
Showing papers presented at "International Conference on Emerging Security Information, Systems and Technologies in 2018"


Proceedings Article
01 Jan 2018
TL;DR: This paper collects and analyzes 165 publicly available CCB initiatives based on Oxford’s widely accepted Cybersecurity Capacity Maturity Model (CMM) and performs a descriptive statistical analysis and reflects on these initiatives, drawing on well-established success factors from the literature of capacity-building.
Abstract: The global community has been engaged extensively in assessing and addressing gaps in cybersecurity commitments and capabilities across nations and regions. As a result, a significant number of Cybersecurity Capacity Building (CCB) initiatives were launched to overcome cyber-risks and realise digital dividends. However, these efforts are facing various challenges such as lack of strategy and duplication. Although extensive research has been carried out on CCB, no single study exists which focuses on analysing CCB initiatives. This gap presents an opportunity for investigating current trends in CCB efforts and identifying the principles for successful CCB initiatives. In this paper, we aim to bridge this gap by collecting and analysing 165 publicly available initiatives. We classify the initiatives based on Oxford’s widely accepted Cybersecurity Capacity Maturity Model (CMM) and perform a descriptive statistical analysis. We further reflect on these initiatives, drawing on well-established success factors from the literature of capacity-building. Towards this end, we also conduct qualitative analysis based on CMM reports for two countries which have experienced socio-economic challenges, Mexico and Brazil, to understand which factors are essential in successful CCB initiatives. We conclude the paper with some interesting results on regional trends, key players, and ingredients of success factors.

2 citations


Proceedings Article
16 Sep 2018
TL;DR: This paper presents a quantitative evaluation approach for defining security assurance metrics using two perspectives, vulnerabilities and security requirements, which can assist SMEs to evaluate the overall security assurance of their systems, and result in a measure of confidence that indicates how well a system meets its security requirements.
Abstract: The need for effective and efficient evaluation schemes of security assurance is growing in many organizations, especially Small and Medium Enterprises (SMEs). Although there are several approaches and standards for evaluating application security assurance, they are qualitative in nature and depend to a great extent on manual processing. This paper presents a quantitative evaluation approach for defining security assurance metrics using two perspectives, vulnerabilities and security requirements. While a vulnerability represents the negative aspect that leads to a reduction of the assurance level, a security requirement improves the assurance posture. The approach employs both Goal Question Metric (GQM) and Common Vulnerability Scoring System (CVSS) methods. GQM is used to construct measurement items for different types of assurance metrics and assess the fulfillment of security requirements or the absence of vulnerabilities, and CVSS is utilized to quantify the severity of vulnerabilities according to various attributes. Furthermore, a case study is provided in this work, which measures and evaluates the security assurance of a discussion forum application using our approach. This can assist SMEs to evaluate the overall security assurance of their systems, and result in a measure of confidence that indicates how well a system meets its security requirements. Keywords: Quantitative security assurance metrics; Security testing; Goal question metric (GQM); Common vulnerability scoring system (CVSS); Security metrics.

2 citations


Proceedings Article
16 Sep 2018
TL;DR: New privacy enforcement concepts and essential privacy requirements are proposed to achieve the goal of designing user-centric and self-determined privacy management in mobile biometrics.
Abstract: While new concepts of data analysis bring new opportunities for technological and societal evolution, they also present challenges with respect to privacy. Misconduct in personal data usage, particularly of biometric data, may lead to exposing it to identity thieves or unfair practices. It is necessary to define limits to the usage of personal data, involving the user actively in the process of defining and controlling their own data, as it is gathered in the EU data regulation (GDPR). It includes the right for the user to be informed about the actual use of the data, which is called notice and choice. In recent decades, security and privacy design aspects were analysed and incorporated as building blocks for IT systems, and now some aspects are mandatory in standardisation and certification procedures. As a first step towards a Protection Profile in biometrics meeting GDPR requirements, in this paper we propose new privacy enforcement concepts and essential privacy requirements to achieve the goal of designing user-centric and self-determined privacy management in mobile biometrics. Keywords: GDPR; privacy; biometric data; sensible data; informed consent; transparency.

2 citations

Proceedings Article
16 Sep 2018
TL;DR: This work suggests a novel approach based on the object capability paradigm with access control at the level of individual methods, which exploits two fundamental ideas: a component’s published interface is used as a specification of its required permissions, and interfaces are extended with optional methods, allowing one to specify permissions which are not strictly necessary, but desired for a better service level.
Abstract: A growing number of computing systems, e.g., smart phones or web applications, allow their software to be composed of components from untrusted sources. For security reasons, such a system should grant a component just the permissions it really requires, which implies that permissions must be sufficiently fine-grained. This leads to two questions: How to know and to specify the required permissions, and how to enforce access control in a flexible and efficient way? We suggest a novel approach based on the object capability paradigm with access control at the level of individual methods, which exploits two fundamental ideas: we simply use a component’s published interface as a specification of its required permissions, and extend interfaces with optional methods, allowing one to specify permissions which are not strictly necessary, but desired for a better service level. These ideas can be realized within a static type system, where interfaces specify both the availability of methods and the permission to use them. In addition, we support deep attenuation of rights with automatic creation of membranes, where necessary. Thus, our access control mechanisms are easy to use and also efficient, since in most cases permissions can be checked when the component is deployed, rather than at run-time. Keywords: Software components; security; type systems.