Abstract:
Cybersecurity threats targeting users are common in today's information systems. Threat actors exploit human behavior to gain unauthorized access to systems and data. The common suggestion for addressing this problem is to train users to behave better using SETA programs. The notion of training users is old, and several SETA methods are described in scientific literature. Yet, incidents stemming from insecure user behavior continue to happen and are reported as one of the most common types of incidents. Researchers argue that empirically proven SETA programs are needed and point out focus on knowledge rather than behavior, along with poor user adoption, as problems with existing programs. The present study aims to research user preferences regarding SETA methods, with the motivation that a user is more likely to adopt a program perceived positively. A qualitative approach is used to identify existing SETA methods, and a quantitative approach is used to measure user preferences regarding SETA delivery. We show that users prefer SETA methods to be effortless and flexible and outline how existing methods meet that preference. The results outline how SETA methods respond to user preferences and how different SETA methods can be implemented to maximize user perception, thereby supporting user adoption.
Abstract:
Training of human resources in port facilities is of particular importance, especially if one considers that cargo crime could be facilitated by negligence or support of personnel. Recommendations regarding training and education are available in the SOLAS Chapter XI-2 and ISPS code. However, experts claim that too much freedom of interpretation is given to these frameworks in the process to define security training and education. As a consequence, harmonization of security may be hindered, leaving weak points and compromising commitment, security culture and awareness. In this paper, we aim to understand the present status of port security training and education courses that today are offered in Sweden. In particular, we look at the market for these services and the current level of harmonization. Results show that level of commitment, size of ports, cultural and working conditions may affect the outcome of security courses. From a harmonization viewpoint, we found that more work needs to be done to ensure the development of common requirements at EU level, quality assurance systems, and distance learning courses. This paper concludes with a roadmap to harmonization for governments.
Abstract:
Ports are complex, multiple-stakeholder environments representing the entrance point of intercontinental sea shipments into a country. Because ports are areas where large amounts of goods converge, they play a strategic role in a country's security and economic sustenance. Consequently, different stakeholders interact to ensure that cargo handling operations are optimized and cost-effective, e.g. international shipping, logistics companies, trading communities, and regulatory bodies. In this context security threats assume a special relevance, since ports could be exploited by criminal organizations to smuggle illicit goods into a country or by terrorists planning an attack. To eliminate or mitigate these risks, human resources need to be correctly trained and educated. In addition, the competent authorities need to ensure that the same level and quality of training is delivered to all port facilities providing access to a country or a continent. Unfortunately, experts believe that in the EU there is a lack of harmonization of courses and quality assurance systems. Hence, the aim of this study is to review existing regulatory frameworks and assess whether guidance is provided to harmonize security training and education in port facilities. Thereafter, based on the experience developed within other sectors, where harmonization of training and education courses in the EU has been successfully achieved, we make recommendations for improvement of the existing frameworks. The article concludes by summarizing the findings and indicating implications for managers and researchers.
Abstract:
To build secure applications using the Microsoft .NET Framework, two things are important: understanding the framework and its security features, such as Code Access Security (CAS), and applying .NET secure coding best practices in the development process. This article addresses both these topics.
Abstract:
Purpose - The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT). Design/methodology/approach - Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided. Findings - College students understand the importance and the need for ISAT, but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources. Practical implications - Universities can assess their ISAT for students based on the findings of this study. Originality/value - If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.
Abstract:
In the twenty-first century, globalisation made corporate boundaries invisible and difficult to manage. This new macroeconomic transformation caused by globalisation introduced new challenges for critical infrastructure management. By replacing manual tasks with automated decision making and sophisticated technology, no doubt we feel much more secure than half a century ago. As the technological advancement takes root, so does the maturity of security threats. It is common that today's critical infrastructures are operated by non-computer experts, e.g. nurses in health care, soldiers in the military or firefighters in emergency services. In such challenging applications, protecting against insider attacks is often neither feasible nor economically possible, but these threats can be managed using suitable risk management strategies. Security technologies, e.g. firewalls, help protect data assets and computer systems against unauthorised entry. However, one area which is often largely ignored is the human factor of system security. Through social engineering techniques, malicious attackers are able to breach organisational security via people interactions. This paper presents a security awareness training framework, which can be used to train operators of critical infrastructure on various social engineering security threats such as spear phishing, baiting, pretexting, among others.
Abstract:
In this paper, a role play scenario experiment of people's ability to differentiate between phishing and genuine emails demonstrated limitations in the generalisability of phishing studies. This involves issues around the priming of participants and the diversity of emails used. Only half of our 117 participants were explicitly informed that the study was assessing the ability to identify phishing emails. Results indicate that the informed participants were significantly better at discriminating between phishing and genuine emails than the uninformed participants. This has implications for the interpretation of phishing studies. Specifically, studies where participants are directly asked to identify phishing emails may not represent the performance of real world users, because people are rarely reminded about the risks of phishing emails in real life. Our study also used emails from a larger number and greater diversity of industries than previous phishing studies. Results indicate that participants' performance differs greatly in terms of category (e.g., type of sender) of emails. This demonstrates that caution should be used when interpreting the results of phishing studies that rely on only a small number of emails and/or emails of limited diversity. Hence, when designing and interpreting phishing studies, researchers should carefully consider the instructions provided to participants and the types of emails used.
Abstract:
This paper aims to apply habit-based research to the domain of information security. It proposes a new training paradigm in which a user "automatically" does the right thing without being an expert in the area of information security. The authors used a multiphased approach in which a new security training program was created and assessed for three groups: administrators (mostly managers), medical professionals (including physicians, physician assistants, etc.) and staff (appointment coordinators, billing specialists, etc.). The authors were able to find strong correlations between habit creation and security threats such as phishing, unauthorized cloud computing use, and password sharing. The authors were also able to ascertain that traditional security training and awareness programs need to move away from the "one-size-fits-all" technique to custom models that look at employee groups. This study supports the idea of training programs that are focused on changing habits, which is an area that has not yet been extensively researched in this context.
Abstract:
Argonne National Laboratory (Argonne), with the support of the US Department of Energy (DOE) Packaging Certification Program, has developed a week-long training course on security for nuclear and other radioactive materials during transport. The course focuses on US domestic and international requirements and recommendations for transport security. A review of applicable US Department of Transportation regulations, recently issued US Nuclear Regulatory Commission regulations, DOE orders and manuals, and relevant international modal regulatory documents relating to transport security was conducted. The review disclosed that existing International Atomic Energy Agency security training materials could be incorporated into a training course on security requirements for US domestic shippers. Development of training materials for such a course was initiated in late 2012, and the first course was convened in early December 2013 at Argonne. The course also incorporated training and hands-on transport security applications of the ARG-US Radio Frequency Identification (RFID) system for monitoring the state of health of packages of radioactive and other hazardous materials and for tracking the location of the packages and conveyances during transport and in-transit storage. Participants of this initial course obtained insight into both US and international security measures needed for transport and for in-transit stopping and storage; gained experience in preparing transport security plans (TSPs) for specific shipments, in performing readiness reviews based on those TSPs, and in identifying needed corrective actions and taking steps to correct deficiencies; and learned by hands-on exercises how to apply the ARG-US RFID system to enhance transport security.
Abstract:
This article presents the results of a study to determine the impact of a cyber threat education and awareness intervention on changes in user security behavior. Subjects were randomly assigned to one of two introductory lectures about cyber threats due to poor password management. The low-information condition was based on very general background information on passwords and computer security, while the high-information condition included very detailed and specific information on the threats to subjects' use of e-commerce. The pre/post-treatment design was a single, between-subjects factor (information level: low/high), repeated measures study, with password strength at Time 1 and password strength at Time 2 used to measure change in security behavior over a period of two weeks. The study found that at Time 1, participants possessed no significant differences in the strength of their passwords. Two weeks later, the password strength of the participants in the low-information condition was not statistically different from their initial levels, while subjects in the high-information condition demonstrated password ratings 36 percent stronger (t = 17.0, p = .000). It is concluded that when users were educated about the threats to e-commerce and trained in proper security practices, their behavior could be changed to enhance online security for themselves and the firms where they are employed.