Search results

1 – 10 of 17
Open Access
Article
Publication date: 11 September 2017

Michel van Eeten

Abstract

Purpose

The issue of cybersecurity has been cast as the focal point of a fight between two conflicting governance models: the nation-state model of national security and the global governance model of multi-stakeholder collaboration, as seen in forums like IGF, IETF, ICANN, etc. There is a strange disconnect, however, between this supposed fight and the actual control over cybersecurity “on the ground”. This paper aims to reconnect discourse and control via a property rights approach, where control is located first and foremost in ownership.

Design/methodology/approach

This paper first conceptualizes current governance mechanisms through ownership and property rights. These concepts locate control over internet resources. They also help us understand ongoing shifts in control. Such shifts in governance are actually happening; security governance is being patched left and right, but these arrangements bear little resemblance to either the national security model of states or the global model of multi-stakeholder collaboration. With the conceptualization in hand, the paper then presents case studies of governance that have emerged around specific security externalities.

Findings

While not all mechanisms are equally effective, in each of the studied areas, the author found evidence of private actors partially internalizing the externalities, mostly on a voluntary basis and through network governance mechanisms. No one thinks that this is enough, but it is a starting point. Future research is needed to identify how these mechanisms can be extended or supplemented to further improve the governance of cybersecurity.

Originality/value

This paper bridges the disconnected research communities on governance and (technical) cybersecurity.

Details

Digital Policy, Regulation and Governance, vol. 19 no. 6
Type: Research Article
ISSN: 2398-5038

Open Access
Article
Publication date: 31 July 2020

Ado Adamou Abba Ari, Olga Kengni Ngangmo, Chafiq Titouna, Ousmane Thiare, Kolyang, Alidou Mohamadou and Abdelhak Mourad Gueroui

Abstract

The Cloud of Things (CoT), which refers to the integration of Cloud Computing (CC) and the Internet of Things (IoT), has dramatically changed the way treatments are done in the ubiquitous computing world. This integration has become imperative because the important amount of data generated by IoT devices needs the CC as a storage and processing infrastructure. Unfortunately, security issues in CoT remain more critical since users and IoT devices continue to share computing as well as networking resources remotely. Moreover, preserving data privacy in such an environment is also a critical concern. Therefore, security and privacy issues in the CoT are continuously growing. This paper focused on security and privacy considerations by analyzing some potential challenges and risks that need to be resolved. To achieve that, the CoT architecture and existing applications have been investigated. Furthermore, a number of security and privacy concerns and issues, as well as open challenges, are discussed in this work.

Details

Applied Computing and Informatics, vol. 20 no. 1/2
Type: Research Article
ISSN: 2634-1964

Open Access
Article
Publication date: 16 April 2024

Natile Nonhlanhla Cele and Sheila Kwenda

Abstract

Purpose

The purpose of the study is to identify cybersecurity threats that hinder the adoption of digital banking and provide sustainable strategies to combat cybersecurity risks in the banking industry.

Design/methodology/approach

Systematic literature review guidelines were used to conduct a quantitative synthesis of empirical evidence regarding the impact of cybersecurity threats and risks on the adoption of digital banking.

Findings

A total of 84 studies were initially examined, and after applying the selection and eligibility criteria for this systematic review, 58 studies were included. These selected articles consistently identified identity theft, malware attacks, phishing and vishing as significant cybersecurity threats that hinder the adoption of digital banking.

Originality/value

With the country’s banking sector being new in this area, this study contributes to the scant literature on cyber security, which is much needed given the myriad breaches that the industry has already suffered thus far.

Details

Journal of Financial Crime, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1359-0790

Open Access
Article
Publication date: 4 December 2017

Volker Skwarek

Abstract

Purpose

This paper aims to describe a method for Internet-of-Things-devices to achieve industrial grade reliability for information transfer from wireless sensor systems to production systems using blockchain technologies.

Design/methodology/approach

An increased security and reliability of submitted data within the sensor network could be achieved on an application level. Therefore, a lightweight, high-level communication protocol based on blockchain principles was designed.

Findings

Blockchain mechanisms can secure the wireless communication of Internet-of-Things-devices in a lightweight and scalable manner.

Originality/value

The innovation of this research is the successful application of general blockchain mechanisms to increase security of a wireless sensor system without binding to a dedicated blockchain technology.

Details

Asia Pacific Journal of Innovation and Entrepreneurship, vol. 11 no. 3
Type: Research Article
ISSN: 2071-1395

Open Access
Article
Publication date: 14 May 2018

Jan-Willem Bullee, Lorena Montoya, Marianne Junger and Pieter Hartel

Abstract

Purpose

When security managers choose to deploy a smart lock activation system, the number of units needed and their location need to be established. This study aims to present the results of a penetration test involving smart locks in the context of building security. The authors investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures.

Design/methodology/approach

Twenty-seven different “offenders” visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key.

Findings

A total of 58.6 per cent of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.

Research limitations/implications

The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers.

Originality/value

No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).

Details

Journal of Corporate Real Estate, vol. 20 no. 2
Type: Research Article
ISSN: 1463-001X

Open Access
Article
Publication date: 23 November 2023

Chetana Balakrishna Maddodi and Pallavi Upadhyaya

Abstract

Purpose

The purpose of this study is to review and synthesize the literature on in-app advertising, identify gaps and propose future research directions.

Design/methodology/approach

The authors use a systematic literature review (SLR) approach, following the PRISMA guidelines, to investigate the current state of research in in-app advertising. The study uses 44 shortlisted articles from the Scopus and Web of Science databases. Using the Theory-Context-Characteristics-Methodology (TCCM) framework, the authors analyze the gaps in theory, context, characteristics and methods.

Findings

Using thematic analysis, the authors identify five main themes in the in-app advertising literature, namely, ad platform optimization; mobile app user psychology and behavior; ad effectiveness; ad fraud; and security, privacy and other user concerns. The findings show the need for empirical research, with a strong theoretical foundation in emerging ad formats of in-app advertising, user behavior and buy-side of in-app advertising.

Originality/value

This is a maiden study to conduct a domain-based SLR in the emerging field of in-app advertising using the TCCM framework. The authors highlight the key differences between in-app advertising and mobile web advertising. The authors propose theories in the advertising field that could be used in future empirical studies of in-app advertising.

Purpose

The purpose of this research is to review and synthesize the literature on in-app advertising, identify gaps and propose future research directions.

Design

We use a systematic literature review approach, following the PRISMA guidelines, to investigate the current state of research in in-app advertising. The study uses 44 shortlisted articles from the Scopus and Web of Science (WoS) databases. Using the Theory-Context-Characteristics-Methodology (TCCM) framework, we analyze the gaps in theory, context, characteristics and methods.

Conclusions

Through thematic analysis, we identify five main themes in the in-app advertising literature, namely: ad platform optimization; mobile app user psychology and behavior; ad effectiveness; ad fraud; security, privacy and other user concerns. Our findings show the need for empirical research, with a solid theoretical foundation, in the emerging ad formats of in-app advertising, user behavior and the buy-side of in-app advertising.

Originality

This is a pioneering study that conducts a domain-based systematic literature review in the emerging field of in-app advertising using the TCCM framework. We highlight the main differences between in-app advertising and mobile web advertising. We propose theories in the advertising field that could be used in future empirical studies of in-app advertising.

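Purpose

This study aims to review and summarize the literature on in-app advertising, identify gaps and propose future research directions.

Design

We adopt a systematic literature review approach, following the PRISMA guidelines, to investigate the current state of research on in-app advertising. The study uses 44 shortlisted articles from the Scopus and Web of Science (WoS) databases. Using the Theory-Context-Characteristics-Methodology (TCCM) framework, we analyze the gaps in theory, context, characteristics and methods.

Findings

Through thematic analysis, we identify five main themes in the in-app advertising literature, namely: ad platform optimization; mobile app user psychology and behavior; ad effectiveness; ad fraud; security, privacy and other user concerns. Our findings show that empirical research, built on a solid theoretical foundation, is needed on the emerging ad formats of in-app advertising, user behavior and the buy-side of in-app advertising.

Originality

This is the first study to use the TCCM framework to conduct a domain-based systematic literature review of the emerging field of in-app advertising. We highlight the main differences between in-app advertising and mobile web advertising. We propose theories from the advertising field that can be used in future empirical studies of in-app advertising.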

Open Access
Article
Publication date: 20 June 2019

Per Håkon Meland, Karin Bernsmed, Christian Frøystad, Jingyue Li and Guttorm Sindre

Abstract

Purpose

Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety.

Design/methodology/approach

This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling.

Findings

The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly to security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management.

Originality/value

Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.

Details

Information & Computer Security, vol. 27 no. 4
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 22 March 2024

Piotr Rogala, Piotr Kafel and Inga Lapina

Abstract

Purpose

The study aims to determine whether audited organizations experience differences between external audits and official controls.

Design/methodology/approach

A survey among 100 organic food producers was conducted to explore differences regarding the usability of external audits and official controls. The survey was conducted in 2020 using the computer-assisted telephone interview (CATI) method supplemented by the computer-assisted web interview (CAWI) method. Organizations processing organic farming products in Poland were chosen for the study.

Findings

Three primary benefits associated with external audits and official controls were identified, i.e. (1) enabling and initiating activities related to the improvement of the organization, (2) improving the financial performance of the organization and (3) enhancing credibility. For most organizations, the assessment of these features was at the same level for both external audits and official control. However, if these assessments differed, commercial audits were assessed at a higher level than official controls.

Research limitations/implications

The study is limited to only one specific type of manufacturing organization and one European country.

Originality/value

The literature review shows some conceptual differences between audits and official controls, but the results of this study show that the business environment does not perceive these differences as significant. Thus, the value of the study is reflected in the conclusion that both external audits and official controls are considered useful and credible approaches to monitoring the quality within the organization, which allows us to state that external evaluation is generally seen as an opportunity to improve the performance of the organization.

Details

Central European Management Journal, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2658-0845

Open Access
Book part
Publication date: 4 June 2021

Julia Slupska and Leonie Maria Tanczer

Abstract

Technology-facilitated abuse, so-called “tech abuse,” through phones, trackers, and other emerging innovations, has a substantial impact on the nature of intimate partner violence (IPV). The current chapter examines the risks and harms posed to IPV victims/survivors from the burgeoning Internet of Things (IoT) environment. IoT systems are understood as “smart” devices such as conventional household appliances that are connected to the internet. Interdependencies between different products together with the devices' enhanced functionalities offer opportunities for coercion and control. Across the chapter, we use the example of IoT to showcase how and why tech abuse is a socio-technological issue and requires not only human-centered (i.e., societal) but also cybersecurity (i.e., technical) responses. We apply the method of “threat modeling,” which is a process used to investigate potential cybersecurity attacks, to shift the conventional technical focus from the risks to systems toward risks to people. Through the analysis of a smart lock, we highlight insufficiently designed IoT privacy and security features and uncover how seemingly neutral design decisions can constrain, shape, and facilitate coercive and controlling behaviors.

Details

The Emerald International Handbook of Technology-Facilitated Violence and Abuse
Type: Book
ISBN: 978-1-83982-849-2

Open Access
Article
Publication date: 9 November 2021

Zareef Mohammed

Abstract

Purpose

Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must take to prevent a data breach, it is still necessary to develop strategies in the event of a data breach. This paper explores the key recovery areas necessary for data breach recovery.

Design/methodology/approach

Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as necessary theoretical lenses to study data breach recovery. Three data breach cases (Anthem, Equifax, and Citrix) were presented to provide merit to the argument of the proposed theoretical foundations of stakeholder theory and recovery areas for data breach recovery research.

Findings

Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.

Originality/value

These areas are presented in the data recovery areas model and are necessary for: (1) organizations to focus on these areas when resolving data breaches and (2) future data breach recovery researchers in developing their research in the field.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 2 no. 1
Type: Research Article
ISSN: 2635-0270
