Search results

1 – 10 of 607
Open Access
Article
Publication date: 2 January 2024

Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer

Abstract

Purpose

Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. The technological evolution including interconnectedness and new ways of interaction lead to new security and safety risks that can be realised, both in terms of human error, and malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.

Design/methodology/approach

Overall, 26 interviews were conducted with 21 participants from industry and academia.

Findings

The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.

Originality/value

The authors discuss socio-technical principles through a hexagonal socio-technical framework and training needs analysis to mitigate against cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.

Details

Information & Computer Security, vol. 32 no. 2
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 14 August 2017

Jassim Happa and Michael Goldsmith

Abstract

Purpose

Several attack models attempt to describe behaviours of attacks with the intent to understand and combat them better. However, all models are to some degree incomplete. They may lack insight about minor variations about attacks that are observed in the real world (but are not described in the model). This may lead to similar attacks being classified as the same type of attack, or in some cases the same instance of attack. The appropriate solution would be to modify the model or replace it entirely. However, doing so may be undesirable as the model may work well for most cases or time and resource constraints may factor in as well. This paper aims to explore the potential value of adding information about attacks and attackers to existing models.

Design/methodology/approach

This paper investigates used cases of minor variations in attacks and how it may and may not be appropriate to communicate subtle differences in existing attack models through the use of annotations. In particular, the authors investigate commonalities across a range of existing models and identify where and how annotations may be helpful.

Findings

The authors propose that nuances (of attack properties) can be appended as annotations to existing attack models. Using annotations appropriately should enable analysts and researchers to express subtle but important variations in attacks that may not fit the model currently being used.

Research limitations/implications

This work only demonstrated a few simple, generic examples. In the future, the authors intend to investigate how this annotation approach can be extended further. Particularly, they intend to explore how annotations can be created computationally; the authors wish to obtain feedback from security analysts through interviews, identify where potential biases may arise and identify other real-world applications.

Originality/value

The value of this paper is that the authors demonstrate how annotations may help analysts communicate and ask better questions during identification of unknown aspects of attacks faster, e.g. as a means of storing mental notes in a structured manner, especially while facing zero-day attacks when information is incomplete.

Details

PSU Research Review, vol. 1 no. 2
Type: Research Article
ISSN: 2399-1747

Open Access
Article
Publication date: 11 September 2017

Michel van Eeten

Abstract

Purpose

The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global governance model of multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange disconnect, however, between this supposed fight and the actual control over cybersecurity “on the ground”. This paper aims to reconnect discourse and control via a property rights approach, where control is located first and foremost in ownership.

Design/methodology/approach

This paper first conceptualizes current governance mechanisms through ownership and property rights. These concepts locate control over internet resources. They also help us understand ongoing shifts in control. Such shifts in governance are actually happening, security governance is being patched left and right, but these arrangements bear little resemblance to either the national security model of states or the global model of multi-stakeholder collaboration. With the conceptualization in hand, the paper then presents case studies of governance that have emerged around specific security externalities.

Findings

While not all mechanisms are equally effective, in each of the studied areas, the author found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and through network governance mechanisms. No one thinks that this is enough, but it is a starting point. Future research is needed to identify how these mechanisms can be extended or supplemented to further improve the governance of cybersecurity.

Originality/value

This paper bridges together the disconnected research communities on governance and (technical) cybersecurity.

Details

Digital Policy, Regulation and Governance, vol. 19 no. 6
Type: Research Article
ISSN: 2398-5038

Open Access
Article
Publication date: 9 January 2024

Shetie Gatew and Nura Guyo

Abstract

Purpose

This study's results and recommendations will have paramount significance for policymakers, policy advocates, development planners and practitioners who may be in need of such information for reconsideration, evaluation and inclusion into their respective development and humanitarian programming and operational strategies. Above all, the study result has further provided the local community with viable adaptation strategies to climate-induced changes in the study area.

Design/methodology/approach

This study was conducted to measure the livelihood vulnerability of Borana pastoralists to climate change and variability in southern Ethiopia. Pastoralists’ households were sampled using multistage sampling techniques. A total of 27 socio-economic and biophysical indicators were used to reflect vulnerability components: adaptive capacity, exposure and sensitivity. Principal component analysis was used to develop weights for indicators and to produce livelihood vulnerability index to classify households according to their level of vulnerability. Ordinal logistic regression was used to identify the determinants of vulnerability to climate-induced stresses.

Findings

The results showed that 24.4% of households were highly vulnerable, 60.3% were moderately vulnerable and 15.3% of households were less vulnerable to climate-induced stresses. Factor estimates of the logistic model further revealed that early warning information, bush encroachment, coping strategy, temperature, drought frequency, provision of humanitarian services and food shortage during the normal season of the year have a significant influence on vulnerability in the study area.

Social implications

The study’s results and recommendations will be of great significance to policymakers, development planners, and practitioners who require such information for reconsideration, evaluation, and inclusion in their respective development and humanitarian program and operational strategies. Most importantly, the study’s findings have provided the local community with practical adaptation strategies to climate-induced changes in the study area.

Originality/value

The study explored pastoralist perception of climate change and variability and measured the livelihood vulnerability of pastoralists’ households to climate change and variability and finally investigated viable adaptation and coping strategies in the study area.

Details

International Journal of Climate Change Strategies and Management, vol. 16 no. 1
Type: Research Article
ISSN: 1756-8692

Open Access
Article
Publication date: 12 November 2018

Stefan Fenz and Thomas Neubauer

Abstract

Purpose

The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.

Design/methodology/approach

The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.

Findings

There are different ways of obtaining compliance to information security standards. For example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.

Originality/value

Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.

Details

Information & Computer Security, vol. 26 no. 5
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 26 May 2023

Eline Punt, Jochen Monstadt, Sybille Frank and Patrick Witte

Abstract

Purpose

Cyber resilience has emerged as an approach for seaports to deal with cyberattacks; it emphasizes ports’ ability to prepare for an attack and to keep operating and recover quickly. However, little research has been undertaken on the challenges of governing cyber risks in seaports. This study aims to address this gap.

Design/methodology/approach

Governing cyber resilience is shaped by distributed responsibilities, uncertainties and ambiguities. The authors use this conceptualization to explore the governance of cyber risks in seaports, taking the Port of Rotterdam as a case study and analyzing semistructured interviews with stakeholders, participatory observation and policy documents and legislation.

Findings

The authors found that many strategies for governing cyber risks remain dedicated to protecting computer systems against cyberattacks. Nevertheless, port stakeholders have also developed strategies in anticipation of disruptions. However, these strategies appear informal and uncoordinated due to a lack of information exchange, insufficient knowledge regarding cyber risks and disagreement about how to make the Port of Rotterdam cyber resilient. What mainly hampers the cyber resilience of the port is the lack of a comprehensive regulatory framework and economic incentives. The authors conclude that resilience is merely an ideal at the Port of Rotterdam, meaning related governance strategies remain incremental and await institutionalization.

Originality/value

This paper offers insights into the cyber resilience of critical socio-technical systems, which have been underexposed in cyber resilience debates, but, when exploited, can manifest in large-scale disruptions.

Details

Digital Policy, Regulation and Governance, vol. 25 no. 4
Type: Research Article
ISSN: 2398-5038

Open Access
Book part
Publication date: 4 June 2021

Julia Slupska and Leonie Maria Tanczer

Abstract

Technology-facilitated abuse, so-called “tech abuse,” through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence (IPV). The current chapter examines the risks and harms posed to IPV victims/survivors from the burgeoning Internet of Things (IoT) environment. IoT systems are understood as “smart” devices such as conventional household appliances that are connected to the internet. Interdependencies between different products together with the devices' enhanced functionalities offer opportunities for coercion and control. Across the chapter, we use the example of IoT to showcase how and why tech abuse is a socio-technological issue and requires not only human-centered (i.e., societal) but also cybersecurity (i.e., technical) responses. We apply the method of “threat modeling,” which is a process used to investigate potential cybersecurity attacks, to shift the conventional technical focus from the risks to systems toward risks to people. Through the analysis of a smart lock, we highlight insufficiently designed IoT privacy and security features and uncover how seemingly neutral design decisions can constrain, shape, and facilitate coercive and controlling behaviors.

Details

The Emerald International Handbook of Technology-Facilitated Violence and Abuse
Type: Book
ISBN: 978-1-83982-849-2

Open Access
Article
Publication date: 2 February 2018

Mingqiu Song, Penghua Wang and Peng Yang

Abstract

Purpose

The purpose of this study was to establish a Technology-Organization-Personality model of secure software development (SSD) innovation assimilation at the level of individual motivation. The model identifies individual psychological motivation, which influences innovation assimilation intention and behavior. It constitutes an organizational management view of SSD innovation assimilation from individual psychological motivation perspective.

Design/methodology/approach

An empirical study was employed to verify the assumption model. Semi-structured user interviews were conducted with some security experts to consult their advice and obtain the measurement scales. And questionnaires were circulated at a focus group meeting and among some software security professionals by email. Of 230 questionnaires that were answered, 215 could be used. IBM SPSS 19.0 and AMOS 17.0 were used alternately to analyze the data. Structural equation model was employed to verify the hypotheses of the model.

Findings

Results reveal that two types of individual motivation can influence SSD innovation assimilation, namely, potential organization support and individual needs. Furthermore, absorption capability was found to play a regulated function in the transition of SSD assimilation intention to behavior.

Originality/value

The findings reveal how individual motivation plays an important role in promoting complex innovation assimilation. It fills the gap of the research on organizational assimilation behavior and individual motivation in the context of SSD complex innovation, and provides management of software development organization with empirically based conceptualization to guide their personnel incentive policymaking.

Details

Chinese Management Studies, vol. 12 no. 1
Type: Research Article
ISSN: 1750-614X

Open Access
Article
Publication date: 9 November 2021

Zareef Mohammed

Abstract

Purpose

Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must take to prevent a data breach, it is still necessary to develop strategies in the event of a data breach. This paper explores the key recovery areas necessary for data breach recovery.

Design/methodology/approach

Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as necessary theoretical lens to study data breach recovery. Three data breach cases (Anthem, Equifax, and Citrix) were presented to provide merit to the argument of the proposed theoretical foundations of stakeholder theory and recovery areas for data breach recovery research.

Findings

Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.

Originality/value

These areas are presented in the data recovery areas model and are necessary for: (1) organizations to focus on these areas when resolving data breaches and (2) future data breach recovery researchers in developing their research in the field.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 2 no. 1
Type: Research Article
ISSN: 2635-0270

Open Access
Article
Publication date: 17 October 2019

Sherali Zeadally, Farhan Siddiqui, Zubair Baig and Ahmed Ibrahim

Abstract

Purpose

The aim of this paper is to identify some of the challenges that need to be addressed to accelerate the deployment and adoption of smart health technologies for ubiquitous healthcare access. The paper also explores how internet of things (IoT) and big data technologies can be combined with smart health to provide better healthcare solutions.

Design/methodology/approach

The authors reviewed the literature to identify the challenges which have slowed down the deployment and adoption of smart health.

Findings

The authors discussed how IoT and big data technologies can be integrated with smart health to address some of the challenges to improve health-care availability, access and costs.

Originality/value

The results of this paper will help health-care designers, professionals and researchers design better health-care information systems.

Details

PSU Research Review, vol. 4 no. 2
Type: Research Article
ISSN: 2399-1747
