1 - 17 of 17
  • 1.
    Abril, Daniel
    et al.
    IIIA, Institut d'Investigació en Intelligència Artificial – CSIC, Consejo Superior de Investigaciones Científicas, Bellaterra, Spain / UAB, Universitat Autónoma de Barcelona, Bellaterra, Spain.
    Navarro-Arribas, Guillermo
    DEIC, Dep. Enginyeria de la Informació i de les Comunicacions, UAB, Universitat Autònoma de Barcelona, Bellaterra, Spain.
    Torra, Vicenç
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre. IIIA, Institut d'Investigació en Intelligència Artificial – CSIC, Consejo Superior de Investigaciones Científicas, Bellaterra, Spain.
    Spherical Microaggregation: Anonymizing Sparse Vector Spaces. 2015. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 49, pp. 28-44. Article in journal (Refereed)
    Abstract [en]

    Unstructured texts are a very popular data type and still widely unexplored in the privacy preserving data mining field. We consider the problem of providing public information about a set of confidential documents. To that end we have developed a method to protect a Vector Space Model (VSM), to make it public even if the documents it represents are private. This method is inspired by microaggregation, a popular protection method from statistical disclosure control, and adapted to work with sparse and high dimensional data sets.

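    The abstract describes adapting microaggregation (group records into clusters of at least k, publish each cluster's centroid instead of the records) to sparse, high-dimensional term vectors on the unit sphere. The following is an added example, not the paper's code or its exact algorithm: an MDAV-style grouping using cosine distance and a spherical centroid (sum the sparse vectors, renormalize), run over a small constructed corpus of six term-weight vectors. It assumes the corpus has at least k documents.

```python
import math
from typing import Dict, List

# Sparse term vectors: {term: weight}. Only non-zero entries are stored.
Vec = Dict[str, float]

# Constructed sample corpus: two topics, three documents each (not data from the paper).
DOCS: List[Vec] = [
    {"malware": 3.0, "payload": 2.0, "botnet": 1.0},
    {"malware": 2.0, "botnet": 2.0},
    {"payload": 1.0, "malware": 1.0, "exploit": 1.0},
    {"privacy": 2.0, "anonymization": 3.0},
    {"privacy": 1.0, "anonymization": 1.0, "microaggregation": 2.0},
    {"anonymization": 2.0, "disclosure": 1.0},
]

def normalize(v: Vec) -> Vec:
    """Project a vector onto the unit sphere (L2 norm 1); the zero vector stays empty."""
    n = math.sqrt(sum(w * w for w in v.values()))
    return {t: w / n for t, w in v.items()} if n else {}

def dot(a: Vec, b: Vec) -> float:
    if len(a) > len(b):
        a, b = b, a                      # iterate over the shorter dict
    return sum(w * b.get(t, 0.0) for t, w in a.items())

def cosine_distance(a: Vec, b: Vec) -> float:
    """1 - cos(angle) for unit vectors: 0 = same direction, 1 = no shared terms."""
    return 1.0 - dot(a, b)

def centroid(vs: List[Vec]) -> Vec:
    """Spherical centroid: sum the sparse vectors, then renormalize onto the sphere."""
    acc: Vec = {}
    for v in vs:
        for t, w in v.items():
            acc[t] = acc.get(t, 0.0) + w
    return normalize(acc)

def mdav_groups(vs: List[Vec], k: int) -> List[List[int]]:
    """MDAV-style partition into groups of at least k indices, using cosine distance.

    While >= 3k records remain: the record farthest from the centroid plus its k-1
    nearest neighbours form one group, then the record farthest from that one plus
    its k-1 nearest form another. With 2k..3k-1 left, form one more group; whatever
    remains (always k..2k-1 records) is the last group.
    """
    if len(vs) < k:
        raise ValueError("need at least k vectors")
    remaining = list(range(len(vs)))
    groups: List[List[int]] = []

    def take(anchor: int) -> List[int]:
        g = sorted(remaining, key=lambda i: cosine_distance(vs[i], vs[anchor]))[:k]
        for i in g:
            remaining.remove(i)
        return g

    while len(remaining) >= 3 * k:
        c = centroid([vs[i] for i in remaining])
        far = max(remaining, key=lambda i: cosine_distance(vs[i], c))
        groups.append(take(far))
        far2 = max(remaining, key=lambda i: cosine_distance(vs[i], vs[far]))
        groups.append(take(far2))
    if len(remaining) >= 2 * k:
        c = centroid([vs[i] for i in remaining])
        far = max(remaining, key=lambda i: cosine_distance(vs[i], c))
        groups.append(take(far))
    groups.append(list(remaining))
    return groups

def microaggregate(docs: List[Vec], k: int) -> List[Vec]:
    """Replace every document vector by the spherical centroid of its group (k-anonymous VSM)."""
    vs = [normalize(d) for d in docs]
    out: List[Vec] = [{} for _ in vs]
    for g in mdav_groups(vs, k):
        c = centroid([vs[i] for i in g])
        for i in g:
            out[i] = c
    return out

if __name__ == "__main__":
    for i, v in enumerate(microaggregate(DOCS, k=3)):
        print(i, {t: round(w, 3) for t, w in sorted(v.items())})
```

    With k=3 the two topics end up in separate groups and each published vector is shared by at least three documents, so no single document's term profile is exposed. Cross-topic vectors have no terms in common, so their cosine distance is exactly 1; a real corpus will have shared stop-words and needs weighting (e.g. tf-idf) before grouping.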
  • 2.
    Alexiou, Nikolaos
    et al.
    KTH, School of Electrical Engineering (EES), Communication Networks.
    Basagiannis, S.
    Petridou, S.
    Formal security analysis of near field communication using model checking. 2016. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 60, pp. 1-14. Article in journal (Refereed)
    Abstract [en]

    Near field communication (NFC) is a short-range wireless communication technology envisioned to support a large gamut of smart-device applications, such as payment and ticketing. Although two NFC devices need to be in close proximity to communicate (up to 10 cm), adversaries can use a fast and transparent communication channel to relay data and, thus, force an NFC link between two distant victims. Since relay attacks can bypass the NFC requirement for short-range communication cheaply and easily, it is important to evaluate the security of NFC applications. In this work, we present a general framework that exploits formal analysis, and especially model checking, as a means of verifying the resiliency of the NFC protocol against relay attacks. Toward this goal, we built a continuous-time Markov chain (CTMC) model using the PRISM model checker. First, we took into account NFC protocol parameters and then enhanced our model with networking parameters, which include both mobile environment and security-aware characteristics. Combining NFC specifications with an adversary's characteristics, we produced the relay attack model, which is used for extracting our security analysis results. Through these results, we can explain how a relay attack could be prevented and discuss potential countermeasures.

  • 3.
    Bakari, Jabiri Kuwe
    et al.
    Tarimo, Charles N.
    Yngstrom, Louise
    KTH, School of Information and Communication Technology (ICT), Computer and Systems Sciences, DSV.
    Magnusson, Christer
    KTH, School of Information and Communication Technology (ICT), Computer and Systems Sciences, DSV.
    Kowalski, Stewart
    KTH, School of Information and Communication Technology (ICT), Computer and Systems Sciences, DSV.
    Bridging the gap between general management and technicians - A case study on ICT security in a developing country. 2007. In: Computers & security (Print), ISSN 0167-4048, Vol. 26, no 1, pp. 44-55. Article in journal (Refereed)
    Abstract [en]

    The lack of planning, business re-engineering, and coordination in the whole process of computerisation is the most pronounced problem facing organisations. These problems often lead to a discontinuous link between technology and the business processes. As a result, the introduced technology poses some critical risks for the organisations due, in part, to different perceptions of the management and technical staff in viewing the ICT security problem. This paper discusses practical experience of bridging the gap between the general management and ICT technicians.

  • 4.
    Bella, Giampaolo
    et al.
    Università di Catania, Italy.
    Giustolisi, Rosario
    RISE - Research Institutes of Sweden, ICT, SICS.
    Lenzini, Gabriele
    University of Luxembourg, Luxembourg City, Luxembourg.
    Ryan, Peter Y. A.
    University of Luxembourg, Luxembourg City, Luxembourg.
    Trustworthy exams without trusted parties. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 67, pp. 291-307. Article in journal (Refereed)
    Abstract [en]

    Historically, exam security has mainly focused on threats ascribed to candidate cheating. Such threats have normally been mitigated by invigilation and anti-plagiarism methods. However, as recent exam scandals confirm, invigilators and authorities may also pose security threats. The introduction of computers into the different phases of an exam, such as candidate registration, brings new security issues that should be addressed with the care normally devoted to security protocols. This paper proposes a protocol that meets a wide set of security requirements and resists threats that may originate from candidates as well as from exam administrators. By relying on a combination of oblivious transfer and visual cryptography schemes, the protocol does not need to rely on any trusted third party. We analyse the protocol formally in ProVerif and prove that it verifies all the stated security requirements.

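    The protocol above combines oblivious transfer with visual cryptography; the added example below (not the paper's protocol or code) shows only the visual-cryptography building block, the 2-out-of-2 Naor-Shamir share construction: each secret pixel becomes two subpixels per share, one share alone is uniformly random, and overlaying both transparencies (a pixel-wise OR) reveals the image at half contrast. The 3x3 secret image is constructed for the example; the `seed` parameter exists only to make tests reproducible.

```python
import random
from typing import List, Optional, Tuple

# Constructed 3x3 secret image: '#' = black pixel, '.' = white pixel (not from the paper).
SECRET: List[str] = [
    "#.#",
    ".#.",
    "#.#",
]

# Each secret pixel expands to two subpixels per share. Both one-black-subpixel
# patterns are equally likely in share A, whatever the secret pixel is.
PATTERNS: Tuple[str, str] = ("#.", ".#")

def make_shares(secret: List[str], seed: Optional[int] = None) -> Tuple[List[str], List[str]]:
    """2-out-of-2 visual secret sharing (Naor-Shamir construction).

    Share A: a uniformly random pattern per pixel. Share B: the same pattern for a
    white pixel, the complementary pattern for a black pixel. A fixed seed is only
    for reproducible tests; real share generation uses SystemRandom (seed=None).
    """
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    share_a, share_b = [], []
    for row in secret:
        a_row, b_row = [], []
        for px in row:
            p = rng.choice(PATTERNS)
            a_row.append(p)
            b_row.append(PATTERNS[1 - PATTERNS.index(p)] if px == "#" else p)
        share_a.append("".join(a_row))
        share_b.append("".join(b_row))
    return share_a, share_b

def stack(share_a: List[str], share_b: List[str]) -> List[str]:
    """Overlaying two transparencies is a pixel-wise OR: a black subpixel wins."""
    return ["".join("#" if x == "#" or y == "#" else "." for x, y in zip(ra, rb))
            for ra, rb in zip(share_a, share_b)]

def decode(stacked: List[str]) -> List[str]:
    """Black secret pixel -> both subpixels black; white -> exactly one black (half contrast)."""
    return ["".join("#" if row[i:i + 2] == "##" else "." for i in range(0, len(row), 2))
            for row in stacked]

def share_is_uniform(share: List[str]) -> bool:
    """Every pixel of a share is one of the two allowed patterns, regardless of the secret."""
    return all(row[i:i + 2] in PATTERNS for row in share for i in range(0, len(row), 2))

if __name__ == "__main__":
    a, b = make_shares(SECRET)
    for name, img in (("share A", a), ("share B", b),
                      ("stacked", stack(a, b)), ("decoded", decode(stack(a, b)))):
        print(name)
        print("\n".join(img))
        print()
```

    The security argument is visible in the code: share A is generated without looking at the secret, so an attacker holding one share learns nothing about the image; only the relation between the two shares encodes it.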
  • 5.
    Camenisch, Jan
    et al.
    Fischer-Hübner, Simone
    Karlstad University, Division for Information Technology.
    Murayama, Yuko
    Future Challenges in Security and Privacy for Academia and Industry. 2013. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 33, pp. 1-170. Article in journal (Refereed)
  • 6.
    Flores, Waldo Rocha
    et al.
    KTH, School of Electrical Engineering (EES).
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Electric power and energy systems.
    Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. 2016. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 59, pp. 26-44. Article in journal (Refereed)
    Abstract [en]

    This paper empirically investigates how organizational and individual factors complement each other in shaping employees' intention to resist social engineering. The study followed a mixed methods research design, wherein qualitative data were collected to both establish the study's research model and develop a survey instrument that was distributed to 4296 organizational employees from a diverse set of organizations located in Sweden. The results showed that attitude toward resisting social engineering has the strongest direct association with intention to resist social engineering, while both self-efficacy and normative beliefs showed weak relationships with intention to resist social engineering. Furthermore, the results showed that transformational leadership was strongly associated with both perceived information security culture and information security awareness. Two mediation tests showed that attitude and normative beliefs partially mediate the effect of information security culture on employees' intention to resist social engineering. This suggests that both attitude and normative beliefs play important roles in governing the relationship between information security culture and intention to resist social engineering. A third mediation test revealed that information security culture fully explains the effect of transformational leadership on employees' attitude toward resisting social engineering. Discussion of the results and practical implications of the performed research are provided.

  • 7.
    Franke, Ulrik
    RISE, Swedish ICT, SICS, Software and Systems Engineering Laboratory.
    The cyber insurance market in Sweden. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 68, pp. 130-144. Article in journal (Refereed)
    Abstract [en]

    This article is a characterization of the cyber insurance market in Sweden. As empirical investigations of cyber insurance are rarely reported in the literature, the results are novel. The investigation is based on semi-structured interviews with 10 insurance companies active on the Swedish market, and additional interviews with 2 re-insurance companies and 3 insurance intermediaries. These informants represent essentially all companies selling cyber insurance on the Swedish market. Findings include descriptions of the coverages offered, including discrepancies between insurers, and the underwriting process used. Typical annual premiums are found to be in the span of some 5–10 kSEK per MSEK indemnity limit, i.e. 0.5–1% of the indemnity limit. For business interruption coverage, waiting periods are found to be relatively long compared to many outages. Furthermore, insurance companies impose information and IT security requirements on their customers, and do not insure customers that are too immature or have too poor security. Thus cyber insurance, in practice, is not merely an instrument of risk transfer, but also contains aspects of avoidance and mitigation. Based on the findings, market segmentation, pricing, business continuity, and asymmetry of information are discussed, and some future work is suggested.

  • 8.
    Geneiatakis, Dimitrios
    et al.
    Nai Fovino, Igor
    Kounelis, Ioannis
    KTH, School of Information and Communication Technology (ICT), Communication Systems, CoS. Institute for the Protection and Security of the Citizen, Italy.
    Stirparo, Pasquale
    KTH, School of Information and Communication Technology (ICT), Communication Systems, CoS. Institute for the Protection and Security of the Citizen, Italy.
    A Permission verification approach for android mobile applications. 2015. In: Computers & security (Print), ISSN 0167-4048, Vol. 49, pp. 192-205. Article in journal (Refereed)
    Abstract [en]

    Mobile applications build part of their security and privacy on a declarative permission model. In this approach, mobile applications have to define the corresponding permissions in a manifest to get access to sensitive resources. However, mobile applications may request permissions that they do not require for their execution (over-privileges) and thereby offer opportunities to malicious software to gain access to otherwise inaccessible resources. In this paper, we investigate the declarative permission model on which the security and privacy services of Android rely. We propose a practical and efficient permission certification technique, in the direction of risk management assessment. We combine both runtime information and static analysis to profile mobile applications and identify whether they are over-privileged or follow the least privilege principle. We demonstrate a transparent solution that requires neither modification to the underlying framework nor access to the applications' original source code. We assess the effectiveness of our approach using a randomly selected, varied set of mobile applications. Results show that our approach can accurately identify whether an application is over-privileged or not, whilst at the same time guaranteeing the need to declare specific permissions in the manifest.

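    The core check in the abstract is a set comparison: permissions declared in the manifest versus permissions actually exercised by the API calls the app makes. The added example below (not the paper's tool) performs that comparison on a constructed manifest and a constructed list of observed calls. The API-to-permission map is a hand-built illustrative subset; a real audit needs the full mapping for the target API level, and the list of observed calls would come from static analysis plus runtime tracing as the paper describes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical app (com.example.weather is not a real app).
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Weather"/>
</manifest>
"""

# Illustrative API -> permission map (hand-built subset, assumption of this example).
API_PERMISSIONS: Dict[str, Set[str]] = {
    "java.net.URL.openConnection": {"android.permission.INTERNET"},
    "android.location.LocationManager.getLastKnownLocation": {"android.permission.ACCESS_FINE_LOCATION"},
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
}

# Constructed observation: calls found by static analysis plus runtime tracing of the app.
OBSERVED_CALLS = [
    "java.net.URL.openConnection",
    "android.location.LocationManager.getLastKnownLocation",
    "java.lang.String.format",            # needs no permission
]

def declared_permissions(manifest_xml: str) -> Set[str]:
    """Permissions the app asks for in <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def required_permissions(calls: Iterable[str], mapping: Dict[str, Set[str]] = API_PERMISSIONS) -> Set[str]:
    """Union of the permissions guarding every observed API call; unmapped calls need none."""
    needed: Set[str] = set()
    for call in calls:
        needed |= mapping.get(call, set())
    return needed

def audit(manifest_xml: str, calls: Iterable[str]) -> Dict[str, object]:
    declared = declared_permissions(manifest_xml)
    required = required_permissions(calls)
    return {
        "declared": declared,
        "required": required,
        "over_privileged": declared - required,   # granted but never exercised
        "missing": required - declared,           # exercised but not granted: SecurityException at runtime
        "least_privilege": declared == required,
    }

if __name__ == "__main__":
    for key, value in audit(MANIFEST_XML, OBSERVED_CALLS).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

    The "missing" set is the other half of the abstract's claim: a permission that shows up in the traced calls but not in the manifest is one the app genuinely needs to declare, so the tool can justify each declaration as well as flag excess ones. Coverage of the runtime trace determines how trustworthy the "over_privileged" set is; a code path never exercised during profiling looks unused.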
  • 9.
    Holm, Hannes
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Performance of automated network vulnerability scanning at remediating security issues. 2012. In: Computers & security (Print), ISSN 0167-4048, Vol. 31, no 2, pp. 164-175. Article in journal (Refereed)
    Abstract [en]

    This paper evaluates how large a portion of an enterprise's network security holes would be remediated if one followed the remediation guidelines provided by seven automated network vulnerability scanners. Remediation performance was assessed for both authenticated and unauthenticated scans. The overall findings suggest that a vulnerability scanner is a usable security assessment tool, given that credentials are available for the systems in the network. However, there are issues with the method: manual effort is needed to reach complete accuracy, and the remediation guidelines are oftentimes very cumbersome to study. Results also show that a scanner that is more accurate in terms of remediating vulnerabilities generally is also better at detecting vulnerabilities, but is in turn also more prone to false alarms. This is independent of whether the scanner is provided system credentials or not.

  • 10.
    Johnson, Pontus
    et al.
    KTH, School of Electrical Engineering (EES), Electric power and energy systems.
    Gorton, Dan
    Lagerström, Robert
    KTH, School of Electrical Engineering (EES), Electric power and energy systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Electric power and energy systems.
    Time between vulnerability disclosures: A measure of software product vulnerability. 2016. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 62, pp. 278-295. Article in journal (Refereed)
    Abstract [en]

    Time between vulnerability disclosure (TBVD) for individual analysts is proposed as a meaningful measure of the likelihood of finding a zero-day vulnerability within a given timeframe. Based on publicly available data, probabilistic estimates of the TBVD of various software products are provided. Sixty-nine thousand six hundred forty-six vulnerabilities from the National Vulnerability Database (NVD) and the SecurityFocus Vulnerability Database were harvested, integrated and categorized according to the analysts responsible for their disclosure as well as by the affected software products. Probability distributions were fitted to the TBVD per analyst and product. Among competing distributions, the Gamma distribution demonstrated the best fit, with the shape parameter, k, similar for most products and analysts, while the scale parameter, θ, differed significantly. For forecasting, autoregressive models of the first order were fitted to the TBVD time series for various products. Evaluation demonstrated that forecasting of TBVD on a per product basis was feasible. Products were also characterized by their relative susceptibility to vulnerabilities with impact on confidentiality, integrity and availability respectively. The differences in TBVD between products are significant, e.g. spanning differences of over 500% among the 20 most common software products in our data. Differences are further accentuated by the differing impact, so that, e.g., the mean working time between disclosure of vulnerabilities with a complete impact on integrity (as defined by the Common Vulnerability Scoring System) for Linux (110 days) exceeds that of Windows 7 (6 days) by over 18 times.

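    The abstract's measure is straightforward to reproduce on a small scale: compute the days between consecutive disclosures for one product, fit a Gamma(k, θ) to those intervals, and read off P(T ≤ t), the probability that the next disclosure lands within a horizon of t days. The added example below is not the paper's code or data: the disclosure dates are constructed, and the fit uses the method of moments (k = mean²/var, θ = var/mean) rather than whatever estimator the paper used. The Gamma CDF is computed with the standard series/continued-fraction evaluation of the regularized lower incomplete gamma function, so nothing beyond the standard library is needed.

```python
import math
from datetime import date
from typing import List, Tuple

# Constructed disclosure dates for a hypothetical product (not data from the paper or NVD).
DISCLOSURES: List[date] = [
    date(2015, 1, 5), date(2015, 1, 20), date(2015, 2, 26), date(2015, 3, 3),
    date(2015, 4, 14), date(2015, 4, 21), date(2015, 6, 10), date(2015, 6, 12),
    date(2015, 8, 1), date(2015, 9, 18),
]

def tbvd_days(disclosures: List[date]) -> List[int]:
    """Time between consecutive vulnerability disclosures, in days."""
    ds = sorted(disclosures)
    return [(b - a).days for a, b in zip(ds, ds[1:])]

def fit_gamma_moments(samples: List[int]) -> Tuple[float, float]:
    """Method-of-moments fit of Gamma(shape k, scale theta): mean = k*theta, var = k*theta^2."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two intervals")
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / (n - 1)
    if var == 0:
        raise ValueError("zero variance: all intervals equal")
    return mean * mean / var, var / mean

def regularized_lower_gamma(a: float, x: float) -> float:
    """P(a, x) = gamma(a, x) / Gamma(a): power series for x < a+1, Lentz continued fraction otherwise."""
    if x <= 0.0:
        return 0.0
    log_prefactor = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1.0:
        ap, term, total = a, 1.0 / a, 1.0 / a
        for _ in range(1000):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-14:
                break
        return total * math.exp(log_prefactor)
    # Continued fraction gives Q(a, x) = 1 - P(a, x); stable for large x.
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-14:
            break
    return 1.0 - math.exp(log_prefactor) * h

def gamma_cdf(t: float, k: float, theta: float) -> float:
    """P(T <= t) for T ~ Gamma(k, theta): chance of at least one disclosure within t days."""
    return regularized_lower_gamma(k, t / theta)

def forecast(disclosures: List[date], horizon_days: float) -> Tuple[float, float, float]:
    """Fit Gamma to a product's TBVD and return (k, theta, P[next disclosure within horizon])."""
    k, theta = fit_gamma_moments(tbvd_days(disclosures))
    return k, theta, gamma_cdf(horizon_days, k, theta)

if __name__ == "__main__":
    k, theta, p30 = forecast(DISCLOSURES, 30)
    print(f"intervals: {tbvd_days(DISCLOSURES)}")
    print(f"k = {k:.3f}, theta = {theta:.2f} days, P(next disclosure within 30 days) = {p30:.3f}")
```

    With k = 1 the Gamma reduces to the exponential distribution and P(T ≤ t) = 1 - exp(-t/θ), which is a handy sanity check for the CDF. Nine intervals give a very rough fit; the abstract's per-product estimates rest on tens of thousands of records.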
  • 11.
    Karlsson, Fredrik
    et al.
    Örebro University, Sweden.
    Hedström, Karin
    Örebro University, Sweden.
    Goldkuhl, Göran
    Linköping University, Department of Management and Engineering, Information Systems. Linköping University, Faculty of Arts and Sciences.
    Practice-based discourse analysis of information security policies. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 67, pp. 267-279. Article in journal (Refereed)
    Abstract [en]

    To address the "insider" threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees' poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees' perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.

  • 12.
    Karlsson, Fredrik
    et al.
    Örebro University, Örebro University School of Business.
    Hedström, Karin
    Örebro University, Örebro University School of Business.
    Goldkuhl, Göran
    Information Systems, Linköpings Universitet, Linköping, Sweden.
    Practice-based discourse analysis of information security policies. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 67, pp. 267-279. Article in journal (Refereed)
    Abstract [en]

    To address the “insider” threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees’ poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees’ perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.

  • 13.
    Kolkowska, Ella
    et al.
    Örebro University, Örebro University School of Business.
    Dhillon, Gurpreet
    Virginia Commonwealth University, USA.
    Organizational power and information security rule compliance. 2013. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 33, pp. 3-11. Article in journal (Refereed)
    Abstract [en]

    This paper analyzes power relationships and the resulting failure in complying with information security rules. It argues that an inability to understand the intricate power relationships in the design and implementation of information security rules leads to a lack of compliance with the intended policy. The argument is conducted through an empirical, qualitative case study set in a Swedish Social Services organization. Our findings indicate that various dimensions of power and how these relate to information security rules ensure adequate compliance. This also helps to improve configuration of security rules through proactive information security management.

  • 14.
    Rocha Flores, Waldo
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Antonsen, Egil
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. 2014. In: Computers & security (Print), ISSN 0167-4048, Vol. 43, pp. 90-110. Article in journal (Refereed)
    Abstract [en]

    This paper presents an empirical investigation of what behavioral information security governance factors drive the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture.

    The study followed a mixed methods research design, wherein qualitative data was collected to both establish the study's research model and develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., a centralized security function to develop and deploy uniform firm-wide policies, and use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangle the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform to establish security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs.

    A multigroup analysis identified that national culture had a significant moderating effect on four of the six proposed relations. In Sweden – which is seen as a less individualist, feminine country – managers tend to focus their efforts on implementing controls that are aligned with business activities and employees' needs, monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. On the contrary, US organizations establish security knowledge sharing in their organization through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve, or at least know how their employees cope with, the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need to have more central control when running their information security function.

    The findings suggest that national culture should be taken into consideration in future studies – in particular when investigating organizations operating in a global environment – and that it is important to understand how it affects behaviors and decision-making.

  • 15.
    Rocha Flores, Waldo
    et al.
    KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems.
    Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. 2016. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 59, pp. 26-44. Article in journal (Refereed)
  • 16.
    Sommestad, Teodor
    et al.
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Ekstedt, Mathias
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    Johnson, Pontus
    KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
    A probabilistic relational model for security risk analysis. 2010. In: Computers & security (Print), ISSN 0167-4048, Vol. 29, no 6, pp. 659-679. Article in journal (Refereed)
    Abstract [en]

    Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. This paper describes how probabilistic relational models can be used to specify architecture metamodels so that security risk can be inferred from metamodel instantiations. A probabilistic relational model contains classes, attributes, and class-relationships. It can be used to specify architectural metamodels similar to class diagrams in the Unified Modeling Language. In addition, a probabilistic relational model makes it possible to associate a probabilistic dependency model to the attributes of classes in the architectural metamodel. This paper proposes a set of abstract classes that can be used to create probabilistic relational models so that they enable inference of security risk from instantiated architecture models. If an architecture metamodel is created by specializing the abstract classes proposed in this paper, the instantiations of the metamodel will generate a probabilistic dependency model that can be used to calculate the security risk associated with these instantiations. The abstract classes make it possible to derive the dependency model and calculate security risk from an instance model that only specifies assets and their relationships to each other. Hence, the person instantiating the architecture metamodel is not required to assess complex security attributes to quantify security risk using the instance model.

  • 17.
    Volkamer, Melanie
    et al.
    Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science. Technische Universität Darmstadt.
    Renaud, Karen
    University of Glasgow.
    Reinheimer, Benjamin
    Technische Universität Darmstadt.
    Kunz, Alexandra
    Technische Universität Darmstadt.
    User experiences of TORPEDO: TOoltip-powered phishing email DetectiOn. 2017. In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208. Article in journal (Refereed)
    Abstract [en]

    We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips. These help people to identify phish links embedded in emails. TORPEDO's tooltips contain the actual URL with the domain highlighted. Link activation is delayed for a short period, giving the person time to inspect the URL before they click on a link. Furthermore, TORPEDO provides an information diagram to explain phish detection. We evaluated TORPEDO's effectiveness, as compared to the worst case “status bar” as provided by other Web email interfaces. People using TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17% versus 43.31% correct answers for phish). We then carried out a field study with a number of TORPEDO users to explore actual user experiences of TORPEDO. We conclude the paper by reporting on the outcome of this field study and suggest improvements based on the feedback from the field study participants.

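    The tooltip described above shows the link's actual URL with its domain highlighted, so that a displayed address and the real target can be compared before clicking. The added example below is not TORPEDO's code: it extracts every anchor from a constructed HTML email body, renders the tooltip text with the registrable domain in brackets, and flags links whose visible text names a different domain than the href. The "last two labels" rule for the registrable domain is a deliberate simplification; a deployable version must consult the Public Suffix List, otherwise hosts under co.uk and similar suffixes are misreported. The domains in the sample email are invented.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed phishing-style email body; the domains are invented for this example.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. Visit
<a href="https://login.examp1e-bank.com/verify?id=42">https://www.example-bank.com/verify</a> now.</p>
<p>Or read our <a href="https://www.example-bank.com/help">help pages</a>.</p>
"""

# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule (assumption of this example; use the Public Suffix List in practice)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def highlight(url: str) -> str:
    """Tooltip text: the full URL with the registrable domain in brackets."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return url                                  # mailto:, relative links: nothing to highlight
    rd = registrable_domain(host)
    netloc = f"{host[:len(host) - len(rd)]}[{rd}]"
    if parts.port:
        netloc += f":{parts.port}"
    out = f"{parts.scheme}://{netloc}{parts.path}"
    if parts.query:
        out += f"?{parts.query}"
    return out

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every anchor in the message body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def analyse_links(html: str) -> List[Dict[str, object]]:
    """Per link: tooltip text, the domain it really targets, the domain the text claims, and whether they differ."""
    parser = LinkCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        actual = registrable_domain(host) if host else ""
        m = DOMAIN_RE.search(text)
        shown = registrable_domain(m.group(1)) if m else None
        findings.append({
            "text": text,
            "href": href,
            "tooltip": highlight(href),
            "actual_domain": actual,
            "shown_domain": shown,
            "mismatch": shown is not None and shown != actual,
        })
    return findings

if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"[{flag}] {f['text']!r} -> {f['tooltip']}")
```

    Only the first link is flagged: its text claims example-bank.com while the href goes to examp1e-bank.com, the kind of look-alike the highlighted domain is meant to make visible. A link whose text is plain words ("help pages") cannot contradict its href, so it is not flagged; the tooltip still shows where it leads.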