Search results
1 – 10 of over 2000Tran Khanh Dang and Tran Tri Dang
By reviewing different information visualization techniques for securing web information systems, this paper aims to provide a foundation for further studies of the same topic…
Abstract
Purpose
By reviewing different information visualization techniques for securing web information systems, this paper aims to provide a foundation for further studies of the same topic. Another purpose of the paper is to discover directions in which there is a lack of extensive research, thereby encouraging more investigations.
Design/methodology/approach
The related techniques are classified first by their locations in the web information systems architecture: client side, server side, and application side. Then the techniques in each category are further classified based on attributes specific to that category.
Findings
Although there is much research on information visualization for securing web browser user interface and server side systems, there are very few studies about the same techniques on web application side.
Originality/value
This paper is the first published paper reviewing extensively information visualization techniques for securing web information systems. The classification used here offers a framework for further studies as well as in‐depth investigations.
Details
Keywords
Phishing is essentially a social engineering crime on the Web, whose rampant occurrences and technique advancements are posing big challenges for researchers in both academia and…
Abstract
Purpose
Phishing is essentially a social engineering crime on the Web, whose rampant occurrences and technique advancements are posing big challenges for researchers in both academia and the industry. The purpose of this study is to examine the available phishing literatures and phishing countermeasures, to determine how research has evolved and advanced in terms of quantity, content and publication outlets. In addition to that, this paper aims to identify the important trends in phishing and its countermeasures and provides a view of the research gap that is still prevailing in this field of study.
Design/methodology/approach
This paper is a comprehensive literature review prepared after analysing 16 doctoral theses and 358 papers in this field of research. The papers were analyzed based on their research focus, empirical basis on phishing and proposed countermeasures.
Findings
The findings reveal that the current anti‐phishing approaches that have seen significant deployments over the internet can be classified into eight categories. Also, the different approaches proposed so far are all preventive in nature. A Phisher will mainly target the innocent consumers who happen to be the weakest link in the security chain and it was found through various usability studies that neither server‐side security indicators nor client‐side toolbars and warnings are successful in preventing vulnerable users from being deceived.
Originality/value
Educating the internet users about phishing, as well as the implementation and proper application of anti‐phishing measures, are critical steps in protecting the identities of online consumers against phishing attacks. Further research is required to evaluate the effectiveness of the available countermeasures against fresh phishing attacks. Also there is the need to find out the factors which influence internet user's ability to correctly identify phishing websites.
Details
Keywords
Timothy Kelley and Bennett I. Bertenthal
Modern browsers are designed to inform users as to whether it is secure to login to a website, but most users are not aware of this information and even those who are sometimes…
Abstract
Purpose
Modern browsers are designed to inform users as to whether it is secure to login to a website, but most users are not aware of this information and even those who are sometimes ignore it. This study aims to assess users’ knowledge of security warnings communicated via browser indicators and the likelihood that their online decision-making adheres to this knowledge.
Design/methodology/approach
Participants from Amazon’s Mechanical Turk visited a series of secure and insecure websites and decided as quickly and as accurately as possible whether it was safe to login. An online survey was then used to assess their knowledge of information security.
Findings
Knowledge of information security was not necessarily a good predictor of decisions regarding whether to sign-in to a website. Moreover, these decisions were modulated by attention to security indicators, familiarity of the website and psychosocial stress induced by bonus payments determined by response times and accuracy.
Practical implications
Even individuals with security knowledge are unable to draw the necessary conclusions about digital risks when browsing the web. Users are being educated through daily use to ignore recommended security indicators.
Originality/value
This study represents a new way to entice participants into risky behavior by monetizing both speed and accuracy. This approach could be broadly useful as a way to study risky environments without placing participants at risk.
Details
Keywords
The aim of this research is to enable web‐based tracking and guiding by integrating location‐awareness with the Worldwide Web so that the users can use various location‐based…
Abstract
Purpose
The aim of this research is to enable web‐based tracking and guiding by integrating location‐awareness with the Worldwide Web so that the users can use various location‐based applications without installing extra software.
Design/methodology/approach
The concept of web‐based tracking and guiding is introduced and the relevant issues are discussed regarding location‐aware web systems, location determination, location‐dependent content query and personalized presentation. The framework of the web‐based tracking and guiding system – the Web‐Based Guide is proposed, and its prototypical implementation is presented. The main design principles are making use of existing web technologies, making use of available and cheap devices, general‐purpose and lightweight client‐side, and good scalability.
Findings
The paper presents the general‐purpose and modular framework of the Web‐Based Guide, which consists of the Location Server, the Content Server, the Guiding Web Server and the clients which are standard web browsers extended with the Location Control. With such a framework, location‐based applications can offer the services on the web.
Research limitations/implications
The performance of the system should be evaluated and improved, such as the number of the concurrent sessions that the system can sustain, and the workload on the system when in the tracking mode.
Originality/value
The paper proposes a framework for personalized tracking and guiding systems on the web, which can be used in campuses, museums, national parks and so on.
Details
Keywords
The purpose of the paper is to assess the precautionary measures adopted by the popular websites in India, and, thus, find out how vulnerable the Indian Web users are to this form…
Abstract
Purpose
The purpose of the paper is to assess the precautionary measures adopted by the popular websites in India, and, thus, find out how vulnerable the Indian Web users are to this form of attack. Today almost all work is done through the Internet, including monetary transactions. This holds true even for developing countries like India, thus making secure browsing a necessity. However, an attack called “clickjacking” can help Internet scammers to carry out fraudulent tasks. Even though researchers had proposed different techniques to face this threat, it remains a question on how effectively they are deployed in practice.
Design/methodology/approach
To carry out the study, top 100 Indian and global websites in India were identified and were divided into static and dynamic websites based on the level of interaction they offer to the users. These websites were checked to see whether they offer any basic protection against clickjacking and, if so, which defence technique is used. A comparison between Indian websites and global websites is done to see where India stands in terms of providing security.
Findings
The results show that 86 per cent of Indian websites offer no protection against clickjacking, in contrast to 51 per cent of global websites. It is also observed that in the case of dynamic websites, only 18 per cent of Indian websites offer some form of protection, when compared to 63 per cent of global websites. This is quite alarming, as dynamic websites such as social networking and banking websites are the likely candidates for clickjacking, resulting in serious consequences such as identity and monetary theft.
Originality/value
In this paper, vulnerability of Indian websites to clickjacking is presented, which was not addressed before. This will help in creating awareness among the Indian Web developers as well as the general public, so that precautionary measures can be adopted.
Details
Keywords
The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training…
Abstract
Purpose
The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT).
Design/methodology/approach
Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided.
Findings
College students understand the importance and the need for ISAT but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from variety of sources.
Practical implications
Universities can assess their ISAT for students based on the findings of this study.
Originality/value
If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.
Details
Keywords
The purpose of this paper is to classify and categorize the vulnerability types emerged with time as information technology (IT) systems evolved. This comparative study aims to…
Abstract
Purpose
The purpose of this paper is to classify and categorize the vulnerability types emerged with time as information technology (IT) systems evolved. This comparative study aims to compare the seriousness of the old well-known vulnerabilities that may still exist with lower possibility of happening with that of new technologies like cloud computing with Mobility access. Cloud computing is a new structure of IT that is becoming the main part of the new model of business environment. However, issues regarding such new hype of technology do not come without obstacles. These issues have to be addressed before full acceptability of cloud services in a globalized business environment. Businesses need to be aware of issues of concerns before joining the cloud services. This paper also highlights these issues and shows the comparison table to help businesses with appropriate decision-making when joining the cloud.
Design/methodology/approach
A historical review of emerged vulnerabilities as IT systems evolved was conducted, then these vulnerabilities were categorized into eight different categories, each of which composed of multiple vulnerability types. Simple scoring techniques were used to build a “risk” analysis table where each vulnerability type was given a score based on availability of matured solution and the likeliness of happening, then in case of vulnerability type, another score was used to derive the impact of such vulnerability. The resulted weighted score can be derived from the multiplication of likeliness to happen score with that of its impact in case it did happen. Percentage of seriousness represented by the percentage of the derived weighted score of each of the vulnerabilities can then be concluded. Similar table was developed for issues related to cloud computing environment in specific.
Findings
After surveying the historical background of IT systems and emerged vulnerabilities as well as reviewing the common malicious types of system vulnerabilities, this paper identifies 22 different types of vulnerability categorized in eight different categories. This comparative study explores amount of possible vulnerabilities in new technology like cloud computing services. Specific issues for cloud computing were also explored and a similar comparative study was developed on these issues. The result of the comparative study between all types of vulnerabilities since the start of IT system development till today’s technology of cloud computing, shows that the highest percentage vulnerability category was the one related to mobility access as mobile applications/systems are relatively newly emerged and do not have a matured security solution(s).
Practical implications
Learning from history, one can conclude the current risk factor in dealing with new technology like cloud computing. Businesses can realize that decision to join the cloud requires thinking about the issues mentioned in this paper and identifying the most vulnerability types to try to avoid them.
Originality/value
A new comparative study and new classification of vulnerabilities demonstrated with risk analysis using simple scoring technique.
Details
Keywords
Fayez Ghazai Alotaibi, Nathan Clarke and Steven M. Furnell
The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used…
Abstract
Purpose
The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted as they lack the knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across differing technologies, operating systems and applications. This results in managing the security across their technology portfolio increasingly more troublesome and time consuming. This paper aims to propose an approach that attempts to propose a system for improving security management and awareness for home users.
Design/methodology/approach
The proposed system is capable of creating and assigning different security policies for different digital devices in a user-friendly fashion. These assigned policies are monitored, checked and managed to review the user’s compliance with the assigned policies to provide bespoke awareness content based on the user’s current needs.
Findings
A novel framework was proposed for improving information security management and awareness for home users. In addition, a mock-up design was developed to simulate the proposed approach to visualise the main concept and the functions which might be performed when it is deployed in a real environment. A number of different scenarios have been simulated to show how the system can manage and deal with different types of users, devices and threats. In addition, the proposed approach has been evaluated by experts in the research domain. The overall feedback is positive, constructive and encouraging. The experts agreed that the identified research problem is a real problem. In addition, they agreed that the proposed approach is usable, feasible and effective in improving security management and awareness for home users.
Research limitations/implications
The proposed design of the system is a mock-up design without real data. Therefore, implementing the proposed approach in a real environment can provide the researcher with a better understanding of the effectiveness and the functionality of the proposed approach.
Practical implications
This study offers a framework and usable mock-up design which can help in improving information security management for home users.
Originality/value
Improving the security management and awareness for home users by monitoring, checking and managing different security controls and configurations effectively are the key to strengthen information security. Therefore, when home users have a good level of security management and awareness, this could protect and secure the home network and subsequently business infrastructure and services as well.
Details
Keywords
Information technology users often fail to adopt necessary security and privacy measures, leading to increased risk of cybercrimes. There has been limited research on how…
Abstract
Purpose
Information technology users often fail to adopt necessary security and privacy measures, leading to increased risk of cybercrimes. There has been limited research on how demographic differences influence information security behaviour and understanding this could be important in identifying users who may be more likely to have poor information security behaviour. This study aims to investigate whether there are any gender differences in security and privacy behaviours and perceptions, to identify potential differences that may have implications for protecting users’ privacy and securing their devices, software and data.
Design/methodology/approach
This paper addresses this research gap by investigating security behaviours and perceptions in the following two studies: one focussing on information security and one on information privacy. Data was collected in both studies using anonymous online surveys.
Findings
This study finds significant differences between men and women in over 40% of the security and privacy behaviours considered, suggesting that overall levels of both are significantly lower for women than for men, with behaviours that require more technical skill being adopted less by female users. Furthermore, individual perceptions exhibited some gender differences.
Originality/value
This research suggests that potential gender differences in some security and privacy behaviours and perceptions should be taken into account when designing information security education, training and awareness initiatives for both organisations and the broader community. This study also provides a strong foundation to explore information security individual differences more deeply.
Details
Keywords
Aggelos Kiayias, Thomas Zacharias and Bingsheng Zhang
This paper aims to investigate the importance of auditing for election privacy via issues that appear in the state-of-the-art implementations of e-voting systems that apply…
Abstract
Purpose
This paper aims to investigate the importance of auditing for election privacy via issues that appear in the state-of-the-art implementations of e-voting systems that apply threshold public key encryption (TPKE) in the client such as Helios and use a bulletin board (BB).
Design/methodology/approach
Argumentation builds upon a formal description of a typical TPKE-based e-voting system where the election authority (EA) is the central node in a star network topology. The paper points out the weaknesses of the said topology with respect to privacy and analyzes how these weaknesses affect the security of several instances of TPKE-based e-voting systems. Overall, it studies the importance of auditing from a privacy aspect.
Findings
The paper shows that without public key infrastructure (PKI) support or – more generally – authenticated BB “append” operations, TPKE-based e-voting systems are vulnerable to attacks where the malicious EA can act as a man-in-the-middle between the election trustees and the voters; hence, it can learn how the voters have voted. As a countermeasure for such attacks, this work suggests compulsory trustee auditing. Furthermore, it analyzes how lack of cryptographic proof verification affects the level of privacy that can be provably guaranteed in a typical TPKE e-voting system.
Originality/value
As opposed to the extensively studied importance of auditing to ensure election integrity, the necessity of auditing to protect privacy in an e-voting system has been mostly overlooked. This paper reveals design weaknesses present in noticeable TPKE-based e-voting systems that can lead to a total breach of voters’ privacy and shows how auditing can be applied for providing strong provable privacy guarantees.
Details