NCSU – North Carolina State University


NCSU Publications


These publications were done for the Lablet activities at this school, and were listed in the Quarterly Reports back to the government. Please direct any comments to research (at) securedatabank.net if there are any questions or concerns regarding these publications.


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: Keeping up with the Joneses: Assessing phishing susceptibility in an email task
Author(s): Hong, K. W., Kelley, C. M., Mayhorn, C. B., & Murphy-Hill, E.
Hard Problem: Human Behavior
Abstract: From NCSU.edu: Most prior research on preventing phishing attacks focuses on technology to identify and prevent the delivery of phishing emails. The current study supports an ongoing effort to develop a user-profile that predicts when phishing attacks will be successful. We sought to identify the behavioral, cognitive and perceptual attributes that make some individuals more vulnerable to phishing attack than others. Fifty-three participants responded to a number of self-report measures (e.g., dispositional trust) and completed the 'Bob Jones' email task that was designed to empirically evaluate phishing susceptibility. Over 92% of participants were to some extent vulnerable to phishing attacks. Additionally, individual differences in gender, trust, and personality were associated with phishing vulnerability. Application and implications for future research are discussed. (ID#:14-2544)
URL: http://www4.ncsu.edu/~khong/papers/kwh_etal_hfes_13.pdf
Publication Location: Human Factors and Ergonomics Society 57th Annual Meeting 2013


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: Something smells phishy: Exploring definitions, consequences, and reactions to phishing
Author(s): Kelley, C. M., Hong, K. W., Mayhorn, C. B., & Murphy-Hill, E.
Hard Problem: Human Behavior
Abstract: From NCSU.edu: One hundred fifty-five participants completed a survey on Amazon's Mechanical Turk that assessed characteristics of phishing attacks and requested participants to describe their previous experiences and the related consequences. Results indicated almost all participants had been targets of a phishing with 22% reporting these attempts were successful. Participants reported actively engaging in efforts to protect themselves online by noticing the "padlock icon" and seeking additional information to verify the legitimacy of e-retailers. Moreover, participants indicated that phishers most frequently pose as members of organizations and that phishing typically occurs via email yet they are aware that other media might also make them susceptible to phishing scams. The reported consequences of phishing attacks go beyond financial loss, with many participants describing social ramifications such as embarrassment and reduced trust. Implications for research in risk communication and design roles by human factors/ergonomics (HF/E) professionals are discussed. (ID#:14-2545)
URL: http://www4.ncsu.edu/~khong/papers/ck_etal_hfes_12.pdf
Publication Location: Human Factors and Ergonomics Society 56th Annual Meeting 2012


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: Have you smelled something phishy? A cross-cultural study on conceptions and experiences of phishing between China and the U.S.
Author(s): Liu, Y., & Mayhorn, C. B.
Hard Problem: Human Behavior
Abstract: Not found; see "American and Indian conceptualizations of phishing" below (ID#:14-2546)
URL: Not found; see "American and Indian..." below
Publication Location: Twelfth Annual North Carolina State University Undergraduate Summer Research Symposium 2013


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: American and Indian conceptualizations of phishing
Author(s): Tembe, R., Hong, K. W., Mayhorn, C. B., Murphy-Hill, E., & Kelley, C. M.
Hard Problem: Human Behavior
Abstract: Titled "Phishing in international waters: exploring cross-national differences in phishing conceptualizations between Chinese, Indian and American samples":
Rucha Tembe, Olga Zielinska, Yuqi Liu, Kyung Wha Hong, Emerson Murphy-Hill, Chris Mayhorn, and Xi Ge. 2014. Phishing in international waters: exploring cross-national differences in phishing conceptualizations between Chinese, Indian and American samples. In Proceedings of the 2014 Symposium and Bootcamp on the Science of Security (HotSoS '14). ACM, New York, NY, USA, Article 8, 7 pages. DOI=10.1145/2600176.2600178 http://doi.acm.org/10.1145/2600176.2600178
One hundred-sixty four participants from the United States, India and China completed a survey designed to assess past phishing experiences and whether they engaged in certain online safety practices (e.g., reading a privacy policy). The study investigated participants' reported agreement regarding the characteristics of phishing attacks, types of media where phishing occurs and the consequences of phishing. A multivariate analysis of covariance indicated that there were significant differences in agreement regarding phishing characteristics, phishing consequences and types of media where phishing occurs for these three nationalities. Chronological age and education did not influence the agreement ratings; therefore, the samples were demographically equivalent with regards to these variables. A logistic regression analysis was conducted to analyze the categorical variables and nationality data. Results based on self-report data indicated that (1) Indians were more likely to be phished than Americans, (2) Americans took protective actions more frequently than Indians by destroying old documents, and (3) Americans were more likely to notice the "padlock" security icon than either Indian or Chinese respondents. The potential implications of these results are discussed in terms of designing culturally sensitive anti-phishing solutions. (ID#:14-2547)
URL: http://dl.acm.org/citation.cfm?id=2600178
Publication Location: International Workshop on the Socio-Technical Aspects of Security and Trust 2013


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: Phishing in international waters: Exploring cross-cultural differences in phishing conceptualizations between Chinese, Indian, and American samples
Author(s): Tembe, R., Zielinska, O., Liu, Y., Hong, K. W., Mayhorn, C. B., & Murphy-Hill, E.
Hard Problem: Human Behavior
Abstract:
Rucha Tembe, Olga Zielinska, Yuqi Liu, Kyung Wha Hong, Emerson Murphy-Hill, Chris Mayhorn, and Xi Ge. 2014. Phishing in international waters: exploring cross-national differences in phishing conceptualizations between Chinese, Indian and American samples. In Proceedings of the 2014 Symposium and Bootcamp on the Science of Security (HotSoS '14). ACM, New York, NY, USA, Article 8, 7 pages. DOI=10.1145/2600176.2600178 http://doi.acm.org/10.1145/2600176.2600178
One hundred-sixty four participants from the United States, India and China completed a survey designed to assess past phishing experiences and whether they engaged in certain online safety practices (e.g., reading a privacy policy). The study investigated participants' reported agreement regarding the characteristics of phishing attacks, types of media where phishing occurs and the consequences of phishing. A multivariate analysis of covariance indicated that there were significant differences in agreement regarding phishing characteristics, phishing consequences and types of media where phishing occurs for these three nationalities. Chronological age and education did not influence the agreement ratings; therefore, the samples were demographically equivalent with regards to these variables. A logistic regression analysis was conducted to analyze the categorical variables and nationality data. Results based on self-report data indicated that (1) Indians were more likely to be phished than Americans, (2) Americans took protective actions more frequently than Indians by destroying old documents, and (3) Americans were more likely to notice the "padlock" security icon than either Indian or Chinese respondents. The potential implications of these results are discussed in terms of designing culturally sensitive anti-phishing solutions. (ID#:14-2548)
URL: http://dl.acm.org/citation.cfm?id=2600178
Publication Location: First HotSoS: Symposium and Bootcamp on the Science of Security 2014


NCSU - North Carolina State University
Topic: Developing a User Profile to Predict Phishing Susceptibility and Security Technology Acceptance
Title: One Phish, Two Phish, How to Avoid the Internet Phish: Analysis of Training Strategies to Detect Phishing Emails
Author(s): Zielinska, O., Tembe, R., Hong, K. W., Xe, G., Murphy-Hill, E. & Mayhorn, C. B.
Hard Problem: Human Behavior
Abstract: Not found (ID#:14-2549)
URL: Not found
Publication Location: Human Factors and Ergonomics Society.


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: Using Templates to Elicit Implied Security Requirements from Functional Requirements - A Controlled Experiment
Author(s): M. Riaz, J. Slankas, J. King, L. Williams
Hard Problem: Metrics
Abstract: not found (ID#:14-2550)
URL: not found
Publication Location: International Symposium on Empirical Software Engineering and Measurement (ESEM) 2014


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: Hidden in Plain Sight: Automatically Identifying Security Requirements from Natural Language Artifacts
Author(s): M. Riaz, J. Slankas, J. King, L. Williams.
Hard Problem: Metrics
Abstract: Seems to be the same as "Discovering Security Requirements from Natural Language", from NCSU.edu: Natural language artifacts, such as requirements specifications, often explicitly state the security requirements for software systems. However, these artifacts may also imply additional security requirements that developers may overlook but should consider to strengthen the overall security of the system. The goal of this research is to aid requirements engineers in producing a more comprehensive and classified set of security requirements by (1) automatically identifying security-relevant sentences in natural language requirements artifacts, and (2) providing context-specific security requirements templates to help translate the security-relevant sentences into functional security requirements. Using machine learning techniques, we have developed a tool-assisted process that takes as input a set of natural language artifacts. Our process automatically identifies security-relevant sentences in the artifacts and classifies them according to the security objectives, either explicitly stated or implied by the sentences. We classified 10,963 sentences in six different documents from healthcare domain and extracted corresponding security objectives. Our manual analysis showed that 46% of the sentences were security-relevant. Of these, 28% explicitly mention security while 72% of the sentences are functional requirements with security implications. Using our tool, we correctly predict and classify 82% of the security objectives for all the sentences (precision). We identify 79% of all security objectives implied by the sentences within the documents (recall). Based on our analysis, we develop context-specific templates that can be instantiated into a set of functional security requirements by filling in key information from security-relevant sentences. (ID#:14-2551)
URL: http://www4.ncsu.edu/~mriaz/docs/re14main-hidden-in-plain-sight-preprint.pdf
Publication Location: IEEE International Requirements Engineering Conference (RE) 2014


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: Integration of Network and Application Access Control Configuration Verification
Author(s): Mohammed Alsaleh and Ehab Al-Shaer
Hard Problem: Metrics
Abstract: Not found. See: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5990556 (ID#:14-2552)
URL: Not found
Publication Location: Journal of Advanced Research 2014


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: A Formal Framework for Network Security Design Synthesis
Author(s): Rahman, M. A. and Al-Shaer, E.
Hard Problem: Metrics
Abstract: Mohammad Ashiqur Rahman and Ehab Al-Shaer. 2013. A Formal Framework for Network Security Design Synthesis. In Proceedings of the 2013 IEEE 33rd International Conference on Distributed Computing Systems (ICDCS '13). IEEE Computer Society, Washington, DC, USA, 560-570. DOI=10.1109/ICDCS.2013.70 http://dx.doi.org/10.1109/ICDCS.2013.70
Due to the extensive use of Internet services and emerging security threats, most enterprise networks deploy varieties of security devices for controlling resource access based on organizational security requirements. These requirements are becoming more fine-grained, where access control depends on heterogeneous isolation patterns like access deny, trusted communication, and payload inspection. However, organizations are looking to design usable and optimal security configurations that can harden the network security within enterprise budget constraints. This requires analyzing various alternative security architectures in order to find a security design that satisfies the organizational security requirements as well as the business constraints. In this paper, we present ConfigSynth, an automated framework for synthesizing network security configurations by exploring various security design alternatives to provide an optimal solution. The main design alternatives include different kinds of isolation patterns for traffic flows in different segments of the network. ConfigSynth takes security requirements and business constraints along with the network topology as inputs. Then it synthesizes optimal and cost-effective security configurations satisfying the constraints. ConfigSynth also provides optimal placements of different security devices in the network according to the given network topology. ConfigSynth uses Satisfiability Modulo Theories (SMT) for modeling this synthesis problem. We demonstrate the scalability of the tool using simulated experiments. (ID#:14-2553)

URL: http://dl.acm.org/citation.cfm?id=2549698
Publication Location: International Conference on Distributed Computing Systems (ICDCS), 2013


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: A Formal Approach for Network Security Management Based on Qualitative Risk Analysis
Author(s): Rahman, M. A. and Al-Shaer, E.
Hard Problem: Metrics
Abstract: Rahman, M.A; Al-Shaer, E., "A formal approach for network security management based on qualitative risk analysis," Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on , vol., no., pp.244,251, 27-31 May 2013
The risk analysis is an important process for enforcing and strengthening efficient and effective security. Due to the significant growth of the Internet, application services, and associated security attacks, information professionals face challenges in assessing risk of their networks. The assessment of risk may vary with the enterprise's requirements. Hence, a generic risk analysis technique is suitable. Moreover, configuring a network with correct security policy is a difficult problem. The assessment of risk aids in realizing necessary security policy. Risk is a function of security threat and impact. Security threats depend on the traffic reachability. Security devices like firewalls are used to selectively allow or deny traffic. However, the connection between the network risk and the security policy is not easy to establish. A small modification in the network topology or in the security policy, can change the risk significantly. It is hard to manually follow a systematic process for configuring the network towards security hardening. Hence, an automatic generation of proper security controls, e.g., firewall rules and host placements in the network topology, is crucial to keep the overall security risk low. In this paper, we first present a declarative model for the qualitative risk analysis. We consider transitive reachability, i.e., reachability considering one or more intermediate hosts, in order to compute exposure of vulnerabilities. Next, we formalize our risk analysis model and the security requirements as a constraint satisfaction problem using the satisfiability modulo theories (SMT). A solution to the problem synthesizes necessary firewall policies and host placements. We also evaluate the scalability of the proposed risk analysis technique as well as the synthesis model. (ID#:14-2554)
URL: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6572992&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6572992
Publication Location: IFIP/IEEE International Symposium on Integrated Network Management (IM), IEEE, 2013


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: ConfigSynth: A Formal Framework for Optimal Network Security Design
Author(s): Rahman, M. A. and Al-Shaer, E.
Hard Problem: Metrics
Abstract: Rahman, M.A; Al-Shaer, E., "A Formal Framework for Network Security Design Synthesis," Distributed Computing Systems (ICDCS), 2013 IEEE 33rd International Conference on , vol., no., pp.560,570, 8-11 July 2013 doi: 10.1109/ICDCS.2013.70
Due to the extensive use of Internet services and emerging security threats, most enterprise networks deploy varieties of security devices for controlling resource access based on organizational security requirements. These requirements are becoming more fine-grained, where access control depends on heterogeneous isolation patterns like access deny, trusted communication, and payload inspection. However, organizations are looking to design usable and optimal security configurations that can harden the network security within enterprise budget constraints. This requires analyzing various alternative security architectures in order to find a security design that satisfies the organizational security requirements as well as the business constraints. In this paper, we present ConfigSynth, an automated framework for synthesizing network security configurations by exploring various security design alternatives to provide an optimal solution. The main design alternatives include different kinds of isolation patterns for traffic flows in different segments of the network. ConfigSynth takes security requirements and business constraints along with the network topology as inputs. Then it synthesizes optimal and cost-effective security configurations satisfying the constraints. ConfigSynth also provides optimal placements of different security devices in the network according to the given network topology. ConfigSynth uses Satisfiability Modulo Theories (SMT) for modeling this synthesis problem. We demonstrate the scalability of the tool using simulated experiments. (ID#:14-2556)
URL: http://ieeeexplore.com/xpl/articleDetails.jsp?tp=&arnumber=6681625&queryText%3Dnetwork+security
Publication Location: Network & Distributed System Security Symposium (NDSS), February 2013 (Short paper)


NCSU - North Carolina State University
Topic: Software Security Metrics
Title: Objective Metrics for Firewall Security: A Holistic View
Author(s): Mohammed Noraden Alsaleh, Saeed Al-Haj and Ehab Al-Shaer
Abstract: Alsaleh, M.N.; Al-Haj, S.; Al-Shaer, E., "Objective metrics for firewall security: A holistic view," Communications and Network Security (CNS), 2013 IEEE Conference on , vol., no., pp.470,477, 14-16 Oct. 2013 doi: 10.1109/CNS.2013.6682762
Firewalls are the primary security devices in cyber defense. Yet, the security of firewalls depends on the quality of protection provided by the firewall policy. The lack of metrics and attack incident data makes measuring the security of firewall policies a challenging task. In this paper, we present a new set of quantitative metrics that can be used to measure, as well as, compare the security level of firewall policies in an enterprise network. The proposed metrics measure the risk of attacks on the network that is imposed due to weaknesses in the firewall policy. We also measure the feasibility of mitigating or removing that risk. The presented metrics are proven to be (1) valid as compared with the ground truth, and (2) practically useful as each one implies actionable security hardening. (ID#:14-2557)
URL: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6682762&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6682762
Publication Location: Symposium on Security Analytics and Automation (SafeConfig), 2013




Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.