European Conference on Cyber Warfare and Security

From Provoking Emotions to fake Images: The Recurring Signs of fake news and Phishing Scams Spreading on Social Media in Hungary, Romania and Slovakia

Kenyeres Attila Zoltán — 2023-07-04

The phenomenon of fake news and media manipulation has always existed in human history, long before the invention of digital technology. However, never before in the history of mankind has it been possible to spread fake news so quickly, in such large quantities and to such large masses, as now, in the age of the internet and social media. In this paper we identified 31 recurring signs of fake news and phishing scams spreading on social media in Hungary, Romania and Slovakia, based on the content analysis of 866 screenshots of social media posts, internet articles, phishing emails and SMS messages from these 3 countries. The most common group of signs are signs of provoking emotions. The second largest group of indicators include the characteristics of the media publishing the news. The third major category is the visual appearance and wording of the news. The fourth group of recurring signs refers to the original source of the news. The fifth group of indicators is the lack of reliable and/or official media coverage of the story. The elements of the sixth group of signs are the photoshopped and re-framed 'proof' images and videos that appear in the news. The seventh, and final group, of indicators refers to the prior beliefs and biases of the target audience. Provoking emotions, and thereby turning off the recipient's critical thinking, is the most common sign of fake news, scams and other hoaxes. Consequently, there is a great need for a high level of critical thinking and information literacy regarding social media contents on the part of the recipient. Our research was based on a fake news database collected in the framework of an international Erasmus+ project called "Media Detective". The aim of the project is to develop media literacy training modules for teachers and youth workers that could be used in school settings.

Cybersecurity in Mozambique: Status and Challenges

Martina De Barros — 2023-06-19

Digital technologies became one of the most important components of societies day to day life. In Africa, they brought several benefits as well as challenges. For instance, the number of cyber-crimes and cyber-attacks are increasing. Yet, not all 54 African countries have implemented proper cybersecurity measures such as the adoption of national cybersecurity strategy, technical and organizational measures, development of cyber capacity and fostering national and engaging in regional and international cooperation. However, the adoption of these measures are vital and imperative. Mozambique is one of these countries where these measures are lacking. Therefore, the aim of this paper is to give an overview of the current state of cybersecurity in Mozambique considering all of the aspects mentioned above. Additionally, this paper also aims to present some best practices that Mozambique can adopt to improve and intensify its cybersecurity commitments. The proposed recommendations are based on internationally recognized frameworks and models developed by entities such as the European Union Agency for Cybersecurity (ENISA), International Telecommunication Union (ITU) and African Union (AU).

Spreading Lies Through the Cyber Domain

Thomas Dempsey — 2023-06-19

The expansion of Information Operations (IO) over the past ten years has allowed individuals and groups to increase their sphere of influence on a global scale. Nation-state cyber threat actors have increased their presence on social media, building out false personas to influence large populations. This type of activity is difficult to stop due to the availability of social networks on the internet and the ease of creating false personas that can’t be directly attributed to the actor. IO activity has been observed with the Russian cyber activity during the 2016 U.S. Presidential elections and from Russian social media campaigns provoking extremist groups and attempting to cause physical harm, such as the 2017 campaign on Facebook to start a rally and a simultaneous counter rally in front of the Islamic Da’wah Centre of Houston. Although Russia has been observed leveraging this capability, they are not the only global actor in the cyber domain taking advantage of IO. Global threat actors have leveraged social media platforms and blogs to influence the global population and spread propaganda. This type of activity has been seen within traditional warfare using propaganda techniques. With the introduction of the cyber domain into warfare, there is an increased ability to communicate not only to one population but to the global community with the intent to manipulate the masses using IO. This paper examines the Cybersecurity Operations (CO) that have been observed utilizing IO and the psychological impacts they have had in successful campaigns against the United States. This paper argues that with increased influence capabilities in the cyber domain, individuals and groups will continue using IO to support tactical and strategic objectives. Through the available literature, this paper examines the impacts that IO has had on the United States through attempts to manipulate elections and create divides in the nation over the last ten years. This paper leverages the psychology of group processes to analyze the literature involving social media campaigns and the influencing of groups through the lens of social identity theory to provide new insight into mitigating and countering IO.

The Concept of Comprehensive Security as a Tool for Cyber Deterrence

Maria keinonen — 2023-06-19

Cyber deterrence is often studied from the point of view of deterrence by punishment or offensive cyber strategies. A vast amount of studies claim that deterrence in cyberspace can never be successful with cyber means alone due to technical challenges and the problem of attribution. Some scholars argue that cyber resilience is an essential part of cyber deterrence, since not every cyberattack can be countered. These reviews are usually technical and concentrate on investigating the balance of offensive and defensive cyber strategies. The technical view leaves gaps in the physical and cyber-persona layers of cyberspace. This paper examines resilience from a societal perspective and reflects on the findings of cyber deterrence theories. The Concept of Comprehensive Security (CCS) is a Finnish model for building and sustaining resilience in society. Preparation for disruptive situations is carried out with the operating principle of overall safety, where society´s vital functions are protected in collaboration between the authorities, the business world, organisations, and citizens. The growing importance of cyber security has led to emphasising the importance of cyber resilience in the Concept of Comprehensive Security. This study investigates the possibilities to utilize the CCS as a tool for cyber deterrence and aims to create a new perspective on the international academic discussion of cyber deterrence. The research method is content analysis. The investigated material consists of Finnish CCS documents, as well as academic cyber deterrence and cyber resilience literature. The characteristics of the CCS are compared to the factors found in the cyber deterrence material to answer the research question. The key observation presented in this study is that a comprehensive approach to building resilience in the society is essential for the credibility of cyber deterrence. Resilience in cyberspace should be viewed from the perspective of every layer, including logical, physical and cyber-persona layers.

Building Situational Awareness of GDPR

Pauliina Hirvonen — 2023-06-19

Because previous academic research does not comment sufficiently on how the relevant content of the European Union (EU) General Data Protection Regulation (GDPR has been properly communicated to the organisations, or how the situational awareness (SA) of GDPR has been built in the organisations, this qualitative empirical research was regarded as a valuable approach for gathering authentic research material on the practical bases of this phenomena. The aim of this empirical case study (CS) is to develop a picture of what processes organisations use to build SA of the GDPR requirements. To guide the CS, we asked how the SA for decision-making was constructed and how it was perceived in organisations. The experiences of eight Finnish organisations showed that the organisations’ practices of building SA and their experiences with the quality and adequacy of SA differed. However, building SA proved to be a critical step for organisations in the overall process of meeting GDPR requirements. Especially the data coming from inside the organisation became very relevant in the SA process, because it supported decision makers to determine how the GDPR requirements should be implemented in the organisation. As a main contribution of this article, based on best practices shared by organisations a model of building SA was built. The proposed model is threefold and was constructed by combining the findings of an empirical CS analysis, the steps of the intelligence process, and the essential elements of the model of creating information security SA. The result is potentially beneficial for building situational understanding of any complex or ambiguous issue, especially in complex and digitalised technological areas, where combining information management with accurate and efficient decision-making is a common challenge. The results can be used by any party who is looking to build SA of an abstract issue in a complex environment.

Organisational GDPR Investments and Impacts

Pauliina Hirvonen — 2023-06-19

The aim of this empirical multi-case study is to understand the GDPR investments and impacts of the organisations. Among these, the measuring experiences related to GDPR and information security (Isec), and the future expectations are examined. Several interesting findings were recognised, which also enabled further suggestions. First, an understanding of the organisations’ investments and their impact is built by gathering information about the actions that organisations made to fulfil the GDPR requirements. In the second phase, it is deemed necessary to examine how organisations experience the measures and evaluation of GDPR development and progress, in order to understand how respondents, end up evaluating the impact of their investments. In the third phase it is considered necessary to consider the future development of GDPR and the challenges and opportunities it brings to organisations, in order to understand how the experiences so far affect preparations for the future. The final phase of evaluation focuses on finding out what impact the GDPR has had on organisations. On the one hand, it is possible that the total investment in the GDPR may also correlate with the development of the organisational Isec maturity, because GDPR has brought more resources and visibility to the organisation’s Isec, and operations have become more systematic. On the other hand, organisations with an already high level of Isec maturity and organisations operating in a regulatory-focused industry may accept the GDPR-based Isec investments more easily. If GDPR is tightly integrated with both the organisation’s information security and the business functions under the responsibility of executive management, it may support the organisation’s business and information security development. This research serves GDPR authorities, organisational executives, persons in charge of GDPR/information security/cybersecurity, service providers and academia.

A Whole-of-Society Approach to Organise for Offensive Cyberspace Operations: The Case of the Smart State Sweden

Gazmend Huskaj — 2023-06-19

Threat actors conduct offensive cyberspace operations for many purposes, such as espionage, to destroy information assets, and cybercrime. These operations are possible thanks to the innovation and development of information and communications technologies (ICT). Interconnected information systems have transformed societies positively. However, specific states exploit these systems' vulnerabilities to advance their strategic national interests. Therefore, it is important to know how a state can organise itself to defend against threat actors. The purpose of this research is to present how the smart state Sweden can through a whole-of-society approach organise for Offensive Cyberspace Operations. The intent is to conduct an active and independent foreign-, security- and defence policy, but also as a base for deterrence and defence. This article is based on a mixed methods approach. It uses the case study research strategy to discover new information. Fourteen men and women participated in individual semi-structured interviews. The respondents ranged in age from 40 to 65 with more than 20 years of experience in cyberspace operations, intelligence operations, military operations, special forces operations, and knowledge and understanding about information warfare and information operations. The analytic strategies include thematic analysis and quantitative methods to interpret the data. The results show many themes, but the article is especially focused on the themes of Operations, Capability, Policy & Governance, and Legal Frameworks. Finally, a conceptual map of a whole-of-society approach to organise for offensive cyberspace operations is presented inferred from the themes, codes, and content, and mapped to each responsible agency based on the interviews and codes. The answer to the research question is that Sweden should have a whole-of-society approach to organise for Offensive Cyberspace Operations to project power in and through cyberspace with the intent to conduct an active and independent foreign, security and defence policy and for deterrence, as described in Figure 2.

A State-of-the-art of Scientific Research on Disinformation

Gazmend Huskaj — 2023-06-19

Technological advancements in information and communications technologies and related hardware and software have positively transformed the political, military, economic and social domains in all countries around the globe. These technologies are imperfect, and States and state-sponsored threat actors are exploiting flaws in hardware and software for various types of attacks. Furthermore, the same threat actors exploit software technologies to spread disinformation and disseminate false information to mislead public opinion. This research article reviews the discourse of the scientific community on disinformation. The purpose is to understand where the research focus lies and who the researchers are the co-authors, and the publication venues. This research article reviews the scientific literature using the computational literature review, a semi-automated review method and the structural topical modelling framework to understand trends in the research. Of 3 097 documents published in 1 700 publication venues between 1974 to 2022, 704 were analysed. The results reveal 46 topics on issues such as rumours and disinformation spread during the Covid-19 pandemic, Soviet and Russian Information Warfare, and Trolls and health-related themes and effects.

Fake news as a distortion of media reality: tell-truth strategy in the post-truth era

Anastasiia Iufereva — 2023-06-19

The article deals with fake news which has been considered one of the greatest threats to information security. The expansion of digital technologies and the development of communication networks have contributed to the spreading of misinformation. In particular, the emergence of different sources of information on the Internet, the growing polarization of opinions in the political and socio-economic dimensions, the devaluation of the fact, and the widespread fake news on the Internet (e.g., social media) form the question of revision of the process of collecting, verifying presenting information, methods, and technologies for verifying facts, including methods for countering fake news. Although this issue has been widely investigated in academic discourse, there are still controversial arguments regarding which elements should form a tell-truth strategy. This paper focuses on recent research that reflects trends and patterns in this field and on the author’s empirical survey - interviews with university professors and media experts (N=6), journalists (N=6), and students (N=14) in Russia. In this study, the author describes the key characteristics of fake news and the elements of this tell-truth strategy. It is intended that this paper focuses on both professional journalists and professors who may use the results of this investigation in such courses as political science, sociology, philosophy, and journalism.

Hybrid threats-possible consequences in societal contexts

Georgiana Daniela Lupulescu — 2023-06-19

Hybrid threats have become a persistent term in the 21st century geopolitical architecture, acquiring new values as innovative unconventional means come to be used by both state and non-state actors in contemporary conflicts, with a view to obtaining strategic advantages, yet with devastating consequences at individual level. While the armed conflict effects have long been studied, the war metamorphosis with hybrid threats innuendos bring new challenges in assessing societal consequences, even more so, as they are increasingly identified in apparently peaceful times. A multifaced perspective on the threat outcome reveals multiple latent consequences, such as physical, material, psychological and emotional ones. Fear, one of the dominant human emotions, is the first to be triggered when any threat is present, regardless of its occurrence probability or possible effects. Fear becomes a strong drive for individuals’ future actions, sometimes prompting an offensive or defensive reaction previously embedded in the main actor’s behavior. In this context, the present paper aims to identify, analyze and understand the Russian-Ukrainian conflict consequences on the European states’ neighboring population, looking at the reactions and decisions triggered by fear. Using observation as a research method but also the case study method, we identified a series of similarities and differences in these countries’ reaction to solving situations, migration- generated crises, Russian disinformation and propaganda and Ukraine or other European state oriented cyber-attack. The main goal for this approach is to highlight the hybrid threats emotional consequences in conflicts that are more than psychological. Moreover, this is a preliminary step in a PhD research thesis with a view to provide states with solutions for resilience policies, to ensure their citizens’ survival and well-being.

Target Audiences’ Characteristics and Prospective in Countering Information Warfare

Daniel Ionel Andrei Nistor — 2023-06-19

NATO Defense Education Enhancement Program defines Information Warfare as an operation run to get cognitive assets over the opponents, by controlling one’s own information space while disrupting the opponents’ one. Not new as a process, continuous technological progress has endowed this phenomenon with speed and instruments to fight cyber and cognitive battles, to attack perceptions, trust, polarise and disrupt societies at large. The all present and undergoing kinetic conflict between Russia and Ukraine doubled by an even stronger cognitive and information war since February 2022 has highlighted even more the need to better understand individuals’ behaviour and characteristics when faced with unconventional attacks, irrespective of a passive or active feedback. By identifying and analysing specific public categories, one can establish which are contextual variables that trigger a social reaction, to be able to then design a set of protective or defensive measures. For a full understanding of the way Information Warfare impacts people’s thinking and decision-making process, to see how a resilience plan can be designed, one should investigate not only the information war instruments but also their effects over people at large. Not knowing the voice of the hostile authors, it Is still important to understand the domestic audience and their reaction to it, so that protective actions be taken for resilience and protection, through education. The domestic public’s identity and its dominant characteristics are brought into attention to understand which is the relation between these and the way Information Warfare can be countered through education, with examples from the Russian’s hostile activity. Values, national identity, stereotypes and generalist psychological profiles will be looked at in this paper, to be put in relation to behaviours, attitude change and resistance in front of types of messages, campaigns and types of media-embedded grey zone threats. The present paper is part of a larger PhD research program that focuses on consolidating a society’s security culture through better institutional strategic communication, therefore all the findings will be used to this end.

Technology-Oriented Innovations and Cyber Security Challenges in the Healthcare Delivery System: A perspective from Developing Economy

Victor Kwarteng Owusu — 2023-06-19

There is no dispute about the looming digital transformation of certain sectors within transitional economies, especially in Ghana. In fact, for most developed economies, digitalization has proven to have relevant visible effects. The paradox, however, is the seamless nature of this propagation in contrast to the myriad associated benefits. Suffice it to say that, the main purpose of this study was to identify the perceived impediments against the adoption and continuous acceptance of technology-oriented innovation for healthcare delivery in transitional economies through innovations. Especially, in the current technological dispensation where Africa and other developing countries are striving to bridge the technology gap in service delivery. Though much research has been conducted within the healthcare sector, factors that hinder technology acceptance and continuous usage have rarely been their primary focus. To address this consequential lacuna, this study takes inspiration from literature through document and theme analysis and proposes a model which could serve as a remedy to the identifiable impediments and inhibitors to the seamless delivery of healthcare services in transitional economies. We emphasize good management and government-based interventions throughout the literature review as well as the document analyzed. We also made suggestions for further research, notably concerning means of increasing technology diffusion and possible remedy to cyber-security threats in the healthcare sector.

Deep-learning-based Intrusion Detection for Software-defined Networking Space Systems

Uakomba Uhongora — 2023-06-19

This paper briefly reviews the application of the Software-defined Networking (SDN) architecture to satellite networks. It highlights the prominent cyber threats that SDN-based satellite networks are vulnerable to and proposes relevant defence mechanisms. SDN transforms traditional networking architectures by separating the control plane from the forwarding (data) plane. This separation enhances scalability and centralises management. In comparison, in traditional networks, the control plane and the data plane are usually combined, resulting in complex network management and reduced scalability. Satellite networks can take advantage of these benefits offered by SDN and this supports them as key enablers of critical services, including weather prediction, global broadband Internet coverage, and Internet of Things (IoT) services. Ease of configuration and flexibility are essential for satellites providing critical services to instantly adapt to network changes. These desirable attributes can be realised by applying SDN to satellite networks. Although SDN offers significant benefits to satellite networks, it is vulnerable to cyber-attacks and particularly due to its centralised architecture. A common attack on SDN is the Distributed Denial of Service (DDoS) attack which could render the entire SDN unavailable. To mitigate such threats, an efficient Intrusion Detection System (IDS) is required to monitor the network and detect any suspicious traffic. However, traditional IDSs produce too many false positives and often fail to detect advanced attacks. For their ability to learn feature hierarchies in network traffic data automatically, whether, for network traffic classification or anomaly detection, deep learning (DL) plays an increasingly important role in IDSs. In this paper, we present a brief review of recent developments in cyber security for SDN-based space systems, and we identify vulnerabilities and threats to an SDN-based satellite network. We further discuss the potential of a DL-based IDS for the detection of cyber threats. Finally, we identify further research gaps in the recent literature and propose future research directions.

Reconnaissance Techniques and Industrial Control System Tactics Knowledge Graph

Thomas Heverin — 2023-06-19

In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance by using various tools including Nmap, Shodan, Maltego, Google, Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within the tools to directly access ICS devices. Many novice ICS-pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing to conduct reconnaissance after initial access can lead to pentesters finding even more information to find more ICS devices, ICS networks, and ways to make ICS exploitation more effective. Our research motivation stems from finding ways to explicitly model the continuation of using RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together and creating chains of RTs.

MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours. The matrix consists of main exploit tactics and techniques used to accomplish these tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also provides ICS data sources that defenders use to detect the adversarial techniques. Application logs, files, logon sessions, network traffic, and operational databases represent some of the ICS data sources. We reasoned that if adversaries could find the ICS data sources and discover the ability to modify the data sources, then adversaries could cover their tracks to successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide the attacker’s steps or ICS attackers could delete alarm notifications that showed that ICS attackers changed ICS settings.

In this work in progress research, we used knowledge-graph modelling techniques to link together RTs with ICS data sources, the ability to modify the data sources, the ability to then cover tracks of ICS techniques, and the impact of techniques on accomplishing ICS tactics. We named the graph RT-ICS Graph. With knowledge graph queries and shortest-path algorithms run over the RT-ICS graph, we showed how RTs can explicitly lead to impacts on adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.

AI-based quantum-safe cybersecurity automation and orchestration for edge intelligence in future networks

Aarne Hummelholm — 2023-06-19

The AIQUSEC (AI-based quantum secure cyber security automation and orchestration in the edge intelligence of future networks) brings measurable advances to the cyber security of access and edge networks and their services, as well as Operational Service Technologies (OT). The research aims for significant cybersecurity scalability, efficiency, and effectiveness of operations through improved and enhanced device and sensor securities, security assurance, quantum security, and Artificial Intelligence (AI) based automation solutions. The new application scenarios of near future, the multiple stakeholders within each scenario, and the higher data volumes raise the need for novel cybersecurity solutions. Recently, OT cybersecurity threat landscape has become wider, due to the increase digitalization of services, the increase in virtualization and slicing of networks, as well as the increase in advanced cyber-attacks. Because of recent advances in computing power, AI in cybersecurity analyzing and validations is now becoming a reality. A significant part of currently used encryption technologies which secures communications and infrastructures might become instantly penetrable when quantum computing becomes available. Enabling quantum-safety migration development is a clear goal to the project. The research develops a state-of-the-art information security verification and validation environment that supports the integration of cyber security systems as a reference model, focusing on architectural choices and network connection from different vertical use cases. With the help of the platform and the reference model, common cybersecurity capabilities and requirements can be built, tested, and validated, as well as their fulfillment. In addition to the environment mentioned above, the results of the research are demonstrated and utilized in critical communication systems, water utilities, industrial environments, in physical access solutions and remote work. The developed platform can also be used for auditing devices, systems, and software’s in the future. The research integrates new quantum-safe artificial intelligence-based, hardware-hardened, and scalable cybersecurity solutions that have been validated in a standardized way. In this research, we also deal with the requirements of the EU sustainable growth program - issues related to the green transition.

Security Issues of GPUs and FPGAs for AI-powered near & far Edge Services

Stylianos Koumoutzelis — 2023-06-19

Graphics Processing Units (GPUs) and Field Programmable Gate Arrays (FPGAs) are widely applied to cloud and embedded applications in which such devices are applied to near and far edge computing operations. This pool of available devices has a wide range of power/size specifications to support servers ranging from big data centres to small cloudlets, or even down to embedded systems and IoT boards. Overall, the most prominent devices and vendors in the market today are the following Xilinx for FPGA-based accelerators, Nvidia and AMD for GPUs, Intel for FPGA- /GPU-based accelerators. Decreasing the latency and increasing the throughput of Artificial Intelligence Functions (AIF), either for network automation or user applications, requires some sort of parallelization inside such purpose-built hardware acceleration. The AI@EDGE project is developing a Connect-Compute Platform (CCP) in which hardware accelerators (1 Nvidia GPU Tesla V100 (near edge device) and 1 Jetson AGX and 1 Jetson Nano (far edge devices), as well as 2 Xilinx FPGAs Alveo U280+U200 (near edge devices) and 1 Versal VCK190 and 2 Zynq ZCU104) are placed inside a server node and execute edge computing scenarios involving multiple nodes of diverse compute capabilities each, to test various integration approaches, to study orchestration techniques measure AIF deployment efficiency, all while developing certain FPGA/GPU code to accelerate representative AIFs of AI@EDGE. In this paper we compare the power/size/performance specifications of all accelerators and highlight the security issues associated with the cloud and embedded accelerators. This study presents the security issues announced by the vendors with the results of our tests and proposes tests and security functions (policies and objectives) which will be applied to the CCP to increase the security level of CCP. It also considers security issues related with the hardware set-up (accelerators inside server nodes) from the network point of view.

Hybrid Threat and Information Influence in Connection with Security of Supply

Jyri Rajamäki — 2023-06-19

Hybrid threat is a multidimensional and hard-to-detect activity. It includes a wide range of actions, from influencing information to the military means by which the hybrid actor achieves its goals. These goals can include weakening or even destroying the target. Security of supply means preparedness and continuity management actions, which aim to safeguard economic activities and related systems that are necessary for the population’s livelihood, the country’s economic life, and national defense in the event of exceptional conditions and comparable serious disruptions. Both hybrid threat and information influencing can disrupt the realization of the goals of security of supply. This work-in-progress paper proposes a framework, which consists of hybrid threat and its sub-classification, and information influencing as one of the means to implement hybrid threat. The framework also describes the security of supply and elements that are used to combat information influence and maintain the security of supply. In addition, the framework paper discusses what kind of elements measuring the maturity level of an organization’s prevention of information influence could consist of.

Demand Analysis of the Cybersecurity Knowledge Areas and Skills for the Nurses: Preliminary Findings

Jyri Rajamäki — 2023-06-19

The purpose of this paper is to present a preliminary analysis of the cybersecurity market demand in the nursing and health sector. Currently, the market demand study is ongoing under the Digital Europe Programme CyberSecPro project, which strengthens the role of higher education institutions as a provider of practical and working life skills. The project promotes reliable digital transformation in critical sectors, such as healthcare. The rapid development of e-health emphasizes the central position of cybersecurity in healthcare organizations that are increasingly the targets of cyber-attacks. This descriptive literature review explores what a nurse needs to know about cybersecurity. Our results show that awareness of cyber risks is weak in the healthcare sector. Understanding cyber risks and recognizing the effects of one's own activities increases the cybersecurity of the entire organization, therefore cybersecurity training for nurses should be increased. Our study suggested that nurses’ most important cyber skills are their own cyber-safe way of operations, identifying cyber threats related to equipment, identifying the effects of cyber disruptions, and acting in a cyber disruption situation. Future nurse training programs should be updated to include these skills. Additionally, the teaching of nurses must be developed so that it meets these competence needs.

Hidden Permissions on Android: A Permission-Based Android Mobile Privacy Risk Model

Saliha Yilmaz — 2023-06-19

The continuously increasing amount of data input on mobile devices has made collating and monitoring users’ data not only uniquely personalised but easier than ever. Along with that, mobile security threats have overtaken with rising numbers in bank fraud and personal information leaks. This suggests that there is a significant lack of awareness of security issues among mobile users. Specifically, permission-based passive content leaks are getting more attention due to the emerging issues in data privacy. One reason for this is that permissions are running in the background collecting and transmitting data between applications within the same permission group, without the user's knowledge. This means, that a supposedly innocent application like the Clock, which is linked with the Calendar to provide the date and time functionality, can have access to any other application within the same Calendar permission group, which is compromising confidentiality. Moreover, this can lead to a violation of data privacy as the user is not aware of which assets are being shared between permissions. Developers of mobile platforms have implemented permission-based models to counteract these issues, however, application designers have shown that they are not necessarily complying with the General Data Protection Regulations (GDPR). For the mobile user, this means that app developers, app providers, and third parties who are included in the applications, can gain access to sensitive data without user consent or awareness. To address this issue, this study examines permissions that are inherent in the Android mobile infrastructure and exemplifies how they can reveal delicate user information, identify user behaviour, and can be shared among other applications - without obviously breaching GDPR guidelines. 10 first-party Android applications were statically analysed by their permissions and manually investigated for their actual purpose and privacy risk. Finally, considering the affected area, these permissions were categorised into four asset groups that form the base of a risk model. With risk levels from low to high, this model provides detection of risks on data privacy in mobile permissions and highlights the difficulty with GDPR compliance, which we therefore named PRAM, a permission-based Android Mobile Privacy Risk Assessment Model.

How Does the Tallinn Manual 2.0 Shed Light on the Threat of Cyber Attacks against Taiwan?

Chih-Hsiang Chang — 2023-06-19

This paper will identify possible unsettled issues when applying jus ad bellum and jus in bello to case scenarios based on China's cyber operations against Taiwan, pursuant to the rules of international law governing cyber or military operations attributable to States reflected in Tallinn Manual 2.0. This paper will argue that because of Taiwan’s legal international status as a sovereign State, the different responsive actions it may take, should it be faced with any such aggressive cyber or military attack, may be considered controversial. This paper will then identify the possible legal issues that may pertain under current international law, should any such armed conflict occur between China and Taiwan.

Digital Forensic Readiness Model for Internet Voting

Edmore Muyambo — 2023-06-19

Voting is an exercise of choosing a preferred candidate through a process called an election. In many countries, this exercise is a basic human right. In every election process, there are some pre-requisite processes and procedures which must be set up first. These are essential in the pre-vote-casting stage, during vote-casting and post-vote-casting stage. Electoral disagreements amongst stakeholders and parties of interest are usually experienced in each of the above-mentioned voting process stages. The main points of conflict in an election process are vote rigging and vote fraud. Failure to amicably mitigate these issues can result in a criticised/rejected election result. Therefore, this research aims to address the problem of vote rigging and vote fraud allegations in an election process. The resolution thereof is achieved through the introduction of an online based voting system which is supported by a digital forensic readiness mechanism. Online voting system gives citizens the flexibility to use internet-enabled devices such as cell phones and laptops to cast their votes in a safe, secrete and secure protocol. To address the problem of vote rigging and vote fraud, the online voting system is integrated with cyber security and vote protection mechanisms. The cyber security and vote protection mechanism is based on Blockchain algorithms. A Blockchain-based voting process is a peer-to-peer mechanism where a decentralised database is used to store data. Tokens move directly from one peer (voter) to another peer (candidate). The results are tallied by counting the number of tokens paid to each candidate. Each voter is allocated a Bitcoin token and each candidate is allocated a Bitcoin address. During vote casting, the voter transfers their Bitcoin token into the wallet of a registered candidate. At the end of the voting process, the total number of Bitcoin tokens transferred to each candidate is counted and tallied up. The wallet is loaded with only one Bitcoin token, hence there is no possibility of double voting. The model ensures vote security, anonymity, auditability, accountability, accuracy and uniqueness.

We see what we want to see: Pitfalls of Perception and Decision-making in Security Management

Helvi Salminen — 2023-06-19

We human beings are often convinced of having a clear picture of reality and believe ourselves to be thoroughly rational in our thinking and decision-making. However, our perception of reality is limited and prone to errors, and our decision-making is often guided by emotions and instincts instead of facts and rational thinking. If we don’t stop to think we often jump to conclusions based on partial or erroneous information, and eloquently justify our decisions with apparently rational arguments. In many areas of human activities, including security management, limits of perception and errors in decision-making can have harmful, even disastrous consequences. Very often in security management the decision-making process is not sufficiently challenged by critical thinking as decisions are often made hidden behind the veil of secrets. Cognitive biases - systematic errors in thinking affecting decisions and judgments - have been identified and analysed in various contexts, and the results have been applied to improve decision-making processes. However, in the heavily regulated and compliance-dominated world of security management sufficient attention hasn’t been paid to cognitive biases and their impacts. As result of insufficient attention an important risk factor is regularly underestimated. This paper includes an introduction to the concept of cognitive biases and the research on the phenomenon. The biases which in the author’s experience have a particularly harmful impact on security management are described in detail. This introduction is followed by description of scenarios and real-life examples where erroneous perception and decision-making of security actors leads to disasters. De-biasing is the strategy which aims at eliminating or at least limiting of the impact of cognitive biases. This strategy has been successfully implemented in various types of environments. This paper presents ideas how de-biasing strategies could be implemented in security management in order to improve the quality of decision-making.

Zero Trust: The Magic Bullet or Devil’s Advocate?

Helvi Salminen — 2023-06-19

The concept of Zero trust was first introduced in mid 1990’s, and has gradually attracted increasing attention. This approach to building organizations’ information system infrastructures has been developed as response to increasing interaction and interconnection of information systems. Along with organizational boundaries have become less clear with the new business models where a business process exceeds the organizational boundaries, also the boundaries of information systems are no longer clear. In this interconnected world the purely perimeter-based security model defining zones of trusted entities inside the perimeter and the untrusted external world outside the perimeter no longer serves the needs of new business models. And the combination of complex technology and sophisticated attack methods it is no longer possible to be sure that all system components and actors inside the perimeter can be trusted. The Zero trust approach brings the sophisticated controls from the perimeter to the entire system. The core idea can be expressed with the four words “never trust, always verify”. No system component is by default trusted , and one-time verification is not sufficient – access to a resource must be verified at each connection attempt. Mutual authentication of the communicating parties is in the core of the approach. But does the zero trust approach have unwanted side-effects? The complexity of the system increases when new control layers are built, and system complexity can increase the possibility of configuration errors. Can there be other side-effects as well? The need for trust does not disappear even when the systems are built on the zero trust principles. When studying the zero trust approach the author started thinking what would happen in human interaction and organizational co-operation if they are based on or partly apply the zero trust approach. And the scenarios were quite gloomy. But is this only a nightmare or already at least partly present in our reality? This article describes the zero trust approach and its applicability to technical environments. The second part present scenarios of the impacts which application of zero trust principles could have – or maybe already has - in human communication and organizational relationships.

A Survey on National Cyber Emergency Plans

Konstantinos Adamos — 2023-06-19

Operators of Essential services (OESs) and Critical infrastructures (CIs), whether private companies or public organizations are going through a digital transformation to pace with the evolution of technology and to bring better services to customers and countries’ citizens. Operational Technology (OT) systems like Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS) used to control and monitor functions in such infrastructures are converging with Information Technology (IT) environments. This convergence has exposed infrastructures to new cyber risks. For this reason, EU Member States have been trying to build resilience against cyber-attacks to ensure the stable operation of their states. Several countries have established cybersecurity incident response procedures as well as steps or phases of response before, during, and after a cyber incident. The sum of these procedures and guidelines constitutes their national cyber emergency plans (NCEPs). Still, these NCEPs differ widely in their approaches. These differences manifest as both managerial, governmental, legal, and technical, creating a complex environment worldwide. In this paper, we gather four major NCEPs worldwide to analyze and compare them with prominent standards and industry guidelines in cybersecurity, like the ISO 27001 and NIST 800 series. We investigate NCEP approaches to building cyber resilience based on their response models, their involved entities, the cooperation between agencies and other countries, and their risk-based categorization for cyber incidents. We elaborate on their differences, potential issues and divergences and argue whether these plans can be combined to bridge potential weaknesses. We selected and surveyed four (4) cyber emergency plans from four (4) countries that are frequent targets of cyber-attacks and have long experience in managing and responding to cyber incidents.

Digital Forensic in A Virtual World; A Case of Metaverse and VR

tayba al ali — 2023-06-19

Metaverse is a virtual space where users can interact with each other. It is a combination of virtual reality, augmented reality, and mixed reality. This evolving technology can offer many exciting opportunities that can be used for individuals and businesses. Although this technology has many advantages, people are misusing it for their benefit. Many cyberattacks are occurring in the metaverse world because it has various vulnerabilities and privacy issues. This paper explains four cyberattacks and a case scenario of each attack as it relates to the metaverse. Additionally, this study developed a metaverse forensic framework that can be used to investigate cyberattacks in the metaverse world. Furthermore, this study describes how forensic examiners can conduct a forensic investigation using state-of-the-art forensic solutions and tools. The developed framework can be used by forensic examiners, security researchers, as well as the general scientific community for the security of the metaverse.

Attention-Based Deep Learning Modelling for Intrusion Detection

Ban AlOmar — 2023-06-19

Cyber-attacks are becoming increasingly sophisticated, posing more significant challenges to traditional intrusion detection methods. The inability to prevent intrusions could compromise the credibility of security services, thereby putting data confidentiality, integrity, and availability at risk. In response to this problem, research has been conducted to apply deep learning (DL) models to intrusion detection, leveraging the new era of AI and the proven efficiency of DL in many fields. This study proposes a new intrusion detection system (IDS) based on DL, utilizing attention-based long short-term memory (AT-LSTM) and attention-based bidirectional LSTM (AT-BiLSTM) models. The time-series nature of network traffic data, which changes continuously over time, makes LSTM and BiLSTM particularly effective in handling intrusion detection. These models can capture long-term dependencies in the sequence of events, learn the patterns of normal network behaviour, and detect deviations from this behaviour that may indicate an intrusion. Also, the attention mechanism in the proposed models lets them make predictions based on the most important parts of the network traffic data. This is important for finding intrusions because network traffic data can have many different features, not all of which are important for finding an attack. The attention mechanism lets the models learn which features are most important for making accurate predictions, which improves their performance and efficiency. The UNSW-NB15 benchmark dataset is used in the study to measure and compare the effectiveness and reliability of the proposed system. This dataset contains normal and attack traffic data with a significant class imbalance. To address this issue, the study employs the Synthetic Minority Over-sampling Technique (SMOTE) to balance the dataset, thus reducing the risk of overfitting to the majority class and improving the model's performance in detecting attacks. The performance evaluation results demonstrate that the proposed models achieved a detection rate of over 93%, indicating high precision in detecting intrusions. By harnessing the power of deep learning, these models can learn and adapt to new threats over time, thus ensuring data confidentiality, integrity, and availability in today's interconnected world.

Towards the Development of Indicators of Fake Websites for Digital Investigation

Aysha Alkuwaiti — 2023-06-19

A fake website is considered a website that is intended to cause harm and manipulate users, especially novice users without some knowledge of indicators of fakeness. Understanding the indicators of fake websites is thus considered an important concept to avoid being a victim of malicious attacks in online engagements. In some cases, such knowledge is required to reduce the potential attack surface of cyber criminals. However, the increasing rate of website diversity and complexities makes it difficult for an individual to distinguish between a fake and a real website while compounding the investigation process of a website. Also, the growing rate of website imitation technology and website domain closure presents a veritable platform for the development of fake websites. As a step towards determining the genuineness of a website, this study developed a forensic framework based on an exploratory analysis of different genres of fake websites. To achieve this, forensic methodologies and processes were applied to methodically selected samples of known fake websites based on three fakeness categories: Hoaxes, Cybersquatting, and Sweepstakes. The result revealed the existence of salient markers which can be used as indicators of fakeness and can be applied across a wide genre of websites. Furthermore, the resultant observation was used to develop a digital forensic framework for website fakeness evaluation. The developed framework was benchmarked to the ISO 27043/2015 and the NIST SP800-86 standard for completeness and relevance to forensic investigation processes. By leveraging the proposed digital forensic framework, an investigation can develop a reliable pointer to evaluate the genuineness of any website, which can significantly reduce the investigation time. For a non-forensic individual, the developed framework can be leveraged to identify, at first glance, the degree of fakeness of a website. Such a mechanism can therefore provide a useful tool to reduce the potential susceptibility of users thereby creating user awareness.

An Educational Scenario for Teaching Cyber Security Using low-cost Equipment and Open Source Software

Antonios Andreatos — 2023-06-19

This work presents a set of hands-on educational activities designed to teach some cyber security concepts in the classroom. The experimental configuration used an ad-hoc wireless and wired network, and a Raspberry Pi implementing a Web and an SSH server. Students were connected using their own devices (laptops or tablets). Initially the students tested DoS attacks to the Web server using various tools. Next, the students had to create SSH accounts to the server and a pair of RSA keys; using their SSH accounts, the students had to transfer their public keys to the server. Finally, students had to attack the SSH service from Kali Linux running on virtual machines in teams, each team using a different tool. The scenario was implemented in parts during a series of lessons and was positively accepted and evaluated by the students, who got familiar with a number of concepts and tools of computer networking and network security. In the end, the students informally assessed the Kali Linux SSH attack tools. Ways to assess the students qualitatively and quantitatively based on their participation are also presented. These lab exercises used a series of open source software, as well as low-cost equipment.

A Methodical Framework for Conducting Reconnaissance and Enumeration in the Ethical Hacking Lifecycle

Fouz Barman — 2023-06-19

Reconnaissance and enumeration are both equally significant phases of the penetration testing lifecycle. In hindsight, both reconnaissance and enumeration seem to be very similar as the pair involve information gathering. Whilst reconnaissance leverages passive approaches without direct interaction with the target, enumeration exploits susceptibilities and vulnerabilities in direct client-server communication. Both phases involve gathering information and pinpointing the attack surface within the network of the target. To do so, powerful tools such as Nmap and Netcat are utilized by ethical hackers and penetration testers to identify and resolve security vulnerabilities and weaknesses. Nmap is an open-source command-line tool used for information gathering, network discovery, and security auditing. Whereas Netcat is a back-end tool that manages networks, monitors traffic flow between systems, as well as allows port scanning and listening. However, the plethora of tools and approaches available for these two phases often introduce inconsistencies and time wastage, which can lead to frustration and poor outcome for inexperienced penetration testers. Additionally, not all commands found online are relevant and applicable. In such situations, there is a high probability that the user will feel overwhelmed and exasperated with the overflow of new and foreign information. To address this daunting challenge, this study developed a methodical framework that can provide a technical guide for the reconnaissance and enumeration phases of the penetration testing lifecycle. Furthermore, a clear and thorough step-by-step procedure and detailed explanations of each stage and commands initiated using Nmap and Netcat are provided. The output of this study will be extremely beneficial and informative to a vast group of audience, ranging from university students majoring in security to individuals interested in ethical hacking, and even someone looking for a job with a position of a penetration tester. Furthermore, this technical guide on Nmap and Netcat extends the common body of knowledge in penetration, as a bridge between the industry and academia.

A Commentary and Exploration of Maritime Applications of Biosecurity and Cybersecurity Intersections

Michaela Barnett — 2023-06-19

Prior work has discussed the emerging fields of Biocybersecurity (BCS) and Cyberbiosecurity (CBS) in multiple forms. These include the definition, mission-awareness, general applications, and policy (Murch et al, 2018; Peccoud et al, 2019; Potter et al, 2020). One area that has received relatively little attention are unique BCS/CBS vulnerabilities with maritime theaters, which refers to ocean and littoral-based commercial and military ventures. There is considerable ground for both bioeconomies and militaries to be placed at risk of degraded capacity for activity due to maritime-specific BCS/CBS attacks presently in the future. This is especially the case where aforementioned vulnerabilities are used to disrupt logistics through targeting of personnel and means of transport. This paper discusses the growing relevance of CBS/BCS in maritime space, aspects of maritime environments that can be exploited for BCS attacks, possible BCS/CBS attacks in the near future, possible BCS/CBS means of defense and pre-emptive positioning, and discussion of BCS/CBS relevance in international policy, and differences in application. This paper aims to facilitate and accelerate discussion of BCS to spur helpful action in this area.

Functional Architectural Design of a Digital Forensic Readiness Cybercrime Language as a Service

Stacey O Baror — 2023-06-19

Developing a generic digital forensic solution in a cloud computing platform that can address the functional requirements of digital forensic stakeholders is a complex process. The solution would require a technology-independent architectural design that addresses the challenges of incident threat identification, triggering, incident threat isolation and investigation. Existing approaches are limited to the functionality that treats these four challenges individually without the due diligence to consider their interoperability. This study proposes a context-independent and technology-neutral architecture to address these issues by developing a digital forensic readiness (DFR) based on a human language communication interaction (HLI) system that could create a cybercrime language as a service (DFClaaS). The functional architectural design of the proposed DFR HLI DFClaaS system comprises microservices, layered and event/component-based architectural patterns on top of cloud architectural patterns. The DFR HLI DFClaaS system integrates flexibility and other quality requirements to separate concerns while accommodating rigid requirements like security and reliability. The developed architecture is essential for any human-centred digital forensic solution. Therefore, integrating the developed architecture presents a reliable baseline for the digital forensic community.

Teaching Social Science Aspects of Information Security

Igor Bernik — 2023-06-19

As information security has become increasingly crucial in our daily lives, there is a growing need to teach its social science aspects. This paper explores the challenges and best practices for teaching social science aspects of information security. It begins with the importance of information security and cyberspace and highlights the human aspects of information security. Next, it discusses the role of social science in understanding information security and how social science can help us better design and implement security measures. The paper identifies challenges in teaching social science aspects of information security, such as the interdisciplinary nature of the subject and the need for a standardised curriculum. Finally, the paper outlines best practices for teaching social science aspects of information security, such as using case studies and real-world examples, incorporating interactive and experiential learning, and leveraging existing resources. The conclusion highlights the importance of incorporating social science aspects of information security in education and suggests future research directions.

An Analysis of the MTI Crypto Investment Scam: User Case

Johnny Botha — 2023-06-19

Since the start of the Covid-19 pandemic, blockchain and cryptocurrency adoption has increased significantly. The adoption rate of blockchain-based technologies has surpassed the Internet adoption rate in the 90s and early 2000s. As this industry has grown significantly, so too has the instances of crypto scams. Numerous cryptocurrency scams exist to exploit users. The generally limited understanding of how cryptocurrencies operate has increased the possible number of scams, relying on people’s misplaced sense of trust and desire for making money quickly and easily. As such, investment scams have also been growing in popularity. Mirror Trading International (MTI) has been named South Africa’s biggest crypto scam in 2020, resulting in losses of $1.7 billion. It is also one of the largest reported international crypto investment scams. This paper focuses on a specific aspect of the MTI scam; an analysis on the fund movements on the blockchain from the perpetrators and members who benefited the most from the scam. The authors used various Open-Source Intelligence (OSINT) tools, alongside QLUE, as well as news articles and blockchain explorers. These tools and techniques are used to follow the money-trial on the blockchain, in search of possible mistakes made by the perpetrator. This could include instances where some personal information might have been leaked. With such disclosed personal information, OSINT tools and investigative techniques can be used to identify the criminals. Due to the CEO of MTI having been arrested, and the case currently being dealt with in the court of law in South Africa, this paper also presents investigative processes that could be followed. Thus, the focus of this paper is to follow the money and consequently propose a process for an investigator to investigate crypto crimes and scams on the blockchain. As the adoption of blockchain technologies continues to increase at unprecedented rates, it is imperative to produce investigative toolkits and use cases to help reduce time spent trying to catch bad actors within the generally anonymous realm of cryptocurrencies.

How to safely communicate with a phishing attacker by email?

Ladislav Buřita — 2023-06-19

The published study is a part of the long-term research of emails with phishing attacks against the article's author. In the previous three years, 3 experiments were carried out to analyze phishing emails. The result is their detailed classification. The subsequent experiment was focused on defense against phishing attacks using the rules of the MS Outlook email client. The last experiment, which is the article's content, is devoted to analyzing communications with phishing attackers. A fake identity was created for the experiment and security rules were set up. A total of 100 phishing emails were answered, with a preference for those whose content was not aimed at fulfilling any request; that was clarified during the communications. The conducted literature search confirmed the assumption that no one is engaged in similar research, so the results of the research may be more interesting for the cybersecurity community. The articles of the literary research are focused on the issue of social engineering from an interdisciplinary perspective. A great deal of attention has also been oriented on the influence of social networks on people information perception or on their exploitation in cyber-attacks. The result of the study is a statistical analysis of communications and a detailed analysis of its content. Out of 100 replies to the phishing email, 32 (32%) were answered by the phisher. The longest communications had 6 cycles. If the phisher insisted aggressively on personal information, the communications was terminated. From the content of the communications, the attacker's procedures and his argumentation to obtain the required information were primarily examined. A detailed analysis of the texts from the communications aimed to answer the question of whether the phisher is a robot or a person. Further considerations are being made within the team on how to continue researching phishing attacks.

Agile Methods For Improved Cyber Operations Planning

Jami Carroll — 2023-06-19

Cyber Ranges provide an interactive simulated environment of hardware and software for simulation. This closed environment provides a safe and legal environment where cyber warfighters can refine their skills. They enable mock cyber mission rehearsal of operation playbooks. Simulated cyber capabilities in the cyber range parallel the intelligence, surveillance, and reconnaissance (ISR), Order of Battle (OOB), and battle damage assessment (BDA) in a closed, safe environment for experimentation. Scrum has been used in collegial cyber competitions with success because it has allowed Capture-the-Flag cyber games to create quicker simulations. Defense Innovation Units (DIUs) are using agile Scrum processes to numerous warfighting areas in order to make them more agile. This research argues that the agile software development processes could be used to optimize the planning and execution of offensive, defensive, and operation and maintenance (O&M) of cyber warfare simulations within cyber ranges. O&M can be done quicker, new exploitable modules can be includer more rapidly, and the capability can be reconstituted to the appropriate skill level for the next set of trainees quicker. The White team as maintainers of the networks, systems, applications and cyber tools select the CVE exploits and spend an enormous amount of time installing and configuring these capabilities for the next set of trainees. Quite often, there are different skill levels which require multiple builds and the ability to refresh the cyber range with varying levels of cyber trainee complexity. This requirement to restore the cyber range quickly with a variety of builds, varying levels of difficulty, and ensure the experiential learning is maximized with the best availability lends to agile methods such as Scrum could lend to improvements with cyber operations. This research will illustrate how a cyber range could leverage agile Scrum processes to provide an improved cyber range environment quicker and with more capabilities.

A New Interpretation of Integrated Deterrence: Physical and Virtual Strategies

Jim Chen — 2023-06-19

The integrated deterrence strategy, backstopped by nuclear deterrent, calls for seamless collaboration in deterrence across warfighting domains, using all instruments of national power, and with allies and partners. Being a warfighting domain and being closely related to the information instrument of national power, the cyber domain should certainly be included, and cyber deterrence should play a significant role in the integrated deterrence strategy. Nevertheless, as cyber deterrence seems not to be as effective as it is expected at least currently, some scholars and practitioners doubt its mere existence, not mentioning the role that it can play in the integrated deterrence strategy. This paper argues that not having deterrence in cyberspace leaves a blank spot in the strategy since some critical functionality of deterrence in cyberspace cannot easily be replaced. By recognizing the unique strategic context of cyberspace, the paper maintains that deterrent effect can actually be achieved in unique ways in this space. To further explore the unique role that deterrence in cyberspace plays within the integrated deterrence strategy, this paper proposes a multi-level and multi-aspect architecture for integrated deterrence strategy. This novel architecture is able to cover varied levels of strategic environments both below and above the threshold of armed conflict. It is also able to correlate varied deterrent measures with varied strategic environments categorized via various aspects, such as diplomacy, information, military, economy, etc. This paper shows that the inclusion of deterrence in cyberspace can empower the strategy by making the strategy flexible enough in tackling various challenges. Eventually, the strategy can make its contribution in preventing war and maintaining peace.

Influence Diagrams in Cyber Security: Conceptualization and Potential Applications

Sabarathinam Chockalingam — 2023-06-19

Over the last years, cyber-attacks are increasing in organizations especially due to the use of emerging technologies and transformation in terms of how we work. Informed decision-making in cyber security is critical to prevent, detect, respond, and recover from cyber-attacks effectively and efficiently. In cyber security, Decision Support System (DSS) plays a crucial role especially in supporting security analysts, managers, and operators in making informed decisions. Artificial Intelligence (AI)-based techniques like Bayesian Networks, Decision Trees are used as an underlying approach in such DSSs. Furthermore, Influence Diagrams (IDs) possess the capability to support informed decision-making based on its existing applications in other domains like medical. However, the complete capability and potential of IDs are not utilised in cyber security especially in terms of its explainable nature for different stakeholders and existing applications in other domains. Therefore, this research tackles the following research question: “What are potential applications of Influence Diagrams (IDs) in cyber security?”. We identified applications of IDs in different domains and then translated it to design potential applications for cyber security issues. In the future, this will help both researchers and practitioners to develop and implement IDs for cyber security-related problems, which in turn will enhance decision-making especially due to its explainable nature for different stakeholders.

Permission-Based Classification of Android Malware Applications Using Random Forest

Nikolaos Chrysikos — 2023-06-19

Android is arguably the most widely used mobile operating system in the world. Due to its widespread use, it has attracted a lot of attention of cybercriminals who attempt to exploit its architecture and outsmart innocent users to install malware applications. The number of such applications is growing every day either by alternating a basic exploitation mechanism or by creating novel mechanisms to exfiltrate users’ data. As a result, there is an increasing need for detection mechanisms that can classify these applications to families based on their characteristics. A significant amount of research has already been devoted to analysing and mitigating this growing problem; however, this situation demands more efficient methods with higher precision. The paper proposes such a framework for analysing and classifying a malicious application to certain families relying on the permissions used. The proposed method involves the pre-processing of the applications to extract their permissions, the tokenization of permissions, the data cleansing and finally the application of the Random Forest Classifier to classify the applications in families. The proposed method is trained and tested with a dataset of 11,159 malicious applications categorized in 33 unique families. The precision, recall and f1-score achieved is 98%. The results of the proposed methodology are promising, since it even works in an unbalanced dataset and in many cases outperform other state-of-the-art approaches.

Cultural Influences on Information Security

Henry Collier — 2023-06-19

Humans are by far the weakest link in the information security chain. Many in the information security industry advocate for a technical solution to this problem. Unfortunately, technology does not hold the answer to solving the human problem. Instead, it is important to better understand the problem and find new ways of training individuals, so they have a better security mindset and make better security minded decisions. The security challenges associated with human factors have been widely studied in previous literature and different research groups. Prior research has shown that both human behavioural factors and social media usage factors can be used to better assess a person’s susceptibility to cybercrime. We know that humans are multi-faceted beings who are swayed by many factors. In addition to behavioural factors and social media factors, humans are predisposed by cultural influences. This paper begins the process of understanding how culture influences a person's ability to make positive cybersecurity decisions in a world that is full of data being thrown at them. The end goal of this research is to use culture, along with behaviour and social media usage as new metrics in measuring a person’s susceptibility to cybercrime. This information can then be used by information security practitioners and researchers to better prepare individuals to defend themselves from cyber threats. This paper is the start of the research process into how culture impacts a person’s susceptibility to cybercrime. It shows the significance of identifying what specific aspects of culture impact how someone makes a decision. This can help mitigate social engineering attacks by better understanding the influencing factors which control an end user. The authors will continue their work on this project to develop new Information Awareness (IA) training programmes that work to modify an individual's behaviour, while taking into consideration their behaviours, social media usage and culture.

Designing a high-fidelity testbed for 5G-based Industrial IoT

Diogo Cruz — 2023-06-19

With the rise of the Industrial IoT (Internet of Things) and Industry 4.0 paradigms, many control and sensor systems used for IACS (Industrial Automation and Control Systems) have become more complex, due to the increasing number of interconnected field devices, sensors and actuators often being geographically spread across large areas. Supporting these increasingly sophisticated networked scenarios calls for the involvement of telecommunications and utility providers to better support Machine-to-Machine (M2M) communications and infrastructure orchestration, for which 5G technology is considered a perfect match. Nowadays, such 5G networks empower solutions both for consumer and for industrial IoT scenarios, providing the capacity and the means to seamlessly connect a massive number of gadgets and sensors, with diverse data rate requirements, low latency, and low power consumption. Part of this flexibility is also due to the nature of the 5G Service Architecture (SA), which is based on a microservice concept, dividing its core through multiple functions, allowing it to horizontally scale in a flexible way. Furthermore, the 3GPP specifications encompass specific support for verticals by means of slicing and 5G LANs, paving the way for a paradigm shift in terms of the relationship between service, telecom, and operational infrastructure tenants. However, such benefits come at the cost of extra complexity and, consequently, an increased vulnerability surface. This calls for further research focused on improving 5G infrastructure management, service integration and security, which cannot be safely undertaken in production environments, thus motivating the development of suitable 5G testbeds. This research work, which was developed in the scope of the POWER and Smart5Grid P2020 projects, addresses the creation of a high-fidelity environment for 5G-related research, which encompasses a gNodeB and 5G core, together with emulated User Elements (terminal devices) and IoT nodes (in this specific case, Programmable Logic Controllers), constituting a 5G Industrial IoT scenario designed for development and validation of new solutions, security research, or even advanced training purposes. The entire infrastructure is supported via container orchestration technology, providing enhanced scalability and resilience characteristics.

This work was co-financed by the European Regional Development Fund (FEDER), through the Portugal 2020 (PT2020) framework, and by the Competitiveness and Internationalization Operational Programme (COMPETE 2020), under the scope of projects POWER (grant number POCI-01-0247-FEDER - 070365) and Smart5Grid (Grant POCI-01-0247- FEDER-047226). It was also partially supported by the FCT–Foundation for Science and Technology, Instituto Público (I.P.)/MCTES through National Funds, within the scope of Centre for Informatics and Systems of the University of Coimbra (CISUC) Research and Development Unit, under Grant UIDB/00326/2020 and Project UIDP/00326/2020.

Cognitive Security: Facing Cognitive Operations in Hybrid Warfare1

Didier Danet — 2023-06-19

The digital space is now an active area of conflict. Attacks take many forms, to the point where concepts multiply and overlap. One concept in particular raises important questions: cognitive warfare. Cognitive warfare is an issue of concern to all countries, but there are very significant differences in approach between countries such as the United States or France and countries such as Russia, Iran or China. We try to show that these very different approaches leave Western countries unprepared for a global threat and poorly identified vulnerabilities. The concept of cognitive security therefore appears to be a promising avenue for reflection.

JTF-ARES as a Model of a Persistent, Joint Cyber Task Force

Charlotte Donnelly — 2023-06-19

Military involvement in cyberspace has traditionally been limited to operations in service of “kinetic,” or physical, missions. Military cyberoperations are therefore usually described using traditional “kinetic” descriptors and rarely articulate cyber-related goals that are independent of kinetic operations. Recently, the concepts of “persistence” and “jointness” have been increasingly used by the U.S. Cyber Command to describe cyberoperations. Persistence describes operations that focus on a target over time (in contrast to the episodic “response” concepts articulated in kinetic warfare). “Jointness” describes working across group or agency lines. This paper will investigate the effectiveness of “persistent” and “joint” task forces in accomplishing cyber-related goals by means of a case study of Joint Task Force – ARES (“JTF-ARES”). JTF-ARES was set up as a task force by the U.S. Cyber Command to disrupt ISIS cyberoperations – a singularly cyber (as opposed to kinetic) goal. By contrasting the approach of JTF-ARES with the existing history of US operations in cyberspace, militaries can apply JTF-ARES’ successful approach to accomplish future cyber-related goals that are independent of kinetic military units. After discussing a brief history of the U.S. Cyber Command and defining the terms “persistence” and “jointness,” the paper discusses JTF-ARES’ successful operation and contributing factors, most notably its organization within the U.S. Cyber Command. Next, it explores a counterfactual organization of JTF-ARES, suggesting that alternative organizational structures would likely have ended in failure and highlighting factors that may have influenced its success. Furthermore, the paper discusses the administrative challenges associated with creating a JTF, which include administration hurdles as well as collaboration and training requirements specific to joint operations. Since JTF-ARES deviates from traditional organizational structures within U.S. Cyber Command, this paper articulates criteria for creating a joint, persistent cyber task force, which militaries may find useful when considering how to implement cyber-specific goals. The first criterion concerns the operations required for the mission – namely, are reconnaissance, offensive, and defensive cyberoperations required? The second criterion asks whether the cyberoperation has a uniquely cyber-oriented end state: for missions with non-kinetic goals, it may be helpful to consider a joint, persistent task force.

Cyber power in the African context: an exploratory analysis and proposition

Petrus Duvenage — 2023-06-19

While the centrality of cyber power in the safeguarding and advancing nation states’ national interests and objectives is now widely accepted, the academic discourse (on cyber power) is still incipient. In literature reviewed, cyber power is predominantly viewed as comprising of two dimensions, namely offensive and defensive. The exploratory analysis we conducted found that Africa’s unique, contextual factors necessitate an expanded conceptualisation of cyber power. This alternative conceptualisation does not dispute the existing notion that cyber power has offensive and defensive dimensions. The fact that cyber is by its very nature borderless and that African countries function in an interconnected global arena of competition and conflict, are also not contested. What is required is the addition of a third dimension to cyber power, namely developmental power. This paper advances a tentative proposition on a cyber-power triad (with offensive, defensive and developmental dimensions). This proposition, we argue, is more apposite to African countries’ national objectives —strategically and in the allocation of resources. At least on a notional level, the cyber-power triad can guide the leveraging of the asymmetric advantages that cyber space offers African nation states and in a manner that pursues all three (cyber power) dimensions in a complementary manner. Such synergetic wielding of cyber power is one of the keys indispensable to African countries addressing their substantial challenges and unlocking their vast potential.

DPIA for Cloud-based Health Organizations in the context of GDPR

Dimitra Georgiou — 2023-06-19

The General Data Protection Regulation is the core instrument of the reformed legal framework for personal data protection in the European Union. The GDPR was put into effect on May 25, 2018, and requires assessing and conducting a Data Protection Impact Assessment for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, specifically using new technologies and considering the nature, scope, context, and purposes of the processing. Although GDPR does not precisely specify the types of processing activities for which a DPIA would be necessary, through the guidelines that it provides, the organization should conduct a DPIA, if there is large scale processing of health data. An example of this, is a Cloud-based Health Organization. Taking into account this parameter, that Cloud-based Health Organization processes personal data that could impact the freedoms and rights of a data subject under the GDPR and that the GDPR does not specify a DPIA process to follow, instead it allows organizations to use a framework that complements their existing processes, this paper presents the last two steps of a DPIA study for a Cloud-based Health Organization and provides guidelines on how to carry them out effectively. This study is part of a project for the compliance of Cloud-based Health Organizations with the General Data Protection Regulation 2016/679. For fulfilling the objectives of this study, the PIA-CNIL methodology is applied, which is in accordance with the data privacy impact assessment that has been described in ISO/IEC 29134. The main contribution of this work is the development of a guide that is designed to help Cloud-based Health organizations identify, analyze and reduce data protection risks in relation to their processing activities. More analytically, this research presents the risks that could be materialized by the data processing activities carried out by a Cloud-based Health Organization regarding its Processing Activities and could have an impact on the fundamental rights and freedoms of natural persons.

Radiograph Manufacturer and Model Identification Using Deep-RSI

Farid Ghareh Mohammadi — 2023-06-19

Malware attacks of healthcare institutions are simultaneously becoming more common and more sophisticated. Artificial intelligence (AI) has resulted in the ability to rapidly alter or generate false images, advancing the ease of forgery of digital images. Digital image manipulation and substitution of radiographs are major threats to healthcare institutions because these altered images may affect patient care. Identifying the source (manufacturer, model) of radiology images is one method of validating the origin of radiology images in a healthcare system. In a previous study, researchers demonstrated that features from magnetic resonance imaging (MRI) could be used to trace and authenticate the source of the MRI images. We previously developed and tested the Deep learning for Radiograph Source Identification (Deep-RSI) approach for source identification of radiographs obtained of the upper extremities (hands, wrists, forearms, elbows, and shoulders). In this research, we present an empirical and quantitative investigation using deep learning to validate the source of digital radiographic images of the lower extremities (knees, legs, ankles, and feet). A convolutional neural network (CNN) is employed to extract features, which are then followed by three fully connected layers (FCNN). To ensure that our proposed method is a content-free approach, we added a new layer before the CNN to extract the initial content-free pixels and train the features using the CNN and FCNN layers. This proposed approach was used to identify the source of each digital image of a lower extremity. Adult patients of both sexes who had radiographs of the lower extremities at Mayo Clinic between 01/01/2010 and 12/31/2021 were evaluated. The data was randomly split by patient into training/validation and test datasets. There were 9 radiographic machine models and 6 manufacturers. Deep-RSI had an accuracy of 99.00% (AUC= 0.99) and 97.00% (AUC=0.94) for detecting the manufacturer and model of the radiographic machine for radiographs of the feet respectively, confirming that forensic evaluation of radiographs can be performed. This is the first medical forensics examination of this type to identify and confirm the source origins for radiographs of the lower extremities. This technique may be helpful to detect radiology malware attacks and scientific fraud.

Cyberspace Geography and Cyber Terrain: Challenges Producing a Universal map of Cyberspace

Alexander Grandin — 2023-06-19

Much in the same way that cyber has become the fifth military domain, cyberspace has also brought forth the research area of Cyberspace Geography. The challenge of producing a universal map of cyberspace however still exists. Cybersecurity specialists, military personnel and researchers still begin with a blank sheet on which the wanted elements of cyberspace are arranged before solving their actual problem. The abundance of elements in cyberspace requires a careful selection of factors to include in one's map, depending on how it will be used. However, a complex and ever-changing environment such as cyberspace could make use of a generally acknowledged starting point, facilitating this work. In previous research cyberspace has been described as a combination of the physical world, the social world and the information world. The multidisciplinary research in Cyberspace Geography has developed models for mapping and displaying cyberspace. This is often done by creating topological maps, much like the map of the New York subway system. Military cybersecurity researchers have through the concept of Cyber Terrain presented similar models of cyberspace for military operations. Research has also been produced on the techniques and methods for mapping cyberspace as well as the different presentations of the mapped information. Graph theory has for instance been used as a mathematical model of cyberspace. It is nonetheless unclear if there is some degree of universality in the elements that the different research presents. Which are e.g. the similar features between the cyberspace maps that are used for military operations, that describe the cyber environment of a country or between the elements used for modelling a cybersecurity system? This paper aims to present a solution to this challenge by systematically reviewing the research on Cyberspace Geography and Cyber Terrain using thematic analysis. The different elements of the maps of cyberspace are reviewed. The research will answer if a universal map, that can be used as a starting point for solving multiple challenges in cyberspace, can at present be prepared.

Detect, Deny, Degrade, Disrupt, Destroy, Deceive: which is the greatest in OCO?

Tim Grant — 2023-06-19

In the cyber kill chain literature, possible courses of action are listed as detect, deny, degrade, disrupt, destroy, and deceive (a.k.a. “the 6Ds”). These verbs denote defensive action to be taken against an intruder. By comparison, military doctrine for cyberspace operations encompasses cyberspace exploitation and attack, as well as defence. The question arises whether the 6Ds are also applicable to offensive action, i.e. exploitation and attack, or whether additional action verbs are needed. Military doctrine is evolving towards all-domain operations, in which action in cyberspace is integrated with action in the physical domains of land, sea, air, and space. This prompts the question as to whether the 6Ds are also suited to action in a physical domain. A pilot study of actual military operations that integrated cyber and physical action suggests that deception, delay, and denial of organisational and cyber entities is suited to cyber action, while seizure, capture, and destruction of physical entities is suited to physical action. Preference among action verbs may indicate when it is best to engage targets using cyber or physical resources and which action is preferred. This paper identifies which action verbs are best suited to offensive cyber operations in the context of all-domain operations. The paper reviews related theory on cyberspace and the cyber kill chain. It identifies action verbs in US Department of Defense (DoD) doctrine on information and cyberspace operations, comparing them to those in the US DoD Dictionary of Military and Associated Terms. After discussing the findings, the paper draws conclusions and recommends further work.

Known Unknowns: The Inevitability of Cyber Attacks

Virginia Greiman — 2023-06-19

As described by Former U.S. Secretary of Defense, Donald Rumsfeld in his 2011 book, Known and Unknown, “there are many things of which we are completely unaware—in fact, there are things of which we are so unaware, we don’t even know we are unaware of them. Throughout history the world has faced numerous catastrophic events that were not foreseen but in hindsight were discoverable including the devastating effects of Pearl Harbor, and the September 11 terrorist attacks. More recently, the potential for catastrophic loss has been magnified in the 2020 Solar Winds and 2021 Colonial Pipeline cyber-attacks. We may not know when or how these events will occur or how much damage or destruction will occur, but we do know that these events are possible. The literature differentiates between events that occur totally by surprise, and outcomes or events that actors have identified as possibly existing but do not know whether they will take place or not. The aim of this paper is to provide insight, based on an empirical review of selected attacks both within and outside the cyber space literature to uncover the underlying risk, uncertainty, and complexity that may have been known but not seriously considered by those who had the knowledge and capability to investigate the warning signs. Based on the case study analysis, this paper will present the reasons for inaction and how we can learn from these experiences. The following two theories – institutionalization and rationalization have been found to provide some reasons for the occurrence of behaviors which increase the possibility of unobserved risks. In this paper we explore these theories through case study analysis and propose a framework consisting of four concepts for increasing awareness of these situations.

Complicity in Unlawful Offensive Cyber Operations Under International Law on State Responsibility

Samuli Haataja — 2023-06-19

States are increasingly engaging in cybersecurity cooperation activities and providing support to other states in offensive cyber operations. While international cooperation is generally encouraged and many cybersecurity cooperation activities are lawful, there is also a risk of being complicit in the internationally wrongful acts of other states. This paper examines the risk of complicity in offensive cyber operations under international law on aiding or assisting. It argues that, while international law in this context applies to cyber operations by states, existing uncertainties and limitations around the key components of the law on aiding or assisting are compounded by competing interpretations about how international law generally applies to state conduct in cyberspace. The paper consists of four sections. Following the introduction in section one, section two outlines some of the ways in which states are cooperating in relation to cybersecurity and offensive cyber operations. Section three examines the key elements of international law on aiding or assisting as contained within article 16 of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts, and the extent to which these apply or are problematised in relation cyber operations. It demonstrates that article 16 adopts a broad approach to what constitutes ‘aiding or assisting’ and this captures various types of activities in support of cyber operations provided the aid or assistance contributes significantly to a wrongful act of another state, the accomplice state has knowledge of the factual circumstances and the illegality of the act by the principal state, and where the accomplice state and principal state are bound by the same legal obligation. Section four concludes by outlining the limits of cooperation in the cyber context and how states can mitigate the risk of complicity in violations of international law.

Semiotics of Strategic Narratives of "Antichrist" in Russia’s War in Ukraine

Michael Hotchkiss — 2023-06-19

The Russian war in Ukraine which began on February 24, 2022 coincides with the ongoing schism of the Moscow Patriarchate of the Russian Orthodox Church from the Ecumenical Patriarchate of Constantinople, to which the Orthodox Church of Ukraine affiliates. In this setting, spiritual and secular leaders in Russia and Ukraine have mutually utilised narratives of the Antichrist and Satan to explain Russian attacks on Ukraine, imbuing a “spiritual” dimension to the strategic communications in the conflict. This paper applies a semiotic approach to analysing the antichrist and satanic myths at play in the context of ideological “strategic narratives”, and the conflict of meanings which emerges from these competing narratives. In Russia, these ideomyths have long been utilised as ideological tools which place the nation metaphysically in perennial militant opposition to the West. However, Ukraine which is striving to leave the Russian orbit and join the West has reciprocally framed Russia and its leader in similar concepts. In conclusion, this paper argues that there is opportunity for the creation of political messaging which can frame the conflict in spiritual and moral terms that can resonate with both Western and Russian thinkers.

Processing Model and Classification of Cybercognitive Attacks: Based on Cognitive Psychology

Ki Beom Kim — 2023-06-19

Cybercognitive attacks, as witnessed in large and small wars and events along with the recent Russia-Ukraine war, are no longer traditional cyber operations, but are increasingly attacking the psychological weaknesses of targeted members of society and target organizations. Therefore, it is timely to systematically analyse and model cybercognitive attacks. Various definitions and case analyses of cybercognitive attacks are currently being actively conducted, but studies on clear classification and processing models of cybercognitive attacks are almost absent. Accordingly, this paper analyzed cases of cybercognitive attacks. The types derived through case analysis were divided into four categories, and cybercognitive attacks were classified and defined. On such basis, a processing model for cybercognitive attacks was designed, and furthermore, cybercognitive attack layers were classified and presented from the attacker and defender's perspective. The corresponding model and layer presented in this paper model both the countermeasures that can be used to perform cyber operations and the psychological mechanisms hidden in each response process. Specifically, a psychology-based cybercognitive attack processing model was designed to achieve goals by inducing behaviour from collecting information for system managers to inducing response/cognitive processing/decision making/compensation. As such, this paper focused on clarifying the definition of cybercognitive attacks and establishing performance procedures, which are only used as actions using deception by presenting cybercognitive attacks scientifically and logically using psychology descriptions. With that, this paper is expected to serve as the ground for cybercognitive kill chain research that can defend against further cyberattacks using cognitive vulnerabilities.

Designing an Email Attack by Analysing the Victim’s Profile. An Alternative Anti-Phishing Training Method

Dimitrios Lappas — 2023-06-19

According to Thomson-Reuters the top cyber threat today is phishing in which people are tricked either to click a malicious link or give out personal information. It’s a fact that 96% of these phishing attacks comes from emails, which amount to more than 3.4 billion daily, as reported by Cisco. Austrian aerospace company FACC, Belgian bank Crelan, Acorn financial services and many other companies were recently fell victims of phishing emails losing millions of dollars. Even if experts provide lists of signs that users should seek in an email in order to understand if it is legitimate or scam, the attackers have elevated the quality of the email messages making them believable and very hard to discern them. In order to respond to this elevated threat, unconventional user training is required, focusing on recognizing a phishing email. Knowing how an attacker thinks and prepares the attack vector against a target, we claim that it will make users more suspicious when they receive one. In this regard, an innovative education intervention (consisted of two phases) was designed and developed. In the first phase, 98 participants were asked to visit an artificial social media profile and prepare a phishing email in order to persuade the victim to click a link. Then, the participants were presented with an innovative guided workflow to prepare a spear phishing email which was based on social media intelligence. In the second phase, they were asked to prepare one more email for the same person applying this time the guided workflow. Comparing the two different emails created, we found that the guided workflow led to the creation of more authentic emails which could potentially trick the victim easier. Based on the theory of active learning, we believe that by teaching users how attackers exploit their personal information in order to develop their attack vectors, it will increase their awareness not only for the typical phishing emails but also for more sophisticated spear phishing attacks.

Designing Security for the Sixth Generation: About Necessity, Concepts and Opportunities

Christoph Lipps — 2023-06-19

Intelligent, comprehensive and, above all, secure wireless interconnection is the driving force behind technological progress. To ensure this, the development towards Sixth Generation (6G) Wireless Systems has been launched and is scheduled to be operational by 2030. This data technology of the future turns 6G into the infrastructure of a new generation of mobile, intelligent, and context-sensitive services, available everywhere and featuring high trustworthiness and performance, relying on both, network-side and off-network context sources. In addition, the networks themselves ought to become intelligent and thus more efficient and resource-saving, which requires a high degree of automated utilization of Artificial Intelligence (AI). Building upon the principles of information and communication theory for both the physical (bit)-transmission layer (PHY) and media access, new communication concepts for 6G will be developed providing the foundations for research into new single and multi-user operation, access and core networks. The flip side of this coin of opportunities: Sophisticated technology inevitably leads to additional security vulnerabilities, open access systems and Open-Radio Access Network (O-RAN) approaches imply new attack vectors. The holistic interconnection of everything renders it ever more attractive to attackers to harm systems, and create damage. Furthermore, enhanced computational power along with quantum computers make conventional systems more vulnerable than ever, and the value of the transmitted data increases tremendously: It is not only machine and sensor data, but also very personal and healthcare data transmitted with 6G. Therefore, the aim is to build a resilient and secure 6G system capable of recognizing attacks and uncertainties, flexibly absorbing them, recovering in a timely and sustainable manner, and compensating for impaired functionality through transformation. This holistic resilience-by-design approach is based, among other things, on technology such as Quantum Key Distribution (QKD) and Post Quantum-Crypto to achieve end-to-end security, Reconfigurable Intelligent Surfaces (RISs) to rely, control and manipulate the wireless transmission channel, Wireless Optical Communication (WOC), Physical Layer Security (PhySec), but also Body Area Networks (BANs), the integration of the human body relying on biometrics and the Tactile Internet (TI). These concepts will be discussed and shed light on in the scope of this work.

Tackling Uncertainty Through Probabilistic Modelling of Proportionality in Military Operations

Clara Maathuis — 2023-06-19

Just as every neuron in a biological neural network is a reinforcement learning agent, thus a component of a large and advanced structure is de facto a model, the two main components forming the principle of proportionality in military operations can be seen and are as a matter of fact two different entities and models. These are collateral damage depicting the unintentional effects affecting civilians and civilian objects, and military advantage symbolizing the intentional effects contributing to achieving the military objectives defined for military operation conducted. These two entities are complex processes relying on available information, projection on time to the moment of target engagement through estimation and are strongly dependent of common-sense reasoning and decision making. As a deduction, these two components and the proportionality decision result are processes surrounded by various sources and types of uncertainty. However, the existing academic and practitioner efforts in understanding the meaning, dimensions, and implications of the proportionality principle are considering military-legal and ethical lenses, and less technical ones. Accordingly, this research calls for a movement from the existing vision of interpreting proportionality in a possibilistic way to a probabilistic way. Henceforth, this research aims to build two probabilistic Machine Learning models based on Bayesian Belief Networks for assessing proportionality in military operations. The first model embeds a binary classification approach assessing if the engagement is proportional or disproportional, and the second model that extends this perspective based on previous research to perform multi-class classification for assessing degrees of proportionality. To accomplish this objective, this research follows the Design Science Research methodology and conducts an extensive literature for building and demonstrating the model proposed. Finally, this research intends to contribute to designing and developing explainable and responsible intelligent solutions that support human-based military targeting decision-making processes involved when building and conducting military operations.

Design Lessons from Building Deep Learning Disinformation Generation and Detection Solutions

Clara Maathuis — 2023-06-19

In its essence, social media is on its way of representing the superposition of all digital representations of human concepts, ideas, believes, attitudes, and experiences. In this realm, the information is not only shared, but also {mis, dis}interpreted either unintentionally or intentionally guided by (some kind of) awareness, uncertainty, or offensive purposes. This can produce implications and consequences such as societal and political polarization, and influence or alter human behaviour and beliefs. To tackle these issues corresponding to social media manipulation mechanisms like disinformation and misinformation, a diverse palette of efforts represented by governmental and social media platforms strategies, policies, and methods plus academic and independent studies and solutions are proposed. However, such solutions are based on a technical standpoint mainly on gaming or AI-based techniques and technologies, but often only consider the defender’s perspective and address in a limited way the social perspective of this phenomenon becoming single angled. To address these issues, this research combines the defenders’ perspective with the one of the offenders by (i) building a hybrid deep learning disinformation generation and detection model and (ii) capturing and proposing a set of design recommendations that could be considered when establishing patterns, requirements, and features for building future gaming and AI-based solutions for combating social media manipulation mechanisms. This is done using the Design Science Research methodology in Data Science approach aiming at enhancing security awareness and resilience against social media manipulation.

Teaching pentesting to social sciences students using experiential learning techniques to improve attitudes towards possible cybersecurity careers

Aleksandras Melnikovas — 2023-06-19

Labor market analysis shows that there is a significant shortage of experienced cybersecurity professionals, and this trend is expected to continue in the future. In addition, young people who are reluctant to choose STEM subjects in school typically do not see cybersecurity as a part of their future because they believe it demands exclusive technical knowledge that is beyond their reach. We aimed to change this perception among students of the social sciences, assuming that by providing social science students with the basics of cybersecurity, it would be possible to raise their awareness and encourage them to consider this field as a potential career option. Our team has designed a concise technical course based on Kolb's model that employs experiential learning to provide students with a basic knowledge of ethical intrusion (penetration testing). During the 32-hour subject, cadet officers with no prior IT education experienced all the steps of hacking both into a remotely accessible and physically accessible computer, including initial reconnaissance, vulnerability scanning, exploitation, and privilege escalation. A hands-on practical task of breaking into a highly vulnerable remote computer allowed for the evaluation of knowledge and skills as well as the reinforcement of learning experiences. In order to assess how the students' perceptions of the cybersecurity profession have changed based on the theory of planned behavior, they were asked to provide feedback immediately after the course and one year later. The results indicate that the short, technically challenging, but practical course based on experiential learning had a significant and positive effect on participants' attitudes: they were substantially more likely to consider cybersecurity as a future career, and some of them began participating in other cybersecurity courses or activities. It is reasonable to assume, therefore, that providing similar technical courses to social science students will encourage them to pursue cybersecurity-related careers in the future.

Spam Email Detection Using Machine Learning Techniques

Ioannis Moutafis — 2023-06-19

This paper focuses on the security of electronic mail, using machine learning algorithms. Spam email is unwanted messages, usually commercial, sent to a large number of recipients. In this work, an algorithm for the detection of spam messages with the aid of machine learning methods is proposed. The algorithm accepts as input text email messages grouped as benevolent (“ham”) and malevolent (spam) and produces a text file in csv format. This file then is used to train a bunch of ten Machine Learning techniques to classify incoming emails into ham or spam. The following Machine Learning techniques have been tested: Support Vector Machines, k-Nearest Neighbour, Naïve Bayes, Neural Networks, Recurrent Neural Networks, Ada Boost, Random Forest, Gradient Boosting, Logistic Regression and Decision Trees. Testing was performed using two popular datasets, as well as a publicly available csv file. Our algorithm is written in Python and produces satisfactory results in terms of accuracy, compared to state-of-the-art implementations. In addition, the proposed system generates three output files: a csv file with the spam email IP addresses (of originating email servers), a map with their geolocation, as well as a csv file with statistics about the countries of origin. These files can be used to update existing organisational filters and blacklists used in other spam filters.

Cyber Warfare and Cyber Terrorism Threats Targeting Critical Infrastructure: A HCPS-based Threat Modelling Intelligence Framework

Rennie Naidoo — 2023-06-19

Acts of cyber warfare and cyber terrorism (CWCT) that target a nation's critical infrastructure (CI) are quickly becoming a larger threat to national security than conventional kinetic warfare strategies. Adversaries or potential adversaries can target a nation's electrical grids, telecommunications, financial services, transportation, healthcare systems, and other forms of CI. These acts pose a major threat to a nation's CI and consequently exposes citizens to public health, safety, security, and economic development risks. Identifying cyber vulnerabilities and threats can help nations to improve their CI defence strategies. There is a crucial need for research that can aid in understanding the major types of CI threats and by what method they might occur. This paper conducts a systematic literature review to develop an initial threat intelligence framework of CWCT attacks on CI. Drawing from a Human–Cyber–Physical Systems (HCPS) lens, the threat intelligence framework classifies CWCT attacks according to the methods, weapons, vulnerabilities, targets and impact of the CWCT attack. The cyber warfare community can extend the proposed HCPS-based threat intelligence framework to develop more advanced cyber security mitigation strategies, training scenarios and simulations. Large-scale monitoring of CI threats requires in-depth threat intelligence analysis and a collaborative defence strategy. This calls for a higher degree of coordination and orchestration between the military, intelligence agencies, government departments, multinational allies, regulators, and commercial entities. Future research can customize the proposed HCPS-based threat intelligence framework to cater for the unique threats facing specific CI domains.

Determination of the end device risk likelihood using the Bayesian network tools

Tabisa Ncubukezi — 2023-06-19

All institutions use end devices for information processing which includes sending and receiving on the network. This process helps them to improve their business production as well as perform daily activities at a faster rate. However, the increased usage of end devices by both employees and criminals raises concerns and exposes businesses to a range of cyber risks. End devices can sometimes be used as agents and weapons to expose internal business operations. The vulnerability of the end devices to cyber threats and attacks compromises business data, its safety, and security. This paper determines the risk likelihood of the end devices using the Bayesian network tools. To achieve this, the study illustrates the connections of the end device variables to simulate the risk likelihood and its impact. The analysis and interpretation of the simulation are performed using decision tree analysis (DTA), scenario analysis, and sensitivity analysis techniques (Tornado graphs, conditional probability tables (CPT), and value of information configuration (VOI)). The relationship of the variables is demonstrated on the AgenaRisk package. Results revealed variables that influence the risk probability and its impact. End device risks can be caused by insiders and cyber criminals. The risks associated with end devices are influenced by the level of security implementation on different levels. The impact of the cyber risks was also accounted for and the concluding remarks were also made.

Enabling fine-grained access control in information sharing with structured data formats

Tatu Niskanen — 2023-06-19

The ongoing need for societal and industrial digital transformation requires rapidly expanding networks of interconnected organizations and dictates an increasing role for cybersecurity in information sharing. A typical setup consists of multiple stakeholders working closely together and needing efficient channels for sharing relevant information in a secure manner. This is especially prevalent with complex modern supply chains and critical information infrastructures. They often comprise of numerous co-operating organizations, people and in some cases smart devices having different levels of access to a variety of information. Granular access control plays a vital role when distributing information efficiently between stakeholders without revealing sensitive pieces of data to unwanted third parties. This article presents a novel framework for enabling fine-grained access control to share information efficiently and securely in these situations. Our motivation and use case for the framework originates from the secure sharing of cyber incident information in the maritime logistics industry. We present a novel solution to this problem by developing an information sharing platform and a meta-model, demonstrated using an implementation with structured JSON data formats, while supporting previously researched attribute-based encryption schemes. The proposed framework provides a broader context to the fine-grained data access control challenge in addition to the technical implementation.

Towards an active cyber defence framework for SMMEs in developing countries

Nombeko Ntingi — 2023-06-19

Small, medium, and micro enterprises (SMMEs) are obliged to adopt digital technologies to render services to their clients and remain competitive. The COVID-19 global crisis has accelerated the cyberfication of systems and services. The move to digital platforms has afforded SMMEs opportunities to offer their services to a broader geographical area. However, this has also presented opportunities for cybercriminals to invade the digital infrastructure. Adopting digital transformation has put SMMEs in a vulnerable position since they need to manage their cybersecurity while lacking the necessary skills and ICT infrastructure. The inability of SMMEs to defend themselves against cyberattacks compels them to outsource their security needs to external security service providers. These external security service providers offer security services based on a hierarchical operating model. Essential security services are offered at a lower level. If the paying clients require advanced security services, they may be provided as an add-on to the contractual agreement resulting in additional cost.

This paper explores the active cyber defence (ACD) approach to enhance cybersecurity defence while minimising service costs. Therefore, the primary objective and outcome of this paper are to identify some of the essential drivers that will contribute towards developing the active cyber defence framework for SMMEs in developing countries. For purposes of clarity, essential drivers are the gaps highlighted during the literature review and will be referred to as “essential drivers” throughout the paper. The essential drivers, together with suggested recommendations, will be consolidated. The essential drivers were drawn from existing literature by going through peer-reviewed academic papers and company whitepapers.

To achieve the primary objective, we need to establish whether SMMEs are utilising the services of external security service providers. The external security service providers will be referred to as “Security Operation Centre - SOC as a service” throughout the paper. The secondary objective of this paper is to determine whether SMMEs are utilising the SOC as a service and if they do, whether they realise value for money.

Participants Prefer Technical Hands-on Cyber Exercises Instead of Organisational and Societal Ones

Jani Päijänen — 2023-06-19

The current shortage of cybersecurity professionals is about 2 million people worldwide, and in Europe the industry is seeking for about 350 000 skilled professionals. There is also an enormous need for dedicated cybersecurity training courses for existing professionals who wish to acquire completely new skills or maintain their current ones. Due to the lack of new skilled workforce, the current cybersecurity personnel are overworked in their work. In order not to waste the valuable time of cybersecurity professionals with unnecessary training, cyber exercises should be well prepared. This article is based on research conducted in a European collaborative project and more specifically, a cyber exercise organised in early 2022. The purpose of our research was to conduct a preliminary assessment of the participants to learn about their skills and expectations before the cyber exercise. This assessment was used for fine-tuning the exercise. To achieve this, we identified common trends in the participants’ interests during the cyber exercise. The preliminary assessment was carried out as a web survey. The responses were cross tabulated to find meaningful indicators related to skills and interests of the participant group. We identified the most and least preferred knowledge areas for both the industry and public sector participants. Our findings show that the most interesting knowledge areas of all respondents were primarily technical in nature (Data Security, Connection Security, System Security), but Organisational Security was also reported. The least interesting knowledge areas were mostly non-technical in nature (Human Security, Organisational Security, Societal Security) but also Component Security was reported. We also enquired about the preferred team size. The majority of the respondents preferred a team size of three to four persons. The preferred single session duration was 46–60 minutes. The results help cybersecurity professionals to match their knowledge needs with the existing cybersecurity proposition and to determine the right and most beneficial training for them. The results also assist the providers of cyber training and other exercises to describe the targeted development of specific cybersecurity and other knowhow in a coherent, standard-like, way.

A Reflection on Typology and Verification Flaws in consideration of Biocybersecurity/Cyberbiosecurity: Just Another Gap in the Wall

Lucas Potter — 2023-06-19

Verification is central to any process in a functional and enduring cyber-secure organization. This verification is
how the validity or accuracy of a state of being is assessed (Schlick, 1936; Balci, 1998). Conversely, breakdown
in verification procedures is core to the interruption of normal operations for an organization. A key problem
for organizations that utilize biology as an interlock within their systems is that personnel lack sufficient ability
to verify all practically relevant biological information for procedures such as a nurse logging a blood draw, or a
molecular biology technician preparing agar to culture microbes for study. This has several implications, one of
which is our diminished ability to approximate and defend against emerging biologically-linked cyberthreats.
These could be in the form of mis- or dis-information, contaminants, or calculated threats to vital supplies.
Two important questions to ask are: “What may be the implications of diminished ability to undergo strict
verification measures (such as triple redundancy and technological distancing).” And “how does this impact
our ability to anticipate and make changes for verification of biological processes?” This paper aims to discuss
key areas where verification gaps exist and how to bridgethos gaps. Towards this, we cover data integrity,
implications of the lack of verification, triple redundancy, technological distancing, biosafety concerns, and
more. All of this will factor into the ability of organizations with proximity to biosecurity to anticipate national
changes to biological processes that are nationally relevant.

Assessment of Cyber Security risks: A Smart Terminal Process

Jouni Pöyhönen — 2023-06-19

In Finland, the connections to global maritime transportation logistics systems are an essential part of the national critical infrastructure. As a part of maritime logistics systems, the port's operations are important elements for global maritime traffic and the transportation supply chain. Digitalization of seaport services makes it possible to increase the efficiency of terminal systems in the logistic processes. At the same time, port logistic processes can notably reduce its CO2 emissions by optimizing port operations. The improvement of port processes relies very much on the development of Information and Communication Technology (ICT) and Industrial Control Systems (ICS) or Operation Technologies (OT) systems. In port environment there are parts that are controlled (ICS/OT) from the cyber environment but directly interact with the physical surroundings. These are called Cyber-Physical Systems (CPS). In this environment, the cyber security aspects of the port logistic need to be addressed. In Finland, the Port SMARTER research program has been on the way since 2021. The aim of the program is to create port services within new technology solutions, and that way improve cargo and people flows while improving the experience for all stakeholders. However, this development increase also complicated system dimensions in the use of ports and makes port operations complex systems of systems environment characterized by a conglomeration of interconnected networks and dependencies. This paper describes a practical approach to risk assessment work regarding the SMARTER research case. It provides a comprehensive cyber security investigation approach to port operations at the system level. In risk assessment work, the paper emphasizes the importation of description of probabilities to defend the system element against estimated probabilities of cyber-attacks at all parts of port processes. The findings of the study are related to the comprehensive cyber security architecture of the SMARTER research goals. The following research interests are related to the issue: "How a comprehensive cyber security investigation can be conducted in smart ports operations?” This paper emphasizes cyber security risks assessment work should be covered from services for operation, information flows in and between systems, as well as electricity supplies to achieve holistic risks assessment in the smart terminal process.

Governance and management information system for cybersecurity centres and competence hubs

Jyri Rajamäki — 2023-06-19

Information sharing allows organizations to leverage the collective knowledge, experience, and analytical capabilities of their sharing partners in a community of interest. Sharing information is made easier with the help of a suitable information system. The DYNAMO project (10/2022-9/2025) creates tools for the cyber situational picture to support decision-making. One task of its mode of operation is to continue the development of the assets designed in the ECHO project (2/2019-2/2023). This article examines the design of ECHO's governance and management information system and how it can be applied to support the organisational processes and information-sharing needs of the collaborative network as a part of the DYNAMO project.

Students’ Application of the MITRE ATT&CK® Framework via a real-time Cybersecurity Exercise

Aunshul Rege — 2023-06-19

The MITRE ATT&CK framework enables practitioners to understand and track cyber adversary behaviors. Concepts such as social engineering (SE) are not directly captured in current version of ATT&CK as an individual technique, though the application of SE is relevant to many technical behaviors. Utilizing the ATT&CK framework in an educational setting, specifically within a competition focused on SE, allows students to explore adversarial behavior through experiential learning and understand how SE is relevant within cybersecurity. The structure of the framework allows students to see and describe each behavior from the perspective of the adversary, motivating them to compile and question “why” and “how” each individual action contributes to the operational objectives. This paper shares students’ mappings of the ATT&CK framework to playbooks they developed during a real-time SE penetration testing competition. Students were given numerous flags to pursue during the competition and this paper will share their playbooks and mappings to the ATT&CK framework. This paper demonstrates that while someone with more knowledge and experience using the framework may map a SE case study differently than multidisciplinary students who are experiencing it for the first time, there is not a single correct way to map onto the matrix. Having students experience this mapping process allows them to understand the breakdown of an adversary’s behavior and interpret key tactics and techniques in a way that fits their mapping needs. This paper also demonstrates how a SE case study can be mapped onto the ATT&CK framework despite SE not being the focus of the framework, and that SE uses tactics and techniques that are also relevant to technical cyberattacks. The authors hope to encourage more interdisciplinary cybersecurity education by sharing this experiential learning event.

Role of Techno-Economic Coalitions in Future Cyberspace Governance: 'Backcasting' as a Method for Strategic Foresight

Mari Ristolainen — 2023-06-19

In an increasingly complex threat landscape, many nations struggle with developing and implementing effective cybersecurity policies for cyberspace governance at a national and international level. Balancing between the demands for establishing national sovereignty and strengthening international collaboration in cyberspace have become a problematic assignment. Collaborating with nations supporting extensively dissimilar ideologies and cybersecurity policies is controversial. Yet, it is almost impossible for a single country to achieve 'self-sufficiency' in cyberspace. Thus, in order to remain competitive, protected, and resilient one must either join or strengthen a developing techno-economic coalition with similar national cybersecurity policies and/or ideological framework. Consequently, this paper argues that techno-economic coalitions serve as an emerging issue or trend for strategic foresight in cyberspace governance in the future. This paper discusses the potential formation of techno-economic coalitions and shows how 'backcasting' can be used in strategic foresight. In this paper, 'backcasting' is not used as a method for creating a traditional strategic map to a future goal, but as a framework for determining what should have happened in order for the techno-economic coalitions to emerge in future cyberspace, i.e. for finding issues or trends that should be followed in strategic foresight today. Firstly, cyberspace governance in relation to national cybersecurity policies is contextualised. Secondly, the concept of techno-economic coalition is defined and the potential emerging techno-economic coalitions are explicated. Thirdly, 'backcasting' as a method for strategic foresight is described. Fourthly, the results of a 'backcasting' experiment in a strategic foresight workshop are presented. And finally, the future formation and role of techno-economic coalitions in cyberspace governance and in cyber defence both at a national and international level are discussed. The role of techno-economic coalitions in future cyberspace governance should be understood and considered today when developing strategic plans and implementing national and international cybersecurity policies.

Digital Streets of Rage: Identifying Rhizomatic Extremist Messages During a Hybrid Media Event using Natural Language Processing

Teija Sederholm — 2023-06-19

This research explores how to identify extreme messages during a hybrid media event happening in a small language area by utilizing natural language processing (NLP), a type of artificial intelligence (AI). A hybrid media event gathers attention all sides of the media environment: mainstream media, social media, instant messaging apps and fringe communities. Hybrid media events call attention for participation and activities both in the physical world and online. On the darker side of media events, the media landscape can act as a channel for all kinds of disinformation, hate speech and conspiracy theories. In addition, fringe communities such as 4chan also spread hate speech and duplicated content during hybrid media events. From theoretical point of view, this connection between the physical world and information networks can be seen as rhizomatic in nature, because information spreads without regard to a traditional hierarchy. The result is that when individuals participate in a big media event, there is a viral awareness of different viewpoints and all kind of topics may be posted online for discussion. In addition, in rhizomatic context different kind of arguments can twist each other, “copy and paste”, and create very diversity meanings of new comments. The role of extremist speech in online spaces can have effects in physical world.

The focus of this paper is to present the findings of a case study on messages posted online by three different actor groups who participated in demonstrations organized on Finnish Independence Day. In this research, two data sets were collected from Twitter and Telegram and Natural Language Processing (NLP) was used to classify messages using extremist media index labels. Three actor groups were identified as participating in the demonstrations, and they were labelled as: far-right, antifascists and conspiracists. Computational analysis was done by using NLP to categorize the messages based upon the definitions provided by the extremist media index. The analysis shows how AI technology can help identifying messages which include extremist content and approve the use of violence in a small language area. The model of rhizome was valid in making the connections between fringe, extremist content and moderate discussion visible. This article is part of larger project related to extremist networks and criminality in online darknet environments.

An Analysis of Critical Cybersecurity Controls for Industrial Control Systems

Nkata Sekonya — 2023-06-19

Industrial Control Systems (ICS) comprise software, hardware, network systems, and people that manage and operate industrial processes. Supervisory Control and Data Acquisition Systems (SCADA) and Distributed Control Systems (DCS) are two of the most prevalent ICS. An ICS facilitates the effective and efficient management and operation of industrial sectors, including critical infrastructure sectors like utilities, manufacturing, and water treatment facilities. An ICS collects and integrates data from various field controllers deployed in industrial contexts, enabling operators to make data-driven decisions in managing industrial operations. Historically, ICS were isolated from the internet, functioning as part of air-gapped networks. However, the efficiency improvements brought about by the emergence of Information Technology necessitated a shift towards a more connected industrial environment. The convergence of Information and Operational Technology (IT/OT) has made ICS vulnerable to cyberattacks. Due to the crucial nature of the infrastructure that ICS manage, cyberattacks against ICS may cause critical infrastructure sectors to experience downtime. This may have a crippling impact on a country's well-being and essential economic activities. Given the proliferation of cyber warfare, cyberattacks against ICS are increasingly significant at present, as was the case during the 2015 attack on Ukraine's power infrastructure, which was successful in causing a blackout that affected over 200 000 persons. The threat actors used malicious software known as "BlackEnergy3", which was created to interfere with the regular operation of the ICS in charge of controlling electrical substations. This was the first known instance of malicious software causing blackouts. In response to increasing cyberattacks against ICS, the SANS Institute, in a whitepaper titled “The Five ICS Cybersecurity Critical Controls”, present five critical controls for an ICS cybersecurity strategy. This paper discusses ICS and the increased convergence of IT and OT. The paper also outlines significant cyberattacks directed at ICS. The paper then follows an exploratory research methodology done in response to the Five ICS Cybersecurity Critical Controls to determine the state of ICS literature that can help ICS operators secure their environments in accordance with the framework. Additionally, the ICS Cybersecurity Critical Controls are mapped to the NERC CIP standards, which provide guidance on the security of the Bulk Electric System (BES) and associated critical assets in North America.

NCSS: A global census of national positions on conflict, neutrality and cooperation

Radu Antonio Serrano Iova — 2023-06-19

The ubiquity of ICT and the increase in cyber threats have pushed countries to view cybersecurity from a national perspective and draft appropriate national strategies on the topic. While containing similar terminology, these strategies are tailored to the national contexts and hence, differ across regions, cultures, and political contexts. Previous research of these documents has been focused on comparative analysis of countries that can either be considered well developed on this topic or for specific subtopics of cybersecurity. However, some of the subtopics have not been addressed, only now having become more prevalent due to current international conflicts and national / regional socio-political scuffles that have spilled into cyberspace. In our paper, we investigate all countries that have published a National Cyber Security Strategy - NCSS - (or any similar document under a different nomenclature, e.g., policy, decree, etc.), specifically in reference to their position on war, neutrality, and international cooperation. Countries maintaining an NCSS will first be identified using international databases, upon which further study of the aforementioned topics in the NCSSs will occur. We hypothesize, that while international cooperation will be present in most, if not all NCSSs, armed conflicts and neutrality will not be addressed at all nor in depth, in those that contain any reference to them. The resulting paper will present a near-global case study of these topics, which can then signify potential areas of improvement, capacity building, and strengthening of democratic coalitions, globally.

Developing Cybersecurity in an Industrial Environment by Using a Testbed Environment

Jussi Simola — 2023-06-19

Critical infrastructure protection requires a testing environment that allows the testing of different kinds of equipment, software, networks, and tools to develop vital functions of the critical industrial environment. Used electrical equipment must be reliable, capable and maintain a stable critical industrial ecosystem. An industrial business needs to develop cybersecurity capabilities that detect and prevent IT/ICT and OT/ICS threats in an industrial environment. The emerging trend has been to create security operations center (SOC) services to detect ICS-related threats in enterprise networks. The energy supply sector must consist of crucial elements for safe business continuity and supply chain management in the industrial sector. Threats have changed into a combination of threat types. Hybrid threats may prevent everyday industrial activities, processes, and procedures so that supply chain problems may become long-lasting and affects business continuity management.

The project CSG belongs to the (Cybersecurity governance of operational technology in the sector connected smart energy) research project consortium of Business Finland’s Digital Trust Programme.

The first research paper regarding the CSG (Cyber Security Governance) project concentrates on the applied theory background of this project. The research provides a research approach for investigating cyber security at the operational and technical levels. It answers the questions of where to concentrate on OT-related cyber security research and how we aim to deploy a testbed to develop a governance model in the CSG project. The study's primary purpose is to describe the operating OT-SOC environment and analyze system requirements for optimizing situational awareness in the testbed environment.

Smart Terminal System of Systems’ Cyber Threat Impact Evaluation

Jussi Simola — 2023-06-19

Systems of system-level thinking is required when the purpose is to develop a coherent understanding of the ecosystem where every user and system requirements are divided into specific parts. The smarter project, as a part of the Sea4value program of DIMECC, aims to develop harbor operations, including passenger and cargo transportation, in a way that port processes will improve, emissions will decrease, and overall security will enhance in smart ports. This paper describes cyber-attack impacts against the Smart terminal system of systems in the cyber realm by utilizing the MITRE ATTACK® framework to map the objectives of threat actors. The Smart Terminal system environment includes ICT, ICS networks and components, communication systems, and port service systems. Internal and external threat sources or actors are hard to divide exactly because of the diversity of the threats. Hybrid threats challenge maritime domain awareness globally. The cyber threat impacts on IT and OT environments are connected to each other because of the use of internal and external networks that impact each other by combining vulnerabilities and threats. Well-working port and terminal operations require not only protected operational systems or sensor systems, but human errors must also be minimized. Objectives of threat actors are presented, categorized, and listed. Threat scenarios illustrate that cyber threats and risks are mainly similar in the maritime global-linked port community and basic hinterland trade. The networked supply chain of the business causes evolving and combined threat scenarios. European and international standards, regulations, policies, recommendations, and, e.g., guidelines by the IMO, set new cyber-threat requirements for port and terminal services and facilities. Therefore, overall security must be considered when cyber-security is the development area. Information exchange in an understandable form is essential for maintaining business continuity. Threat information has to be transferred among stakeholders as well as cyber security codes have to be followed in the port operations of partners that are involved, for example, in operational and system-level actions. Digitalization in smart ports and terminals enhances the capacity to handle cargo and passengers more efficiently, but cyber threats evolve.

A Cyber Counterintelligence Competence Framework: Developing the Job Roles

Thenjiwe Sithole — 2023-06-19

In recent years, there have been intensifying cyber risks and volumes of cyber incidents prompting a significant shift in the cyber threat landscape. Both nation-state and non-state actors are increasingly resolute and innovative in their techniques and operations globally. These intensifying cyber risks and incidents suggest that cyber capability is inversely proportional to cyber risks, threats and attacks. Therefore, this confirms an emergent and critical need to adopt and invest in intelligence strategies, predominantly cyber counterintelligence (CCI), which is a multi-disciplinary and proactive measure to mitigate risks and counter cyber threats and cyber-attacks. Concurrent with the adoption of CCI is an appreciation that requisite job roles must be defined and developed. Notwithstanding the traction that CCI is gaining, we found no work on a clear categorisation for the CCI job roles in the academic or industry literature surveyed. Furthermore, from a cybersecurity perspective, it is unclear which job roles constitute the CCI field.

This paper stems from and expands on the authors’ prior research on developing a CCI Competence Framework. The proposed CCI Competence Framework consists of four critical elements deemed essential for CCI workforce development. In order of progression, the Framework’s elements are: CCI Dimensions (passive-defensive, active-defensive, passive-offensive, active-offensive), CCI Functional Areas (detection, deterrence, deception, neutralisation), CCI Job Roles (associated with each respective Functional Area), and Tasks and Competences (allocated to each job role). Pivoting on prior research on CCI Dimensions and CCI Functional Areas, this paper advances a proposition on associated Job Roles in a manner that is both intelligible and categorised.

To this end, the paper advances a five-step process that evaluates and examines Counterintelligence and Cybersecurity Job Roles and functions to derive a combination of new or existing Job Roles required for the CCI workforce/professionals. Although there are several cybersecurity frameworks for workforce development, establishing the CCI Job Roles is specifically based on the expression of the Job Roles defined in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.

Static Vulnerability Analysis Using Intermediate Representations: A Literature Review

Adam Spanier — 2023-06-19

Analysis (SA) in Cybersecurity is a practice aimed at detecting vulnerabilities within the source code of a program. Modern SA applications, though highly sophisticated, lack programming language agnostic generalization, instead requiring codebase specific implementations for each programming language. The manner in which SA is implemented today, though functional, requires significant man hours to develop and maintain, higher costs due to custom applications for each language, and creates inconsistencies in implementation from SA-tool to SA-tool. A source of programming language generalization occurs within compilers. During the compilation process, source code is converted into a grammatically consistent Intermediate Representation (IR) (e.g. LLVM-IR) before being converted to an output format. The grammatical consistencies provided by the IR theoretically allow the same program written in different languages to be analyzed using the same mechanism. By using the IRs of compiled programming languages as the codebase of SA practices, multiple programming languages can be encompassed by a single SA tool. To begin understanding the possibilities the combination of SA and IRs may reveal, this research presents the following outcomes: 1) a systematic literature search, 2) a literature review, and 3) the classification of existing work pertaining to SA practices using IRs. The results of the study indicate that generalized Static Analysis using the LLVM IR is already a common practice in all compilers, but that the extended use of the LLVM IR in Cybersecurity SA practices aimed at finding vulnerabilities in source code remains underdeveloped.

Legal and ethical issues of pre-incident forensic analysis.

Iain Sutherland — 2023-06-19

Investigators searching for digital evidence may encounter a variety of different IoT (Internet of Things) devices. Data in such devices and their environments can be both valuable, but also highly volatile. To meet best practices and to process these devices in an expeditious and forensically-sound manner, an investigator should have a predefined plan. Developing such plans requires prior knowledge developed through the exploration and experimentation of the “target” devices. The expanding variety, number, and pervasiveness of IoT devices means there is an increasing need for pre-incident analysis to ensure forensic tools and techniques acquire, preserve and document evidence appropriately. Many of these IoT devices have proprietary file- and operating-systems and may employ mechanisms to protect intellectual property by limiting or preventing access by researchers. Disassembly of the device and circumventing these mechanisms may be restricted by contract, end-user licence agreement (EULA) or legislation regarding intellectual-property rights. Legislative exclusions exist for security research, in some jurisdictions, permitting legitimate analyses. The pre-incident analyses of hardware to establish a forensic process bear some similarity to vulnerability and security research, however there are distinct differences in their end goals. This paper discusses the legal and ethical issues that may be encountered when conducting pre-incident forensics analyses focussing on IoT hardware. It highlights areas of particular concern, identifies best practice and subjects requiring future work as presented in the literature before providing a series of recommendations for forensics investigators processing these types of devices.

Developing Robust Cyber Warfare Capabilities for the African Battlespace

Jabu Mtsweni — 2023-06-19

The evolution of technology in the African battlespace continues to pose a significant challenge to the African militaries. This evolution increases the need for the African militaries to be able to operate in the cyberspace strategically and effectively. Developing cyber warfare capabilities remains a challenge to many African militaries who are struggling to remain afloat due to ever decreasing resources, including budgets. This in turn reduces the effect of these militaries in the evolving battlespace. This paper seeks to present a comprehensive framework for developing cyber warfare capabilities for African militaries to be able to operate efficiently in the cyber battlespace. The proposed POSTEDFIT aligned framework, requires a comprehensive system thinking approach towards developing capabilities in a phased manner. This includes the ability to define the capabilities in terms of the requirements presented by the cyberspace, and the components forming these capabilities. The generic framework is based on the basic understanding of a capability, as the ability to do something, in this case, the ability to secure and operate in the cyberspace for African militaries, ability to conduct offensive cyber operations and ability to keep abreast with the evolving cyber battlespace.

Cybersecurity Through Thesis in Laurea University of Applied Sciences

Ilona Frisk — 2023-06-19

Information technology and its applications surround us and those have become crucial to our lives. However, the understanding of the digital world is not as strong. Successful and functional cybersecurity is a vital component for the defence of a civilised society. This study looks at how cybersecurity has been handled in thesis written at one University of Applied Sciences and what kind of topics have been chosen by thesis writers, and what is written about cybersecurity in them to understand how cybersecurity is seen in higher education. The goal of this paper was to find out how cybersecurity has been handled in theses and what kind of topics have been chosen by thesis writers. The two research questions are: what theses have been published that handle cybersecurity; and how does cybersecurity in them? As typical of a case study, attention is paid to a small number of cases (n = 15) attempting to describe the phenomenon they represent. Of the fifteen theses, two were master’s and thirteen bachelor’s theses, and mostly completed in Safety, Security and Risk Management, Security Management, and Business information technology programmes. Based on the results in this case, cyber security is being examined or developed from several, different points of view and in multidisciplinary ways.

On the software architectures for fog-based secure IOT deployments

christos tselikis — 2023-06-19

In this paper, we examine architectural designs for the support of demanding ad hoc IoT applications, such as industrial and large-scale IoTs. First, we examine the traditional software stack of nodes involved in centralized sensory applications. Then, we propose a highly distributed ad hoc architecture with increased node cooperation. Finally, we propose a secure fog-based hybrid model that offers optimizations with respect to performance and security and which facilitates the development of intelligent localized end-user applications with very strict latency requirements. In the three models that we examine we highlight operations at the routing layer and at the clustering sub-layer.

Towards Norms for State Responsibilities regarding Online Disinformation and Influence Operations

Brett van Niekerk — 2023-06-19

The Internet has provided a global mass communication system, and in particular social media technologies began a social revolution for the public sphere. However, these platforms have been exploited for the purposes of influence operations and disinformation campaigns to hinder or subvert national decision-making processes by affecting the policy makers, voters, or swaying general public opinion. Often this is achieved through manipulative means falling within a grey area of international and constitutional systems. Existing proposed normative frameworks for responsible state behaviour in Cyberspace have tended to focus on cyber operations. While online influence operations are recognised as a concern, they were not explicitly discussed in the frameworks, resulting in knowledge gaps related to countering influence operations and disinformation. There is a growing narrative that influence operations and disinformation campaigns are a cyber security issue and nations sometimes include legislation related to disinformation in cyber security. This indicates that existing cyber norms can be used to guide the development of norms for addressing disinformation and influence operations. This paper aims to propose a normative framework for state responsibility relating to influence operations emerging from thematic analysis of existing cyber norms and research on mitigating influence operations.

The Identification of Cybersecurity Work Roles for the Water Sector in South Africa

Sune von Solms — 2023-06-19

This paper presents the results of a content analysis conducted on the work roles of cybersecurity practitioners for the water sector of South Africa. The paper presents literature review findings on national and international frameworks and guidelines detailing cyber security considerations for the South African water sector as well as national and international guidelines and frameworks which detail the various work roles carried out by cybersecurity practitioners in an organisation. The study found that cyber security considerations and work roles such as physical security of assets, testing and assessment of cybersecurity methods, supply chains cyber security as well as incident investigation and interfacing with law enforcement, were not well defined for cyber security discipline. The study delivers a framework detailing the work roles of cybersecurity practitioners which can be applied to the South African water sector.

Cyber Lessons that the World Can Learn from Lithuania

Matthew Warren — 2023-06-19

In an era of rapid technological advancements and increasing online connectivity, the proliferation of cyber threats, including the spread of fake news and disinformation, presents a significant challenge to nations worldwide. Lithuania has emerged as a leading example in addressing these challenges, particularly concerning cyber groups such as Killnet and disinformation / fake news. This paper aims to explore the key cyber lessons that can be learned from Lithuania's proactive approach in dealing with Killnet and combating disinformation / fake news. By analysing Lithuania's cybersecurity strategies and initiatives, this paper identifies crucial lessons that can be applied globally. Firstly, Lithuania recognises the importance of co-ordinated cyber security technologies and national frameworks to counter cyber groups such as Killnet attacks. Secondly, Lithuania has effectively tackled the spread of fake news / disinformation through a comprehensive approach involving legislation, media literacy programs, and strong cooperation between government agencies, civil society organisations, and the private sector. The country's experience underscores the significance of collaborative efforts in combating misinformation, promoting media literacy, and fostering critical thinking skills among the population.

Legal Response to Social Media Disinformation on National Level

Murdoch Watney — 2023-06-19

Social media has an enormous impact on the manner in which society communicates and shares information. Digital is no longer a supplementary channel, but is the first place most people go to for news, information and communication. The transmission of social media disinformation has increased dramatically across the world and it necessitates a response. The discussion focuses on the response to social media disinformation on a national level. The discussion does not focus on foreign state or state-sponsored actors of misinformation. The focus and publicity may - within the context of cybersecurity - predominantly have been on cyberattacks, such as ransomware attacks. However, recent incidents - unrelated to foreign state interference and cyberattacks - illustrate that cybersecurity law must encompass the threat of disinformation. The 2020 COVID-19 pandemic, 2021 Washington, DC, United States, and South African as well as the 2023 Brazil riots illustrate the harmfulness of social media disinformation. Cognisance should be taken of the lessons learnt from the examples of social media disinformation as it may assist in determining a response to disinformation. There are various responses to national social media disinformation, such as legislative social media platform regulation, censorship, and criminalisation of the disinformation by itself. The response within the context of a cybersecurity threat landscape necessitates scrutiny as the response may impact on human rights. The trade-off between security and human right protection may be the violation of human rights to prevent harm from disinformation.

On Benchmarking and Validation in Wargames

Adam Wilden — 2023-06-19

There are multiple arguments for and against wargames. Many scientists do not recognise the science in wargames. It is suggested that there is not enough literature relating to wargaming, for there to be any large-scale research into wargames. This is primarily because scientists often refuse to publish results, thus creating a vicious cycle where research is not published because there is not enough research being published. This ultimately deters researchers from studying wargaming in any serious fashion. Owing to this limitation, published work on the results, and protocols of wargames are scarce in scholarly research. Wargaming has considerably less academic focus with a fragmented and practical focus on design and benchmarking. This is surprising given the long history of wargaming (dating back to the early 1600’s), when compared to the relatively recent history of other domains such as software engineering. To better understand the current state of research into wargaming in reference to benchmarking and validation, a scoping review (SR) was conducted. The scholarly research into wargaming reveals papers on general modelling, conflict modelling, influence modelling, evaluation of wargames, analytical tools, use of AI in wargame design, evaluation of predictive modelling in wargames, improving command and control through wargaming, and cost-benefit analysis for decision making. The initial analysis of the coverage of wargaming research, together with the limited number of papers found, indicate that there is a distinct lack of academic research into wargaming. Additionally, there is a wide variety of areas that are interested in the wargaming field, however, with no universal method of analysis or benchmarking, this limits the reproducibility of results, and the ability to judge the overall effectiveness of wargaming efforts. Wargame designers need to be able to assess wargame components to validate, compare, and predict the effects on gameplay and for decision-makers to draw conclusions with more confidence.

The UN Global Digital Compact (GDC), Achieving a trusted, free, open, and Secure Internet: Trust-building

Allison Wylde — 2023-06-19

A United Nations’ (UN) public consultation, underway, is reviewing requirements for the Global Digital Compact (GDC) to advance UN goals for an ‘open, free, and secure digital future for all’ (UN, GDC, 2022). Achieving the goals relies on proposed principles, including: connecting everyone; avoiding fragmentation; protecting data; applying human rights; accountability for discrimination and misleading content; regulation of artificial intelligence; digital commons as a public good; and ‘other’ areas. The purpose of this paper is to present an argument that trust must be included as a central ‘other’ principle. Although successful achievement of the GDC goals is contingent on building trust in each principle, a method for trust-building is not provided. Through leveraging well-established organization and conflict management trust-building literature the contribution of this paper presents a fresh conceptual framework, allowing trust and trust-building in the goals to be operationalized and assessed. In, addressing the research gap as to how build trust in the GDC goals as they are implemented, the novel trust-building process as presented helps policymakers, practitioners, and academics better address potential risks to the future internet, such as, increased; state isolation, sovereignty, and internet fragmentation. Limitations and calls for further research highlight that understanding state-level trust-building in policy is not yet mature. Further, scholars needs to better categorize the processes, dynamics and norms involved in state-level trust-building, helping to counter future internet challenges.

Editorial, Biographies and Review Committee

Antonios Andreatos — 2023-07-04

Hosted ByHellenic Air Force Academy (HAFA) and the University of Piraeus, Greece

Edited by Professor Antonios Andreatos, Hellenic Air Force Academy, and Professor Christos Douligeris, University of Piraeus.