Search results

1 – 10 of 917
Article
Publication date: 8 February 2022

Neha Chhabra Roy and Sreeleakha Prabhakaran

Abstract

Purpose

This paper aims to focus on the different types of insider-led cyber frauds that gained mainstream attention in recent large-scale fraud events involving prominent Indian banking institutions. In addition to identifying and classifying cyber fraud, the study maps them on a severity scale for optimal mitigation planning.

Design/methodology/approach

The methodology used for identification and classification is an analysis of a detailed literature review, a focus group discussion with risk and vigilance officers and cyber cell experts, as well as secondary data of cyber fraud losses. Through machine learning-based random forest, the authors predicted the future of insider-led cyber frauds in the Indian banking business and prioritized and predicted the same. The projected future reveals the dominance of a few specific cyber frauds, which will make it easier to develop a fraud mitigation model based on a victim-centric approach.

Findings

The paper concludes with a conceptual framework that can be used to ensure a sustainable cyber fraud mitigation ecosystem within the scope of the study. By using the findings of this research, policymakers and fraud investigators will be able to create a more robust environment for banks through timely detection of cyber fraud and prevent it appropriately before it happens.

Research limitations/implications

The study focuses on fraud, risk and mitigation from a victim-centric perspective and does not address it from the fraudster’s perspective. Data availability was a challenge. Banks are recommended to compile data that can be used for analysis both by themselves and other policymakers.

Practical implications

The structured, sustainable cyber fraud mitigation suggested in the study will provide an agile, quick, proactive, stakeholder-specific plan that helps to safeguard banks, employees, regulatory authorities, customers and the economy. It saves resources, cost and time for bank authorities and policymakers. The mitigation measures will also help improve the reputational status of the Indian banking business and prolong the banks’ sustenance.

Originality/value

The innovative cyber fraud mitigation approach contributes to the sustainability of a bank’s ecosystem quickly, proactively and effectively.

Article
Publication date: 21 March 2023

Abel Yeboah-Ofori and Francisca Afua Opoku-Boateng

Abstract

Purpose

Various organizational landscapes have evolved to improve their business processes, increase production speed and reduce the cost of distribution and have integrated their Internet with small and medium scale enterprises (SMEs) and third-party vendors to improve business growth and increase global market share, including changing organizational requirements and business process collaborations. Benefits include a reduction in the cost of production, online services, online payments, product distribution channels and delivery in a supply chain environment. However, the integration has led to an exponential increase in cybercrimes, with adversaries using various attack methods to penetrate and exploit the organizational network. Thus, identifying the attack vectors in the event of cyberattacks is very important in mitigating cybercrimes effectively and has become inevitable. However, the invincibility nature of cybercrimes makes it challenging to detect and predict the threat probabilities and the cascading impact in an evolving organization landscape leading to malware, ransomware, data theft and denial of service attacks, among others. The paper explores the cybercrime threat landscape, considers the impact of the attacks and identifies mitigating circumstances to improve security controls in an evolving organizational landscape.

Design/methodology/approach

The approach follows two main cybercrime framework design principles that focus on existing attack detection phases and proposes a cybercrime mitigation framework (CCMF) that uses detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface. The methods and implementation processes were derived by identifying an organizational goal, attack vectors, threat landscape, identification of attacks and models and validation of framework standards to improve security. The novelty contribution of this paper is threefold: first, the authors explore the existing threat landscapes, various cybercrimes, models and the methods that adversaries are deploying on organizations. Second, the authors propose a threat model required for mitigating the risk factors. Finally, the authors recommend control mechanisms in line with security standards to improve security.

Findings

The results show that cybercrimes can be mitigated using a CCMF to detect, assess, analyze, evaluate and respond to cybercrimes to improve security in an evolving organizational threat landscape.

Research limitations/implications

The paper does not consider the organizational size between large organizations and SMEs. The challenges facing the evolving organizational threat landscape include vulnerabilities brought about by the integrations of various network nodes. Factors influencing these vulnerabilities include inadequate threat intelligence gathering, a lack of third-party auditing and inadequate control mechanisms leading to various manipulations, exploitations, exfiltration and obfuscations.

Practical implications

Attack methods are applied to a case study for the implementation to evaluate the model based on the design principles. Inadequate cyber threat intelligence (CTI) gathering, inadequate attack modeling and security misconfigurations are some of the key factors leading to practical implications in mitigating cybercrimes.

Social implications

There are no social implications; however, cybercrimes have severe consequences for organizations and third-party vendors that integrate their network systems, leading to legal and reputational damage.

Originality/value

The paper’s originality considers mitigating cybercrimes in an evolving organization landscape that requires strategic, tactical and operational management imperative using the proposed framework phases, including detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface, which is currently inadequate.

Details

Continuity & Resilience Review, vol. 5 no. 1
Type: Research Article
ISSN: 2516-7502

Article
Publication date: 2 December 2019

Abhijeet Ghadge, Maximilian Weiß, Nigel D. Caldwell and Richard Wilding

Abstract

Purpose

In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.

Design/methodology/approach

Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.

Findings

The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.

Research limitations/implications

Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.

Practical implications

A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.

Originality/value

To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.

Article
Publication date: 11 February 2019

Melissa Carlton, Yair Levy and Michelle Ramim

Abstract

Purpose

Users’ mistakes due to poor cybersecurity skills result in up to 95 per cent of cyber threats to organizations. Threats to organizational information systems continue to result in substantial financial and intellectual property losses. This paper aims to design, develop and empirically test a set of scenarios-based hands-on tasks to measure the cybersecurity skills of non-information technology (IT) professionals.

Design/methodology/approach

This study was classified as developmental in nature and used a sequential qualitative and quantitative method to validate the reliability of the Cybersecurity Skills Index (CSI) as a prototype-benchmarking tool. Next, the prototype was used to empirically test the demonstrated observable hands-on skills level of 173 non-IT professionals.

Findings

The importance of skills and hands-on assessment appears applicable to cybersecurity skills of non-IT professionals. Therefore, by using an expert-validated set of cybersecurity skills and scenario-driven tasks, this study established and validated a set of hands-on tasks that measure observable cybersecurity skills of non-IT professionals without bias or the high-stakes risk to IT.

Research limitations/implications

Data collection was limited to the southeastern USA and while the sample size of 173 non-IT professionals is valid, further studies are required to increase validation of the results and generalizability.

Originality/value

The validated and reliable CSI was operationalized as a tool that measures the cybersecurity skills of non-IT professionals. This benchmarking tool could assist organizations with mitigating threats due to vulnerabilities and breaches caused by employees due to poor cybersecurity skills.

Details

Information & Computer Security, vol. 27 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 22 June 2023

Oluwatoyin Esther Akinbowale, Heinz Eckart Klingelhöfer and Mulatu Fekadu Zerihun

Abstract

Purpose

The purpose of this study is to examine the level of effectiveness of the anti-fraud technologies employed by the South African banking industry for cyberfraud mitigation.

Design/methodology/approach

This research employed a qualitative research design involving a purposive sampling method. Primary data was collected from the key organisational staff across the 17 licensed commercial banks in South Africa via the use of structured questionnaires. In particular, these were experts involved in combating fraud and taking managerial decisions regarding the use of anti-fraud technologies for cyberfraud mitigation. Non-parametric statistical analyses were carried out from the responses obtained.

Findings

The results obtained indicated that the combination of internal and external anti-fraud technologies such as filtering software, firewalls, encryption, continuous auditing, discovery sampling, virus protection, financial ratios, digital analysis and data mining may have a positive effect on cyberfraud mitigation. These technologies are employed mostly to ensure effective internal control systems capable of minimising cyberfraud. In addition, the anti-fraud technologies employed in the South African banking industry may also be effective in the mitigation of cyberfraud, although significant cases of cyberattacks were reported by the respondents.

Practical implications

The study recommends investment in more digital and emerging technologies and the development of human capacities to effectively deploy them in the combat against cybercrime.

Originality/value

The novelty of this study lies in the identification of the type of anti-fraud technologies/software employed by the South African banking industry and their level of effectiveness or success rate.

Details

Journal of Financial Crime, vol. 31 no. 1
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 30 July 2019

S. Vijayakumar Bharathi

Abstract

Purpose

Internet of Things (IoT) interconnects many heterogeneous devices to each other, collecting and processing large volumes of data for decision making without human intervention. However, the information security concern it brings has attracted quite a lot of attention, and, at this stage, the smart step would be to analyze the security issues of IoT platform and get to the state of readiness before embarking upon this attractive technology. The purpose of this paper is to address these issues.

Design/methodology/approach

IoT risk assessment through the application of the analytical hierarchy process (AHP), a favorite multi-criteria decision making technique, is proposed. The IoT risks are prioritized and ranked at different layers, before which a well-defined IoT risk taxonomy is defined comprising 25 risks across six layers of the IoT model for developing control and mitigation plans for information security of IoT.

Findings

People and processes layer, network layer and applications layer are the top three critical layers with risks like the lack of awareness, malware injection, malicious code injection, denial of service and inefficient policies for IoT practice get the highest priority and rank. Pareto analysis of the overall risk factors revealed that the top ten factors contribute to 80 percent of the risks perceived by information security experts.

Research limitations/implications

The study focuses only on certain predefined constructs or layers of the IoT model traced from legacy studies. It is essential to re-look these constructs on a timely basis to prolong the results’ validity. The study’s empirical scope is confined only to the risk perception of select IoT experts and does not encompass a broader segment of the IoT ecosystem. Therefore, the risks assessment may not be sweeping to a bigger audience.

Practical implications

The study implications are two-fold: one, it consolidates the earlier siloed works to intensify the need for risk assessment in the IoT domain, and second, the study brings yet another contextual avenue of extending the application AHP and Pareto principle combination. The paper also draws specific critical organizational interventions about IoT risks. A comprehensive approach to prioritizing and ranking IoT risks is present in this research paper.

Originality/value

The contribution of this study to the benchmarking of IoT risk assessment is two-fold. One, a comprehensive risk assessment taxonomy is proposed, and two, the risks are prioritized and ranked to give a convincing reference for the organizations while making information security plans for IoT technology.

Details

Benchmarking: An International Journal, vol. 26 no. 8
Type: Research Article
ISSN: 1463-5771

Article
Publication date: 26 May 2023

Derrick Boakye, David Sarpong, Dirk Meissner and George Ofosu

Abstract

Purpose

Cyber-attacks that generate technical disruptions in organisational operations and damage the reputation of organisations have become all too common in the contemporary organisation. This paper explores the reputation repair strategies undertaken by organisations in the event of becoming victims of cyber-attacks.

Design/methodology/approach

For developing the authors’ contribution in the context of the Internet service providers' industry, the authors draw on a qualitative case study of TalkTalk, a British telecommunications company providing business to business (B2B) and business to customer (B2C) Internet services, which was a victim of a “significant and sustained” cyber-attack in October 2015. Data for the enquiry is sourced from publicly available archival documents such as newspaper articles, press releases, podcasts and parliamentary hearings on the TalkTalk cyber-attack.

Findings

The findings suggest a dynamic interplay of technical and rhetorical responses in dealing with cyber-attacks. This plays out in the form of marshalling communication and mortification techniques, bolstering image and riding on leader reputation, which serially combine to strategically orchestrate reputational repair and stigma erasure in the event of a cyber-attack.

Originality/value

Analysing a prototypical case of an organisation in dire straits following a cyber-attack, the paper provides a systematic characterisation of the setting-in-motion of strategic responses to manage, revamp and ameliorate damaged reputation during cyber-attacks, which tend to negatively shape the evaluative perceptions of the organisation's salient audience.

Details

Information Technology & People, vol. 37 no. 4
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 7 May 2024

Swathi Pennapareddy, Ramprasad Srinivasan and Natarajan K.

Abstract

Purpose

Automatic dependent surveillance-broadcast (ADS-B) is the foundational technology of the next generation air transportation system defined by Federal Aviation Authority and is one of the most precise ways for tracking aircraft position. ADS-B is intended to provide greater situational awareness to the pilots by displaying the traffic information like aircraft ID, altitude, speed and other critical parameters on the Cockpit Display of Traffic Information displays in the cockpit. Unfortunately, due to the initial proposed nature of ADS-B protocol, it is neither encrypted nor has any other innate security mechanisms, which makes it an easy target for malicious attacks. The system is vulnerable to various active and passive attacks like message ingestion, message deletion, eavesdropping, jamming, etc., which has become an area of concern for the aviation industry. The purpose of this study is to propose a method based on modified advanced encryption standard (AES) algorithm to secure the ADS-B messages and increase the integrity of ADS-B data transmissions.

Design/methodology/approach

Though there are various cryptographic and non-cryptographic methods proposed to secure ADS-B data transmissions, it is evident that most of these systems have limitations in terms of cost, implementation or feasibility. The new proposed method implements AES encryption techniques on the ADS-B data on the sender side and correlated decryption mechanism at the receiver end. The system is designed based on the flight schedule data available from any flight planning systems and implementing the AES algorithm on the ADS-B data from each aircraft in the flight schedule.

Findings

The suitable hardware was developed using Raspberry pi, ESP32 and Ra-02. Several runs were done to verify the original message, transmitted data and received data. During transmission, encryption algorithm was being developed, which has got very high secured transmission, and during the reception, the data was secured. Field test was conducted to validate the transmission and quality. Several trials were done to validate the transmission process. The authors have successfully shown that the ADS-B data can be encrypted using AES algorithm. The authors are successful in transmitting and receiving the ADS-B data packet using the discussed hardware and software methodology. One major advantage of using the proposed solution is that the information received is encrypted, and the receiver ADS-B system can decrypt the messages on the receiving end. This clearly proves that when the data is received by an unknown receiver, the messages cannot be decrypted, as the receiver is not capable of decrypting the AES-authenticated messages transmitted by the authenticated source. Also, AES encryption is highly unlikely to be decrypted if the encryption key and the associated decryption key are not known.

Research limitations/implications

Implementation of the developed solution in actual onboard avionics systems is not within the scope of this research. Hence, assessing in the real-time distances is not covered.

Social implications

The authors propose to extend this as a software solution to the onboard avionics systems by considering the required architectural changes. This solution can also bring in positive results for unmanned air vehicles in addition to the commercial aircraft. Enhancement of security to the key operational and navigation data elements is going to be invaluable for future air traffic management and saving lives of people.

Originality/value

The proposed solution has been practically implemented by developing the hardware and software as part of this research. This has been clearly brought out in the paper. The implementation has been tested using the actual ADS-B data/messages received from using the ADS-B receiver. The solution works perfectly, and this brings immense value to the aircraft-to-aircraft and aircraft-to-ground communications, specifically while using ADS-B data for communicating the position information. With the proposed architecture and minor software updates to the onboard avionics, this solution can enhance safety of flights.

Details

Aircraft Engineering and Aerospace Technology, vol. 96 no. 7
Type: Research Article
ISSN: 1748-8842

Open Access
Article
Publication date: 14 July 2021

Molly Cooper, Yair Levy, Ling Wang and Laurie Dringus

Abstract

Purpose

This study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.

Design/methodology/approach

This study has three phases. The first phase included 32 subject matter experts that provided feedback toward a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWS™ mobile app) to 205 participants. This study designed, developed, as well as empirically tested the PAWS™ mobile app that alerted and warned participants to the signs of phishing in emails on mobile devices.

Findings

The results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.

Practical implications

This study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.

Originality/value

This study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 1 no. 1
Type: Research Article
ISSN: 2635-0270

Article
Publication date: 12 August 2022

Neha Chhabra Roy and Sreeleakha Prabhakaran

Abstract

Purpose

The study aims to overview the different types of internal-led cyber fraud that have gained mainstream attention in recent major-value fraud events involving prominent Indian banks. The authors attempted to identify and classify cyber frauds and its drivers and correlate them for optimal mitigation planning.

Design/methodology/approach

The methodology opted for the identification and classification is through a detailed literature review and focus group discussion with risk and vigilance officers and cyber cell experts. The authors assessed the future of cyber fraud in the Indian banking business through the machine learning–based k-nearest neighbor (K-NN) approach and prioritized and predicted the future of cyber fraud. The predicted future revealing dominance of a few specific cyber frauds will help to get an appropriate fraud prevention model, using an associated parties centric (victim and offender) root-cause approach. The study uses correlation analysis and maps frauds with their respective drivers to determine the resource specific effective mitigation plan.

Findings

Finally, the paper concludes with a conceptual framework for preventing internal-led cyber fraud within the scope of the study. A cyber fraud mitigation ecosystem will be helpful for policymakers and fraud investigation officers to create a more robust environment for banks through timely and quick detection of cyber frauds and prevention of them.

Research limitations/implications

Additionally, the study supports the Reserve Bank of India and the Government of India's launched cyber security initiatives and schemes which ensure protection for the banking ecosystem i.e. RBI direct scheme, integrated ombudsman scheme, cyber swachhta kendra (botnet cleaning and malware analysis centre), National Cyber Coordination Centre (NCCC) and Security Monitoring Centre (SMC).

Practical implications

Structured and effective internal-led plans for cyber fraud mitigation proposed in this study will conserve banks, employees, regulatory authorities, customers and economic resources, save bank authorities’ and policymakers’ time and money, and conserve resources. Additionally, this will enhance the reputation of the Indian banking industry and extend its lifespan.

Originality/value

The innovative insider-led cyber fraud mitigation approach quickly identifies cyber fraud, prioritizes it, identifies its prominent root causes, maps frauds with respective root causes and then suggests strategies to ensure a cost-effective and time-saving bank ecosystem.

Details

Aslib Journal of Information Management, vol. 75 no. 2
Type: Research Article
ISSN: 2050-3806
