(1):35-42
Software project managers have limited project resources. Requests for security improvements must compete with other requests, such as for new tools, more staff, or additional testing. Deciding how and whether to invest in cybersecurity protection requires knowing the answer to at least two questions: What is the likelihood of an attack, and what are its likely consequences? Security analysts understand a system's vulnerability to potential cyberattacks fairly well, but to date, research on the economic consequences of cyberattacks has been limited, dealing primarily with microanalyses of attacks' direct impacts on a particular organization. Many managers recognize the significant potential of a cyberattack's effects to cascade from one computer or business system to another, but there have been no significant efforts to develop a methodology to account for both direct and indirect costs. Without such a methodology, project managers and their organizations are hard pressed to make informed decisions about how much to invest in cybersecurity and how to ensure that security resources are used effectively. In this article, we explore how others have sought answers to our two questions. We describe the data available to inform decisions about investing in cybersecurity and look at research models of the trade-offs between investment and protection. The framework we present can help project managers find appropriate models with credible data so that they can make effective security decisions.

5.

A cyber-physical attack is a security breach in cyber space that impacts the physical environment. The number and diversity of such attacks against Cyber-Physical Systems (CPSs) are increasing at impressive rates. In times of Industry 4.0 and Cyber-Physical Systems, providing security against cyber-physical attacks is a serious challenge which calls for cybersecurity risk assessment methods capable of investigating the tight interactions and interdependencies between the cyber and the physical components in such systems. However, existing risk assessment methods do not consider this specific characteristic of CPSs. In this paper, we propose a dependency-based, domain-agnostic cybersecurity risk assessment method that leverages a model of the CPS under study that captures dependencies among the system components. The proposed method identifies possible attack paths against critical components of a CPS by taking an attacker's viewpoint and prioritizes these paths according to the risk that they materialize, thus allowing the defenders to define efficient security controls. We illustrate the workings of the proposed method by applying it to a case study of a CPS in the energy domain, and we highlight the advantages that the proposed method offers when used to assess cybersecurity risks in CPSs.
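Attack-path enumeration and ranking over a dependency model, as an added example that is not the paper's method: the abstract says the method captures dependencies among components, takes the attacker's viewpoint to find paths to critical components and prioritises them by risk, but gives no scoring formula. The scoring used here (path likelihood as the product of assumed per-step success probabilities, risk as likelihood times impact), the small energy-domain topology, the probabilities and the impact values are all constructed assumptions. The final function turns the ranked paths into the question a defender actually asks: which single dependency carries the most risk and is therefore the best place for a control.

```python
"""Attack-path enumeration and risk ranking over a CPS component dependency graph.

Added example, not the paper's method: topology, step probabilities, impact
values and the risk formula are all assumed for illustration.
"""
from collections import defaultdict

# Constructed dependency model. An edge a -> (b, p) means: once a is compromised the
# attacker can attempt b, and p is the assumed probability that this step succeeds.
DEPENDENCIES = {
    "internet":        [("vpn_gateway", 0.3), ("hmi_workstation", 0.1)],
    "vpn_gateway":     [("engineering_ws", 0.5)],
    "hmi_workstation": [("scada_server", 0.6)],
    "engineering_ws":  [("scada_server", 0.7), ("plc", 0.4)],
    "scada_server":    [("plc", 0.8)],
    "plc":             [("breaker", 0.9)],
    "breaker":         [],
}

# Assumed physical impact of losing each critical component.
IMPACT = {"breaker": 10.0, "plc": 8.0}


def enumerate_attack_paths(graph, entry, target):
    """Depth-first enumeration of simple paths from the entry point to the target.
    Yields (path, likelihood), likelihood being the product of step probabilities."""
    def walk(node, path, likelihood):
        if node == target:
            yield list(path), likelihood
            return
        for nxt, p in graph.get(node, []):
            if nxt in path:          # keep paths simple: no revisiting a component
                continue
            path.append(nxt)
            yield from walk(nxt, path, likelihood * p)
            path.pop()
    yield from walk(entry, [entry], 1.0)


def rank_attack_paths(graph, entry, impact):
    """All attack paths against every critical component, highest risk first."""
    ranked = []
    for target, severity in impact.items():
        for path, likelihood in enumerate_attack_paths(graph, entry, target):
            ranked.append({"target": target, "path": path,
                           "likelihood": likelihood, "risk": likelihood * severity})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


def edge_exposure(ranked_paths):
    """Risk carried by each dependency edge: the summed risk of every path using it.
    The edges at the top are where one control (segmentation, hardening, monitoring)
    removes the most risk at once."""
    exposure = defaultdict(float)
    for entry in ranked_paths:
        path = entry["path"]
        for a, b in zip(path, path[1:]):
            exposure[(a, b)] += entry["risk"]
    return sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    ranked = rank_attack_paths(DEPENDENCIES, "internet", IMPACT)
    for r in ranked:
        print(f"risk={r['risk']:.3f}  " + " -> ".join(r["path"]))
    print("most exposed edges:", edge_exposure(ranked)[:3])
```

On this model the highest-risk path reaches the breaker through the VPN gateway, the engineering workstation and the SCADA server, even though it is the longest one, because each of its steps is likely. The edge ranking shows why a single perimeter control is not enough: the VPN hop and the engineering-workstation hop carry the same exposure, so cutting either one removes the same set of paths, while the SCADA-to-PLC dependency remains exposed through the HMI route.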


6.
To address the special cybersecurity risk in civil-aircraft airworthiness, this paper studies the cybersecurity special-risk test processes and methods of the civil-aviation certification authorities in the United States, Europe and elsewhere and, combined with commonly used compliance-test methods, proposes a cybersecurity test method for civil-aircraft electronic systems. Based on the cybersecurity test framework of DO-326A, it proposes cybersecurity robustness test and cybersecurity vulnerability test methods applicable to avionics systems. The method offers a feasible approach to the cybersecurity airworthiness of civil-aircraft electronic systems.

7.
In recent years cybersecurity threats have multiplied, and data-driven intelligent security analysis has become a research focus in the field. In particular, artificial-intelligence techniques represented by the knowledge graph can support the detection of complex and unknown network attacks from multi-source heterogeneous threat-intelligence data. Cybersecurity entity recognition is the foundation of threat-intelligence knowledge-graph construction, but security entities in open web text are composed in very complex ways, so traditional deep-learning methods find them hard to recognise accurately. Building on the BERT (pre-training of deep bidirectional transformers) pretrained language model, this paper proposes BERT-RDCNN-CRF, a cybersecurity entity recognition model based on a residual dilated convolutional neural network and a conditional random field. BERT is used to train character-level feature vector representations, residual convolution and a dilated network extract the important features of security entities effectively, and a CRF finally produces the BIO label of each character. Experiments on a large constructed cybersecurity entity annotation dataset show that the proposed method outperforms the LSTM-CRF model, the BiLSTM-CRF model and traditional entity recognition models.

8.
《EDPACS》2012,45(6):1-7
This paper argues that the creation of a Joint Security Operations Center (JSOC) must be coordinated, implemented, and administered by a single dedicated entity, one that operates at the highest level of organizational authority to ensure proper coordination and enforcement. Currently, not one sector of the U.S. national infrastructure has come up with an effective strategy or a coherent scheme to protect itself from a concerted cyberattack. Therefore, it is critically important that we begin to get our act together in cyberspace. Electronic, personnel, and physical security are separate operations in most companies. So, in essence, the separation of functions has created three wobbly one-legged stools instead of one solid three-legged stool. Thus, we need a single unified point to create and manage a complete, rational, organization-wide cybersecurity control system. In essence, a complete cybersecurity response requires expertise in electronic, behavioral, and physical security operations, and the key to success lies in placing that function properly. The obligation for creating and sustaining this strategic function lies with corporate leadership, not the people down the organizational ladder in IT. The converged approach is essential because monitoring and enforcement are cross-functional and comprehensive.

9.
Managers who oversee cybersecurity policies commonly rely on managerial encouragement (e.g., rewards) and employee characteristics (e.g., attitude) to drive compliant behaviour. However, whereas some cybersecurity initiatives are perceived as reasonable by employees, others are viewed as a 'waste of time'. This research introduces employee judgements of cybersecurity legitimacy as a new angle for understanding employee compliance with cybersecurity policies over time. Drawing on theory from the organisational legitimacy and cybersecurity literature, we conduct a three-wave survey of 529 employees and find that, for each separate wave, negative legitimacy judgements mediate the relationship between management support and compliance, as well as between cybersecurity inconvenience and compliance. Our results provide support for cybersecurity legitimacy as an important influence on employee compliance with cybersecurity initiatives. This is significant because it highlights to managers the importance of not simply expecting compliant employee behaviour to follow from the introduction of cybersecurity initiatives, but that employees need to be convinced that the initiatives are fair and reasonable. Interestingly, we did not find sufficient support for our expectation that the increased likelihood of a cybersecurity incident will moderate the legitimacy-policy compliance relationship. This result suggests that the legitimacy perceptions of employees are unyielding to differences in the risk characteristics of the cybersecurity incidents facing organisations.

10.
This paper presents an iterative mathematical decision model for organizations to evaluate whether to invest in establishing information technology (IT) infrastructure on-premises or to outsource IT services to a multicloud environment. A single cloud cannot cover all types of users' functional and nonfunctional requirements, and it has several drawbacks such as resource limitation, vendor lock-in, and proneness to failure. Multicloud, on the other hand, brings several merits such as vendor lock-in avoidance, system fault tolerance, cost reduction, and better quality of service. The biggest challenge is selecting an optimal web service composition in the ever-growing multicloud market, in which each provider has its own pricing scheme and delivers a different service security level. In this regard, we embed a module in the cloud broker to log service downtime and different attacks in order to measure the security risk. If security tenets, namely the security service level agreement covering availability, integrity, and confidentiality for mission-critical applications, are targeted by cybersecurity attacks, business continuity is disrupted, leading to financial losses or even business failure. To address this issue, our decision model extends the cost model by using the cost present value concept and the risk model by using the advanced mean failure cost concept, both derived from the embedded module, to quantify cloud competencies. The cloud economic problem is then transformed into a bi-objective optimization problem that minimizes cost and security risk simultaneously. To deal with the combinatorial problem, we extend a genetic algorithm to find a Pareto set of optimal solutions. To reach a concrete result and to illustrate the effectiveness of the decision model, we ran different scenarios and a small-to-medium business IT development for a 5-year investment as a case study. The results of the different implementations show that multicloud is a promising and reliable alternative to on-premises IT deployment.

11.

As cyber-attacks have been increasing exponentially in recent years, the importance of security training for employees has grown greater than ever. Security training and education are also suggested, within academia and industry, as an effective method for discerning cyber-attacks. Despite the importance and necessity of such training, prior studies have not investigated the quantitative utility of security training at the organizational level. Because of this absence of reference studies, many firms have trouble deciding how to arrange optimal security training programs with limited security budgets. The main objective of this study is to find the relationship between cybersecurity training and the number of incidents in organizations. This is thus the first study to quantify the effectiveness of security training on security incidents. The research examines the relationship between three main factors, namely education time, education participants, and outsourcing, and the number of cybersecurity incidents. Firm-level data from 7089 firms are analyzed with Poisson regression. Based on the analysis results, we find a negative relationship between security training and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by showing, from a quantitative perspective, its association with a reduced number of incidents in organizations. The results can serve as a reference guide for information security training decision-making in organizations.
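The model behind the abstract's result, as an added example that is not the authors' code: a Poisson regression of yearly incident counts on training hours, fitted by Newton's method (equivalently iteratively reweighted least squares) in plain Python so the score equations and the incidence-rate ratio are visible rather than hidden in a library call. The 12-firm sample is constructed and bears no relation to the 7089-firm dataset of the study; only one predictor is shown, but the fitting routine accepts any number of columns. The fitted coefficient on training hours is what the abstract's "negative relationship" means: exp(beta1) is the multiplicative change in expected incidents per additional training hour.

```python
"""Poisson regression of incident counts on training hours, fitted by Newton's method.

Added example, not the authors' code; the FIRMS sample is constructed.
"""
import math

# Constructed sample: (annual training hours per employee, cybersecurity incidents that year)
FIRMS = [(0, 6), (0, 4), (2, 5), (4, 3), (4, 4), (6, 3),
         (8, 2), (10, 2), (12, 1), (14, 1), (16, 0), (20, 0)]


def design(rows):
    """Intercept column plus the predictor column(s); the last field is the count."""
    X = [[1.0] + [float(v) for v in r[:-1]] for r in rows]
    y = [float(r[-1]) for r in rows]
    return X, y


def linear_predictor(beta, xi):
    return sum(b * v for b, v in zip(beta, xi))


def log_likelihood(beta, X, y):
    """Poisson log-likelihood with the canonical log link."""
    ll = 0.0
    for xi, yi in zip(X, y):
        eta = linear_predictor(beta, xi)
        ll += yi * eta - math.exp(eta) - math.lgamma(yi + 1)
    return ll


def score(beta, X, y):
    """Gradient of the log-likelihood, X^T (y - mu); it vanishes at the MLE."""
    mu = [math.exp(linear_predictor(beta, xi)) for xi in X]
    return [sum(xi[j] * (yi - mi) for xi, yi, mi in zip(X, y, mu)) for j in range(len(beta))]


def solve(A, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * v for a, v in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def fit_poisson(rows, tol=1e-10, max_iter=50):
    """Newton-Raphson for the Poisson GLM, with step halving against overshoot."""
    X, y = design(rows)
    p = len(X[0])
    beta = [math.log(sum(y) / len(y))] + [0.0] * (p - 1)   # start at the null model
    ll = log_likelihood(beta, X, y)
    for _ in range(max_iter):
        mu = [math.exp(linear_predictor(beta, xi)) for xi in X]
        grad = score(beta, X, y)
        # Information matrix X^T diag(mu) X; positive definite, so the step climbs.
        info = [[sum(xi[j] * xi[k] * mi for xi, mi in zip(X, mu)) for k in range(p)]
                for j in range(p)]
        step = solve(info, grad)
        t = 1.0
        while True:
            cand = [b + t * s for b, s in zip(beta, step)]
            cand_ll = log_likelihood(cand, X, y)
            if cand_ll >= ll or t < 1e-8:
                break
            t /= 2
        done = abs(cand_ll - ll) < tol
        beta, ll = cand, cand_ll
        if done:
            break
    return beta


def expected_incidents(beta, hours):
    return math.exp(beta[0] + beta[1] * hours)


def incidence_rate_ratio(beta):
    """Multiplicative change in the expected incident count per extra training hour."""
    return math.exp(beta[1])


if __name__ == "__main__":
    beta = fit_poisson(FIRMS)
    print(f"beta0={beta[0]:.3f}  beta1={beta[1]:.3f}  IRR per hour={incidence_rate_ratio(beta):.3f}")
    print(f"expected incidents: 0 h -> {expected_incidents(beta, 0):.2f}, "
          f"20 h -> {expected_incidents(beta, 20):.2f}")
```

Two properties of the fit are worth checking before trusting any such table: at the maximum-likelihood estimate the score is zero, which with an intercept means the fitted counts sum exactly to the observed counts, and the sign of beta1 is the whole finding. An observational sample like the study's cannot distinguish training that prevents incidents from firms that train more because they are already mature, so the ratio is an association, not a causal effect.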


12.
Networks and information systems have become the core of critical infrastructure and indeed of the whole economy and society; once they are attacked and damaged or suffer a major security incident, national economic security and the public interest are seriously harmed. Detecting network attack behaviour and safeguarding the network infrastructure is the central link in keeping core technical equipment secure and controllable and in building a national cybersecurity assurance system. This paper systematically reviews innovative results already obtained on intrusion detection frameworks, automatic signature generation, security detection theory and methods, network topology monitoring and network routing control; distils several scientific findings on cybersecurity detection algorithms and frameworks, wireless network security detection, and network monitoring and security enhancement; and finally summarises development trends in cybersecurity detection and control technology.

13.
To address the weak cybersecurity threat awareness and low emergency-response capability of the Shandong provincial water-resources system, and in light of the current state of its information systems and its actual cybersecurity needs, a situational-awareness platform was deployed at the Shandong Provincial Department of Water Resources and network-traffic collection engines were deployed in the province's 16 cities to collect and analyse water-resources network data continuously, providing real-time awareness and dynamic monitoring of the security posture. Live attack-and-defence exercises were run against the province's important water-resources business applications to test in depth the protection, monitoring and early-warning, and emergency-response capabilities of the water-resources information systems and to uncover deeper cybersecurity problems and hidden risks. Through the deployment of the situational-awareness system and the attack-and-defence exercises, a network monitoring and early-warning mechanism for the Shandong water-resources system has been established, the cybersecurity workforce has been effectively exercised, the overall level of cybersecurity has risen markedly, and a working reference is provided for building a comprehensive, intelligent and coordinated cybersecurity system for the era of smart water management.

14.
Competition in cybersecurity is ultimately competition for talent, and countries around the world have raised cybersecurity talent cultivation to the level of national strategy. Cyberspace security is a new interdisciplinary subject whose scope is still evolving, and there is as yet no training model or evaluation mechanism suited to the characteristics of cyberspace security talent. Drawing on years of teaching research, on advanced foreign training models and evaluation mechanisms, and on domestic conditions, this paper proposes a "cyber doctor" training model suited to the characteristics of the cyberspace security discipline. The model covers the whole undergraduate life cycle, is problem-oriented, trains students' ability to find and solve security problems in cyberspace, and builds an ecosystem for talent cultivation through close interaction between universities, industry and research institutes. It aims to improve students' mastery of knowledge, skills and applied ability, to cultivate their interest in and capacity for exploring frontier science and core technologies, and to strengthen faculty and raise teaching standards, while also helping enterprises select outstanding talent and improve their R&D capability and market competitiveness. The end result is collaborative innovation among the partners, complementary strengths and an all-round win-win outcome that advances cyberspace security talent cultivation and the development of the discipline.

15.
Password reuse, using the same password for multiple accounts, is a prevalent phenomenon that can make even the most secure systems vulnerable. When passwords are reused across multiple systems, hackers may compromise accounts by stealing passwords from low-security sites to access sites with higher security. Password reuse can be particularly threatening to users in developing countries in which cybersecurity training is limited, law enforcement of cybersecurity is non-existent, or in which programs to secure cyberspace are limited. This article proposes a two-pronged solution for reducing password reuse through detection and mitigation. First, based on the theories of routine, cognitive load and motor movement, we hypothesize that password reuse can be detected by monitoring characteristics of users' typing behavior (i.e. keystroke dynamics). Second, based on protection motivation theory, we hypothesize that providing just-in-time fear appeals when a violation is detected will decrease password reuse. We tested our hypotheses in an experiment and found that users' keystroke dynamics are diagnostic of password reuse. By analyzing changes in typing patterns, we were able to detect password reuse with 81.71% accuracy. We also found that just-in-time fear appeals decrease password reuse; 88.41% of users who received a fear appeal subsequently created unique passwords, whereas only 4.45% of users who did not receive a fear appeal created unique passwords. Our results suggest that future research should continue to examine keystroke dynamics as an indicator of cybersecurity behaviors and use just-in-time fear appeals as a method for reducing non-secure behavior. The findings of our research provide a practical and cost-effective solution to bolster cybersecurity through discouraging password reuse.

16.
By focusing all our attention on cybersecurity, have we left the backdoor open for more conventional attacks? Phillip A. Laplante, a member of IT Professional's editorial board, examines this conundrum and advises the reader to raise his or her own paranoia level to address the very real security gaps we leave open every day our attention is diverted.

17.
The possibilities and risks inherent in the dissemination of ICT necessitate implementation of cybersecurity initiatives. Yet, we know very little about the specific relationships between national information infrastructure (NII), cybersecurity capability, and economic development in emerging economies. This paper proposes a model based on national nuclear threat security through which a developing nation could develop an effective cybersecurity infrastructure while simultaneously positively impacting economic development. Our model extends the cybersecurity triad of internal governance, private sector partners and an active cybercitizenry to add a fourth influence, foreign government relations, that significantly impacts socioeconomic development. The model will be elaborated through the lens of two case study nation-states: India and Pakistan.

18.
In a context of digitalization and technological evolution in all aspects of our lives, the electricity sector could not be left behind. This opens up a new range of possibilities until now unthinkable, which will facilitate the progress and services that we will be able to enjoy thanks to the development of the smart grid. But it also poses new challenges, both technological and in terms of cybersecurity, as the electricity sector takes on an increasingly important role in our lives. Therefore, after an analysis of the main incidents that have affected the energy sector, a general study is made of the standards that affect it, especially the IEEE 1686 and IEC 62351 standards, in order to develop a simple and practical methodology to assess the level of security of the cyber-physical systems and equipment that make up an electrical installation. The methodology is developed from a selection of specific requirements in those standards, which serve as the starting point for a series of specific compliance tests to assess the equipment to be installed or modified in a smart grid. No measure is too small when it comes to halting the successes cybercriminals have achieved so far. To this end, it is necessary to set out on one of the many routes opened by the many standards, norms, and laws, and thus define an effective and efficient path that will allow us to establish secure pillars on which to build the future.

19.
Measuring cybersecurity is difficult, but other disciplines can offer important lessons and techniques for building a system that can help test hypotheses about system security.

20.
The blockchain is a radical innovation that has a considerable effect on payments, stock exchanges, cybersecurity, and computational law. However, its limitations in terms of the uncertainty involved in transaction confirmation are significant. In this paper, we describe the design of a decentralized voting protocol for the election of a block generator in a consortium blockchain and propose a new system framework that allows fast and exact confirmation of all transactions. In addition, to replace a transaction's owner signature, a new interactive incontestable signature between the dealer and owner is used to confirm a transaction. By means of this signature, the dealer can assure the owner that a transaction will be permanently included in the blockchain in a non-repudiation manner. Moreover, the signatures of all transactions in a block share only one witness that provides membership proof between the block and these transactions. Finally, a security and performance analysis shows that the proposed schemes are provably secure and highly efficient.
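A single witness for every transaction in a block, as an added example that is not the paper's construction: the abstract says all transactions share one witness giving a membership proof between block and transactions, but does not describe the scheme, so this shows the standard binary hash tree, where the root in the block header is the shared witness and each transaction's audit path is its individual proof. The transactions are constructed byte strings. Two design choices are deliberate and commented: leaves and internal nodes are hashed under different prefixes, and an unpaired node at an odd-sized level is promoted rather than hashed with a copy of itself, because the duplicate-last-node variant lets two different transaction lists share a root.

```python
"""Merkle-tree membership proof: one root per block as the witness for every transaction.

Added example of the standard hash tree, not the scheme of the paper.
BLOCK_TXS is a constructed block.
"""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(tx: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an internal node, so an attacker
    # cannot present an internal node's two children as a "transaction" that verifies.
    return _sha256(b"\x00" + tx)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_levels(txs):
    """Every level of the tree, leaves first. An unpaired node at an odd-sized level
    is promoted unchanged instead of being hashed with a copy of itself."""
    if not txs:
        raise ValueError("a block needs at least one transaction")
    level = [leaf_hash(t) for t in txs]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels


def merkle_root(txs) -> bytes:
    return build_levels(txs)[-1][0]


def membership_proof(txs, index):
    """Audit path for txs[index]: the sibling needed at each level and which side it is on."""
    levels = build_levels(txs)
    proof, i = [], index
    for level in levels[:-1]:
        if len(level) % 2 and i == len(level) - 1:
            pass  # promoted node: nothing to hash with at this level
        else:
            sib = i ^ 1
            proof.append((level[sib], "left" if sib < i else "right"))
        i //= 2
    return proof


def verify_membership(root: bytes, tx: bytes, proof) -> bool:
    """Recompute the root from the transaction and its audit path; True iff it matches."""
    h = leaf_hash(tx)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == root


# Constructed block contents
BLOCK_TXS = [b"tx0:alice->bob:5", b"tx1:bob->carol:2", b"tx2:carol->dave:7",
             b"tx3:dave->erin:1", b"tx4:erin->alice:3"]

if __name__ == "__main__":
    root = merkle_root(BLOCK_TXS)
    proof = membership_proof(BLOCK_TXS, 1)
    print("root:", root.hex())
    print("tx1 proof has", len(proof), "siblings; verifies:",
          verify_membership(root, BLOCK_TXS[1], proof))
    print("tampered tx verifies:", verify_membership(root, b"tx1:bob->carol:200", proof))
```

A proof is logarithmic in the block size and a verifier needs only the root, the transaction and the audit path, which is what lets the single witness serve every transaction. Note that the proof binds a transaction to the block but says nothing about who authorised it; that is the job of the per-transaction signature the abstract replaces.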
