Journal ISSN: 2057-2085

Journal of Cybersecurity 

Oxford University Press
About: Journal of Cybersecurity is an academic journal published by Oxford University Press. The journal publishes mainly in the areas of Computer science and Cyberspace. It has the ISSN identifier 2057-2085 and is open access. Over its lifetime, 138 publications have been published, receiving 2570 citations. The journal is also known as: Journal of cyber security & JCS.

Papers
Journal Article
TL;DR: This work reviews all controversies around the new stringent definitions of consent revocation and the right to be forgotten and argues that such enforcement is indeed feasible provided that implementation guidelines and low-level business specifications are put in place in a clear and cross-platform manner in order to cater for all possible exceptions and complexities.
Abstract: Upon the GDPR’s application on 25 May 2018 across the European Union, new legal requirements for the protection of personal data will be enforced for data controllers operating within the EU territory. While the principles encompassed by the GDPR were mostly welcomed, two of them, namely the right to withdraw consent and the right to be forgotten, caused prolonged controversy among privacy scholars, human rights advocates and the business world due to their pivotal impact on the way personal data would be handled under the new legal provisions and the drastic consequences of enforcing these new requirements in the era of big data and the internet of things. In this work, we firstly review all controversies around the new stringent definitions of consent revocation and the right to be forgotten in reference to their implementation impact on privacy and personal data protection, and secondly, we evaluate existing methods, architectures and state-of-the-art technologies in terms of fulfilling the technical practicalities for the implementation and effective integration of the new requirements into current computing infrastructures. The latter allow us to argue that such enforcement is indeed feasible provided that implementation guidelines and low-level business specifications are put in place in a clear and cross-platform manner in order to cater for all possible exceptions and complexities.

176 citations

Journal Article
Sasha Romanosky
TL;DR: This research examines the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.
Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along. Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack. Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Public concerns regarding the increasing rates of breaches and legal actions conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.

170 citations

Journal Article
TL;DR: In this article, the authors developed Bayesian generalized linear models to investigate trends in data breaches and found that neither the size nor frequency of data breaches has increased over the past decade.
Abstract: Recent widely publicized data breaches have exposed the personal information of hundreds of millions of people. Some reports point to alarming increases in both the size and frequency of data breaches, spurring institutions around the world to address what appears to be a worsening situation. But, is the problem actually growing worse? In this paper, we study a popular public dataset and develop Bayesian Generalized Linear Models to investigate trends in data breaches. Analysis of the model shows that neither size nor frequency of data breaches has increased over the past decade. We find that the increases that have attracted attention can be explained by the heavy-tailed statistical distributions underlying the dataset. Specifically, we find that data breach size is log-normally distributed and that the daily frequency of breaches is described by a negative binomial distribution. These distributions may provide clues to the generative mechanisms that are responsible for the breaches. Additionally, our model predicts the likelihood of breaches of a particular size in the future. For example, we find that in the next year there is only a 31% chance of a breach of 10 million records or more in the US. Regardless of any trend, data breaches are costly, and we combine the model with two different cost models to project that in the next three years breaches could cost up to $55 billion.

157 citations

Journal Article
TL;DR: In this paper, a taxonomy of cyber-harms encountered by organisations is presented, which comprises five broad themes: physical or digital harm, economic harm, psychological harm, reputational harm, and social and societal harm.
Abstract: Technological advances have resulted in organisations digitalizing many parts of their operations. The threat landscape of cyber-attacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organisations face from cyber-attacks. In this paper, we reflect on the literature on harm, and how it has been conceptualised in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organisations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organisational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organisations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.

148 citations

Journal Article
TL;DR: The damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago, and any proposals that alter the security dynamics online should be approached with caution.
Abstract: Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels “going dark,” these attempts to regulate security technologies on the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today, there are again calls for regulation to mandate the provision of exceptional access mechanisms. In this article, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect

110 citations

Performance metrics

Number of papers from the journal in previous years:

Year   Papers
2023   16
2022   21
2021   25
2020   23
2019   16
2018   9