European Conference on Cyber Warfare and Security https://papers.academic-conferences.org/index.php/eccws <p>The European Conference on Cyber Warfare and Security has been run on an annual basis since 2002. Conference Proceedings have been published each year and authors have been encouraged to upload their papers to university repositories. In addition the proceedings are indexed by a number of indexing bodies.</p> <p>From 2022 the publishers have decided to make all conference proceedings fully open access. Individual papers and full proceedings can be accessed via this system.</p> <p><strong>PLEASE NOTE THAT IF YOU WISH TO SUBMIT A PAPER TO THIS CONFERENCE YOU SHOULD VISIT THE CONFERENCE WEBSITE AT<a href="https://www.academic-conferences.org/conferences/eccws/"> https://www.academic-conferences.org/conferences/eccws/</a> THIS PORTAL IS FOR AUTHORS OF ACCEPTED PAPERS ONLY.</strong></p> Academic Conferences International en-US European Conference on Cyber Warfare and Security 2048-8602 Systematically Integrating Cyber Threat Intelligence into Resilient Space-Cyber Architectures https://papers.academic-conferences.org/index.php/eccws/article/view/4673 <p>Space systems are undergoing unprecedented commercialisation, increased autonomy and expanded connectivity, bringing both operational efficiency and heightened exposure to evolving cyber threats. These systems underpin critical services such as communication, navigation and Earth observation, yet their cybersecurity practices remain inconsistent across the global space ecosystem. Although frameworks such as NIST SP 800‑160, NASA‑STD‑1006, ECSS‑Q‑ST‑80C and MITRE’s Cyber Resiliency Engineering Framework (CREF) provide guidance for secure engineering, they lack mechanisms for the systematic integration of Cyber Threat Intelligence (CTI). This paper examines current CTI integration practices and the organisational, technical, and regulatory barriers that hinder CTI‑informed resilience in space-cyber architectures. 
Drawing upon an extensive review of academic and industry literature, the study maps how CTI is currently applied across space-system lifecycles and identifies critical impediments to broader adoption. The findings reveal that CTI is primarily leveraged in an ad hoc, reactive manner for patching and advisory processes, with minimal integration into design or operations. Identified barriers include fragmented standards, limited automation in threat-intelligence consumption, cultural resistance to information sharing and divergent regulatory frameworks across jurisdictions. The paper concludes with analytical insights into how these findings can inform future policy and research directions aimed at improving intelligence-driven resilience within the space sector.</p> Chathura Abeydeera Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 932 942 10.34190/eccws.25.1.4673 ‘What’s in a Name?’: How Does the UK Government and Media Construct Cyber Actors? https://papers.academic-conferences.org/index.php/eccws/article/view/4654 <p>Understanding how cyber actors are labelled is important to effectively respond to cyber threats. It has been suggested that cyber is becoming increasingly connected to national security concerns, a process called securitisation. This research sought to take a first step towards understanding whether securitisation is occurring by examining the evolving conceptualisation of cyber actors in the UK. The research reviewed cybercrime reporting from the UK Government and three UK media websites between 2019 and 2023, taking a mixed-methods approach that used thematic analysis to group cyber actors, and content and statistical analysis to detect shifts in these categorisations. The research identified six primary categories used to conceptualise cyber actors: Attackers, Companies, Criminals, White Hats, Hacktivists, and Nation States.
The research identified significant changes in multiple subcategories between 2019 and 2023, influenced by events such as COVID-19, the 2021 Colonial Pipeline ransomware attack, and the changing geopolitical landscape. Notably, there was an increased tendency to associate cyber actors with nation states, particularly evident following the Colonial Pipeline attack, which correlated with a shift towards linking cybercrime groups to states, and the 2023 TikTok ban on government devices, which saw an increase in companies conceptualised as state influenced. The results also suggested that the type of act does not always determine the perception of cyber actors; instead, geopolitics appears to have greater influence on conceptualisations. The research additionally found that terms for cyber actors (such as Hackers) are often used loosely and interchangeably. Furthermore, the categories of actors formed a spectrum, especially blurring distinctions between states and criminals. The research recommends that organisations consider language around cyber actors more carefully. Further study is recommended to understand whether the results found are evidence of securitisation of cyber actors or a consequence of increased state cyber activity.</p> Alice Brett Iain Reid Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 943 949 10.34190/eccws.25.1.4654 Beyond Obscurity: Developing CubeSat Cybersecurity https://papers.academic-conferences.org/index.php/eccws/article/view/4774 <p>As modern space systems, particularly CubeSat constellations, are increasingly embedded in defence, industrial, and civilian operations, fulfilling an increasingly vital role in telecommunications, earth observation, and national security, their vulnerabilities to cyberattacks continue to grow.
Despite the advantages of CubeSats (cost-effectiveness, scalability, and enhanced coverage), and as satellite providers attempt to maximise payload capabilities, these systems are fundamentally constrained by Size, Weight, and Power (SWaP), imposing significant design trade-offs that limit onboard security. This has contributed to emerging U.S. national security requirements for commercial satellites supporting defence missions to implement real-time on-board intrusion detection and prevention systems, so that for satellite vendors cybersecurity is no longer merely a desirable design feature but an explicit mission-assurance and acquisition requirement for space systems used to support national security. This paper examines the growing cybersecurity risks faced by CubeSat constellations, focusing primarily on multi-stage attacks: complex sequences of interrelated behaviours that may appear individually benign but are collectively malicious. Although terrestrial intrusion detection systems have been successful, they do not model the distinctive dynamics of satellite networks, and the publicly available satellite-oriented datasets needed to achieve the same success in the space domain do not exist. This necessitates the development of bespoke, packet-level datasets for effective cybersecurity modelling. To address the immediate need for enhanced resilience while bespoke datasets are developed, and drawing on a review of existing cybersecurity measures and the integration of machine-learning-based solutions, we propose a preliminary cybersecurity framework based on self-supervised learning. This approach uses contrastive learning to produce a nominal operational profile of the satellite’s systems. This profile serves as a baseline for an onboard anomaly detection system, aiming to identify deviations that could indicate a cyberattack.
By developing adaptive intrusion detection systems (IDS) that prioritise resource conservation, we aim to enhance CubeSat security in future space missions, ensuring both operational integrity and data confidentiality. Furthermore, we propose the development of a minimum cyber resilience capability checklist, accompanied by a standardised testbench. This testbench would provide analogous testing to vacuum and vibration tests common in satellite engineering, covering core, low-cost, high-reward attack vectors such as authentication and encryption vulnerabilities, fuzzing, replay attacks, and Denial of Service (DoS). The results would be delivered to the satellite owner or producer in a simple pass/fail format, identifying which tests failed and recommending standard methods to mitigate the identified vulnerabilities. This framework aims to establish a foundational and verifiable level of cyber resilience for CubeSat missions.</p> Joshua Davis Jill Slay Nalin Arachchilage Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 950 957 10.34190/eccws.25.1.4774 Zero-Day Vulnerabilities, Cartography, and Quantification Initiative https://papers.academic-conferences.org/index.php/eccws/article/view/4570 <div><span lang="EN-GB">Zero-day vulnerabilities have become a critical concern across security teams. Despite their growing frequency, they remain a largely uncharted domain: there is currently no consolidated information, statistical visibility, or cartography describing the true scale of the problem. Organisations lack metrics that would enable them to understand how zero-days are distributed among products or technological ecosystems, limiting their ability to anticipate, detect, and accurately assess the risks associated with these vulnerabilities. 
In the absence of a structural understanding of the phenomenon, organisations rely on linear, product-centred approaches inherited from traditional vulnerability management and built around indicators such as CVE identifiers, CVSS scores, or patch availability. Although these indicators are essential, they do not capture the multidimensional relationships and ecosystem-level dependencies that shape zero-day behaviour. Consequently, analyses remain confined to individual vulnerabilities rather than the structures that connect them, leaving organisations without models capable of describing how zero-days emerge, cluster, or propagate across technologies. To address this gap, this work begins with an in-depth <em>a posteriori</em> phase aimed at establishing the first consolidated inventory of past zero-days. This fundamental effort is intended to establish an initial structural basis that will enable further long-term research into the systemic characteristics of zero-day vulnerabilities. Afterwards, this study seeks to reveal “domino effects”, clusters of technological weakness, and cross-product propagation paths that remain invisible in traditional analytical frameworks. The goal is to provide a new visualisation to support not only future predictive models and improved detection strategies, but also more informed and contextualised risk assessments.
By moving beyond linear scoring systems and embracing a structural, graph-driven perspective, this work lays the groundwork for a more proactive, comprehensive understanding of zero-day vulnerabilities and the technological ecosystems they inhabit.</span></div> Myriam Ouraou Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 958 967 10.34190/eccws.25.1.4570 Warfare in the Gray Zone: The Need for a Western Paradigm Shift https://papers.academic-conferences.org/index.php/eccws/article/view/4698 <p>This paper examines how China’s historical strategic culture informs the development of its information warfare doctrine and identifies the changes required for the United States to adapt. China’s contemporary approach to warfare extends beyond the traditional battlefield, integrating information, cognitive, and influence operations as central components of strategic competition. China’s strategic culture draws on classical and modern foundations, including Sun Tzu’s emphasis on deception (Sawyer, 1994), Mao Zedong’s theory of protracted conflict (Mao, 1938), and the concept of Unrestricted Warfare (Qiao & Wang, 1999). This study traces the institutionalization of the Three Warfares doctrine and the establishment of the Strategic Support Force, illustrating their application through case analysis in the South China Sea and Pacific Islands. The findings highlight key U.S.
strategic vulnerabilities, particularly the continued treatment of information operations as peripheral rather than central to national strategy.</p> Austin Carter Timothy Shives Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 969 975 10.34190/eccws.25.1.4698 Banking Resilience: Building Cyber Incident Response in the Finnish Financial Sector https://papers.academic-conferences.org/index.php/eccws/article/view/4852 <p>Cybersecurity incidents in the financial sector pose systemic risks to economic stability and societal continuity. Despite extensive regulatory oversight and generally high cybersecurity maturity, recent incidents in Finland have revealed persistent weaknesses in incident response and recovery. Using a recent incident at the Nordic bank Nordea as a descriptive case, the study examines governance structures, role allocation and skills coordination during cybersecurity incidents at the sectoral level. The research data consist of document analysis of public incident-related material and six semi-structured interviews with cybersecurity professionals experienced in the financial sector. The analysis is informed by established cybersecurity governance and incident response frameworks. The data were analysed using thematic analysis to identify key patterns and gaps in incident response practices. The findings indicate that while preventive controls in the Finnish financial sector are well-developed, effective incident response is constrained by rigid structures, fragmented accountability, and limited application of skill-based roles. Incident response is frequently managed within functional silos, reducing shared situational awareness and slowing adaptive decision-making. 
The study contributes to the cybersecurity and crisis management literature by contextualising the European Cybersecurity Skills Framework within financial-sector incident response and highlighting the importance of continuous learning, clear role coordination, and flexible governance mechanisms.</p> Jade Karrila Ilona Ilvonen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 976 983 10.34190/eccws.25.1.4852 AI Warfare https://papers.academic-conferences.org/index.php/eccws/article/view/4753 <p>Artificial intelligence (AI) is rapidly transforming military strategy, yet the idea of AI warfare remains loosely defined. This paper introduces a structured framework that views AI warfare as a form of strategic competition centred on algorithms, training datasets, AI-as-a-Service (AIaaS), and AI-generated content (AIGC). These technological instruments are used to influence adversaries’ decision-making and cognitive processes, while simultaneously undermining their defensive and command capacities. The analysis begins with the layered architecture of the AI ecosystem (infrastructure, algorithm-data, foundation models, and applications), each layer containing vulnerabilities that can cascade through the system. AI systems also carry inherent limitations, such as unclear problem contexts, lack of creativity or emotional understanding, disembodiment, and weak collaboration between models. These traits distinguish AI warfare from conventional cyber operations and highlight why traditional cybersecurity measures often fall short. The proposed framework operates across three interlinked components: technological infrastructure (semiconductors, high‑performance computing, and high‑speed networks) sets the capability and flexibility of AI systems, while an opaque algorithm‑data core becomes a frontline where adversarial manipulations threaten reliability.
At the operational level, AI is deployed through AIGC campaigns and AIaaS platforms, with feedback loops among these components driving continuous escalation and adaptation in AI warfare. Five critical focus areas emerge: (1) proprietary algorithms functioning as opaque “black boxes,” examined through a new Wargaming Design (WD) model using iterative red-blue team challenges; (2) vulnerable training datasets, tested for integrity via the WD model’s consistency checks; (3) AIaaS platforms demanding security-by-design safeguards such as role-based access and auditing; (4) AIGC as both an effective offensive tool and a potential source of self-sabotage; and (5) quantitative audience analysis to assess cognitive and behavioural outcomes. Defensive strategies include blockchain-based distributed architectures for resilience, secure interaction design, AI-native firewalls, interdisciplinary user/audience research drawing on sociology and psychology, and global governance structures akin to non-proliferation treaties. Through this approach, the paper explains why conventional defences fail against AI-specific threats. Future work will experimentally apply the WD model to existing AI systems, measuring its effectiveness in identifying algorithmic weaknesses and improving AI security. Ultimately, policymakers must balance the power of AI with the preservation of strategic stability and human agency.</p> Dong Wang Tokunbo Makanju Yunlong Shao Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 984 993 10.34190/eccws.25.1.4753 Building Cyber Defenders of the Future: Curriculum Design for Emerging Roles https://papers.academic-conferences.org/index.php/eccws/article/view/4708 <p>Creating and maintaining curriculum for emerging cybersecurity work roles is a significant challenge for organizations.
Training is expensive, and quality curriculum requires careful curation and sustained effort. Such curriculum typically combines cognitive learning with a considerable amount of applied, hands-on practice. Data is currency, both for emerging cybersecurity work roles and for instrumenting the curriculum itself. We are developing courses for emerging work roles on Cyber Protection Teams (CPTs), specifically for the positions of Analytic Support Officer (ASO) and Data Engineer (DE). Analytic Support Officers learn to ingest cyber threat intelligence, analyze cybersecurity datasets, map enemy courses of action, develop analytics, and provide expert assessments in support of operational decision-making. Data Engineers learn to explore cybersecurity datasets, implement effective data models, collect information from key data sources, transform data for usability, and store data for future analysis. We take a learning engineering approach that incorporates instrumentation, data collection, and behavioral analysis to support curriculum development while maximizing the use of open-source tools and open standards. The effort also includes integrating hands-on virtual environments, competency frameworks, and open standards such as Experience API (xAPI) and Computer Managed Instruction (cmi5) to track training effectiveness and ensure alignment with training goals. This paper discusses the technical and organizational challenges of developing cognitive and hands-on content, aligning instruction with learner motivations and competency frameworks, and applying learning engineering methods and open standards to support modern cyber workforce development.</p> Toby Meyer Austin Vershave Jael Rivera Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 995 1003 10.34190/eccws.25.1.4708 Cybersecurity Management Competencies in Critical Infrastructure Organizations. 
A Review and Research Agenda https://papers.academic-conferences.org/index.php/eccws/article/view/4866 <p>Critical infrastructure is vital to the economic, social, and technological survival and welfare of nations. Attacks on these infrastructures can be devastating and can lead to serious consequences. The Top Management Team (TMT) comprises the highest decision-makers, who seal the fate of such organizations when it comes to risk management. Regulations and best practices demand that the TMT take responsibility for the cybersecurity posture of critical infrastructure organizations in order to protect that infrastructure or prevent further damage. Critical infrastructure organizations often have a combination of information technology and operational technology spread across a wide geographical area, together with extensive regulation that can affect security investments and the composition of the TMT. Consequently, to effectively carry out their responsibilities, the TMT requires cybersecurity competencies; the specific cybersecurity management competencies that constitute these requirements therefore need to be identified and tailored to their roles. To identify research in this area, we surveyed prominent journals that publish on cybersecurity, management, and critical infrastructure. We used search terms that address the cybersecurity skills, knowledge, and attitudes necessary for top management in strategic decision-making and cybersecurity risk management. To ensure the collection of relevant articles, the literature review follows a systematic review process. A qualitative analysis method was employed to identify five thematic areas, namely leadership, learning, organization, cybersecurity, and competency, through which management’s cybersecurity competencies are positioned as strategic requirements that can impact organizational cybersecurity resilience.
The strategic responsibilities of the TMT are extending to cybersecurity management in organizations, and the TMT is also required to align cybersecurity management with the organization’s strategic objectives. Thus, to effectively carry out their responsibilities, the TMT requires cybersecurity competencies. This review has identified relevant cybersecurity skills, knowledge, and attitudes that can constitute the cybersecurity management competencies needed to support the TMT in critical infrastructure protection. The review also reveals research gaps arising from the limited number of studies that consider the cybersecurity management competencies of the entire TMT. This review provides a foundation for developing a theoretical framework for studying TMT cybersecurity competencies in critical infrastructure organizations.</p> Shehu Abubakar Hanna Paananen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1 9 10.34190/eccws.25.1.4866 MAGNAS: A CCTV Searching Platform for Digital Investigation https://papers.academic-conferences.org/index.php/eccws/article/view/4730 <p>Closed-circuit television (CCTV) systems generate huge amounts of video material, making manual inspection slow, inefficient, and prone to missing evidence. As surveillance scenarios grow more complex, investigators require automated tools capable of understanding extensive, unstructured recordings and supporting natural-language search, which most existing systems cannot provide. Current video-analysis systems usually focus on isolated tasks such as detection, action recognition, or captioning, producing fragmented outputs that lack the consistency and explainability needed for forensic work.
This research presents MAGNAS, an intelligent CCTV retrieval platform that converts raw footage into a searchable metadata index using a multi-phase pipeline integrating person detection, multi-object tracking, visual attribute extraction, and action recognition. It generates structured representations including bounding boxes, timestamps, appearance attributes, and actions stored in an SQLite database. Users describe people or events via a natural-language interface, and the system translates these into structured filters for accurate set-theoretic retrieval. MAGNAS was evaluated using mAP for detection, Recall@K and Precision@K for retrieval, and temporal IoU for action alignment. Results show strong person-detection performance and high retrieval accuracy, especially for queries with multiple appearance attributes. Attribute extraction was largely precise, despite challenges with delayed VLM processing, inconsistent action detection under difficult camera angles, and limited temporal accuracy (tIoU = 0.2649). Overall, MAGNAS significantly reduces search time and improves identification of people of interest in large-scale CCTV archives, highlighting the value of organized, explainable video indexing for future investigative technologies and law enforcement applications.</p> Mahra Alameri Maitha Alnoaman Noora Alhashmi Richard Adeyemi Ikuesan Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 10 17 10.34190/eccws.25.1.4730 A Harmonised Dashboard for Smart Home Device Security https://papers.academic-conferences.org/index.php/eccws/article/view/4637 <p>Smart homes increasingly rely on Internet-connected devices, offering convenient services yet raising significant concerns regarding the protection of personal information. 
As the number and variety of devices continue to grow, users face fragmented and inconsistent security, privacy, and data-management controls across different manufacturer ecosystems. Although commercial smart home applications provide centralised access, their interfaces often lack coherent structures for managing essential protection features, making it difficult for users to locate controls, understand device status, and maintain awareness of how personal data is collected, stored, and shared. This paper presents the design and evaluation of a harmonised approach to simplify and unify the user experience, via an integrated security and privacy dashboard. The dashboard provides a unified interface for managing heterogeneous smart home devices, with core functionalities structured around Security, Privacy, and Data Management to support consistent navigation and user control. A task-based study with 16 smart-home users evaluated the dashboard against the Google Home, Amazon Alexa, and Apple HomeKit applications. Participants completed scenarios involving software updates, microphone controls, reviewing and deleting voice-assistant recordings, checking camera footage, and managing location services. Performance was assessed using task completion rates, task completion time, number of clicks per task, and the System Usability Scale (SUS), alongside qualitative feedback from participants. Results showed that participants were able to complete every task using the dashboard, whereas completion rates on commercial applications were substantially lower. Tasks were completed more quickly and in fewer steps, and the dashboard achieved an “excellent” rating on the System Usability Scale. Qualitative feedback highlighted its intuitive navigation, unified structure, and clear organisation of device-related information.
Overall, the findings demonstrate that a harmonised dashboard can reduce complexity, improve user control, and support informed decision-making within smart home environments, ultimately enhancing trust and security for everyday users.</p> Samiah Alghamdi Steven Furnell Steven Bagley Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 18 27 10.34190/eccws.25.1.4637 A Multimodal Authorization Approach for Integrated Access Control Process https://papers.academic-conferences.org/index.php/eccws/article/view/4729 <p>Traditional authorization mechanisms such as passwords, smart cards, and conventional biometrics remain vulnerable to spoofing, replay, and social-engineering attacks, particularly in IoT and cloud environments. Physiological biometrics, including electrocardiogram (ECG) and electromyography (EMG) signals, offer stronger resistance to forgery because of their biological origin while also capturing emotional and behavioral context. This study presents AlMuwathiq, an emotion-based multimodal authorization system that integrates ECG and EMG signals to support adaptive access-control decisions. Real physiological signals were collected and labeled using the Self-Assessment Manikin across five emotional states. After signal preprocessing and feature extraction, multiple machine learning models were evaluated, with a focus on explainable learning algorithms. Experimental results indicate that Random Forest and XGBoost achieved the most stable classification performance. The trained models were integrated into a real-time platform where access control authorization decisions are determined by emotional rules. The findings demonstrate that emotion-aware physiological authorization can enhance security, reliability, and context awareness in modern cybersecurity systems. 
This study thus advances the current state of the art in access control systems, especially in mission-critical infrastructures.</p> Shamma Alhameli Noof Alhammadi Richard Adeyemi Ikuesan Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 28 36 10.34190/eccws.25.1.4729 Beyond the Dashboard: Unseen Cybersecurity Vulnerabilities Caused by User Behaviour in Connected and Autonomous Vehicles Systems https://papers.academic-conferences.org/index.php/eccws/article/view/4596 <p>As Connected and Autonomous Vehicles (CAVs) become increasingly integrated into Intelligent transportation systems, cybersecurity is no longer limited to protecting onboard technologies—it must also account for the everyday digital behaviours of the users who manage and interact with these vehicles. This paper introduces the concept of the “behavior-driven cyber-risk layer” in CAVs, a hidden but critical vulnerability surface created not by system flaws, but by routine user actions surrounding the vehicle ecosystem. Although CAVs rely on advanced communication, sensors, and cloud connectivity, small human habits—such as ignoring software update alerts, connecting infotainment systems to insecure personal devices, oversharing trip information, accepting unverified apps, or reusing credentials across applications—can undermine even the most sophisticated vehicle security architectures. This study examines how these seemingly minor behaviors interact with CAVs’ security mechanisms, including Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications, certificate-based authentication, and onboard digital systems. 
We show how attackers exploit predictable user routines—such as uploading navigation routes to cloud platforms, pairing phones via Bluetooth, or trusting unsolicited messages that appear to come from vehicle services—to introduce false data, manipulate trust decisions, or gain unauthorized access. Through real-world scenarios, we demonstrate how small mistakes can escalate into larger risks, enabling targeted tracking, spoofed messages, or remote access to vehicle functions. Instead of treating these behaviours as psychological tendencies, this paper frames them as operational cybersecurity weaknesses that directly affect the safety and reliability of CAVs. To illustrate, existing user awareness strategies are evaluated to highlight why they fail in high-convenience environments, where users expect seamless automation and often overlook security steps. Finally, a set of human-centered cybersecurity practices are proposed that are designed specifically for CAVs ecosystems, including simplified interface warnings, context-aware security prompts, secure-by-default connectivity options, and automated verification mechanisms that reduce reliance on user judgment. By revealing the hidden risks embedded in everyday interactions, this work emphasizes that the cybersecurity of CAVs depends not only on the technology itself, but also on how people engage with it.</p> Dimah Almani Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 37 45 10.34190/eccws.25.1.4596 Cybersecurity in the Era of Quantum Computing and Advanced AI: Emerging Threats and Future Directions https://papers.academic-conferences.org/index.php/eccws/article/view/4910 <p>Quantum computing and advanced artificial intelligence are beginning to disturb several assumptions on which<br>current cybersecurity practice depends. 
This paper reviews two related areas of risk: the possibility that cryptographically relevant quantum computers could weaken widely deployed public-key encryption, and the ways in which generative AI and large language models are already changing cyber operations. The analysis finds that quantum risk should not be treated as a distant event only, since sensitive encrypted data can be collected now and decrypted later if suitable quantum capability becomes available. It also finds that advanced AI is already affecting the scale, speed, and credibility of social engineering, reconnaissance, vulnerability analysis, and misinformation. The paper discusses the current state of these threats, outlines plausible future scenarios, and identifies practical defensive priorities, including post-quantum cryptography migration, AI system hardening, red teaming, content authentication, workforce training, and governance. The central argument is that quantum and AI security should be handled as near-term resilience issues, even where their most severe effects may appear later.</p> Hisham Alnabulsiyyah Meteabah Aldawsari Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 46 51 10.34190/eccws.25.1.4910 Audio Deepfake Generation and Detection using Deep Learning for Digital Forensic Analysis https://papers.academic-conferences.org/index.php/eccws/article/view/4731 <p>Deepfake audio technology has developed rapidly and now poses serious risks in cybersecurity and digital forensic analysis. Synthetic speech can imitate authentic human voices, which makes manual and automated detection difficult. This study investigates deep learning-based methods for detecting audio deepfakes generated using modern speech synthesis and voice conversion techniques. 
The work focuses on both generation and detection in order to understand how different deepfake methods affect detection performance. The study employs multiple audio generation models, including Coqui TTS, GAN, RealNVP, VAE, and WaveNet, to generate realistic speech. Several deep learning detection models are evaluated, including CNN, LSTM, BiLSTM, CNN-LSTM, CNN-BiLSTM, conditional GAN, and hybrid architectures that combine convolutional and recurrent layers. Three datasets are used for training and evaluation. These include a self-generated deepfake dataset, a public Kaggle deepfake dataset, and the ASVspoof 2021 deepfake dataset. This combination allows evaluation under both controlled and real-world conditions. Experimental results indicate clear performance differences among model types. Simple sequential models, such as LSTM and BiLSTM, perform poorly when deepfake audio exhibits strong naturalistic characteristics. This issue is most evident in Coqui TTS-generated audio, which is difficult to detect because of its natural tone and smooth articulation. In comparison, hybrid models that combine convolutional and recurrent learning consistently achieve higher accuracy and stronger generalization across datasets. The hybrid cGAN with BiLSTM achieves near-perfect detection performance and exhibits stable performance across cross-validation folds and on independent test data. These results confirm that combining spatial and temporal feature learning improves robustness against advanced deepfake attacks. The study also introduces AudioForenX, an interactive forensic tool that integrates the best-performing models. AudioForenX enables real-time analysis, waveform visualization, and classification of audio samples as authentic or synthetic. The findings confirm that hybrid deep learning architectures provide reliable, balanced, and highly accurate detection of synthetic audio. 
This study contributes practical insights for digital forensics and supports the development of effective tools to counter audio deepfake threats.</p> Mahra Alnaqbi Richard Adeyemi Ikuesan Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 52 61 10.34190/eccws.25.1.4731 Detecting Obfuscated Circumvention Traffic via Anomaly Detection: A Semi-Supervised Approach to Tor Snowflake Identification https://papers.academic-conferences.org/index.php/eccws/article/view/4592 <p>The widespread deployment of censorship circumvention tools presents critical challenges for network security monitoring and policy enforcement. Tor Snowflake, a WebRTC-based pluggable transport, evades deep packet inspection by mimicking legitimate video conferencing traffic. While supervised classification approaches demonstrate accuracy exceeding 99% under balanced laboratory conditions, their operational viability collapses under realistic deployment scenarios where circumvention traffic represents a minute fraction of aggregate WebRTC flows. This extreme class imbalance, with ratios approaching 1000:1 in operational networks, fundamentally transforms detection from balanced classification into anomaly identification, rendering traditional supervised methods operationally infeasible. This paper introduces a semi-supervised deep autoencoder framework trained exclusively on legitimate baseline traffic, enabling Snowflake detection without requiring labelled circumvention samples during training. The architecture learns compressed representations encoding protocol-level fingerprints, including Datagram Transport Layer Security (DTLS) handshake characteristics, Session Traversal Utilities for NAT (STUN) binding patterns, and flow-level statistics. 
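</p>
<p>The semi-supervised rule described above, scoring each flow against a model fitted on benign traffic only and alerting above a threshold that is itself derived from benign traffic, can be exercised offline. The following is an added example, not the paper's code or dataset: a per-feature Gaussian scorer stands in for the deep autoencoder, the feature values are constructed, and the assumption that Snowflake separates mainly on the DTLS ClientHello length is mine. It reproduces the base-rate effect the abstract reports (recall holds at 1:1000 while precision falls) and the cost of ablating the DTLS feature.</p>

```python
"""Semi-supervised Snowflake-style anomaly scoring with a base-rate check.

Added example, not the paper's code or dataset. A per-feature Gaussian scorer
fitted on benign WebRTC flows only stands in for the paper's deep autoencoder;
the detection rule has the same shape (score a flow against a model of benign
traffic, alert above a threshold chosen from benign scores). All feature
values are constructed, and the assumption that Snowflake separates mainly on
DTLS ClientHello length is the example author's, not the paper's finding.
"""
import random
from statistics import fmean, pstdev

# Feature order: DTLS ClientHello length, STUN binding requests per flow,
# mean packet size, inter-arrival-time standard deviation.
FEATURES = ("dtls_hello_len", "stun_bindings", "mean_pkt_size", "iat_std")


def synth_flow(kind, rng):
    """Constructed feature vector for one flow of the given kind."""
    if kind == "benign":                       # conferencing applications
        dtls, stun = rng.gauss(512, 20), rng.gauss(6, 1.5)
    else:                                      # snowflake (assumed offsets)
        dtls, stun = rng.gauss(700, 20), rng.gauss(9, 1.5)
    return [dtls, stun, rng.gauss(900, 120), rng.gauss(12, 3)]


class BaselineScorer:
    """Fitted on benign flows only. The anomaly score is the squared
    z-distance over the selected feature indices (all features by default)."""

    def __init__(self, use=None):
        self.use = use

    def fit(self, benign_flows, fpr=0.01):
        cols = list(zip(*benign_flows))
        if self.use is None:
            self.use = list(range(len(cols)))
        self.mu = [fmean(cols[i]) for i in self.use]
        self.sd = [pstdev(cols[i]) or 1e-9 for i in self.use]
        # Threshold = (1 - fpr) quantile of the benign training scores, so the
        # operator chooses a false-positive rate without any Snowflake labels.
        scores = sorted(self.score(f) for f in benign_flows)
        self.threshold = scores[int((1 - fpr) * (len(scores) - 1))]
        return self

    def score(self, flow):
        return sum(((flow[i] - m) / s) ** 2
                   for i, m, s in zip(self.use, self.mu, self.sd))

    def is_anomalous(self, flow):
        return self.score(flow) > self.threshold


def evaluate(scorer, n_benign, n_snowflake, seed=1):
    """Precision and recall of the scorer on a fresh constructed sample."""
    rng = random.Random(seed)
    tp = fp = fn = 0
    for _ in range(n_benign):
        fp += scorer.is_anomalous(synth_flow("benign", rng))
    for _ in range(n_snowflake):
        if scorer.is_anomalous(synth_flow("snowflake", rng)):
            tp += 1
        else:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall, "tp": tp, "fp": fp}


def run():
    """Same detector at 1:1 and 1:1000, plus an ablation without DTLS."""
    rng = random.Random(0)
    benign_train = [synth_flow("benign", rng) for _ in range(5000)]
    full = BaselineScorer().fit(benign_train)
    no_dtls = BaselineScorer(use=[1, 2, 3]).fit(benign_train)
    return {
        "balanced": evaluate(full, 1000, 1000),
        "imbalanced": evaluate(full, 50_000, 50),
        "imbalanced_no_dtls": evaluate(no_dtls, 50_000, 50),
    }


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:20s} precision={r['precision']:.3f} "
              f"recall={r['recall']:.3f} fp={r['fp']}")
```

<p>The threshold is fixed from benign scores alone (a target false-positive rate), which is exactly why precision collapses when benign flows outnumber Snowflake a thousand to one: a 1% false-positive rate then produces ten false alarms for every true Snowflake flow, while recall is untouched. The paper's autoencoder retains far higher precision at that ratio; the direction of the effect, and the need to report precision at the operational base rate rather than at 1:1, is the same.</p>
<p>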
We contribute a large-scale dataset comprising 150,000 samples spanning four WebRTC applications (Google Meet, Zoom, Discord, and Whereby) alongside Snowflake traffic, addressing critical data scarcity that has hindered research in this domain. Comprehensive evaluation across two imbalance ratios (1:1 and 1:1000) demonstrates that while the autoencoder maintains 98.47% recall at extreme 1:1000 imbalance, precision degrades from 97.24% to 87.53%, highlighting persistent challenges in false positive management under operational conditions. Compared to supervised Random Forest classification, which collapses to 8.7% precision at equivalent imbalance, the autoencoder achieves a 78.8 percentage point improvement, confirming operational viability. Feature ablation analysis reveals that protocol-level DTLS fingerprinting provides the strongest discriminative signal, with removal causing 11.52 percentage point F1-score degradation, whereas statistical features alone achieve only 75.58% F1-score.</p> Ban Alomar Zouheir Trabelsi Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 62 71 10.34190/eccws.25.1.4592 Evaluating the Reliability of LLMs in OSINT Investigations: A Friend or Foe? https://papers.academic-conferences.org/index.php/eccws/article/view/4818 <p>This study investigates the use of Large Language Models (LLMs), including GPT, Claude 3, Gemini, Meta, DeepSeek, Qwen 2.5, Mistral Large, and Grok, in Open-Source Intelligence (OSINT) investigations, focusing on their capabilities, limitations, and practical implications. Using a controlled fictional organization, the CtrlZ Society, to simulate a plausible online footprint, the LLMs were provided with a synthetic dataset purportedly linked to the organization. 
The dataset included social media posts, a Reddit thread, a Pastebin document, a GitHub repository, a blog post, a Telegram broadcast, a WHOIS record, and a news article. Based on this dataset, the models were evaluated on accuracy, timeline reconstruction, account attribution, evidence traceability, susceptibility to hallucination, and handling of ambiguity and incomplete information. Results revealed substantial variation among models: Claude 3, GPT, and Qwen 2.5 demonstrated strong analytical performance and reliable synthesis of investigative outputs, while Gemini and DeepSeek exhibited weaker capabilities. Some models, including Meta, were also prone to forced narrative construction when prompted adversarially, highlighting risks of misinterpretation or overreach. Despite these limitations, all LLMs provided valuable support for structuring and summarising complex data, demonstrating their potential as efficiency multipliers in OSINT workflows. Based on these findings, the study provides recommendations for practitioners, including rigorous human oversight, multi-model validation, adherence to verification protocols, and careful evaluation of outputs to mitigate risks and maximise the reliability of LLM-assisted investigations.</p> Errol Baloyi Nokuthaba Siphambili Ntomfuthi Ntshangase Mpho Letshwenyo Fhatuwani Makharamedzha Rendani Mmbodi Ndabezinhle Hlongwane Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 72 79 10.34190/eccws.25.1.4818 Expanding Tactical Cyber Operations for Information-Age Warfare https://papers.academic-conferences.org/index.php/eccws/article/view/4635 <p style="font-weight: 400;">The proliferation of information through cyberspace has reshaped the character of modern warfare and altered how power is generated and exercised. 
Digital systems now underpin intelligence collection, operational coordination, and influence activities across instruments of national power. This dependence creates a persistent capability–vulnerability paradox in which the same networked systems that provide operational advantage also introduce exploitable weaknesses. Although the United States has developed significant strategic cyber capabilities, operational authorities and execution remain largely centralized. Incident data show that espionage, access operations, and information manipulation dominate cyber-conflict patterns, while bespoke cyber tools remain constrained by access requirements, target specificity, and limited reuse. This paper argues that maintaining an advantage in the information age requires expanding cyber execution capability and selected authorities to operational and tactical levels. It examines how cyber power's low barrier to entry enables both state and non-state actors to generate disproportionate effects and how cyberspace, as a human-built domain, often favors offense over defense. The study outlines limits on the employment of strategic cyber tools, including tradeoffs among speed, intensity, and control, as well as the single-use nature of exposed exploits. The paper proposes a tactical cyber operations framework built on dispersed, hyper-enabled units operating under decentralized command and supported by operational-level artificial intelligence processing and human–machine teaming. The framework integrates distributed intelligence validation, signature reduction, deception and decoy practices, and ambiguity operations designed to slow adversary decision cycles and increase targeting uncertainty. 
The paper concludes that doctrinal and authority structures should evolve to support delegated cyber action aligned with the commander's intent in persistent cyber competition.</p> Archie Bass Timothy Shives Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 80 86 10.34190/eccws.25.1.4635 A Lightweight Real-time Framework for Detecting Rogue Switches in Wired Local Area Network https://papers.academic-conferences.org/index.php/eccws/article/view/4664 <p>In today’s digital landscape, securing wired network infrastructure is essential, particularly for Small and Medium Enterprises (SMEs) that often lack dedicated security personnel and resources. This project presents a fully automated, cost-effective method for detecting rogue switches, which are unauthorized devices that may be introduced by malicious insiders or external attackers to bypass network controls. Unmanaged (dumb) switches facilitate lateral movement, network sniffing, and long-term persistence, allowing adversaries to blend into legitimate traffic without detection. To counter this threat, the proposed system employs a correlation-based detection mechanism, supported by a three-layer validation model, to systematically verify infrastructure changes. The layered design reduces false positives and ensures accurate identification of unauthorized network modifications. 
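</p>
<p>A correlation-based check of the kind the abstract describes can be sketched against switch-side data. The following is an added example, not the paper's mechanism or its three-layer validation model: it correlates the per-port MAC table (several MAC addresses behind one single-host access port), the LLDP neighbour table (an unmanaged switch advertises no neighbour) and the site's authorised-port inventory. The command-output text, neighbour table and inventory are all constructed.</p>

```python
"""Correlating three switch-side signals to flag a suspected rogue switch.

Added example, not the paper's detection mechanism or validation model. It
correlates a per-port MAC table (several MACs behind one access port), the
LLDP neighbour table (an unmanaged switch advertises nothing) and an
authorised-port inventory. The table text, neighbours and inventory below are
constructed; port names follow the common GiX/Y/Z convention only for realism.
"""
from collections import defaultdict

# Constructed, in the layout of a typical `show mac address-table` dump.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0011.2233.4456    DYNAMIC     Gi1/0/3
  10    0011.2233.4457    DYNAMIC     Gi1/0/3
  10    0011.2233.4458    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd02    DYNAMIC     Gi1/0/24
  20    00aa.bbcc.dd03    DYNAMIC     Gi1/0/24
  20    00aa.bbcc.dd04    DYNAMIC     Gi1/0/24
"""

# Constructed LLDP neighbour table: local port -> advertised system name.
LLDP_NEIGHBOURS = {"Gi1/0/24": "core-sw1"}

# Constructed inventory: what each port is authorised to carry.
INVENTORY = {
    "Gi1/0/3": {"role": "access", "max_macs": 1},
    "Gi1/0/7": {"role": "access", "max_macs": 1},
    "Gi1/0/24": {"role": "uplink", "neighbour": "core-sw1"},
}


def parse_mac_table(text):
    """port -> set of MACs; header and separator lines are skipped."""
    macs = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            _vlan, mac, _kind, port = parts
            macs[port].add(mac)
    return macs


def assess_port(port, macs, neighbours, inventory):
    """Three correlated checks; returns (verdict, list of evidence strings)."""
    entry = inventory.get(port)
    neighbour = neighbours.get(port)
    evidence = []

    # Layer 1: MAC count against the port's authorised allowance. On its own
    # this fires on hypervisors and docking stations, hence the allowance.
    limit = entry["max_macs"] if entry and entry["role"] == "access" else None
    too_many = limit is not None and len(macs) > limit
    if too_many:
        evidence.append(f"{len(macs)} MACs on a port authorised for {limit}")

    # Layer 2: LLDP. A managed neighbour that matches inventory explains the
    # extra MACs; an unmanaged switch typically advertises nothing at all.
    if entry and entry["role"] == "uplink":
        if neighbour == entry.get("neighbour"):
            evidence.append(f"LLDP neighbour {neighbour} matches inventory")
            return "expected_uplink", evidence
        evidence.append(f"uplink neighbour mismatch: {neighbour!r}")
        return "uplink_changed", evidence
    if neighbour:
        evidence.append(f"unexpected LLDP neighbour {neighbour} on access port")
        return "unauthorised_managed_device", evidence

    # Layer 3: inventory. A port carrying traffic that nobody documented is an
    # infrastructure change in itself; otherwise combine the first two layers.
    if entry is None:
        evidence.append("port absent from inventory")
        return "undocumented_port", evidence
    if too_many:
        evidence.append("no LLDP neighbour; consistent with an unmanaged switch")
        return "rogue_switch_suspected", evidence
    return "ok", evidence


def assess_all(table=MAC_TABLE, neighbours=LLDP_NEIGHBOURS, inventory=INVENTORY):
    """Verdict for every port that currently has learned MACs."""
    macs = parse_mac_table(table)
    return {port: assess_port(port, macs[port], neighbours, inventory)
            for port in sorted(macs)}


if __name__ == "__main__":
    for port, (verdict, why) in assess_all().items():
        print(f"{port:10s} {verdict:28s} {'; '.join(why)}")
```

<p>Neither signal is reliable alone: the inventory allowance keeps the MAC-count check quiet on legitimate multi-MAC endpoints, and the LLDP check separates an authorised managed uplink from a silent unmanaged device. In a live deployment the same three inputs come from periodic CLI or SNMP polling of the managed switches, and port-security MAC limits or 802.1X can enforce what this check only reports.</p>
<p>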
Tailored for SME environments, this solution removes the need for manual inspection, offering a scalable, real-time response to rogue switch detection and mitigation.</p> Vijay Bhuse Vijay Prathap Reddy Kanipakam Xinli Wang Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 87 95 10.34190/eccws.25.1.4664 Leveraging Open-Source Intelligence to Combat Cryptocurrency Investment Scams https://papers.academic-conferences.org/index.php/eccws/article/view/4883 <p>This paper presents a follow-up study to earlier research on cryptocurrency crime, again drawing on the case of an elderly woman defrauded by an online platform known as RSI-Platform. Whereas the initial study focused mainly on on-chain analysis within the blockchain environment, the present work shifts attention to off-chain approaches, applying open-source intelligence (OSINT) techniques to deepen investigations into crypto-related fraud. By systematically examining diverse input data—such as names, phone numbers, email addresses, and URLs—this study conducts link analysis and aims to build detailed profiles of potential suspects, thereby advancing understanding of the strategies and methods used in cryptocurrency scams. The analysis aims not only to trace the scammers’ digital footprints but also to reveal networks and connections to other fraudulent platforms that support these activities. Moreover, this research seeks to raise public awareness about the scale and operation of fake online investment schemes in the crypto sector. 
By exposing the vulnerabilities exploited by offenders and illustrating how OSINT can be used to detect and disrupt such scams, the paper adds to ongoing discussions on cybersecurity and consumer protection in the fast-changing field of digital finance. Additionally, the findings are intended to offer practical insights for law enforcement agencies, policymakers, and the wider public, encouraging a more informed and proactive response to the threats posed by crypto-related fraud.</p> Johannes George Botha Abraha Berkman Louise Leenen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 96 106 10.34190/eccws.25.1.4883 A Knowledge-driven, AI-assisted Cyber Defence Framework for IoMT Remote Patient Monitoring https://papers.academic-conferences.org/index.php/eccws/article/view/4790 <p>The rapid adoption of Internet of Medical Things (IoMT) technologies in remote patient monitoring has reshaped healthcare delivery by enabling continuous, real-time clinical observation outside traditional care settings. However, this shift has also expanded the cyber-attack surface across heterogeneous, resource-constrained medical devices, wireless networks, cloud services, and third-party platforms. In cyber warfare, healthcare has become a geopolitical target, with hospitals, remote monitoring systems, and emergency health systems being used to broaden the attack surface for adversaries to exploit. Existing security approaches for IoMT environments remain largely manual, fragmented, and reactive, limiting their effectiveness in dynamically assessing vulnerabilities and supporting timely defensive decision-making. In critical healthcare contexts, such limitations pose direct risks to patient safety, data integrity, and system availability. 
This research proposes a knowledge-driven methodology pipeline for semantic reasoning and partial automation to strengthen cyber defence in IoMT-enabled remote patient monitoring systems. The pipeline integrates domain ontologies, rule-based reasoning, and knowledge graph representation to formally model medical devices, vulnerabilities, attack vectors, potential cyber-physical impacts, and mitigation strategies. By structuring and linking heterogeneous security knowledge with external cyber threat intelligence, the proposed approach enables context-aware vulnerability detection, automated inference, and explainable security insights. The methodology follows a science and engineering research design, progressing from conceptual modelling to prototype development, semantic framework implementation, and validation. A vulnerability detection algorithm operationalizes the pipeline by systematically identifying exploitable weaknesses, assessing severity and impact, and recommending countermeasures through semantic queries and reasoning. Evaluation using representative remote patient monitoring scenarios demonstrates improved consistency, visibility, and timeliness in vulnerability identification compared to existing IoMT security frameworks. This work contributes a practical, extensible, and automation-oriented semantic pipeline that enhances cyber resilience in healthcare systems considered part of the critical national infrastructure.</p> Kulsoom S. Bughio David M. Cook Abdul M. 
Unar Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 107 116 10.34190/eccws.25.1.4790 MITRE-ATT&CK Integration for Behavioural HARM-based Attack Simulation https://papers.academic-conferences.org/index.php/eccws/article/view/4911 <p>Automated attack simulation has emerged as an important approach for assessing the security of complex networked systems in a scalable and repeatable manner. Frameworks based on the Hierarchical Attack Representation Model (HARM), such as HARMer, support automated vulnerability discovery, attack-path generation, and attack execution. However, existing HARM-based approaches remain largely vulnerability-centric, relying on Common Vulnerabilities and Exposures (CVE) identifiers that provide limited insight into adversary behaviour. Consequently, generated attack paths are often difficult to interpret from a threat-informed defence perspective. This research investigates the integration of the MITRE ATT&amp;CK framework into a HARM-based automated attack simulation pipeline to improve the behavioural interpretability of simulation outputs. An experimental methodology was adopted using an enhanced HARMer framework deployed within controlled and isolated environments. Vulnerability information obtained through automated scanning was used to construct HARM models representing network reachability and host-level vulnerabilities. Identified CVEs were systematically mapped to ATT&amp;CK tactics and techniques using vulnerability descriptions, exploit documentation, and ATT&amp;CK framework definitions. The resulting behavioural information was incorporated into attack planning and visualisation processes. 
To evaluate the effectiveness of the proposed enhancement, four evaluation indicators were defined: Mapping Coverage Rate (MCR), Behavioural Annotation Rate (BAR), Technique Coverage (TC), and Attack Path Preservation (APP). These indicators were used to assess the feasibility of behavioural enrichment while ensuring that the automation and scalability characteristics of the original HARMer framework were maintained. The results demonstrate that CVE-based vulnerabilities can be systematically enriched with ATT&amp;CK semantics, enabling attack paths to be interpreted as sequences of adversary behaviours rather than isolated technical exploits. Behaviour-enhanced attack planning preserved the original path-generation logic while providing additional contextual information regarding attacker tactics and techniques. Furthermore, ATT&amp;CK-based visualisation provided an intuitive representation of behavioural coverage across simulated attack scenarios, supporting clearer interpretation of attack activity. The study contributes a practical approach for integrating behavioural threat intelligence into HARM-based automated attack simulation. By combining vulnerability-driven attack modelling with ATT&amp;CK-based behavioural semantics, the proposed framework advances automated red-teaming beyond purely technical exploit analysis towards more interpretable, threat-informed, and operationally relevant security assessment.</p> Fomotar Nyuykighan Buhnyuy, Femi Fasunlade Oluwatobi Fajana Mmedo Essien Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 117 125 10.34190/eccws.25.1.4911 Cyber Power Through Propagation Control https://papers.academic-conferences.org/index.php/eccws/article/view/4680 <p>Enterprise cyber defense operates in telemetry-saturated environments, yet major incidents continue to escalate through rapid, large-scale propagation. 
Failure rarely stems from lack of visibility; it reflects inability to suppress spread across interconnected systems before compromise becomes self-sustaining. Contemporary cyber operations exploit trust relationships and identity infrastructure to convert initial access into distributed control, overwhelming response capacity despite extensive sensing. This exposes a measurement gap: defenders lack a defensible method for assessing whether an environment can contain propagation once intrusion begins. We propose a cyber-epidemiological model of intrusion propagation that treats the enterprise as a population distributed across a directed graph of trust, privilege, and service relationships. Compromise is modeled as a dynamic process rather than a binary outcome, and defensive cyber operations are treated as endogenous counterforces that directly compete with attacker-driven spread. We formalize a compartmental S-E-I-Q-R model in which susceptible, exposed, infectious, quarantined, and recovered states correspond to operational phases of cyber campaigns, including foothold establishment, activation, lateral movement, isolation, and remediation. This formulation extends prior cyber-epidemic models by explicitly incorporating enterprise identity architecture and active defensive response dynamics central to modern cyber conflict. Building on this model, we derive a cyber reproduction number, <em>R₀</em>, using a next-generation matrix approach. <em>R₀</em> represents the expected number of secondary infectious compromises generated by a single infectious node in an otherwise susceptible environment. Interpreted as an environmental threshold, <em>R₀</em> distinguishes escalation from containment: when <em>R₀</em> exceeds unity, propagation outpaces defensive action; when <em>R₀</em> falls below unity, containment dominates and campaigns tend to collapse. 
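</p>
<p>As an added illustration, not the paper's own equations (the abstract does not reproduce them), here is the next-generation-matrix derivation for one generic S-E-I-Q-R form. S, E, I, Q and R are the fractions of hosts in each state; β is the rate at which an infectious host compromises reachable susceptible hosts over the trust and privilege graph; σ is the activation rate (foothold to active lateral movement); q is the defender's isolation rate; γ is the remediation rate of active hosts that were never isolated; r is the release rate from quarantine. These parameter names are this example's choices.</p>

$$
\begin{aligned}
\dot S &= -\beta S I, \\
\dot E &= \beta S I - \sigma E, \\
\dot I &= \sigma E - (\gamma + q)\, I, \\
\dot Q &= q I - r Q, \\
\dot R &= \gamma I + r Q .
\end{aligned}
$$

<p>At the compromise-free equilibrium (S = S₀, E = I = Q = R = 0) the infected compartments are (E, I). Splitting their dynamics into new compromises F and transitions between compartments V, and inverting V, gives</p>

$$
F = \begin{pmatrix} 0 & \beta S_0 \\ 0 & 0 \end{pmatrix}, \qquad
V = \begin{pmatrix} \sigma & 0 \\ -\sigma & \gamma + q \end{pmatrix}, \qquad
V^{-1} = \begin{pmatrix} 1/\sigma & 0 \\ 1/(\gamma + q) & 1/(\gamma + q) \end{pmatrix},
$$

$$
F V^{-1} = \begin{pmatrix} \dfrac{\beta S_0}{\gamma + q} & \dfrac{\beta S_0}{\gamma + q} \\[6pt] 0 & 0 \end{pmatrix},
\qquad
R_0 = \rho\!\left(F V^{-1}\right) = \frac{\beta S_0}{\gamma + q}.
$$

<p>Two consequences follow directly. Containment (R₀ &lt; 1) requires q &gt; βS₀ − γ: the isolation rate must exceed whatever propagation leaves after organic remediation, which is the sense in which defensive response enters as a counterforce rather than as a property of the attacker. And σ drops out: how quickly a foothold activates changes the timing of an outbreak, not whether it is self-sustaining.</p>
<p>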
<em>R₀</em> characterizes environmental susceptibility to sustained cyber operations, independent of attacker identity or tooling. To operationalize the framework without experiments, the paper proposes a telemetry-driven method for estimating model parameters from standard security operations center and incident response artifacts. The result is a defensible analytic lens linking security architecture, defensive operations, and campaign outcomes, supporting prioritization decisions that constrain adversary freedom of action, reduce coercive cyber power, and strengthen deterrence by denial at both enterprise and national scales.</p> Gregory Carpenter Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 126 136 10.34190/eccws.25.1.4680 Securing the AI Revolution: A Maturity Framework for Trustworthy and Resilient Software https://papers.academic-conferences.org/index.php/eccws/article/view/4703 <p>Traditional software-development maturity models—CMMI, Agile, and DevOps—were designed for deterministic, human‑centric processes and struggle to govern the probabilistic, data‑driven nature of AI systems. As organizations embed Artificial Intelligence (AI) across the Software Development Life Cycle (SDLC), these legacy frameworks lack structures to manage AI‑specific risks such as governance, security, data provenance, and model behavior. Accelerated digital transformation and cloud‑native delivery amplify the consequences of unmanaged AI adoption, exposing firms to systemic security and supply‑chain vulnerabilities. This study uses constructivist Glaserian Grounded Theory to synthesize evidence from industry practitioners, academic researchers, FFRDCs, and scholarly literature, thereby creating an AI‑centric software maturity framework. 
This study develops a five-level AI maturity framework for developing trustworthy and resilient software, grounded in secondary data from industry documents, academic papers, and FFRDC reports using Glaserian Grounded Theory. The framework is empirically derived to identify recurring patterns across sectors, yet it is explicitly presented as a modifiable theory rather than a statistically generalizable model. Future work will validate the framework through primary research – interviews, surveys, and observations to capture informal decision-making practices omitted from the secondary corpus. This five-stage AI adoption model offers a progressive, security-oriented maturation through the stages of (1) Foundational Awareness &amp; Governance—establish AI policies, ethics, and baseline literacy; (2) Experimentation &amp; Initial Integration—enable controlled AI pilots in isolated environments; (3) Integrated Development—embed AI within CI/CD pipelines and business workflows; (4) Proactive Security &amp; Trusted AI—scale AI with threat detection, adversarial testing, and model security; and (5) Adaptive Excellence—achieve continuous, closed‑loop optimization of AI performance, security, and impact. 
These findings leverage coaching, Vygotsky’s zone of proximal development, and Kolb’s experiential learning to reconcile rapid delivery with trustworthy, resilient software; aligning governance, automation, and security across all stages reduces systemic risk, strengthens supply‑chain resilience, and enables sustainable AI transformation.</p> Jami Carroll Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 137 145 10.34190/eccws.25.1.4703 Apache Daffodil for Network Traffic Validation https://papers.academic-conferences.org/index.php/eccws/article/view/4593 <p>This paper explores the relative merit of Apache Daffodil for the automated generation of real-time network traffic validators associated with military vehicles. Daffodil is an "open-source implementation of the Data Format Description Language (DFDL)" which converts between natively formatted data and Extensible Markup Language (XML), JavaScript Object Notation (JSON) or other structures based on predefined schemas. Daffodil can also automatically generate executable parsers, and it is the efficacy and maturity of this facet of the technology for traffic validation that is our primary interest. Military vehicles have traditionally used compact protocols, such as Space Packet Protocol (SPP), MIL-STD-1553, or Controller Area Network bus (CAN bus), to enable real-time validation and limit malicious implants embedded in normal traffic. Over time, message traffic has grown increasingly complex due to increases in performance and use of commercial-off-the-shelf networking technologies leveraging Ethernet and TCP/IP protocols. Messages may now include mission-specific or recursively defined data embedded in the payload fields of variable-length packets. Consequently, it is valuable to assess Daffodil's ability to handle both existing formats and representative payload data within this emerging context. 
Here we directly compare DFDL schemas with equivalent grammars expressed in an extended version of Backus-Naur Form (xBNF) and Hammer to assess its expressive capability and succinctness. To assess the maturity of its validator generator, we compared Daffodil to the industry-standard Bison tool (for xBNF) and Hammer library. Though the comparison is based on numerous formats, here we present three examples: JSON numbers—a simple recursive data format; Micro Air Vehicle Link (MAVLink) messages—non-trivial byte-oriented traffic; and generic SPP messages—a bit-oriented, fixed-size format. Unfortunately, Daffodil's automated parser generation capabilities are currently neither mature nor robust. Daffodil is primarily useful for analysing fixed-length formats or variable-length components which follow descriptive header fields. Daffodil parsers can elegantly check compact bit-wise protocol formats, which is more difficult using Bison and some versions of Hammer. Daffodil is currently of limited utility in analysing recursive or non-prefixed formats such as JSON. Writing DFDL manually appears significantly more verbose and error-prone than both xBNF and Hammer.</p> Benjamin Cavanagh Stephen Taylor Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 146 154 10.34190/eccws.25.1.4593 RAG-H: A RAG-Hardened SOC Framework for Trustworthy Threat Intelligence and AI Defence https://papers.academic-conferences.org/index.php/eccws/article/view/4741 <p>Retrieval-Augmented Generation (RAG) is now the dominant approach for enhancing Large Language Models in Cyber Threat Intelligence (CTI), yet it introduces a new attack surface: knowledge base poisoning and prompt injection. Existing defences address isolated stages of the RAG pipeline, offer no end-to-end integrity guarantees, and are evaluated on answer accuracy rather than Security Operations Center (SOC) mission impact. 
This paper introduces RAG-H, a multi-layer defence framework that secures the full RAG pipeline for SOC use. Ingestion enforces provenance checks and source-reputation scoring so that only trustworthy intelligence enters the knowledge base; retrieval combines semantic relevance with corpus-level credibility and analyst feedback to filter poisoned content; and generation applies context sanitisation and self-verification to surface low-confidence outputs for analyst review. We evaluate RAG-H on a CTI corpus of 300 documents, 90 of which are poisoned, and measure which pipeline stages are most vulnerable, which layered controls most reduce the Poison Impact Rate without unacceptable latency, and how the defences affect incident response. Results show that layered trust, consistency, and governance controls significantly mitigate poisoning effects. The framework establishes a reproducible methodology for securing RAG systems in SOCs and introduces evaluation metrics that connect technical robustness to operational impact. An open-source proof-of-concept accompanies the work as a baseline for future research.</p> Daniela Ceraku Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 155 165 10.34190/eccws.25.1.4741 Defending the Cosmos: Honeypot-based Adversary Detection and Emulation System (HADES) https://papers.academic-conferences.org/index.php/eccws/article/view/4647 <p>This paper presents HADES (Honeypot-based Adversary Detection and Emulation System), a modular CubeHoneypot: a ground-deployable, CubeSat-scale honeypot test bed architecture for cybersecurity research within space systems. 
Built using open-source technologies, including NASA’s Operational Simulator for Small Satellites (NOS3), NASA’s core Flight System (cFS), NASA’s Open Mission Control Technologies (Open MCT) and the T-Pot honeypot platform, HADES emulates telemetry and command functions of real satellite subsystems. Unlike existing satellite honeypots, HADES is designed for both educational and adversary behaviour research applications, enabling cost-effective experimentation and threat analysis in controlled, realistic environments. The paper outlines the design methodology, implementation stages, system components and early results from simulated attacks and telemetry operations.</p> Yuk Tong Chan Sam Seo Ady James Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 166 175 10.34190/eccws.25.1.4647 Assessing Non-Kinetic Effects in Support of Military Operations: An Inference-Driven Framework https://papers.academic-conferences.org/index.php/eccws/article/view/4674 <p>Modern military operations increasingly integrate non-kinetic effects to support and enhance kinetic operations on the battlefield. Intelligence, surveillance, and reconnaissance assets provide a reliable means to measure kinetic effects on adversaries during combat. However, there is a gap in intelligence collection for assessing and quantifying non-kinetic effects, such as shaping perceptions, influencing decision-makers, or degrading adversary morale. These effects are difficult to measure with traditional intelligence techniques because they occur in the cognitive dimension, where observable indicators are limited, and measurement is complex. This limitation introduces operational risks for military leaders, as they cannot always be sure whether a non-kinetic asset will achieve the desired effect or if a behavioural change has taken place. 
This paper introduces a framework for developing measures of effectiveness for cyber, information warfare, and psychological operations planners to evaluate non-kinetic operations supporting kinetic actions. Drawing on case studies such as the Russo-Georgian conflict and the Second Nagorno-Karabakh war, the framework combines intelligence indicators from OSINT, social media analytics, changes in adversary leadership behaviour, shifts in military posture, and other measurable phenomena to generate quantifiable metrics. It also considers collateral, second-, and third-order effects to assess whether non-kinetic operations are achieving their operational objectives. By offering intelligence analysts, planners, and military leaders a rigorous method for planning, executing, and evaluating non-lethal effects, this approach improves effect synchronization, enhances risk assessment, and aids leaders' decision-making.</p> Bruce Chojnacki Nicholas Harrell Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 176 184 10.34190/eccws.25.1.4674 Graph Neural Networks on Phase Space Graphs for Cybersecurity https://papers.academic-conferences.org/index.php/eccws/article/view/4684 <p>Non-linear phase space analysis may be used to represent time-series data as graph data with transitions between states in the time domain. By studying these transitions, we can predict anomalies within the system. Previous research has demonstrated success in learning from phase graphs for malware and seizure detection. These solutions either require extracting global features or converting the graph into an image for convolutional neural networks (CNNs), which adds complexity and limits the potential expressiveness of a graph. To sidestep current limitations, this study proposes Graph Neural Networks (GNNs) for analyzing phase graphs. 
Unlike CNNs, which must transform graph data into an image representation that may not preserve isomorphism, GNNs operate on the graph data itself through message-passing mechanisms that naturally preserve graph structure. Four GNN architectures were evaluated on two cybersecurity datasets: the Canadian Institute for Cybersecurity Intrusion Detection System (CICIDS) 2017 dataset and a power usage dataset for rootkit detection. The CICIDS dataset was processed at three density levels by varying the symbol parameter. Findings reveal that GNNs can be used successfully with phase space graphs, that the type of GNN impacts classification accuracy, and that variance in phase space parameters also impacts accuracy. GIN achieved the most consistent performance across all experiments, while graph density significantly affected results.</p> Parker Cole Ryan Benton Ralf Riedel David Bourrie Rebecca Clark Jeffrey McDonald Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 185 193 10.34190/eccws.25.1.4684 AI Supporting Cybersecurity Curriculum https://papers.academic-conferences.org/index.php/eccws/article/view/4762 <p>Artificial Intelligence is the next frontier. As Machine Learning and Generative AI continue to advance, threat actors are using AI to increase the effectiveness of their attacks. Whether through AI-enhanced social engineering attacks or sophisticated malware that current methods cannot detect, AI is changing the threat landscape. It is imperative that students in the field of cybersecurity be taught to use AI to strengthen defensive measures. 
This paper outlines the need for and recommended best practices for implementing AI training in cybersecurity education to ensure that the defenders of our data are prepared for the next virtual battlefield.</p> Henry Collier Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 194 198 10.34190/eccws.25.1.4762 Automatically Attacking Software Reverse Engineering AI Agents https://papers.academic-conferences.org/index.php/eccws/article/view/4597 <p>Software tools for reverse engineering executable binary files, such as Ghidra, enable malware analysts to safely conduct robust static analysis without having access to original source code. Coupled with the analytic power of large language models (LLMs), agentic systems enabled with tools such as GhidraMCP can allow analysts to automate a previously human-driven process. Although this automation can increase the productivity of a single malware analyst, it also introduces a new area of vulnerability for malware obfuscation. This paper presents an adversarial technique using genetic algorithm-based prompt generation, a modification of an adversarial attack known as AutoDAN, to demonstrate the ability to deceive LLM-powered disassembly and decompilation systems into misinterpreting binary executables, effectively corrupting their analytical output. This proof-of-concept methodology exploits inherent vulnerabilities in how LLMs process and interpret decompiled machine code via prompt injection by using extraneous string variable assignments to pass surreptitious instructions to the LLM while not impacting the functionality of the executable file. We demonstrate this capability through several concise examples. This approach could enable attackers to bypass automated detection systems that rely on LLM-driven analysis pipelines. 
Studying and understanding this attack yields insights into the security implications of integrating LLMs into cybersecurity toolchains and into building more robust agentic code analysis systems.</p> Brian Crawford Justin Phillips Patrick McClure Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 199 205 10.34190/eccws.25.1.4597 Implementation and Analysis of SS7 Signalling Firewall Research Laboratory https://papers.academic-conferences.org/index.php/eccws/article/view/4853 <p>This report details the creation of a high-fidelity, isolated laboratory environment designed to practically analyze Signalling System 7 (SS7) protocol vulnerabilities and the defensive capabilities of modern signalling firewalls. The primary objective of the project is to transform telecommunications infrastructure security testing into an accessible and repeatable methodology using entirely open-source tools. The laboratory architecture is based on a classic Man-in-the-Middle (MITM) scenario involving an attacker (SigPloit), a target (Osmocom STP), and a defense mechanism (P1sec SigFW). This configuration allows all signalling traffic between the attacker and the target to pass through the interposed firewall, enabling a systematic evaluation of the firewall's effectiveness. The report provides a step-by-step guide for setting up the laboratory, configuring the components, executing the test scenarios, and analyzing the results obtained. The empirical findings indicate that while open-source firewalls offer viable mitigation capabilities against standard rule-based threats, they exhibit critical structural limitations when exposed to stateful tracking anomalies and advanced evasion techniques targeting protocol parsers. 
This work serves as both a theoretical foundation and a practical guide for professionals and researchers working in the field of telecommunications security.</p> Ahmet Mithat Demirkol Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 206 212 10.34190/eccws.25.1.4853 Analysis of the Use of Module Lattice Key-Encapsulation Mechanism in Delay Tolerant Networks: A Survey https://papers.academic-conferences.org/index.php/eccws/article/view/4912 <p>Cryptography plays a fundamental role in information security, being directly related to maintaining important properties such as confidentiality and integrity. Many of the algorithms that form the basis of cryptography are based on mathematically difficult computational problems, such as prime number factorization and discrete logarithm. However, the use of quantum computing algorithms poses a threat to some of these cryptographic systems, making communication systems and protocols that use them vulnerable. One example is Delay-Tolerant Networks (DTNs), which have high applicability in space systems and military contexts, but present challenging characteristics for secure implementation. One initiative to combat this threat is the development of algorithms resistant to quantum attacks, collectively known as post-quantum cryptography. These algorithms are based on other mathematical classes that do not have a known optimized solution for quantum or classical computers, but, on the other hand, present greater computational, storage, and data transmission demands. Due to these characteristics, their use must be evaluated according to the context, considering the degree of security required in conjunction with processing, memory, and routing limitations. 
Thus, this work aimed to conduct a survey of the main characteristics and challenges of cryptographic systems to counter quantum cryptanalysis, paying special attention to the post-quantum algorithm Module-Lattice Key-Encapsulation Mechanism (ML-KEM), as well as its vulnerabilities to hardware-level implementation attacks and spaceborne radiation environments. Furthermore, the main architectural characteristics of DTNs were presented, and security aspects and challenges described in the Bundle Protocol Security (BPSec)—specifically regarding the amplification of message-flooding vulnerabilities under expanded post-quantum payloads—were addressed. Finally, suggestions for future work were presented based on opportunities identified throughout the study.</p> Fábio Moreira dos Santos Mark G. Reith Daniel Koranek Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 213 221 10.34190/eccws.25.1.4912 Investigating AI Enabled Attacks and Malware Within Dark Web Ecosystems: An Updated Assessment https://papers.academic-conferences.org/index.php/eccws/article/view/4749 <p>This paper provides a technically grounded assessment of how Dark Web ecosystems are intersecting with AI‑enabled offensive cyber capabilities to compress time‑to‑effect across the cyber kill chain. Hidden‑service marketplaces and broker forums have matured into resilient, quasi‑industrial supply chains for initial access vectors (credential dumps, VPN/RDP footholds), exploit artifacts, malware loaders, and operational services (bulletproof hosting, cryptomixers, DDoS booter capacity). Generative AI and machine‑learning–assisted tooling increases attacker throughput by automating target enumeration, vulnerability triage, exploit parameterization, and social‑engineering content generation, thereby reducing the marginal cost of tailored intrusion campaigns. 
We synthesize research on anonymity architectures, dark‑market economics, and emerging autonomous cyber systems to characterize an operational model in which AI agents execute multi‑step workflows: (i) harvesting and fusing threat‑intelligence signals from forum discourse and market telemetry; (ii) selecting targets via probabilistic scoring informed by asset criticality and exploitability; (iii) generating polymorphic payload variants and adversarial phishing lures; and (iv) iterating tactics in response to defensive controls through reinforcement‑learning–style feedback. This convergence enables hybrid state–criminal collaboration and proxy operations by decoupling capability acquisition from attribution and by supporting deniable command‑and‑control (C2) staging within onion‑routed infrastructures. Quantitative telemetry underscores the strategic relevance of this shift: the FBI’s IC3 reported losses exceeding US$16 billion in 2024, with cyber‑enabled fraud comprising approximately US$13.7 billion and ‘cyberthreats’ (including ransomware and data breaches) contributing more than US$1.5 billion, illustrating the scale of the economic attack surface. In parallel, breach forensics continue to show that initial access is frequently achieved through stolen credentials, vulnerability exploitation and social engineering, which are precisely the phases most susceptible to AI‑driven acceleration. We conclude that AI‑augmented Dark Web ecosystems materially increase campaign scalability, complicate attribution via supply‑chain opacity and pseudonymity, and elevate escalation risk by enabling rapid re‑tooling and persistent access. 
The paper closes with engineering‑oriented defensive implications, including telemetry‑driven detection, graph‑analytic threat‑hunting, and governance controls for AI‑enabled offensive automation.</p> William Easttom William Butler Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 222 229 10.34190/eccws.25.1.4749 Cybersecurity for Military Satellite Systems: Threats, Domains, and Engineering Countermeasures https://papers.academic-conferences.org/index.php/eccws/article/view/4662 <p>Military operations increasingly depend on satellite-enabled services for beyond-line-of-sight command-and-control, intelligence, surveillance and reconnaissance (ISR), missile warning, and precision navigation and timing. As space becomes more contested, adversaries can achieve operationally significant effects by cyber-compromising the end-to-end satellite enterprise rather than physically destroying spacecraft. A prominent example is the 24 February 2022 KA-SAT incident, where an intrusion into terrestrial management infrastructure and downstream user terminals disrupted connectivity for tens of thousands of users across Ukraine and Europe (CyberPeace Institute, 2022; Viasat, 2022). This paper develops an engineering-oriented threat model for military satellite systems across the ground, link, space, and user segments, then translates that model into implementable security controls and mission assurance design patterns. Using a quantitative, model-based risk assessment (Monte Carlo simulation) and control-to-attack-surface mapping, the paper prioritizes high-leverage mitigations such as privileged access management for mission operations, authenticated command and telemetry protection using standards-based space data-link cryptography, and zero trust architectures adapted to intermittent, high-latency RF environments (CISA, 2024a; CCSDS, 2020). 
Finally, the paper synthesizes resilience engineering principles—redundancy, graceful degradation, rapid reconstitution, and cyber-informed autonomy—into a pragmatic roadmap that aligns security investments with operational tempo. The central finding is that satellite cybersecurity must be treated as mission assurance: an integrated set of architectural, procedural, and cryptographic controls that preserve capability under sustained cyber pressure and enable recovery within tactically relevant timelines.</p> William Easttom Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 230 238 10.34190/eccws.25.1.4662 Offensive Cyberspace Operations: Operational Logic, Strategic Utility, and Governance in Contemporary Cyber Conflict https://papers.academic-conferences.org/index.php/eccws/article/view/4661 <p>Offensive cyberspace operations (OCO) have matured into a routine instrument of state power across the spectrum from day‑to‑day strategic competition to armed conflict. Yet OCO remains unusually difficult to conceptualize and govern because cyberspace is privately owned, technically volatile, and operationally interdependent with civilian critical infrastructure and global software supply chains. This paper develops a doctrinally grounded, technically informed framework for analyzing OCO across tactical, operational, and strategic levels of war while avoiding tradecraft. It models OCO effectiveness as an access‑to‑effects pipeline constrained by target system dynamism, intelligence requirements, identity and access management (IAM) complexity, tool exposure risk, and the probability of uncontrolled propagation or collateral impact. Empirically, contemporary intrusion data underscores that exploit‑driven initial access is common and that remediation timelines often lag adversary tempo, reinforcing the perishable nature of access (Verizon, 2025; Mandiant, 2025). 
Strategically, OCO can enable campaign disruption, deterrence by denial, and information advantage, but their coercive predictability is limited, and their escalation externalities can exceed those of conventional fires in tightly coupled socio‑technical systems. The paper synthesizes public doctrine, national strategies, and contemporary legal debates, emphasizing that credible governance must integrate military, intelligence, diplomatic, and software‑engineering risk perspectives, including vulnerability‑equities decisions and supply‑chain assurance. It further highlights accelerants—AI‑enabled capability scaling and the commodification of access through criminal markets—that compress decision timelines and blur state–non‑state boundaries. The conclusion proposes a research and policy agenda centered on measuring effects over time, institutionalizing robust review and oversight, and strengthening resilience to manage the distinctive systemic risks of offensive cyber power.</p> William Easttom Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 239 247 10.34190/eccws.25.1.4661 Information Campaigns in Irregular Warfare: A Framework for Expanding the Threshold of Competition https://papers.academic-conferences.org/index.php/eccws/article/view/4824 <p>Contemporary irregular warfare increasingly unfolds through coordinated information campaigns designed to shape adversary perception, fragment decision-making, and expand competitive space below traditional escalation thresholds. While deterrence frameworks have historically emphasized military capability and economic leverage, modern competitors employ narrative operations, psychological pressure, and legitimacy contests to achieve strategic effects without decisive kinetic engagement. 
Classic coercion theory emphasizes that influence over adversary decision conditions often matters more than direct force application, particularly in ambiguous competitive environments (Schelling, 1966; Freedman, 2013). This paper proposes a decision-centric framework for information campaigns in irregular warfare that explains how coordinated narrative, psychological, and cyber-enabled information actions expand the threshold of competition. The framework integrates deterrence theory, irregular warfare doctrine, and gray zone competition research to show how information campaigns generate cumulative strategic effects through tempo disruption, legitimacy shaping, and perception control. Case evidence from Hizballah’s psychological campaign, Chinese gray zone coercion, and contemporary Russian information operations illustrates how sustained campaigns produce denial, cost imposition, and delegitimization effects without triggering conventional escalation (Wehrey, 2002; Lin et al., 2022; Kalenský and Osadchuk, 2024). The contribution of this study is a structured campaign framework that links information actions to decision advantage and operational outcomes. This model supports parallel, multidomain action and helps practitioners design campaigns that shape competitive conditions before escalation thresholds are crossed.</p> Nick Elekes Timothy Shives Michael Richardson Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 248 254 10.34190/eccws.25.1.4824 A Lightweight Automated SQL Injection Testing Tool with Integrated Discovery and Structured Reporting https://papers.academic-conferences.org/index.php/eccws/article/view/4872 <p>SQL injection (SQLi) remains one of the most persistent and high-impact vulnerabilities in web applications, consistently ranked among the OWASP Top 10 threats. 
Although mature tools such as SQLMap provide extensive detection and exploitation capabilities, their steep learning curve, complex configuration requirements, and command-line-driven interfaces limit accessibility for beginners, students, and small organizations with constrained technical resources. This paper presents the design, implementation, and evaluation of a lightweight, automated SQL injection testing tool that emphasizes usability, efficient detection, comprehensive endpoint discovery, and structured reporting. The proposed system integrates four classical SQLi detection techniques—error-based, union-based, boolean-blind, and time-based—within a modular scanning engine accessible through an intuitive graphical user interface. To improve assessment coverage, an automated discovery module identifies hidden and unlinked endpoints via robots.txt inspection, sitemap.xml parsing, and hyperlink crawling. A multi-format reporting framework generates human-readable and machine-processable outputs, including executive summaries, vulnerability evidence, and mitigation recommendations. Experimental evaluation was conducted using Damn Vulnerable Web Application (DVWA) and OWASP Juice Shop, representing standard testbeds for ethical and repeatable SQLi assessment. Results demonstrate detection success rates ranging from 79% to 93% across the implemented techniques, while integrated discovery increased endpoint coverage by more than 100%. Comparative benchmarking against SQLMap indicates that although SQLMap offers deeper exploitation capabilities, the proposed tool delivers superior accessibility, reduced configuration complexity, faster deployment, and structured reporting suitable for educational, developmental, and small-scale security testing environments. 
The findings validate that lightweight design can achieve effective vulnerability detection without sacrificing fundamental security capabilities, providing a practical entry point for SQL injection assessment.</p> Olusanjo Olugbemi Fasola Ugochukwu Onwudebelu Ibrahim Ismail Nancy Chinyere Woods Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 255 263 10.34190/eccws.25.1.4872 A Hybrid Cyber Defense Framework for Indonesia’s Military Integration into National Cyber Resilience: A Counterfactual Stress-Test https://papers.academic-conferences.org/index.php/eccws/article/view/4825 <p>The June 2024 ransomware attack on Indonesia’s National Data Center (<em>PDN</em>) disrupted hundreds of public services and exposed that the country’s cyber vulnerability extended beyond weak technical controls to include fragmented authority, unclear mandates, and slow coordination among state actors, which plausibly amplified the scale and duration of disruption. Existing work on Indonesia’s cyber defense and national cyber resilience often treats technological upgrades and institutional reform separately and rarely tests how alternative governance architectures might have altered the trajectory of a real incident. This paper asks whether a hybrid civil-military cyber defense framework could have reduced the operational impact of the <em>PDN</em> incident by mitigating coordination failures across detection, containment, and recovery phases. Drawing on open-source reporting, the study reconstructs an incident timeline and identifies three failure nodes: detection delay, containment delay, and recovery failure linked to backup governance. 
Conceptually, it refines existing socio-technical accounts by formalizing coordination failure as a second-order amplifier of cyber incident severity that links fragmented authority to decision latency and expanded incident impact once attackers gain a foothold. Building on prior work that designed a cyber defense framework for the Indonesian Armed Forces, the paper extends this architecture to a national civil-military setting by specifying a Hybrid Cyber Defense Framework centered on a civilian-led National Cyber Security Coordination Center (NCCC) with unified incident command and a Joint Cyber Defense Task Force (JCDTF) providing surge technical capacity under democratic safeguards. Using Counterfactual Process Tracing (CPT), grounded in an interventionist theory of causation, the analysis stress-tests this framework against the PDN timeline, holding baseline technical weaknesses constant while minimally rewiring decision paths and information flows at the three failure nodes. Analog evidence from NATO and Singapore suggests integrated monitoring, pre-designated leadership, and joint exercises can compress response cycles without replacing technical controls. 
The paper offers a mechanism-based template for stress-testing national cyber governance arrangements against concrete incident trajectories and clarifies the democratic boundary conditions under which hybrid civil-military integration is more likely to strengthen cyber resilience.</p> Fibriansyah Fatahillah Timothy Shives Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 264 272 10.34190/eccws.25.1.4825 Gamified Provocations of Interest for Cybersecurity Awareness https://papers.academic-conferences.org/index.php/eccws/article/view/4643 <p style="font-weight: 400;">Cybersecurity awareness is important for all users of digital technology, but it can often be challenging to capture the attention of those that need it. Gamification can potentially contribute in provoking interest and engagement, but consideration still needs to be given to potential barriers to entry (in terms of the time required to understand and play the game, and any prior knowledge or support that players may need to do so). Many current cybersecurity games are well suited for use in settings where time has been set aside to play them. However, they are less applicable to being used as initial provocations of interest, or to attract and engage players on a more casual basis. With this in mind, the paper presents three game-based activities that have been specifically designed to support short-form cybersecurity engagement and awareness: Cyber Defence Dice, Hacker Whacker, and Password Enlightener. 
The discussion highlights how these activities offer an entry point for additional cybersecurity engagement, providing a foundation for further awareness and education activities or a reference point that can be used within them.</p> Steven Furnell James Todd Lucija Šmid Simon Castle-Green Xavier Carpent Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 273 282 10.34190/eccws.25.1.4643 A Systematization of Knowledge on Biomarker Based Encryption Keys https://papers.academic-conferences.org/index.php/eccws/article/view/4602 <p>Encryption keys require careful management, they must be securely stored, and if stolen or compromised, the consequences can be catastrophic. Ephemeral keys are created, used and then deleted, reducing the attack surface. As the tactics, techniques and procedures of threat actors continue to evolve, implementing an ephemeral encryption key would enhance the protection of critical infrastructure systems, sensitive data and communication systems. This research investigates the feasibility of generating a repeatable, unique, yet transient encryption key from human biomarkers. By deriving cryptographic keys directly from bioelectrical and biochemical markers, key management overhead and long-term exposure risks can be minimized. This Systematization of Knowledge (SoK) addresses two primary challenges. Firstly, determining the viability and limitations of deriving consistent keys from inherently variable biomarkers. 
Secondly, we propose a manifold encryption key derivation scheme using context dependent signals drawn from the network, device and environment to overcome the limitations of biometric based key generation, including irrevocability, noise, and entropy deficiency.</p> Matthew Gaber Mohiuddin Ahmed Al-Sakib Khan Pathan Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 283 292 10.34190/eccws.25.1.4602 Preparing Industry for IIoT: Separate Sensor Networks for Industrial Automation Security https://papers.academic-conferences.org/index.php/eccws/article/view/4668 <p class="western" lang="en-GB"><span lang="en-US">Industrial automation has brought innovations in efficiency and safety to modern manufacturing. The emergence of big industrial data, AI and Internet-connected industrial automation systems promises many advantages in manufacturing, maintenance, health &amp; safety, product customization, logistics, and reporting. The Industrial Internet of Things (IIoT) seeks to attach industrial systems to the Internet for data collection and processing. The Internet is not a secure place for many of the industrial systems in use today. Industrial networks are designed for speed, accuracy, and availability at the expense of security. In our experiments, we demonstrate how easy it would be for hostile actors to gather data that could be used to compromise the industrial automation systems if actors (a) had physical access to the internal network or (b) access to data streams that feed to the external network. To resolve some of these issues, we propose a hybrid solution of sensor data acquisition in which a secondary network with additional sensors and controllers are installed; the secondary network, sensors and controllers are isolated from the internal control system. 
The results show that our solution enables useful data collection without impacting the security, speed, accuracy, and availability of industrial control system. It also has the potential to permit anomaly detection using independent sensors on different networks.</span></p> Ricky Green Ryan Benton Michael Black Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 293 302 10.34190/eccws.25.1.4668 A Physically Unclonable Function Authentication Protocol to Secure IEEE C37.118 Communications https://papers.academic-conferences.org/index.php/eccws/article/view/4693 <p>This paper outlines the need for security on the smart grid, specifically for Phasor Measurement Units (PMUs) and Phasor Data Concentrators (PDCs). These devices are targeted due to their criticality to the smart grid and the insecure communication protocols used. Common attacks on these devices target the data sent between them. As such, integrity-based attacks are the focus of this paper, more specifically on False Data Injection attacks (FDIAs) and Time Synchronisation Attacks (TSAs). Security solutions are proposed throughout literature from mitigation and protection techniques to detection and resolution techniques. To secure the PMU and PDC, this paper proposes an authentication protocol, utilising Physically Unclonable Functions (PUFs). PUFs are utilised to ensure device-specific authentication, in addition to the use of other cryptographic techniques including fuzzy extractors, nonces, encryption algorithms, and identifiers. A testbed was developed, on which the protocol was implemented and tested against the integrity-based attacks, namely FDIA and TSA. Informal and formal security analyses were performed on the protocol, finding that the protocol was secure against multiple attacks, including the FDIA and TSA, and implemented mutual authentication and forward secrecy. 
The formal security analysis was implemented with ProVerif, a tool used to prove the security of authentication protocols. The informal security analysis is provided as a logical sequence to prove the protocol’s security against attacks and inclusion of security proofs. A performance analysis was performed to ensure the protocol had low enough computation, communication, and storage overheads.</p> Taylah Griffiths Mohiuddin Ahmed Chadni Islam Paul Haskell-Dowland Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 303 312 10.34190/eccws.25.1.4693 The CTI Oligopoly’s Contractual Firewall: Restrictive Licensing as a Structural Barrier to Collective APT Defence https://papers.academic-conferences.org/index.php/eccws/article/view/4743 <p>Cyber threat intelligence (CTI) is widely promoted as indispensable for modern cyber defense, yet collective defense in practice is constrained by market concentration and restrictive licensing imposed by a small number of dominant vendors. This study analyses 34 publicly available documents (licence agreements, terms of service, API documentation, and pricing materials) across 15 major commercial CTI providers. Following a thematic analysis approach, we code restrictions across six dimensions: (1) access pathways and subscription gating, (2) redistribution and collaboration rights, (3) automation interfaces and rate limits, (4) portability and interoperability, (5) pricing transparency and contract flexibility, and (6) geographic and jurisdictional constraints. Findings confirm a highly concentrated oligopolistic market in which the top five to ten vendors control an estimated 50–80% of global revenue and a disproportionate share of APT telemetry. Recent consolidation, including Mastercard’s USD 2.65 billion acquisition of Recorded Future in December 2024, further reinforces this concentration. 
Licence terms systematically prohibit redistribution to third parties, constrain automation through non-cumulative quotas and unstable APIs, and obscure pricing behind enterprise sales funnels. These patterns constitute what we term a <em>contractual firewall</em>, a structural barrier that prevents threat intelligence from flowing between defenders even where policy frameworks encourage sharing. The contractual firewall creates asymmetries in defensive capability that disproportionately affect SMEs, public-sector entities, and sector consortia. These constraints do in some instances conflict with European collective defense mandates like NIS2, but fundamentally fragment the defender ecosystem, leaving smaller entities vulnerable to sophisticated threat actors. We suggest some procurement-focused recommendations for redistribution carve-outs, export and portability requirements, API stability guarantees, and multi-source resilience strategies. Future work should validate these patterns against negotiated enterprise terms and assess operational impact in incident response environments. We conclude that resource-constrained defenders facing APTs are caught in a systemic double bind: the ’contractual firewall’ restricts the intelligence access necessary for pro-active defense, while regulatory frameworks like NIS2 impose sharing mandates that these commercial restrictions effectively render impossible to fulfill.</p> Raymond Hagen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 313 321 10.34190/eccws.25.1.4743 The End of Infodemic? The 2021-2024 UN Effort to Ensure the Integrity of Public Information https://papers.academic-conferences.org/index.php/eccws/article/view/4562 <p>This article examines the United Nations’ efforts between 2021 and 2024 to promote the integrity of public information through the development of the Global Principles for Information Integrity. 
Responding to the growing threat of misinformation, disinformation, and hate speech, the study analyses how the UN sought to construct a non-binding, multilateral and multistakeholder response. Using qualitative textual analysis of UN reports, resolutions, and policy documents, the article traces the institutional process initiated by the Secretary-General’s call for a global code of conduct and culminating in the adoption of the Global Principles in 2024. The findings highlight both the potential and the limitations of multilateral cooperation in a fragmented information environment marked by geopolitical rivalry and technological change. The study contributes to debates on global governance by illustrating how normative frameworks can be mobilized to address information integrity while navigating tensions between human rights, state interests, and platform governance.</p> Teemu Häkkinen Dominic Saari Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 322 328 10.34190/eccws.25.1.4562 The University of Maryland’s Cyber Events Database 2.0: A Systematic Framework for Analyzing Global Cyber Threats https://papers.academic-conferences.org/index.php/eccws/article/view/4697 <p>Cyberattacks are increasing in scale, scope, and impact, yet systematic, accessible data on these events remain fragmented, narrowly scoped, or methodologically opaque. Existing cyber incident datasets often focus on specific threat types or high-profile cases, are proprietary, or lack transparent coding rules, limiting comparative analysis and cumulative research. This paper introduces the Cyber Events Database 2.0 (CEDB 2.0), a publicly sourced, event-level repository of global cyber incidents from 2014 onward designed to support reproducible research and strategic cybersecurity analysis. 
The CEDB 2.0 employs a mixed-methods data collection approach that combines automated web scraping with multilingual, near-real-time news monitoring, integrating the Global Database of Events, Language, and Tone (GDELT) Project beginning in 2025. As of February 2026, the database contains 16,382 coded cyber events across 175 countries and 1,431 distinct threat actors. Each event is classified using a theory-informed taxonomy capturing actor type, motive, target sector, affected country, and observable effects. By enabling cross-sectional and longitudinal analysis at scale, the CEDB allows researchers to move beyond anecdotal case studies toward systematic, evidence-based assessment of state and non-state cyber behavior. The paper details the database’s methodology, structure, applications, limitations, and future development.</p> Charles Harry Devin Entrikin William Lucyshyn Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 329 338 10.34190/eccws.25.1.4697 Incorporating S.P.I.C.Y. DICOM Polyglot Threats into Cyber Warfare Exercises https://papers.academic-conferences.org/index.php/eccws/article/view/4843 <p>The technical feasibility of crafting polyglot files, objects valid under multiple file formats, has been repeatedly demonstrated in various contexts, including the DICOM medical imaging standard. While prior work has established that DICOM polyglots are technically constructible, a significant operational gap exists between this known vulnerability and the preparedness of healthcare organizations to detect and mitigate such data-centric threats. This paper addresses this critical oversight by shifting the focus from how to construct DICOM polyglots to why they pose an unmitigated, systemic risk in clinical workflows. 
We argue that this operational gap stems from three primary issues: non-uniform inspection across heterogeneous security tools, misplaced trust in the structural compliance of medical data, and insufficient threat modelling for automated pipelines. Our feasibility analysis, using a controlled DICOM/Portable Executable (PE) polyglot, demonstrates that mainstream security tools exhibit substantial inconsistencies in detection, with different systems interpreting the same object according to varying, often shallow, parsing assumptions. This non-uniform inspection allows the polyglot to remain stealthy and polyglot. To provide a structured framework for analyzing and mitigating this threat, we introduce the S.P.I.C.Y. framework, defined by five operational characteristics: Stealthy, Polyglot, Infiltrative, Cascading, and Yield. S.P.I.C.Y. helps practitioners measure the operational impact of malicious data artifacts that propagate through trusted, automated workflows, such as Picture Archiving and Communication Systems (PACS) and Vendor Neutral Archives (VNAs). The Infiltrative and Cascading characteristics highlight how an object, once past initial inspection, maintains its dual functionality across multiple automated processes. Finally, we redefine Yield to include not just execution, but the operational value gained from persistence within trusted infrastructure. By applying the S.P.I.C.Y. 
framework, organizations can move beyond traditional security models and strategically address the critical blind spots created by operational complexity and the assumed trust placed in medical data standards.</p> Danny "Danhammer" Hetzel Xavier-Lewis Palmer Lucas Potter Janine Medin Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 339 349 10.34190/eccws.25.1.4843 An Integrated Framework for Ransomware Mitigation: A NIST-Aligned Defense Model Linking Cyber Insurance and Risk Management https://papers.academic-conferences.org/index.php/eccws/article/view/4650 <p>Ransomware attacks have become one of the most disruptive cyber threats to modern organizations, causing significant financial losses, operational disruptions, and reputational damage across sectors. While organizations increasingly adopt security measures to mitigate risks, the fast-evolving role of cyber insurance-supported mitigation services in ransomware defense remains insufficiently understood. Cyber insurance has evolved from just a reactive compensator to a proactive security partner. It now offers pre-incident services to mitigate attack severity and post-incident services for quick recovery, reducing loss impacts. Cyber risk management and cyber insurance practices are often divided among different disciplines. Actuarial underwriting seldom integrates risk management models, and cybersecurity experts rarely include insurer mitigation tools in governance plans. This disjointed approach restricts organizations from effectively using insurance services as part of a comprehensive ransomware resilience strategy. This study investigates how cyber insurance-supported services aligned with the NIST Cybersecurity Framework reduce the impact of ransomware incidents. 
Building on prior empirical research identifying socio-technical drivers of ransomware losses, this paper proposes an integrated mitigation framework that combines security governance functions with insurance-supported services including vulnerability assessment, forensic readiness, incident response coordination, and recovery assistance. The framework conceptualizes ransomware risk mitigation as a layered process in which socio-technical risk drivers shape both the likelihood of incidents and the effectiveness of mitigation mechanisms. By incorporating the socio-technical factors that shape the impact of ransomware incidents, the proposed framework provides a more comprehensive defense posture against ransomware threats. Through analytical modeling and scenario-based evaluation, this study demonstrates how coordinated implementation of NIST-aligned cyber insurance services can significantly reduce expected ransomware losses and accelerate organizational recovery. The findings emphasize integrating technical cyber practices with insurance expertise to strengthen cyber resilience. By linking cyber risk management and insurance, this research enhances understanding of ransomware mitigation and offers practical insights for organizations managing ransomware risks in a rapidly evolving threat landscape.</p> Li Huang Kimberly A. Cornell Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 350 358 10.34190/eccws.25.1.4650 Future Smart Devices in Future Digital Environments https://papers.academic-conferences.org/index.php/eccws/article/view/4589 <p>Our modern smart cities and societies are rapidly changing in all aspects. These entities can be described as digital, multidimensional hybrid entities, where everything is interconnected and where different technologies are used to acquire, transmit, exchange, process, use, and store information. 
We need to look at these multidimensional information and communication system entities in a new way. The information and data models we use, and their functionalities, require communication systems that consist of air-space-land-sea communication networks (ASGM), in which the different components work seamlessly together. These digital, multidimensional hybrid systems include several parts and functions, such as various digital platforms and their services; a range of technologies, including artificial intelligence (AI), machine learning (ML), and virtual reality (VR) solutions; blockchains; digital twins; quantum technologies (communication, cryptography, and computing); metaverse environments; and various data center functions. These environments also use the Large Language Model (LLM). Our new smart devices must be developed to adapt and operate in these environments, using the services they provide, and they must function regardless of time and place across all usage contexts, including extraterrestrial networks. Data center capabilities, MECs, and edge systems are also rapidly evolving due to emerging communication requirements. Quantum computing, cryptography, and communication, alongside ML, are becoming available, and their integration must be explored, as they introduce additional challenges for device design and functionality. We must ensure sufficiently low transmission and synchronization latencies so that physical and virtual environments can interact seamlessly without failures. In this article, we examine smart devices designed for future communication environments. These devices will utilize artificial intelligence, machine learning, and virtual reality to support the services of future smart societies across operational domains, including those beyond Earth. 
We also analyze cybersecurity threats to end-to-end services in different use cases and explore device-level functional enhancements.</p> Aarne Hummelholm Pekka Neittaanmäki Ruth Kaila Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 359 368 10.34190/eccws.25.1.4589 On Definition of Vulnerability Discovery https://papers.academic-conferences.org/index.php/eccws/article/view/4640 <p>The adaptation and exploitation of security vulnerabilities in military operations is a complex, multidisciplinary problem that calls for precise foundational definitions. This paper establishes such groundwork by discussing the principal elements of the topic from the perspective of security vulnerability research. We first characterize the sources and details of vulnerability and weakness information, describe common collection and presentation practices, and identify the principal consumers of this data. Next, we distinguish between vulnerability research and vulnerability discovery, explaining the processes that generate vulnerability information and highlighting the subtle but important differences between these activities. Finally, we examine principles governing the operational use of the vulnerabilities in military context and assess the respective contributions of research and discovery to achieving operational objectives. Within cyber domain operational planning we elaborate on (principle of) non-forceability. The primary hypothesis of non-forceability is that in cyber domain an adversary cannot induce an adverse effect on the logical components of a target system without proof of an exploitable logical vulnerability. 
This claim requires a precise explanation of the logical part of a system, which we define to include software, data, configurations, and formally defined user procedures and training; it explicitly excludes underlying processing platforms (hardware) and human actors (users and administrators). Under these definitions, external adverse effects on the logical system necessarily imply the proof of a vulnerability. Finally, the role of proof-of-concept (PoC) code in the operational utilization of software vulnerabilities has to be elaborated. We argue that the utility of vulnerability information is highly related to intended use and the level of technical detail provided. For defensive purposes, identification of a vulnerable component and its triggering mechanism is typically sufficient to trigger defensive actions. By contrast, offensive operations require validation of adversaries’ defensive capabilities before PoC code baseline capabilities, further development objectives and possible actions of objectives (impact) can be evaluated as an operational course of action.</p> Simo Huopio Erno Pasanen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 369 376 10.34190/eccws.25.1.4640 Balancing Security and Safety: A Look at Emergency Access Solutions for Implantable Medical Devices (IMDs) https://papers.academic-conferences.org/index.php/eccws/article/view/4732 <p>Wireless implantable medical devices (IMDs) have transformed clinical care but have also created a cyber-physical attack surface in which security failures can cause direct physiological harm. This tension is most acute in emergency access: clinicians must rapidly interrogate or reprogram devices under conditions that invalidate normal authentication. Security measures can delay critical care; mechanisms guaranteeing rapid access introduce vulnerabilities. 
This paper offers a critical review treating IMD emergency access as a safety-critical socio-technical exception regime, not merely a technical backdoor. We synthesise major access mechanisms—proximity triggers, break-glass credentials, external mediators, and manufacturer-mediated approaches—and analyse them through threat models, safety failure modes, human factors, and governance structures. We emphasise how cognitive load, workflow disruption, and long device lifecycles amplify risk during urgent interventions. The analysis shows that these mechanisms redistribute risk among patients, clinicians, manufacturers, and regulators, and that both security and safety failures can be catastrophic. We argue that no single mechanism can simultaneously maximise safety, security, and accountability across diverse contexts. We conclude by specifying the governance interventions required to make emergency access defensible in practice.</p> Austin James Veronica Schmitt Janine Medina Danny Hetzel Lucas Potter Xavier Palmer Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 377 387 10.34190/eccws.25.1.4732 Toward Better Use of Cyber Threat Models in Defence Environments https://papers.academic-conferences.org/index.php/eccws/article/view/4632 <p>Threat modelling in cybersecurity is a systematic process for identifying, analysing, and prioritising threats in a system. However, it is a highly challenging task in the defence sector, since military capabilities present a broad attack surface. This problem is compounded by the widespread use of civilian threat models, designed for specific systems or security aspects, in the defence sector, which often lack the breadth required to analyse military capabilities. 
In this paper, we identify gaps in state-of-the-art threat models in their ability to represent threats in the defence sector, using TEPIDOIL, a framework that captures the components required to maintain effective defence capabilities. We then present a novel framework called <em>Universal Defence Framework</em>, and demonstrate, through a case study and evaluation, that it enables the use of existing (civilian) threat models in the defence sector and addresses the identified gaps. Our evaluation showed that integrating threat models into our framework provides the broader view required to analyse threats in complex, integrated systems, as typically found in the defence sector.</p> Steve Johnson Erisa Karafili Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 388 395 10.34190/eccws.25.1.4632 Cyber Early Warning System on Security Operations Center https://papers.academic-conferences.org/index.php/eccws/article/view/4784 <p>An Early Warning System (EWS) is a framework or collection of tools developed to identify and deliver timely alerts about potential threats, risks, or adverse events across various situations. Its main objective is to support decision-makers in implementing preventive actions that reduce the impact of possible hazards or disasters, thereby protecting lives and resources. Modern digital society depends on the interconnection and collaboration of essential infrastructures, which require adequate situational awareness (SA) to manage growing cyber risks. In the cyber domain, a key priority is safeguarding critical infrastructure (CI) against threats amid a surge in both the frequency and sophistication of cyberattacks. These evolving attacks allow adversaries to disrupt vital services remotely, creating significant risks and uncertainty in the absence of adequate SA and thus protection. 
The Cyber Early Warning System (CEWS) is essential within the cyber domain, integrating, for example, artificial intelligence (AI) to introduce a new approach to early warning capabilities. As a component of the cyber threat intelligence (CTI) process, CEWS offers an innovative methodological framework for navigating and operating in today’s complex cyber environment. In large networked systems, CEWS gathers and correlates heterogeneous information from multiple sources, delivering timely and actionable insights to help prevent or mitigate potential risks by effectively supporting an organization's SA. A Security Operations Center (SOC) is a key element in protecting an organization's digital assets by continuously monitoring, detecting, investigating, and responding to cyber threats. The SOC is an essential part of an organization’s SA and risk management, as it particularly supports risk identification, monitoring, and control by continuously providing information to detect, assess, and manage cybersecurity risks. This paper highlights the importance of collaborating with the Cyber Early Warning System and the Security Operations Center.</p> Timo Koskimäki Jouni Pöyhönen Martti Lehto Mika Hållfast Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 396 404 10.34190/eccws.25.1.4784 A Capability-Based Approach to Evaluate and Mitigate Identified Cybersecurity Gaps in Critical Infrastructures https://papers.academic-conferences.org/index.php/eccws/article/view/4847 <p>Recently, the number of cyber threats has shown a rapid increase all over the world. Different public and private infrastructure organisations of a society have varying capabilities and resources to address these threats and protect themselves from their harmful impact. 
Among these sectors, critical infrastructures are most vulnerable as they hold valuable data, the protection of which is both crucial and expected from a societal perspective. As data protection relies on different capabilities, it is vital to understand what specific capability a particular infrastructure sector and an individual company will need and can achieve. There is a wealth of high-quality information available on the best practices of cybersecurity, for example in frameworks like the ISO series and the National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0. These frameworks contain actions that are generally considered beneficial for any company but provide limited guidance on how individual controls translate into actionable capabilities in a specific organisational context. However, very few companies have the resources to implement all the controls presented in these frameworks to reach the highest maturity levels possible in cybersecurity. In these situations, it is crucial to maximise the benefits gained from any chosen action. In this paper, we investigate how a capability-based assessment model, developed originally for the defence domain, can be adapted to evaluate cybersecurity capabilities in the context of critical infrastructure and explore its performance when applied to a healthcare sector company. This model assesses capability gaps by comparing the current state with a target level capability and applies this approach to the cybersecurity context of a healthcare organisation. The general aim of our study is to support simpler and more effective decision-making when selecting the next cybersecurity upgrade or systemic improvement. 
In future research, we plan to extend this model to other critical infrastructure sectors and compare its performance and generalisability to these sectors.</p> Eetu Jalmari Johannes Laakso Vesa Kuikka Kimmo Kaski Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 405 413 10.34190/eccws.25.1.4847 Bayesian Modeling of Uncertainty in Anti-Phishing Training: A Serious Game for Adversarial Email Crafting https://papers.academic-conferences.org/index.php/eccws/article/view/4816 <p>This paper presents a Bayesian-driven serious game designed to support human-centered anti-phishing training through explainable artificial intelligence and adversarial gameplay. As phishing attacks increasingly leverage personalization and AI-assisted social engineering, traditional training approaches and opaque detection systems offer limited support for developing strategic awareness and decision-making under uncertainty. The proposed framework addresses this gap by combining Bayesian explainability with an interactive, adversarial learning environment. The serious game was implemented in a military academy context and centers on a sandboxed anti-phishing platform powered by a Bayesian Network. Participants are tasked with crafting targeted phishing emails for simulated victims using social media-derived contextual information. Each email submission is analyzed by the Bayesian engine, which outputs both a probabilistic phishing likelihood score and an explanation highlighting the linguistic features that contributed most strongly to the classification. Learners then iteratively revise the same email to reduce detectability, effectively attempting to “fool” the system while preserving semantic intent. Evaluation was conducted using two complementary data sources: interaction logs from the game and a post-activity questionnaire. 
The results suggest that integrating explainable Bayesian models into adversarial serious games can effectively enhance phishing awareness, strategic thinking, and sensitivity to uncertainty. The study highlights the potential of explainable AI not only as a defensive mechanism, but also as a powerful educational tool in cybersecurity training.</p> Dimitrios Lappas Diogo Alexandre Silva Aristeidis Angelos Zoumpakis Panagiotis Karampelas Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 414 423 10.34190/eccws.25.1.4816 On the Establishment of Trust: Rethinking Trust in the Age of Artificial Intelligence https://papers.academic-conferences.org/index.php/eccws/article/view/4869 <p>Trust has always been a fundamental element of organisational and social structures, enabling cooperation in situations where uncertainty or vulnerability cannot be fully eliminated. As societies and infrastructures have become increasingly interconnected, the foundations of trust have shifted from interpersonal relationships toward complex institutional and technological arrangements. This evolution has reached a new turning point: digital infrastructures, autonomous systems, and data‑driven decision‑making processes increasingly mediate interactions that once relied on human reasoning. Artificial intelligence (AI) is reshaping expectations of reliability, transparency, and accountability, prompting a reassessment of what it means to trust in environments where human and machine actions are intertwined. In this context, the notion of trustworthy AI has emerged as a key prerequisite for the responsible integration of AI systems into social and technical ecosystems. Core principles such as robustness, explainability, fairness, and security are widely regarded as essential for fostering a balanced relationship of trust. 
These requirements become especially significant in domains where AI supports or controls essential services. This is particularly true for critical infrastructures (energy grids, transportation systems, healthcare services, and communication networks), where AI‑driven decisions may trigger cascading effects that extend far beyond individual users. Ensuring trustworthy behaviour in such settings requires not only technical reliability but also governance structures that provide oversight, recourse, and continuous assurance. Despite broad agreement on the importance of trustworthiness, a substantial trust gap persists. Users often struggle to understand how AI systems reach their decisions, leading to scepticism or disengagement. Conversely, operators may place unwarranted confidence in automated outputs, especially in high‑pressure or resource‑constrained environments. Organisations face challenges translating abstract principles into operational practices, and regulatory frameworks remain inconsistent across sectors and jurisdictions. These tensions illustrate that trust cannot be created through technical means alone; it must be cultivated through transparent design, institutional accountability, and alignment with societal values.</p> Christoph Lipps Siphesihle Sinthungu Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 424 432 10.34190/eccws.25.1.4869 Cognitive Deception: Cognitive Hacking Phenomenon and Cognitive Security https://papers.academic-conferences.org/index.php/eccws/article/view/4758 <p>Cybercriminality is an actively discussed topic in criminology. While technical cybersecurity has evolved, an increasing number of different types of technical solutions have been created to defend against cyberattacks. 
In security and cybersecurity, the weakest link is often considered to be a human. It seems that while malware attacks are increasing in numbers, social engineering or cognitive hacking has also increased. This paper explores the use and definition of a concept of cognitive deception in previous studies. The dataset used for this study was taken from the SCOPUS database and qualitative meta-analysis (QMA) was used for analysing the content of the documents. The QMA method was selected for its suitability in content analysis of scientific as well as potential grey literature. Evolving technology has created new approaches for manipulating people. The analysis of research data indicates that cognitive hacking relates to definitions of cybercrime, cyberattack, warfare, and hybrid threats. This study contributes to the discussion about cognitive security.</p> Mikko Luomala Jyri Naarmala Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 433 442 10.34190/eccws.25.1.4758 Artificial Immune System for Proportionality Assessment in Military Operations https://papers.academic-conferences.org/index.php/eccws/article/view/4551 <p>This article presents an Artificial Immune System (AIS) algorithm for conducting the proportionality assessment in military operations that integrates an in-depth evaluation in relation to the detection of disproportionate collateral damage in military operations under two modelling settings, as follows defined. In the first modelling setting, the collateral damage only includes physical harm, and in the second modelling setting, the collateral damage includes both physical and psychological harm. In this context, various algorithms were implemented and compared. 
By employing a Clonal Selection algorithm, the possible scenario‐feature combinations are treated as antigens and evolve a detector repertoire via affinity‐based cloning, mutation, and replacement and aspects such as detection rate, false‐positive rate, and detector diversity are tracked over generations. By employing Negative Selection and Immune Network paradigms, it can be seen that in Case 2 superior disproportional detection is achieved and through a more in-depth network analysis the core communities that underpin disproportionate judgments are analysed. Hence, the AIS models developed demonstrate that incorporating psychological considerations not only improves detection performance, but also shapes the structural properties of immune repertoires, providing a novel computational perspective on the proportionality assessment execution in military operations.</p> Clara Maathuis Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 443 451 10.34190/eccws.25.1.4551 Proportionality Assessment in Military Operations with Cellular Automation https://papers.academic-conferences.org/index.php/eccws/article/view/4548 <p>In this research a Cellular Automation (CA) approach to model the proportionality assessment in military operations is introduced by capturing spatial-temporal dynamics of this complex decision-making process. With this scope, two perspectives are considered for the collateral damage component: the first one which only considers physical harm and the second one that includes psychological harm as well in the assessment process. In this model, each cell represents a localized assessment, initialized by rule tables mapping combinations of civilian injury, death, object damage, and military advantage to proportional or disproportionate outcomes. 
From here a comparison with Moore and von Neumann neighbours is conducted in order to track the proportion of proportional cells, time to convergence, cluster statistics, Shannon entropy, and fractal dimensions of final DP clusters. Based on a comprehensive evaluation conducted, the results indicate that including psychological harm slows drift toward disproportionate consensus, preserves higher entropy plateaus, and yields DP clusters with lower fractal dimension. This implies resilience from the proportional judgments. Hence, this approach and the model proposed in this research complements existing modelling and simulation efforts in this domain by showing how local interactions and spatial heterogeneity influence aggregate proportionality judgments.</p> Clara Maathuis Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 452 460 10.34190/eccws.25.1.4548 System Dynamics Model for Proportionality Assessment in Military Operations https://papers.academic-conferences.org/index.php/eccws/article/view/4554 <p>This research introduces a System Dynamics (SD) model for proportionality assessment in military operations. This is done under a broader perspective adopted for the collateral damage component considering two cases, as follows. In the first case only collateral physical effects are considered and in the second case a combination of physical and psychological collateral effects are considered. Furthermore, the model comprises feedback loops by linking civilian injury, death, damage to objects, and military advantage to a proportionality assessment stock. With this scope, Monte Carlo simulations over 100 time steps are conducted and revealed that incorporating psychological damage reduces the share of proportional assessments by 7 percentage points and slows the accumulation of proportional judgments. 
At the same time, the sensitivity analysis shows a steeper decline in proportional outcomes when psychological impacts are included. In addition, further statistical tests are conducted and from a comprehensive evaluation it can be seen that the model provides a robust and interpretable tool for exploring how different collateral‐damage considerations shape proportionality decisions and can inform military rules of engagement and policy debates.</p> Clara Maathuis Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 461 468 10.34190/eccws.25.1.4554 Deepfake Technology in Social Engineering: Threats, Detection and Defence Strategies https://papers.academic-conferences.org/index.php/eccws/article/view/4838 <p>Big developments in the field of Artificial Intelligence (AI) have significantly improved deepfake technology, allowing individuals to create realistic synthetic media. As a result, deepfakes have become a very effective tool for social engineers by allowing them to accurately impersonate colleagues and authority figures to gain the trust of individuals and manipulate them. High-profile cases such as the Arup scam and the UAE fraud case highlight how attackers are leveraging these techniques in real-world scenarios and the devastating financial consequences they bring. In response, several technical detection tools have been developed, many of which rely on deep learning techniques. However, these should not be used in isolation. An effective defence strategy requires organisations to supplement these technological tools with other strategies, such as employee training, awareness campaigns and secure security policies.
This creates layers of security, capable of mitigating risks posed by deepfake social engineering.</p> Tanaka Makamure Daniel Ogwok Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 469 476 10.34190/eccws.25.1.4838 Detecting DDoS Attacks in IoT Healthcare https://papers.academic-conferences.org/index.php/eccws/article/view/4779 <p>The increased adoption of IoT devices in healthcare domains has significantly increased the attack surface, leaving critical infrastructure vulnerable to attacks such as Distributed Denial of Service (DDoS). Our work investigates the role of feature selection and temporal dependency modelling in detecting MQTT (Message Queuing Telemetry Transport) DDoS attacks using the CICIoMT 2024 dataset. We compare two approaches: the Naïve Bayes model, which assumes flow independence, and the Long Short-Term Memory (LSTM) model, which captures sequential dependencies in the raw network flows. Feature selection was also performed to reduce 84 raw features to 31 informative features. Our preliminary results show that the LSTM model outperformed Naïve Bayes by leveraging the temporal patterns that are characteristic of DDoS traffic. This study evaluates the importance of guided feature selection and temporal dependency modelling in DDoS detection in IoT healthcare networks.</p> Eurydice Makena Sara Sutton Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 477 482 10.34190/eccws.25.1.4779 A Potential Digital Evidence classification model for 5G NFV Environments Using Supervised Machine Learning Algorithms https://papers.academic-conferences.org/index.php/eccws/article/view/4736 <p>The adoption of fifth-generation (5G) mobile networks has increased significantly due to enhanced bandwidth, reduced latency, and support for heterogeneous services.
Key enabling technologies such as Network Function Virtualisation (NFV) and network slicing introduce flexibility and scalability but also expand the attack surface for cyber threats. These threats complicate digital forensic investigations, particularly the identification and classification of Potential Digital Evidence (PDE) in dynamic virtualised environments. This paper proposes a machine learning-based classification model for PDE in 5G NFV environments to support digital forensic readiness (DFR). The model integrates digital evidence collection, preservation, and storage processes with supervised machine learning algorithms to automatically classify forensic artefacts. A Random Forest classifier was evaluated using a combined dataset consisting of CIC-IDS 2017 traffic and real 5G packet captures. Experimental results demonstrate high classification performance, achieving a weighted precision of 0.97, recall of 0.93, and F1-score of 0.95. Feature importance analysis further highlights key traffic characteristics relevant to forensic investigations. The proposed model enhances forensic readiness by enabling automated identification and categorisation of relevant evidence, reducing manual effort and improving investigation timeliness in 5G NFV environments.</p> Sheunesu Makura Lucas Blanc Hein Venter Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 483 493 10.34190/eccws.25.1.4736 Immersive Cyber-Verse: The State of Immersive Learning Techniques in Cybersecurity Education in Small Colleges https://papers.academic-conferences.org/index.php/eccws/article/view/4770 <p style="font-weight: 400;">In our current predicament of the alarming rise of cyberattacks, social engineering attempts and an evolving need for encrypted security, the importance of cybersecurity education and training cannot be overstated.
The need to equip the current and future generation of students with all the necessary tools, knowledge and expertise to combat this ever-increasing threat is paramount. Big institutions, including R1, R2 and R3 universities, have already been striving to train a cybersecurity-trained workforce and providing substantial resources and funds to continue research and exploration of this area. On the other hand, smaller institutions, including private liberal arts colleges, four-year universities and various urban colleges, are often grappling with the obstacles of limited funds and the inability to utilize expensive infrastructure to continue research in niche cybersecurity topics, such as quantum information systems, critical infrastructure systems, etc. This paper provides an overview of the various challenges faced by these smaller institutions in terms of resources for their students for the required cybersecurity training and discusses potential teaching techniques using immersive learning methods of augmented reality (AR) and virtual reality (VR). The use of these technologies is already prevalent in imparting student learning in complex and inter-disciplinary cybersecurity topics. This paper aims to identify the challenges associated with the utilization of these technologies in smaller higher learning institutions.
It further discusses potential strategies to overcome these shortcomings to eventually help these universities to proactively join the commitment of building a cybersecure workforce.</p> Sayonnha Mandal Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 494 501 10.34190/eccws.25.1.4770 The Forgotten Stub: Exploring Malicious Use of the PE DOS Header https://papers.academic-conferences.org/index.php/eccws/article/view/4769 <p style="font-weight: 400;">Malicious actors increasingly employ sophisticated concealment techniques within Windows Portable Executable (PE) files to evade static and dynamic detection, complicating incident response and digital forensics. Detecting malware in PE files has become a central challenge in modern security research, leading to a mix of complementary analysis methods. Current approaches range from traditional signature-based scanning, which identifies known byte patterns, to heuristic systems that flag unusual structural traits such as abnormal section sizes, entropy spikes, and inconsistent header values. Machine learning models now play a role, using features like opcode sequences, imported API functions, and metadata patterns to classify files at scale. Deep learning models, including convolutional and recurrent networks, learn higher-level representations directly from raw binaries or extracted features. However, many or most systems designed to detect malicious software in PE files deal with the portion of the file structure specific to Windows. A section of the file called the “DOS Header” is generally ignored by malware analysis. 
This paper describes a method whereby hand-crafted malware can be hidden in the DOS Header of the PE file, thus evading detection by many analysis methods.</p> Sayonnha Mandal Kshitiz Aryal William Mahoney Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 502 508 10.34190/eccws.25.1.4769 Cyber and Electromagnetic Activities (CEMA) in a Multi-domain Battlefield https://papers.academic-conferences.org/index.php/eccws/article/view/4629 <p>Contemporary adversaries aim to integrate lines of operations across information, cyber, electromagnetic, and kinetic domains. They take advantage of the digitalisation of the information realm, which opens avenues to deliver impact at the cognitive and social levels. Simultaneously, the demand for mobility and dispersion on the battlefield multiplies the need for transceivers and wireless communication. Naturally, this increases the targets for electronic attacks; for example, battlespace transceivers open new avenues for breaching isolated cyber domains. The military is gradually generating cyber and electromagnetic abilities into its capability portfolio, but often lacks appreciation for their combined impact on a modern multi-domain battlefield. Therefore, the paper uses design science methods to develop a model of CyberElectromagnetic Activities (CEMA) and Enterprise Architecture (EA) views, illustrating them in the context of a modern multi-domain battlefield. First, the paper aims to define modern CyberElectromagnetic battlespace and to derive its tenets from real-world cases. Secondly, the paper elaborates on the combined CEMA in the context of multidomain operations. Thirdly, the paper designs a CEMA model and illustrates it using views typical of enterprise architecture. Finally, the paper tests the feasibility of the abducted model with operational scenarios. 
The CEMA model is intended for Cyber and EW operational planners and orchestrators as a foundation for CEMA operations. The findings of this research provide insights and explanations to planners and researchers of operational art that: CEMA is always a part of multi-domain operations because of its omnipresence; CEMA, being a composition of many abilities, needs collaborative planning and orchestration of execution, both in defensive and offensive operations; interrelationships among CEMA, information operations, and kinetic operations need to be understood to assess the combined system-of-systems impact; asymmetric operational thinking opens a spectrum of means and ways to effect in a multidomain battlefield; rapidly evolving technology opens both vulnerabilities and avenues of effect for defensive and offensive operations; and an advanced digital force will dominate a force with commercial or dual-use technologies in modern multi-domain operations.</p> Juha Kai Mattila Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 509 517 10.34190/eccws.25.1.4629 A Hybrid, Transparent Trust and Risk Assessment Framework for Cryptocurrency Exchanges https://papers.academic-conferences.org/index.php/eccws/article/view/4840 <p>Cryptocurrency exchanges act as critical intermediaries within the digital asset ecosystem, yet users currently rely on largely opaque, platform-defined trust scores to assess their reliability and risk. Existing industry frameworks, notably those produced by CoinGecko and CoinMarketCap, provide useful signals related to liquidity and volume integrity but suffer from limited transparency, fixed weighting schemes, and the absence of sentiment-based assessment.
This paper presents HTREx (Hybrid Trust and Risk Evaluation framework for exchanges), a semi-automated, modular trust and risk assessment framework for cryptocurrency exchanges that addresses these limitations. The framework integrates five dimensions of exchange integrity: user sentiment, regulatory compliance, technical security, transparency, and incident history. Sentiment is quantified using transformer-based natural language processing applied to user-generated content from mobile application reviews and online forums. Compliance is assessed through structured extraction of regulatory and operational disclosures from Terms of Service documents using large language models. Security, transparency, and incident history are evaluated through a combination of publicly verifiable indicators, third-party assessments, and a recency-weighted incident scoring model. All components are normalised and aggregated into a composite score using user-adjustable weights, enabling personalised risk prioritisation while retaining a defensible default configuration for comparative analysis. The framework is demonstrated using four prominent exchanges—Kraken, Coinbase, Binance, and Uniswap—highlighting clear differences between centralised and decentralised platforms and illustrating how sentiment, compliance, and historical incidents materially influence overall trust assessments. 
The results suggest that transparent, extensible, and user-configurable scoring models can provide a more interpretable and context-sensitive evaluation of exchange risk than existing monolithic trust scores, with direct relevance for both retail and institutional participants.</p> Bongani Mawhayi Johnny Botha Louise Leenen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 518 527 10.34190/eccws.25.1.4840 An Assessment Methodology for Learning Mission Characteristics https://papers.academic-conferences.org/index.php/eccws/article/view/4599 <p>This paper presents a novel methodology for assessing the effectiveness of machine learning algorithms in deriving a protocol specification from a set of network traffic captures. Such specifications describe the data formats and mission characteristics associated with valid messages and form the basis for protecting military vehicles from malicious traffic. This paper enhances previous work, which automatically generates a hardware guard from a hand-written grammar, to produce a fully automated, end-to-end process that generates a parser, either in software or as a hardware guard, directly from mission training data sets. A hardware guard is realized as a Field Programmable Gate Array (FPGA) circuit block implementing a parser. The parser performs deep packet validation, checking that every message conforms to the associated grammar and rejecting invalid packets. Several modern machine learning algorithms and specification inference tools exist that can be leveraged to automatically infer a specification from a data capture. Unfortunately, to date, there has been a paucity of mission data sets to provide ground-truth, and the lack of a common set of metrics to assess learning algorithms. 
To this end, this paper introduces a parser repository that provides a ground-truth data set for a variety of formats and protocols, alongside equivalent protocol specifications expressed in several formalisms, namely BNF, Hammer, Daffodil, and Daedalus. Each set of equivalent specifications is provided with a common collection of true and false test vectors to validate their operation and benchmark learning performance using appropriate metrics. Specifications for standard formats, including JavaScript Object Notation (JSON), Universal Resource Locators (URLs), and Hypertext Transfer Protocol (HTTP), provide the basis for generic testing. The Micro Air Vehicle Link Protocol (MAVLink) and Space Packet Protocol (SPP) are used as examples of mission-oriented grammars. MAVLink is a byte-oriented protocol, while SPP is a bit-oriented protocol, leading to fundamental differences in the way that learning algorithms must operate to validate packets; the latter is also indicative of the complexities involved in parsing of SAE J1939 – used on ground vehicles – and MIL-STD-1553 – used on aircraft.</p> Joshua Meise Stephen Taylor Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 528 536 10.34190/eccws.25.1.4599 Sridut: Securing Multi-Controller SDN Integrity with State-Aware Multi-Consistency Storage and Provable Convergence https://papers.academic-conferences.org/index.php/eccws/article/view/4899 <p>Software Defined Networking (SDN) is a network paradigm that decouples the control and data planes, enabling centralized network control. The single centralized controller of the original paradigm, however, created a single point of failure, which was overcome with the introduction of multi-controller networks. 
These networks, however, introduce new security challenges as the availability and integrity of the networks now depend on state consistency mechanisms and their inherent trade-offs. For example, multi-controller networks that solely support strong consistency enforce correctness at the cost of availability due to their susceptibility to Denial of Service (DoS) attacks and maliciously induced partitions. Alternatively, some designs employ hybrid consistency or multi-consistency, sacrificing correctness guarantees to strike a balance between correctness and availability. However, these designs lack mechanisms for provably verifiable convergence, resulting in critical integrity violations such as corrupted and conflicting security and Quality of Service (QoS) policies. This critical gap is exploitable by adversaries, enabling them to trigger policy conflicts and bypass security perimeters. These security implications are further amplified by the lack of transparency between the application layer and consistency state events. This lack of transparency hampers the ability of the controller to react and recover from consistency-based attacks. To address these challenges, this paper introduces Sridut, a secure multi-consistency storage model providing strong consistency, strong eventual consistency, and consistency state awareness. The model provides multiple storage backends with varying degrees of consistency guarantees, allowing for more granular control of the inherent security trade-offs. Additionally, the consistency state, health, and critical events are made transparent, further improving an application's ability to react to consistency-based attacks. The model leverages Conflict-free Replicated Data Types (CRDTs) and anti-entropy mechanisms to achieve strong eventual consistency. This mechanism allows divergent states to be safely merged, preserving integrity of critical data such as network policies.
Consequently, this approach mitigates exploitable security risks associated with divergent states. Ultimately, the state-aware architecture and provable convergence of Sridut provide a robust defence against both malicious threats and inherent network partitions, helping preserve integrity and availability in SDN multi-controller networks.</p> Adir Miller Avinash Singh Hein Venter Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 537 545 10.34190/eccws.25.1.4899 Information Ethics & Social Context as Drivers of Cybersecurity Resilience in South Africa’s Uneven Digital Landscape https://papers.academic-conferences.org/index.php/eccws/article/view/4644 <p>South Africa’s rapid digital transformation has expanded socio-economic participation while simultaneously intensifying exposure to cyber risks. These risks are unevenly distributed across society due to persistent digital inequalities, infrastructure gaps and variations in digital literacy. This paper argues that cybersecurity resilience in South Africa cannot be achieved through technical controls alone but must be grounded in information ethics and social context. Using an integrative systemic literature review, the study synthesises research on cybersecurity resilience, information ethics and socio-technical systems within South Africa and comparable environments. The findings reveal recurring socio-ethical patterns in which ethical governance, trust, digital justice, and community-level practices either enable or constrain resilience at the individual, institutional, and societal levels. The paper proposes a Socio-Ethical Cybersecurity Resilience Framework that integrates ethical governance, social behaviour, and institutional responsibility. 
The framework offers context-sensitive guidance for policymakers, educators and practitioners seeking to strengthen inclusive and sustainable cybersecurity resilience.</p> Elekanyani Mukondeleli Nokuthaba Siphambili Mmamolele Molema Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 546 554 10.34190/eccws.25.1.4644 From Play to Mobilization: A Sociotechnical Pathway from Youth Gaming Communities to Geopolitical Cyber Operations https://papers.academic-conferences.org/index.php/eccws/article/view/4915 <p>Digital gaming communities have become dense sociotechnical environments in which youth develop trust, technical fluency, identity, and coordination practices that extend far beyond gameplay. This paper investigates how such communities can, under particular structural conditions, evolve into networks that participate in cyber activities with geopolitical relevance. Rather than treating this transition as primarily ideological from the outset, the paper argues that the pathway is initially sociotechnical: repeated interaction builds social cohesion, status systems reward experimentation and technical competence, and platform migration enables tighter coordination across gaming, chat, and adjacent online spaces. Drawing on prior work on youth gaming, online extremism, gaming-adjacent radicalization, and child involvement in cyber operations, the paper develops a four-stage lifecycle of formation, capability building, alignment, and deployment. It then illustrates this lifecycle through three case studies that show both prosocial and harmful trajectories. The central claim is that escalation is better explained by evolving community structure and task organization than by overt political language alone.
The paper concludes by proposing youth-centered interventions, platform governance strategies, and early warning indicators that can reduce exploitative mobilization while preserving the legitimate social and educational value of gaming culture.</p> Anvesha Nigam Emma Johansson Shreyas Kumar Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 555 561 10.34190/eccws.25.1.4915 Enhancing Credit Fraud Detection in e-Payments through Predictive Analytics using Machine Learning: A Scoping Review https://papers.academic-conferences.org/index.php/eccws/article/view/4739 <p>The rapid global expansion of e-payment has created new opportunities for sophisticated, evolving financial fraud, leading to substantial financial losses and undermining or eroding customer trust, despite new security efforts. This scoping review examines how the application of predictive analytics, utilising machine learning and data analytics techniques, can enhance credit fraud detection and prevention in e-payments. The Joanna Briggs Institute protocols for scoping reviews were used to identify literature published between 2019 and 2025 from multiple academic databases, resulting in the selection of 30 relevant studies. Data mapping and analysis were applied to the selected studies, enabling insights into how financial institutions can leverage machine learning and data analytics to detect and prevent fraud more effectively across diverse digital payment environments. The review revealed various fraudulent methods, including complex transaction-like fraud, card-not-present fraud in online purchases, account takeover, identity theft, and high-frequency, small-scale fraud targeting vulnerable time windows, with emerging threats in DeFi platforms that pose unique detection challenges and high vulnerability.
These findings demonstrate that fraud patterns are increasingly dynamic, adaptive, and designed to blend in with legitimate customer behaviour, making early detection more challenging. The study’s findings also highlight that advanced machine learning models, such as ensemble methods, deep learning, neural networks, anomaly detection algorithms, and data analytics methods, can significantly improve real-time fraud detection and outperform traditional rule-based approaches that rely on static thresholds, manual review, or historical assumptions. Despite these benefits, the review highlights persistent issues that limit practical implementation. These include data imbalance, high rates of false positives and false negatives, challenges with model transparency, privacy concerns, and integration challenges with legacy systems. Addressing these technical and operational challenges is therefore essential to enhancing the effectiveness of predictive analytics in safeguarding digital payment ecosystems and supporting a more trusted and resilient digital financial environment, while also informing regulatory compliance, operational risk management, and future research directions on fraud detection in e-payment systems.</p> Zenande Nondula Moses Moyo Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 562 571 10.34190/eccws.25.1.4739 Integrating Cybersecurity Risk Management and Business Continuity of Family-Owned Businesses in Anambra State, Nigeria: A Conceptual Model. https://papers.academic-conferences.org/index.php/eccws/article/view/4864 <p>With the growing dependence on digital technologies and integrated systems, the contemporary business environment is becoming more susceptible to cyber threats, especially family-owned businesses which in most cases have loosely organized cybersecurity systems.
Family-owned businesses in the Anambra State of Nigeria contribute to economic growth in the country; however, family-owned businesses in the developing economies are the most vulnerable to cyber-attacks and most times they operate informal structures which are not well equipped to survive external cyber threats. Affirming business continuity theory and protection motivation theory, cybersecurity risk management ensures that businesses detect, evaluate, and reduce possible threats while maintaining operations during and after disruptions. Thus, this study is an effort to propose a cyber-resilience integration model to help family-owned businesses incorporate cybersecurity risk management into structures of business continuity and the core strategy of organizational survival. With direct synthesis of relevant literature, this study postulates how cybersecurity risk management can be applied to business continuity planning amongst family-owned enterprises. Specifically, it delineates the contribution of risk identification, threat assessment, incident response planning and recovery strategies to the business continuity of family-owned enterprises. This paper offers useful information to business owners, policymakers, and researchers because it offers a guide to enhancing cybersecurity preparedness and the need to maintain sustainable business operations.
This contribution is an important move towards making family-owned businesses within emerging economies more resilient.</p> Chinwe Gloria Obananya Paschal Anosike Chidimma Odira Okeke Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 572 578 10.34190/eccws.25.1.4864 Enhancing Cybersecurity Resilience in the Real Estate Industry: Mitigating Phishing and BEC Attacks https://papers.academic-conferences.org/index.php/eccws/article/view/4832 <p>As real estate transactions continue to shift toward fully digital workflows, the sector has become an attractive target for phishing and BEC attacks that exploit trust, time pressure, and fragmented communication channels. This paper contributes to cybersecurity research by moving beyond high-level discussions of email fraud and focusing directly on the real estate industry as a primary domain of analysis rather than a peripheral use case. The study synthesizes existing academic and industry literature with a structured examination of multiple real-world incidents drawn from residential, commercial, and cross-border property transactions. By analysing these cases collectively, the paper identifies recurring patterns in attacker techniques, organizational weaknesses, and decision-making failures that enable financial loss. Attention is paid to how human behavior, process design, and informal verification practices interact with technical shortcomings to create exploitable conditions. A clearly defined methodology outlines the case selection criteria, temporal scope, and analytic approach, allowing the study to be replicated or extended by future researchers. This methodological transparency strengthens the academic value of the work while grounding the findings in observable evidence rather than assumptions.
Based on the cross-case analysis, the paper proposes a practical, sector-specific framework that aligns cybersecurity controls with the operational realities of property transactions, including third-party coordination, legal timelines, and high-value fund transfers. The findings offer practical relevance for cybersecurity professionals, real estate practitioners, and policymakers by translating incident analysis into concrete risk reduction strategies. At the same time, the paper advances scholarly understanding by presenting an industry-focused model for addressing cyber-enabled financial crime in trust-based transaction environments.</p> Oludolamu Ademola Onimole Etinosa Imafidon Denzel Pryor Lucas Potter Xavier Palmer Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 579 588 10.34190/eccws.25.1.4832 Exploring Personalized Personnel Protection within Cybersecurity https://papers.academic-conferences.org/index.php/eccws/article/view/4868 <p>Due to their substantial cross-platform exposure, high-profile persons are disproportionately at risk as cyber threats grow across linked digital ecosystems. Most prior research has focused on discrete platform vulnerabilities; however, the ways in which interconnections across services create compound socio-technical hazards have received less attention. By taking a socio-technical systems approach, this study highlights a major flaw in current methods that treat users as a homogeneous population, despite notable differences in exposure and behaviour. The study identifies recurring vulnerability patterns and illustrates how coordinated adversarial activity leverages digital interdependencies to cause financial, reputational, and physical harm through a cross-sector analysis of five high-demand service categories, ranging from remote healthcare to on-demand gig services.
It identifies recurring structural vulnerability configurations across sectors, demonstrating that risk stems from shared choices rather than platform specifics. This paper contributes a cross-platform vulnerability map, a socio-technical risk model for high-visibility individuals, and a unified framework linking adversarial behavior to privacy erosion across interconnected services, offering practical insights for developing targeted cybersecurity strategies. Findings show how attackers exploit digital interdependence to achieve blended online compromise, financial loss, reputational harm, and physical danger. The study concludes by proposing a paradigm shift to personalized, privacy-centric, multi-layered cybersecurity capable of safeguarding both high-profile and everyday users, emphasizing the importance of adapting security measures to individual user needs while prioritizing the protection of sensitive information. This study employs a socio-technical systems framework, acknowledging that cybersecurity risk arises from the interplay of human behaviour, platform structures, and data flows, rather than from isolated technical vulnerabilities.</p> Oludolamu Ademola Onimole Austin James Denzel A. Pryor Angel-Khalil Jones Xavier Palmer Lucas Potter Jude Osamor Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 589 599 10.34190/eccws.25.1.4868 Mapping the Authentication Landscape: A User-Centric View https://papers.academic-conferences.org/index.php/eccws/article/view/4686 <p>Authentication is the frontline security control that protects the digitalised society—and paradoxically, it is also the most frequently exploited in breaches. As online services permeate every aspect of life, from banking and healthcare to workplace systems, authentication has become a critical safeguard for citizens and organisations.
Yet, the complexity of managing multiple credentials and diverse authentication methods introduces vulnerabilities that attackers routinely exploit. Despite this, research has often examined authentication in isolation—focusing on single methods or user behaviours—without considering the broader ecosystem users navigate daily. This paper reframes authentication as an authentication landscape, a multidimensional environment encompassing all features and experiences users encounter when accessing digital systems. Through a systematic literature review of 43 peer-reviewed articles from leading Information Systems, Cybersecurity, and Human-Computer Interaction journals, we identify ten key features shaping this landscape: (1) services and systems, (2) diversity of methods, (3) guidance and restrictions, (4) devices, (5) security products, (6) use context, (7) culture and relationships, (8) user responsibilities, (9) accessibility, and (10) threat outlook. Our analysis reveals that authentication complexity—driven by proliferating accounts, evolving technologies, and inconsistent policies—creates fertile ground for security lapses. Different aspects of the landscape may lead users to trade security for convenience, adopt risky coping strategies, or struggle with contradictory guidance, amplifying systemic vulnerabilities. The implications are urgent: strengthening authentication cannot rely on piecemeal improvements to individual methods when advances in technology demand a comprehensive readjustment. Designers, policymakers, and security professionals must address the authentication landscape holistically to reduce attack surfaces and enhance resilience. Future research can operationalise the identified features to study users’ landscape perception. For practice, this perspective informs the design of authentication systems and awareness programs that align with users’ lived realities. 
By recognising authentication as a complex, interconnected landscape, we advance the discourse toward strategies that safeguard not just individual accounts but the integrity of the digital society itself.</p> Hanna Paananen Naomi Woods Steven Furnell Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 600 606 10.34190/eccws.25.1.4686 Predicting Sabotaged Open-source Libraries https://papers.academic-conferences.org/index.php/eccws/article/view/4601 <p>Open-source software provides free and publicly available software maintained by the open-source community. The variety of contributors creates an environment conducive to the intentional and unintentional introduction of software bugs by participating organizations. Enemy nation-states and independent hackers can exploit these attack vectors to gain access to industry and government systems. Repositories of known vulnerabilities and tools to check vulnerable versions and analyze code exist, but realistically, reviewers can miss issues within many repositories due to constant updates and technological advances. Hence, this research investigates an alternative, non-code-based method for identifying high-risk repositories using repository metadata and commit history, which, when coupled with machine learning, enables us to identify at-risk repositories at rates above 60%. This was achieved using a dataset composed of 41,710 repositories. The contribution of this research is twofold. First, it presents an empirical evaluation of the viability of a non-code-based analysis approach to detecting high-risk, i.e., potentially compromised code repositories. 
Second, it provides foundational research for non-code-based filtering of open-source repositories, potentially accelerating software investigations and reducing resource requirements.</p> Alexander Petty William Glisson Ryan Benton Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 607 615 10.34190/eccws.25.1.4601 Privacy Under Pressure: Assessing Online Commercial Surveillance Countermeasures and Gaps https://papers.academic-conferences.org/index.php/eccws/article/view/4688 <p>Ubiquitous technical surveillance is reshaping the modern information environment. Commercial web-tracking technologies have evolved into a pervasive technical surveillance infrastructure, enabling the large-scale collection of data from everyday activities as people participate in modern society. With sufficient analysis, this data can reveal sensitive information, posing risks to individuals, organizations, and national security. Several software packages exist to limit the exposure of personal information collected online. In recent years, laws and regulations, such as the GDPR and CCPA, have been implemented to help users protect their personal information, with varying degrees of success. This paper examines the recent scholarly literature on web tracking and commercial surveillance techniques. We then synthesize these studies to outline the methods that enable large-scale commercial surveillance on the Internet. Then, we analyze countermeasures designed to limit commercial data exposure, specifically assessing their effectiveness, technical constraints, and operational challenges. Our analysis reveals gaps in existing countermeasures and identifies opportunities for both technical and policy-based improvements to mitigate vulnerabilities introduced by commercially available information.
These findings clarify the limitations of current web browser defenses and provide researchers and policymakers with directions on where further effort and investment are most needed.</p> Christian Preti Nicholas Harrell Alexander Master Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 616 625 10.34190/eccws.25.1.4688 From Evidence to Decisions: Interview-Based Study of Reporting Practices in Defensive Cyber Operations https://papers.academic-conferences.org/index.php/eccws/article/view/4839 <p>Defensive cyber operations (DCO) missions demand rapid decision-making under active digital threats. Established doctrine and industry standards provide technical procedures for handling incidents. However, they offer little guidance on how reporting artifacts, such as data analytics, visualization, and briefs, are produced, adapted, and communicated for decision-making. To address this gap, we conducted an empirical investigation of reporting practices in DCO through semi-structured interviews with 15 cybersecurity practitioners (managers, analysts, infrastructure technicians, and developers) engaged in incident response and threat hunting. We derived a three-dimensional model of the reporting lifecycle, structured around reporting roles, purpose, and operational timeline, that characterizes how network data and analytic outputs are represented in reporting artifacts such as templates, risk matrices, and briefs under time pressure and organizational constraints. Our findings highlight how reporting is shaped by trust, audience language, and the balance of standardized and flexible templates.
We point to the need for traceability-linked modules, audience-aware data analytics and visualization tools, and playbooks that incorporate reporting artifacts with flexible guidance in DCO.</p> Justin Raynor Bijesh Shrestha Cody Dunne Melanie Tory Lane Harrison Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 626 635 10.34190/eccws.25.1.4839 Cybersecurity Entry Points to the Energy Sector and Their Time-To-Compromise https://papers.academic-conferences.org/index.php/eccws/article/view/4672 <p>Digitalisation has increased the cybersecurity vulnerability of critical sectors. It is essential to improve and gain knowledge of these sectors to minimise the risk of successful cyber-attacks. The energy sector is a vital part of society since infrastructures, such as healthcare and transportation, rely on it. Cyber warfare targeting the energy sector can cause severe consequences. The energy system consists of many distributed parts for generation, transmission, distribution and consumption of electricity. A digital energy system also consists of Advanced Metering Infrastructures (AMIs), Electric Vehicle Charging Systems (EVCSs) and other smart grid components. This makes it difficult to gain an overview of where the energy system is the most vulnerable and where cybersecurity defence measures should be prioritised. In this paper we outline the most vulnerable cybersecurity entry points to energy systems by analysing the known vulnerabilities. We compile a dataset of vulnerabilities within the energy systems domain based on Common Vulnerabilities and Exposures (CVEs) of the Industrial Control System (ICS) advisories from the Cybersecurity and Infrastructure Security Agency (CISA) for the energy sector. Thereafter, we focus on the 2717 vulnerabilities with the attack or access vector “Network”, which indicates vulnerabilities that are exploitable via cyber-attacks.
The dataset is categorised based on the type of vulnerability and the Smart energy Grid Architecture Model (SGAM) domain that it belongs to. With the dataset we are able to estimate the Time-To-Compromise (TTC) for different types of vulnerabilities and domains of the energy system. The dataset also allows for other conclusions, for instance that the most commonly found type of vulnerability is due to web-based weaknesses. Furthermore, the SGAM domain in which most vulnerabilities are found is the Customer Premises. TTC values are used to assess the cybersecurity of systems to make more informed decisions about where to prioritise defence measures. The values can be added to risk assessments, such as threat modelling frameworks and attack graphs, to estimate which entry point an attacker is most likely to target.</p> Engla Rencelj Ling Göran Ericsson Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 636 644 10.34190/eccws.25.1.4672 Digital State Erasure: Data as Both a Target and a Vector of Political and Military Influence https://papers.academic-conferences.org/index.php/eccws/article/view/4604 <p>Modern states increasingly rely on digital infrastructures and critical data for continuity, governance, and societal resilience. As national functions become more and more digitalized, the accumulation of sensitive data increases data-related risks, including hostile interference and exploitation. This paper introduces the concept of digital state erasure as an analytical framework, defined as the deliberate destruction, manipulation, or strategic exploitation of a nation’s critical data in ways that undermine its ability to govern, provide services, authenticate its population, or defend itself. Unlike conventional cyberattacks, digital state erasure targets datasets whose compromise can dissolve a state’s operational capacity and institutional coherence.
Drawing on critical data studies, this paper conceptualizes critical national data as three interlinked categories and demonstrates how disruptions in either the target or vector dimension can cascade across national systems. This paper further argues that control over critical data constitutes the foundation of state authority and continuity in cyberspace. Losing that control risks digitally erasing a state, even in the absence of conventional military conflict.</p> Mari Ristolainen Veikko Siukonen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 645 652 10.34190/eccws.25.1.4604 A Framework for Privacy-Preserving Data Analytics Using Differential Privacy https://papers.academic-conferences.org/index.php/eccws/article/view/4623 <p>This paper presents a comprehensive privacy-preserving analytics framework that embeds differential privacy principles across the entire data lifecycle, from collection and preprocessing to analysis, interaction, and output generation. Unlike approaches that simply apply existing differential privacy libraries, the proposed platform emphasizes end-to-end integration, ensuring that privacy guarantees are continuously maintained throughout the analytical process. An adaptive privacy management layer dynamically regulates privacy budgets and mechanisms based on data sensitivity, analytical objectives, and real-time system conditions, enabling a balanced trade-off between privacy protection and analytical utility. The framework also supports real-time privacy-preserving analytics, demonstrating that strong confidentiality measures can coexist with responsive and practical data-driven decision-making. A proof-of-concept prototype demonstrates the architecture's feasibility and illustrates its applicability to high-sensitivity domains that require rigorous privacy assurances.</p> Huwida E. Said Qusay H. 
Mahmoud Neema Prakash Asma Almarzooqi Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 653 663 10.34190/eccws.25.1.4623 LLM-Assisted Forensic and Compliance Auditing for Public Sector Organizations https://papers.academic-conferences.org/index.php/eccws/article/view/4707 <p>From an IT perspective, modern organizations often exhibit a dichotomy between day-to-day operational practice and formal policy enforcement for security, quality, and regulatory compliance. Reconciling these dimensions remains challenging, particularly in large-scale infrastructures that generate high-volume, heterogeneous, and unstructured data, while relevant policies and standards are typically expressed in natural language and therefore difficult to translate into actionable rules and automated compliance checks. This paper presents FOCUS-PA, a project that develops methods and tools to strengthen digital forensics and continuous auditing for compliance management in the Public Administration (PA) sector. FOCUS-PA delivers a Forensic and Compliance Auditing (FCA) platform tailored to public-sector environments, explicitly accounting for the specific characteristics of administrative information systems, their data sources, workflows, and domain-driven legal and privacy constraints. The platform is designed for the continuous ingestion and analysis of operational data, enabling both ongoing compliance monitoring and the forensic investigation of security incidents. To address these requirements, FOCUS-PA introduces an agentic framework that leverages Large Language Models (LLMs) via a Retrieval-Augmented Generation (RAG) approach. By adopting the Model Context Protocol (MCP), the platform provides a unified mechanism to connect natural-language policy documents with structured operational logs, supporting consistent interpretation, correlation, and evidence-driven auditing. 
A central contribution of FOCUS-PA is reducing the cost of security policy engineering in compliance-auditing solutions. Today, experts must translate regulatory texts and internal procedures into machine-readable specifications, a process that is slow, expensive, and quickly becomes outdated as policies and regulations evolve. We investigate how large language models (LLMs) can help extract and structure policy specifications from unstructured documents (e.g., procedure manuals) and observed operational data, facilitating their conversion into machine-verifiable rules (“Policy as Code”). This approach aims to accelerate policy onboarding and maintenance and to enable the timely adoption of emerging regulations and standards (e.g., NIS2) by streamlining the translation of high-level requirements into actionable compliance checks. We detail requirements for PA deployments and LLM-assisted policy engineering, describe the platform architecture and implementation, and discuss integration aspects, demonstrating how FOCUS-PA can improve compliance governance and accelerate incident investigation through scalable analytics and expert-supervised automation.</p> João Santos Rodrigo Correia Jesús Betancourt Tiago Cruz João Henriques Filipe Caldeira Paulo Simões Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 664 671 10.34190/eccws.25.1.4707 What Motivates Cyberattacks: Lack of Consequences or Abundance of Attack Vectors? https://papers.academic-conferences.org/index.php/eccws/article/view/4902 <p>This study examines whether cyber-attacks are motivated by attacker impunity due to lack of deterrence or ease-of-attack due to offense dominance. We empirically measure whether ease-of-attack, measured through Common Vulnerabilities and Exposures (CVEs), drives cyberattack activity.
Using global CVE and cyberattack data from 2000 to 2024, we find a statistically significant—though modest—correlation, with the strongest alignment appearing at a one-year lag. This suggests attackers typically take about a year to exploit new vulnerabilities. The findings lend conditional support to deterrence-by-denial, indicating that reducing vulnerabilities can meaningfully influence adversaries.</p> Matthias Schulze Florian Erdle Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 672 681 10.34190/eccws.25.1.4902 Testing ML-KEM Implementations for Side-Channel Vulnerability: The Airtight Framework https://papers.academic-conferences.org/index.php/eccws/article/view/4907 <p>As quantum computing advances toward operational capability, traditional public-key communication schemes are becoming obsolete. Algorithms like Rivest-Shamir-Adleman and Elliptic Curve Cryptography cryptosystems, foundational to current secure communications, are vulnerable to Shor’s algorithm, which can efficiently factor and compute discrete logarithms once large-scale quantum systems emerge. In anticipation of this threat, the National Institute of Standards and Technology (NIST) has standardized the Module-Lattice Key Encapsulation Mechanism (ML-KEM), derived from the Crystals KYBER family, as a post-quantum cryptographic (PQC) solution designed to secure communications against both classical and quantum attackers. However, while ML-KEM’s lattice-based cryptographic system provides provable resistance to cryptanalytic attacks, its real-world implementations are susceptible to side-channel attacks (SCA). These attacks, which exploit timing variations, power consumption, or electromagnetic emissions, bypass the algorithm’s theoretical security by extracting secret keys from physical leakage.
Even as cryptographic design moves beyond quantum threats, physical-layer vulnerabilities reintroduce risk at the hardware level. These physical-layer security vulnerabilities are a looming threat to future PQC security. Given the dangers posed by correlation power analysis, cryptographic programs must be implemented to mitigate these vulnerabilities, or else the increased security provided by PQC methods will be in vain. In this paper, we assert that the secure adoption of PQC in defense communication systems demands accelerated implementation of ML-KEM within secure communication protocols to ensure post-quantum readiness and rigorous evaluation of its side-channel resilience through experimental validation and countermeasure integration. We survey recent research into ML-KEM side-channel resistance, identify existing countermeasure frameworks (masking, constant-time operations, noise injection), and propose Airtight: a framework for standardized testing of secure communication methods.</p> Isaiah Seals Douglas Hodson Mark Reith Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 682 690 10.34190/eccws.25.1.4907 Satellite Cyber Security Assurance Framework – Assured Unified SPARTA-COSMOS2 Assessment Notation (AUSCAN) https://papers.academic-conferences.org/index.php/eccws/article/view/4738 <p>Satellite systems present unique cyber security challenges that distinguish them from conventional IT infrastructure. Once deployed, physical intervention is virtually impossible, leaving operators unable to patch, repair, or replace compromised hardware in orbit. These systems operate under severe constraints in power, processing capability, and bandwidth, limiting the complexity of onboard security measures. 
Furthermore, the growing integration of commercial off-the-shelf components and IP-based networking has significantly expanded the attack surface, while the increasing dependence of critical sectors on space-based assets has elevated the consequences of a successful attack. Despite these unique risk characteristics, current assessment approaches often treat space systems as standard IT networks, failing to account for the architectural context in which threats occur. Existing cyber security frameworks address either threat identification or architectural classification, but not both simultaneously. SPARTA provides a comprehensive taxonomy of space-specific Tactics, Techniques, and Procedures (TTPs), while COSMOS2 defines the architectural segments of space missions. However, no standardised method currently exists to quantify risk at the intersection of these two frameworks. To address this gap, this paper proposes AUSCAN (Assured Unified SPARTA-COSMOS2 Assessment Notation), a quantitative, segment-aware risk assessment framework. AUSCAN synthesises SPARTA's threat intelligence with COSMOS2's architectural segmentation and applies NIST FIPS 199 impact standards to assign criticality weights to each mission segment. The resulting risk scores are aligned with NASA NPR 8000.4C governance directives to enable actionable decision-making. A hypothetical Ground Segment command injection scenario is used to validate the framework. The results demonstrate that AUSCAN effectively quantifies the impact of security control maturity on risk, reducing the score from 38.4 (Medium/Yellow) to 9.6 (Low/Green) when verified mitigations are applied. This research makes three contributions to space cyber security. First, it establishes a quantitative methodology that integrates SPARTA threat intelligence with COSMOS2 architectural segmentation, grounded in NIST FIPS 199 impact standards. 
Second, it introduces segment-aware risk scoring, ensuring that identical threats are assessed differently depending on whether they target a recoverable ground station or an irrecoverable satellite. Third, through the inclusion of dynamic vulnerability factors, the framework is adaptable to missions with varying criticality profiles and risk appetites.</p> Sam Seo Jill Slay Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 691 699 10.34190/eccws.25.1.4738 A Framework for Automated STIG Compliance for Navy Ships https://papers.academic-conferences.org/index.php/eccws/article/view/4692 <div><span lang="EN-GB">Historically, U.S. Navy ships have faced challenges in meeting the requirements of Cybersecurity Inspections (CSIs), with persistent Security Technical Implementation Guide (STIG) compliance gaps as a major contributing factor. Ships have relied on manual remediation processes that are often time-consuming and error-prone, given IT staff and operational constraints. Existing STIG automation tools do not address unique afloat challenges, such as intermittent connectivity, diverse network architectures, integration with cyber-physical systems, and split authorities between ship and Program of Record (PoR) managers. Commercial tools like SteelCloud ConfigOS, Ansible Automation Platform, and Microsoft PowerSTIG demonstrate automation feasibility in traditional enterprise environments, but do not adequately accommodate maritime operational realities, where ships undergo extended periods of limited network connectivity. This research developed an automated STIG compliance toolkit framework to address maritime constraints by systematically analysing existing tools, identifying cybersecurity capability gaps, and deriving requirements from documented CSI deficiency patterns and operational constraints. 
The framework's modular design includes asset discovery with coverage validation, compliance assessment with baseline deviation detection, risk-stratified automated remediation, and human oversight through Information Systems Security Manager (ISSM) decision support, while respecting authority boundaries between shipboard IT teams and PoR managers. Validation of the framework employed requirements traceability analysis, mapping 48 requirements to design components; workflow analysis, tracking data flow through representative compliance scenarios; and engagement with cybersecurity specialists at Naval Information Warfare Center Pacific to evaluate operational feasibility. The results confirmed the framework's validity and practicality while revealing that organizational factors beyond technology, including formal sustainment authority assignment, improvements in PoR baseline documentation processes, and enhanced network inventory data quality, are essential to successful framework deployment. The framework provides a comprehensive requirements baseline, modular architecture supporting platform diversity, and authority-aware decision logic that preserves operational safety. Future work on this research will include developing a system prototype, integrating machine learning for predictive risk management, and expanding research to examine additional CSI improvement factors.</span></div> Margaret Graves Alan Shaffer Gurminder Singh Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 700 707 10.34190/eccws.25.1.4692 Beyond Missiles and Marines: A Multidomain Strategy for Deterring a PRC Invasion of Taiwan https://papers.academic-conferences.org/index.php/eccws/article/view/4721 <p>The People’s Republic of China (PRC) poses a critical challenge to regional stability and U.S.
security interests, advancing a strategy of Unrestricted Warfare that outpaces traditional battlefield engagements. A Taiwan crisis may unfold through cyberattacks, economic coercion, and disinformation designed to fracture alliances and erode public trust long before the first missiles are launched. If U.S. deterrence remains narrowly focused on kinetic superiority, it risks failing to leverage an Inverse Unrestricted Warfare Framework which—combined with <em>U.S. Marine Corps Force Design 2030 (commonly referred to as “Force Design”)</em>—offers a multidomain approach that mirrors and counters the PRC’s own tactics. This paper proposes a multidomain strategy to deter a PRC invasion of Taiwan through a cohesive framework that applies the logic of Unrestricted Warfare against the PRC itself. The framework consists of five mutually reinforcing lines of effort: Military Denial Through Distributed Operations; Non-Kinetic Domain Deterrence; Cognitive and Informational Maneuver; Asymmetric Disruption and Escalation Options; and an Integrative Principle of Preemptive and Parallel Shaping. Beyond kinetic means, the framework emphasizes cyber resilience, legal warfare, and economic pressure as critical tools for shaping the pre-invasion battlespace. The result is a layered deterrence strategy that combines denial, cost imposition, and delegitimization, leveraging the PRC’s own tactics against it to impose strategic costs. 
An Inverse Unrestricted Warfare framework integrates military innovation with non-kinetic resilience, ensuring <em>Force Design</em> enables deterrence that is credible, adaptive, and global—preventing conflict before it begins and safeguarding Taiwan’s future.</p> Timothy Shives Rose Kingham Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 708 714 10.34190/eccws.25.1.4721 Operationalizing Cyber in Multi-domain Operations: A Kill-Chain-Centric Approach for Cyber Strike Packages https://papers.academic-conferences.org/index.php/eccws/article/view/4828 <p>This paper examines the challenge of integrating cyber capabilities into NATO Multi-Domain Operations (MDO) at the operational level. While doctrine emphasizes convergence across domains, cyber is not consistently incorporated into execution processes, particularly within the joint targeting cycle. Drawing on a NATO-aligned instructional vignette and student planning exercises, this study proposes a kill-chain-centric framework using Cyber Strike Packages (CSPs) to synchronize cyber effects with other domains. Observations from the instructional environment indicate that cyber capabilities are frequently underutilized or misaligned with operational timelines when planners lack a structured integration framework. Application of the CSP model improved alignment between cyber effects, targeting decisions, and cross-domain coordination. The findings suggest that cyber integration is primarily a problem of structure and timing rather than capability alone. In particular, planners struggled to align cyber preparation timelines with rapid operational decision cycles. 
The proposed framework addresses this challenge by organizing cyber effects around target, timing, effect, and assessment within the kill chain. The paper concludes that improving cyber integration in NATO operations does not require entirely new doctrine, but more effective incorporation of cyber into targeting processes, planning timelines, and operational decision-making.</p> Timothy Shives William Stegner Elizabeth Pham Lieuwe Jan Hiemstra Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 715 725 10.34190/eccws.25.1.4828 Toward Identifying Role-Aligned AI Governance Needs in Mixed-Trust Environments https://papers.academic-conferences.org/index.php/eccws/article/view/4710 <p>The rapid emergence of AI is driving governance challenges in security-sensitive organizational settings. For example, deploying AI in these contexts typically requires embedding automated or semi-automated decision-making into mixed-trust environments characterized by legacy systems, uneven access to and visibility into governance-relevant artifacts, and strict operational, security, and compliance constraints. In such environments, governance decisions, system design, and day-to-day operations are often handled by distinct organizational roles, leading to different expectations and dependencies among stakeholders. Despite growing work on AI governance, there is limited, role-specific guidance that clarifies what governance leaders and oversight bodies should require, what engineers and implementers must ensure, and what operators and system administrators can rely on when deploying and operating AI in mixed-trust environments. This leaves organizations without a shared basis for translating general governance principles into concrete deployment requirements, compliance controls, risk assessments, and ongoing operational accountability. 
Current and emerging AI governance and risk management frameworks largely provide lifecycle-based approaches to AI risk, establishing a common vocabulary and baseline for AI use within organizations. However, they provide limited guidance on how responsibilities should be interpreted and enacted across organizational roles, particularly in constrained, security-sensitive deployments. In this paper, we analyze widely adopted AI governance and risk-management frameworks and prior synthesis literature through the lens of three stakeholder layers: governance leaders and oversight bodies; engineers and implementers; operators and system administrators. For each layer, we examine what current frameworks explicitly and implicitly address and where role expectations remain underspecified. Building on this analysis, we propose an initial set of role-aligned governance needs and highlight cross-cutting socio-technical factors that shape the enactment of AI governance in practice. The goal is to inform future research, policy work, standards development, and operational planning by moving AI adoption in mixed-trust contexts from aspirational frameworks toward practical, accountable, and auditable implementations.</p> Bijesh Shrestha Nicholas Harrell Matthew Corbett Michael Quigg Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 726 735 10.34190/eccws.25.1.4710 Data Governance Frameworks for Enabling Responsible AI in Small, Medium, and Micro Enterprises: A Systematic Literature Review https://papers.academic-conferences.org/index.php/eccws/article/view/4711 <p>Disruptive technologies such as Artificial Intelligence (AI) have brought about changes in how organisations function. 
AI has been adopted in various industries, ranging from smart energy, smart transportation and smart health (such as cancer treatment) to managing automated cybersecurity threats and responding to sophisticated cyber threats. This presents opportunities and challenges as small, medium and micro enterprises (SMMEs) are also adopting AI to drive innovation, efficiency, and competitiveness. When compared to large organisations, SMMEs often lack the resources, expertise, and infrastructure necessary to implement comprehensive data governance frameworks, which are essential for responsible AI deployment. This study aims to investigate how data governance frameworks can enable responsible AI practices, specifically within the context of SMMEs. This study adopts a systematic literature review in which the PRISMA framework is used to extract information on the data governance principles, challenges and opportunities that SMMEs can use for responsible AI. This study's findings reveal that effective governance plays a critical role in the adoption of AI within SMMEs. Existing data governance frameworks provide guidance, even though they are complex, which is a limitation for SMMEs. This study highlights the opportunities that data governance frameworks offer SMMEs in enabling responsible AI. This study also reveals the need for a universal data governance framework.</p> Nokuthaba Siphambili Norman Nelufule Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 736 744 10.34190/eccws.25.1.4711 A Double-Edged Sword: How Lab Cameras may Enable Cyber Deception in Biosecurity https://papers.academic-conferences.org/index.php/eccws/article/view/4734 <p><span style="font-weight: 400;">Cameras keep individuals and assets safe by monitoring behavior, configurations or indications of concern. 
Cameras are utilized throughout daily life, supporting lifestyles and the wider domestic, civil, industrial and laboratory infrastructure. Cameras monitor plants in controlled experiments, capturing images analyzed by AI to decide when to provide water or nutrients. This setup sounds efficient and reliable but introduces new risks. Internet-connected cameras can be hacked. If that happens, an attacker could fake the footage, hiding an intruder entering a high-security lab or tricking an automated system, like the AI-powered machine above, into damaging crops. A tool meant to protect can easily turn into a threat. This paper explores how lab cameras act as both protectors and sources of risk in biosecurity laboratories. We combine research papers and real-world examples in a narrative review to understand how these systems are used and where they fail. We classify risks ranging from weak software and unprotected networks to tampered camera feeds and flawed security updates. Alongside this taxonomy, we discuss solutions such as better network isolation, automated checks for altered footage, and stronger device verification protocols. This review reveals that current research often treats cybersecurity and biosecurity as separate fields, leaving a critical gap where these domains overlap. Relatively few studies have examined how deceptive camera data could disrupt lab operations, cause security breaches, or lead to worse outcomes. Furthermore, few have examined the intersection of biosecurity, cyber-physical security, and cybersecurity. By connecting these domains, this paper highlights the necessity for an integrated approach to improve camera safety and reliability in laboratories. Implementing stronger standards and security practices is essential to prevent these vital devices from becoming vulnerabilities rather than assets. 
Integrated security efforts can benefit from closer inclusion of camera functions, uses, and forensics.</span></p> Rachid Soro Lucas Potter Xavier Palmer Michaela Barnett Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 745 753 10.34190/eccws.25.1.4734 Targeting the Human Factor: OSINT in Healthcare https://papers.academic-conferences.org/index.php/eccws/article/view/4561 <p>Patients increasingly report that physicians spend more time on the computer than on their examination. While digitalisation is a necessary development in healthcare, it unfolds in a sector constrained by shortages of medical and administrative staff, outdated software and technical infrastructure within the facilities, and uneven levels of digital literacy among medical staff, with the vision of fully paperless healthcare still largely unrealised. At the same time, healthcare has become a target of frequent and sophisticated cyberattacks. In the pursuit of a data-driven society, healthcare faces growing demands for efficiency of the care provided, interoperability, and timely access to patient data through eHealth solutions. The adoption of emerging technologies, including diagnostic LLMs, is often initiated by medical professionals, sometimes without the supervision of IT departments or security teams. As a result, digital transformation increasingly relies on healthcare staff who embrace expanded operational, managerial, and digital responsibilities. This evolution significantly increases the human digital footprint of healthcare professionals and broadens the potential attack surface. As an essential sector under current cybersecurity frameworks, healthcare operates across both professional and private cyberspace. While cybersecurity measures may be implemented by employers during working hours, responsibility for security in private contexts largely depends on individual healthcare workers. 
Open-Source Intelligence (OSINT) techniques can exploit publicly available data related to professional tasks, online behaviour, and leisure activities, often revealing sensitive insights into clinical practices and personal routines of healthcare staff. From a cybersecurity perspective, healthcare can be perceived as a supply chain in which general practitioners frequently serve as the first point of contact. Due to their limited technical and financial resources, they may represent a structurally vulnerable link within this chain. Although cyber incidents affecting large hospitals attract greater media attention, smaller healthcare providers experience similar threats, which—given the interoperability vision—can have severe implications for the broader healthcare chain. This paper therefore examines OSINT-based human targeting of general practitioners and discusses how the information obtained can be leveraged in cyber operations against the healthcare sector.</p> Marie Soukupová Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 754 760 10.34190/eccws.25.1.4561 Lost at Sea: GPS Spoofing Threats to Maritime Shipping https://papers.academic-conferences.org/index.php/eccws/article/view/4916 <p>As global shipping increasingly depends on Global Navigation Satellite Systems (GNSS), cybersecurity threats that target maritime navigation systems have rapidly become a growing concern. Maritime GPS spoofing has significant implications for global trade and safety as false position data can lead to route deviations, collisions, or even cargo theft. To gain a better understanding of these risks, this research analyzes real-world datasets to determine how spoofed signals can influence vessel navigation accuracy under different signal-to-noise conditions. 
By analyzing real-world AIS and GNSS logs, the study identifies localized anomalies consistent with spoofing or interference. This research investigates GPS spoofing attacks on commercial vessels and assesses real-world vulnerabilities to propose and develop effective countermeasures. Using data collected from Automatic Identification System (AIS) and GNSS receiver logs, the study measures the impact of spoofed signals on ship positioning accuracy and identifies potential weaknesses in onboard navigation procedures. The project also explores policy and training aspects by proposing updated cybersecurity protocols for ship crews and recommending that maritime authorities integrate spoofing detection into standard navigation safety audits. Based on this analysis, the project proposes low-cost detection and mitigation strategies, which include anomaly detection indicators and onboard incident response frameworks. The findings aim to improve awareness of GPS spoofing risks, strengthen maritime cybersecurity policy, and provide training guidelines for ship operators to reduce the likelihood of navigation manipulation, hijacking, and information theft. Ultimately, this research aims to contribute to the broader understanding of how cyberattacks intersect with physical infrastructure in the maritime domain. It emphasizes that cybersecurity at sea is not only a technical challenge but also an organizational and policy issue requiring coordinated international action. 
The outcomes are expected to strengthen industry resilience, improve situational awareness, and support the development of comprehensive maritime cybersecurity frameworks that safeguard both economic and human interests.</p> Sandali Srivastava Shaunak Srivastava Nithya Vemuri Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 761 767 10.34190/eccws.25.1.4916 Significance of Biological Design-based Strategies Towards Sustainability and Security in Space Biology Research: A Partial Taxonomy and Exploration https://papers.academic-conferences.org/index.php/eccws/article/view/4896 <p>Biological design offers a promising framework for addressing the sustainability and security challenges associated with long-duration space exploration. By drawing upon biological principles such as resource cycling, modularity, hierarchical feedback, self-repair, and adaptive response, biological design can support the development of regenerative life-support systems, resilient infrastructure, and closed-loop operational architectures beyond Earth. As biological and digital systems become increasingly integrated within future mission environments, however, new cyberbiosecurity challenges emerge at the interface between living systems, automation, artificial intelligence, and cyber-physical infrastructure. This perspective paper examines the role of biological design in advancing sustainable and secure space biology. Through an exploratory review of relevant literature and the development of a partial taxonomy of biological design domains, the paper evaluates applications including autonomous biosafety, space bioprocess engineering, in-situ biomanufacturing, biologically grown architecture, and astro-ecological systems. 
Particular attention is given to Digital-to-Biological Attack Vectors, defined as pathways through which compromise of digital systems may produce unintended biological consequences within mission-critical environments. The paper proposes that biological design should be considered both a sustainability strategy and a cyberbiosecurity imperative for future deep-space missions. By integrating biological resilience with secure digital architectures, biological design can contribute to the development of adaptive, regenerative, and cyber-resilient extraterrestrial ecosystems capable of supporting long-term human presence beyond Earth.</p> Aswati Subramanian Xavier-Lewis Palmer Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 768 774 10.34190/eccws.25.1.4896 Hybrid Threats against the Finnish Society: Reported by YLE News https://papers.academic-conferences.org/index.php/eccws/article/view/4831 <p>Hybrid operations aim at malicious political outcomes in targeted states and societies through strategic deception and the shaping of civic opinion. Some common hybrid threats are cyber-attacks on critical systems and disruptions of critical services, e.g. healthcare or rescue services. This study looks at how hybrid threats are communicated in mainstream Finnish media. The Finnish public broadcasting company YLE was chosen as the data source because it has a legal obligation to communicate issues without prejudice. This also makes it possible to conduct a future comparative study by selecting similarly relevant national news feeds from other countries. The sample of 57 news articles from the YLE English language news feed, published between 2022 and 2025, discusses hybrid threats. These articles in English were chosen for text analysis with Modeller 18.5 software, which does not understand Finnish. 
Results identify "hybrid impact" as the most used term, with 27 articles mentioning it, while 15 articles mention "hybrid threats" and "hybrid warfare". Analysis of co-occurrences reveals substantial links between government actions, security institutions, and Russia as a major geopolitical actor. The findings indicate that hybrid threats are multifaceted challenges that require coordinated national and international responses. The study helps comprehend how media portrays hybrid threats and suggests the need for more research using native language analysis and broader media sources. The study identifies the frequency and boundaries of key terms related to hybrid threats, in particular hybrid impact, hybrid threats, and hybrid warfare, in YLE news coverage. The analysis of co-occurrence patterns and conceptual connections in the sample texts reveals how hybrid threats are related to actors, institutions, and geopolitical contexts. The scientific contribution of this study is a deeper understanding of how media contribute to and shape public awareness and understanding of hybrid threats and national responses in Finland; the practical contribution of the study is its insights into hybrid threats and its suggestions on responses and future research directions.</p> Ilkka Tikanmäki Jarmo Heinonen Harri Ruoslahti Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 775 781 10.34190/eccws.25.1.4831 ECUInjector: An Automotive ECU Security Analysis Tool https://papers.academic-conferences.org/index.php/eccws/article/view/4704 <p>Electronic Control Units (ECUs) are responsible for a significant number of systems in modern day vehicles. If these systems are compromised, the resulting attacks will lead to road accidents. Therefore, increased adoption of these systems has significantly widened vehicle attack surfaces. 
As a result, it is important to devise methods of identifying and investigating vulnerabilities within automotive control systems, allowing them to be patched before they are exploited by an attacker. To this end, we present <em>ECUInjector</em>, an open-source application designed to assist in the discovery of vulnerabilities within diagnostic interfaces and ECU communications. The software is designed in a modular way, allowing it to be universal across ECU vendors, and provides the ability to communicate via vehicle diagnostics buses and to build vulnerability detection tools that can assist in locating potential weaknesses. We also describe some of our own applications of the software to communicate with and analyse various ECUs.</p> James Todd Aidan Grant Tim Muller Xavier Carpent Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 782 791 10.34190/eccws.25.1.4704 Officers' Perceptions on Cyberwarfare Enhanced with Artificial Intelligence https://papers.academic-conferences.org/index.php/eccws/article/view/4579 <p>The use of artificial intelligence (AI) in both cyberwarfare and conventional warfare is increasing, as is the debate over its ethical acceptability. At the same time, technological development is shaping our perceptions of the character of war. Military decision-makers play a central role in the development and employment of artificial intelligence and cyber power in warfighting. To understand the ethical considerations surrounding the use of these emerging technologies, it is vital to examine military decision-makers’ perceptions of the topic. This paper presents the results of surveys conducted among students of the Finnish General Staff Officer Course in 2023 and 2025. 
The surveys specifically aimed to evaluate officers’ attitudes toward the acceptability of employing artificial intelligence and developing cyber warfare capabilities within military operations. The study sought to clarify how officers conceptualise these topics within military thinking and how this understanding shapes future cyber warfare. The main results indicate that officers strongly support using artificial intelligence for demanding military tasks, provided human involvement in decision-making (Human-on-the-Loop) is retained. Respondents were sharply divided on the likelihood of war occurring solely in cyberspace in the near future. Overall, military necessity remains the main consideration shaping attitudes toward AI's military use.</p> Maija Turunen Maria Keinonen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 792 799 10.34190/eccws.25.1.4579 Intrusion Detection System for Software-defined Satellite Networks https://papers.academic-conferences.org/index.php/eccws/article/view/4687 <p>Software-defined networking (SDN) has been proposed as a potential enabler of programmability, flexibility, and dynamic resource allocation in satellite network environments. Despite the benefits, SDN introduces cybersecurity risks to satellite networks, such as controller compromise, flow rule manipulation, and distributed denial-of-service (DDoS) attacks. To address these challenges, this paper explores intrusion detection mechanisms based on anomaly detection techniques in machine learning for detecting cyberattacks in software-defined satellite networks (SDSNs). To support experimentation with the different IDS approaches, an SDSN simulation platform was used to simulate a Walker-Delta satellite constellation for the Earth observation use case. 
This simulation enables experimentation with solutions that take into consideration the dynamic inter-satellite links (ISLs) and network topology, which most existing IDS solutions ignore. The IDS is implemented on a POX controller leveraging the southbound interface capabilities provided by OpenFlow. The paper reports on the different classification techniques investigated for the IDS, namely Random Forest, Support Vector Machine, k-nearest neighbour (KNN), convolutional neural network (CNN) combined with Long Short-Term Memory (LSTM), and multidimensional Matrix Profile. While prior work has demonstrated the efficacy of machine learning and deep learning approaches for SDN, this work further validates the efficacy of these approaches in the context of the dynamic topologies characteristic of satellite networks.</p> Uakomba Uhongora Mamello Thinyane Yee Wei Law Jill Slay Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 800 809 10.34190/eccws.25.1.4687 Supervised Classification of Cloud Workload Behavior Using Out-of-Band Performance Metrics https://papers.academic-conferences.org/index.php/eccws/article/view/4605 <p>Technological advances have significantly improved the flexibility, scalability, and efficiency of computing resource utilization. The adoption of orchestration systems to manage virtual containers is one such example. In these environments, containers can be deployed for the duration of a task and then removed to release resources back to the system. While orchestrated containerization allows for efficient and flexible use of computing resources, concerns have been raised about the ability to detect anomalous behavior and to conduct forensics investigations in the environment. 
Monitoring temporal readings of system performance metrics offers a potential solution to anomalous behavior detection, and storing the performance readings away from the transient containers could be a solution to support forensic investigations. However, the resultant storage can become expansive over time, making it an expensive and often impractical solution. In this research, we analyze temporal readings of out-of-band performance metrics gathered from various layers of the technology stack while trials of four distinct benchmarking workloads were running. Our objective was to determine if machine learning (ML) techniques could reliably distinguish between the running workloads based on the performance metrics. After conducting proof-of-concept experiments using various ML methods, we applied a random forest classifier to all readings and metrics in our datasets. The classifier was able to identify with a high degree of accuracy the workload that was running on the system based upon the readings. Furthermore, we found that a relatively small subset of the performance metrics was significant for accurate classification. This indicates that the problem of extensive storage and processing requirements could be mitigated. Our results indicate that an ML model trained on patterns of normal behavior could be used to monitor live metrics for the purpose of anomaly detection. 
These findings support the feasibility of using continuously collected performance metrics to enable real-time anomaly detection and improve forensic readiness in environments where logging may be transient or incomplete, such as in orchestrated container systems.</p> Maureen Van Devender Thanh Le Ryan Benton Angela Buie Ralph Mouawad Zoe Steele Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 810 821 10.34190/eccws.25.1.4605 Social Engineering of AI Agents https://papers.academic-conferences.org/index.php/eccws/article/view/4606 <p>Large Language Models (LLMs) are increasingly embedded within autonomous agents that plan, reason, and interact with external systems through tools such as APIs, databases, and web services. These tool integrations allow agents to overcome the static and outdated nature of LLM knowledge, granting them real-time access to dynamic information sources and operational capabilities, as demonstrated in frameworks like ReAct and MRKL. However, this architectural shift also exposes a new and insufficiently understood attack surface. Prior cybersecurity threats targeting application interfaces—such as SQL injection—have relied on injecting structured malicious commands into well-defined syntactic channels. In contrast, LLM agents operate primarily through natural language: both internal planning and external tool selection are mediated linguistically rather than programmatically. This change has profound security implications. Agent behaviour relies heavily on informal language and semantic interpretation. Traditional attack detection fails because it requires rigid markers like command prefixes or specific character patterns. Adversaries exploit this vulnerability by subtly altering the context the agent considers trustworthy. 
Recent work on tool metadata manipulation demonstrates how adversaries can exploit linguistic cues, authority signals, and persuasive descriptions to influence which tools an agent selects for a task. By modifying tool descriptions—while the tool’s programmed functionality is opaque to the agent—attackers can induce the agent to route sensitive data or actions to malicious endpoints without any direct prompt injection, code execution, or user deception. It is argued that such attacks constitute a new form of machine-targeted social engineering. Traditionally, social engineering is seen as exploiting cognitive biases in humans, the “weakest link” in security. Here, the weakness emerges instead from the ambiguity, informality, and contextual nature of natural language reasoning inside autonomous agents. The agent can be persuaded into harmful behaviour. It is discussed how such threats can be categorized within emerging agent security frameworks such as OWASP and MAESTRO, and defensive strategies designed to safeguard tool-using LLM systems from intentional manipulation are outlined. The findings indicate that cognitive security must now extend beyond users to the autonomous systems increasingly acting on their behalf.</p> Jukka Vuorinen Eeli Mäkinen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 822 830 10.34190/eccws.25.1.4606 Cyber Security at Universities: Comparison of Australia, Lithuania and Ukraine. https://papers.academic-conferences.org/index.php/eccws/article/view/4846 <p style="font-weight: 400;">Universities are common across all countries and perform a key function in terms of research and knowledge development as well as the development of the next generation of professionals. 
In this study the focus is the university sector of Australia, Lithuania and Ukraine. Each country manages its university sector differently from a security perspective. Australian universities operate under critical infrastructure regulations and foreign interference guidelines. Lithuanian institutions benefit from the EU NIS2 Directive and national collective defense systems. Ukrainian universities, facing intense cyber attacks since 2014, have developed exceptional resilience through distributed infrastructure and international cooperation. This paper examines the distinct cyber security postures of the Australian, Lithuanian and Ukrainian university sectors.</p> Matthew Warren Marius Laurinaitis Michael Prazian Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 831 837 10.34190/eccws.25.1.4846 Digital Sovereignty and Cross-Border Compliance in Internet Governance https://papers.academic-conferences.org/index.php/eccws/article/view/4600 <p>The internet was once imagined as a global, interoperable infrastructure, transcending borders and fostering openness. John Perry Barlow and other early theorists envisioned a decentralised digital commons governed through shared technical standards rather than sovereign authority. By 2026, however, this vision has been profoundly challenged. Governments worldwide exert control over online spaces through surveillance mandates, data localisation laws, and content regulation, reshaping the contours of digital governance. This discussion examines the legal dimensions of digital sovereignty and its practical manifestation in cross‑border compliance, focusing on how states assert authority over infrastructures and platforms. Case studies illustrate divergent approaches. Russia’s ban on WhatsApp and Telegram calls reinforces sovereignty through communication restrictions.
The United Kingdom’s Online Safety Act prioritises user protection but raises freedom of expression concerns. The European Union’s Digital Services Act harmonises accountability across member states while adding compliance burdens. In the United States, the extraterritorial reach of the CLOUD Act and Federal Trade Commission warnings against foreign pressures on encryption highlight tensions between national security and global interoperability. South Africa’s July 2025 ruling compelling Facebook to disclose offender identities in a child protection case demonstrates how domestic law can override corporate resistance. Australia’s ban on social media for children under sixteen further illustrates sovereignty extending into social policy. These examples reveal how sovereignty pressures accelerate fragmentation, eroding interoperability, weakening trust in multilateral institutions, and extending into societal domains such as safety, identity, and cultural values. Platform responses ranging from localisation to global adoption of strict standards mitigate risks but also entrench fragmentation. Viewed collectively, digital sovereignty is not merely a regulatory trend but a structural transformation of internet governance. Rather than converging toward consensus, the internet is increasingly defined by jurisdictional conflicts and sovereign claims.
The central question is whether reconciliation through multilateral frameworks and technical standards remains possible, or whether fragmentation will persist as the defining condition of the digital order.</p> Murdoch Watney Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 838 845 10.34190/eccws.25.1.4600 AI to AI Autonomous Cyber Warfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4854 <p>The phrase “AI‑to‑AI autonomous cyber warfare” refers to an emerging and/or anticipated type of digital conflict in which artificial intelligence systems engage in cyberwarfare without any direct intervention by humans. In this type of conflict AI systems will carry out the collection of data through sensing, decision‑making, and responses to adversaries as cyber conflicts unfold in cyberspace. AI to AI Autonomous Cyber Warfare needs to be examined at several levels as part of defense theory, cybersecurity research, and in anticipation of future risks related to cyber warfare. AI to AI Autonomous Cyber Warfare must be thought of as potentially related to the automation of both cyber offense and cyber defense, where both friendly and adversarial machines will interact with machines at speeds humans cannot match. In cyberwarfare humans usually set goals, define rules, and identify constraints, but AI systems in AI-to-AI warfare will execute all actions independently of human agency. The idea behind AI-to-AI Autonomous Cyber Warfare is that such systems are like the autonomous systems employed as defense agents today—just more advanced and with more authority. Currently AI systems exist on opposing sides, and they are already identifying, analyzing, and/or responding to each other. Cyber operations happen at machine speed, which is much faster than humans can act.
Current systems of AIs may <em>adapt</em> strategies based on the opponent’s behavior. This has led to an environment where two or more autonomous AI agents can already learn, escalate, and counter each other dynamically. What already exists are: (1) Automated intrusion detection systems using ML. (2) Autonomous patching or quarantine systems. (3) Malware that is self-adapting. What is expected to exist in the future are: (1) Fully autonomous offensive systems. (2) AI agents that will be able to strategically outmaneuver each other. (3) Self‑modifying agents that will be able to escalate activities without human oversight. It is currently agreed that fully autonomous AI to AI cyber warfare is a major global risk, but that it is not a current capability. The current set of risks related to the development of AI‑to‑AI autonomous cyber warfare includes: (1) Speed-of-Conflict Escalation. (2) Unpredictability. (3) Accidental Conflicts. (4) Arms Race Dynamics. (5) Loss of Human Control. This analysis will focus on ethical and anticipated ethical issues with the development of AI‑to‑AI autonomous cyber warfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 846 854 10.34190/eccws.25.1.4854 Artificial Intelligence, Drones and Cyber Warfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4855 <p>Artificial Intelligence plays an active role when both drones and Cyber Warfare are introduced into kinetic wars. The importance of drones for kinetic warfare points to the importance of cyber warfare for countering drone warfare. A drone that flies, reroutes, and avoids threats without human interaction no longer operates as a remote-controlled vehicle. Instead, it acts autonomously in combat situations.
Small quadcopters in Ukraine were equipped with AI navigation packages, enabling them to complete their missions even after Russian troops had jammed their GPS signals. Programs in the US, such as DARPA Evade, are deploying Sikorsky's MATRIX autonomy software in vertical takeoff drones, which nominally have the capability to fly and fight without communication with an operator while maintaining situational awareness and continuing to achieve their objectives. The most contentious application of AI in military drones is the recognition of targets. Using deep learning models trained on massive amounts of image data, drones can recognize vehicles, artillery, or even people. The AI models utilize visual patterns and infrared signatures to help identify and distinguish between an enemy armored vehicle hidden in a field and a civilian tractor hidden in the same spot. Russia's KUB loitering munition features an AI visual identification module designed to enhance its search range and accuracy. The Bayraktar TB2 features onboard targeting systems that provide unified target designation and tracking. The TB2's follow-on munition, the Kamankes loitering munition drone, is advertised to have AI-guided optics that enable it to loiter, identify, and autonomously kill any targets (Aviacionline, 2023; Baykar Technology, 2026). A drone that could perform all of these activities could loiter for hours, detect a missile launcher or armor target, and kill without verification by human input at any point. Ukraine's advances in AI are even more striking when factoring in that they are using modular AI kits to sever the "last mile" of the target kill chain, reducing the time from hours to minutes. AI proponents argue that accuracy enables speed and precision with minimal risk of unintended consequences.
Critics caution that algorithm-driven lethal decisions can go wrong if an object is incorrectly identified, leaving the laws of armed conflict with challenging and fuzzy questions of moral, legal, and professional liability. This analysis is concerned with identifying how AI can be applied in the context of cyberwarfare to counter the capabilities of AI being employed to enhance the capabilities of drones as they are currently employed in military operations. In addition, this analysis will focus on the ethical and anticipated ethical issues related to such applications of AI in cyberwarfare operations.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 855 863 10.34190/eccws.25.1.4855 AI, Urban Warfare and Cyber Warfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4856 <p>The integration of AI into urban warfare and cyber warfare is reshaping the landscape of military operations. AI is being leveraged to enhance military capabilities, improve defense strategies, and address the evolving threat environment in military operations. AI has had an influence in these fields in the following areas: (1) In urban warfare, AI technologies are being integrated into smart city projects, reshaping urban environments and operational strategies directed at smart cities. (2) In cyber warfare, AI is enabling faster, more destructive digital attacks. It is being employed to develop new categories of cyber weapons, including autonomous malware and deepfake-driven disinformation and misinformation campaigns.
(3) In military operations, AI is improving speed, scale and clandestine attacks as well as enhancing mission command and network resilience. (4) In cyber defense, AI is being utilized for proactive threat identification, automated incident response and predictive analytics to counter AI-driven threats.</p> <p>This analysis will focus on ethical and anticipated ethical issues with AI, urban warfare and cyber warfare. The method employed is a standard conceptual analysis of key issues, combined with careful definitions of terminology, including key applications of conceptual distinctions to case studies. The method of ethical analysis follows the standard practice of applying ethical concepts and terms to issues within case studies. The issues that will be addressed include: (1) The idea of machines making independent decisions about targeting and attack execution without human “in the loop” oversight is deeply troubling. (2) Accountability: If an autonomous AI system causes widespread damage or civilian harm, who is responsible? The programmer? The commander who authorized its deployment? The AI itself? (3) Escalation Control: How can the use of autonomous cyber weapons be controlled to prevent unintended escalation of conflict? A rapid, AI-driven counterattack might be perceived as a disproportionate response, triggering a spiral of retaliatory actions. (4) Unintended Consequences: AI systems, while powerful, can be unpredictable.
A bug or an unforeseen interaction could lead to catastrophic outcomes that were never intended by human operators. These concerns highlight the urgent need for international dialogue and the establishment of norms around the development and use of AI in warfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 864 871 10.34190/eccws.25.1.4856 The Baseband Sovereignty Paradox: Anticipated Ethical and Technical Issues of Baseband Processors https://papers.academic-conferences.org/index.php/eccws/article/view/4858 <p>Users and administrators of mobile devices focus on hardening the application processors and Operating Systems (OS) of these devices. Meanwhile an unrestricted, parallel computing environment operates unchecked beneath the surface of these systems: the Baseband Processor (BP). This paper examines the "Baseband Sovereignty Paradox," where the chip responsible for cellular communication possesses Direct Memory Access (DMA) to the entire device while remaining completely opaque to the user, the main OS, and security software (Weinmann, 2012). The Baseband Sovereignty Paradox refers to the following: a nation state wants full control over its mobile communications infrastructure, but must often rely on foreign, opaque, un‑auditable baseband chips and firmware. This paradox creates a strategic dependency that directly undermines state-centered technological and national sovereignty (Brey, 2012). The relevance of these items to cyberwarfare can be described as follows: baseband compromises allow deep, persistent access within mobile devices that is invisible to OS defenses. Nation‑states can weaponize baseband vulnerabilities for the disruption of communications, espionage, and supply‑chain cyber-attacks and interference.
The reliance on foreign basebands by nation states becomes a potential geopolitical attack vector, while putting future cyber network generations potentially at strategic risk. In this analysis we follow a standard conceptual analysis, where we define concepts and terminology related to the baseband paradox which are then applied to case studies. We examine historical precedents, such as the Pegasus spyware, to demonstrate how the BP in mobile devices can be exploited to gain SYSTEM privileges, bypass encryption, and exfiltrate data (Amnesty International, 2021). This research highlights the persistent nature of baseband communications in mobile devices, which maintain contact with cell towers even when the device is in "Airplane Mode" or powered down, which allows them to act as unmitigable tracking beacons. We argue that the Baseband Processor constitutes a "Fifth Column" for cyber warfare. Baseband processors are a ubiquitous, privileged, and unmanageable hardware component within mobile devices that fundamentally undermines the concept of user privacy and device ownership and control (Johnson, 2010). Our analysis will conclude with an ethical and anticipated ethical analysis of the Baseband Sovereignty Paradox, which when exploited by adversaries can be used in support of cyberwarfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 872 879 10.34190/eccws.25.1.4858 Forever Days, Silicon Immutability and the Crisis of Unpatchable BootROM Vulnerabilities in Cyberwarfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4859 <p>Modern mobile security architecture relies on a hardware Root of Trust, which is a set of capabilities in a device’s hardware that functions as an anchor for all security operations within that system
(Rambus Press). This is exemplified by components such as the Apple Secure Enclave, a separate processor that handles biometric information for Touch ID or Face ID (Pot, 2018). However, the reliance on immutable silicon, specifically BootROM code, introduces a very critical risk: the "Forever Day" vulnerability. A BootROM (or Boot ROM) is a small piece of mask ROM or write-protected flash embedded inside the processor chip; it contains the very first code executed by the processor on power-on or reset (What is Bootrom). Unlike software flaws, vulnerabilities within the BootROM cannot be patched once the chip leaves the manufacturing plant. BootROM code itself isn't <em>used</em> in cyber warfare; rather, vulnerabilities in BootROM become powerful footholds for persistent espionage, secure‑boot bypass, hardware‑level compromise, supply‑chain infiltration, cryptographic key extraction, and attacks on critical infrastructure devices. Because of its immutable nature, a single BootROM vulnerability can become a strategic cyber weapon—especially for well‑resourced nation‑state adversaries. Ethical issues arise from how malicious adversaries could exploit the immutable nature of a BootROM vulnerability. According to Furrow, ethics is related to the intentions, actions and outcomes produced by agents involved in decision making. To intentionally manufacture technology with vulnerabilities built into immutable silicon is an ethical issue. This analysis, using case studies, investigates the technical outcomes of such exploits, where a single compromised read-only sector renders millions of devices permanently vulnerable to compromise regardless of OS security updates. We further analyze the tension between the commercial imperative to rush new silicon models to market for profit and the rigorous security validation required for immutable code.
Finally, the paper discusses the role of state actors, such as the NSA, in the disclosure versus hoarding of these hardware-level exploits. We conclude that "Forever Days" (a Forever Day bug is a security vulnerability in a software application or system that remains unpatched for an extended period of time) (Forever Day Bug, 2023) represent a fundamental failure in the current hardware lifecycle, leaving a permanent window for exploitation that persists for the lifespan of the physical device. The analysis will conclude with an ethical and anticipated ethical analysis of BootROM code when it is used in support of cyberwarfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 880 888 10.34190/eccws.25.1.4859 Weaponizing Firmware, Cyberwarfare and Battery Management Systems: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4860 <p>As the Internet of Things (IoT), which is made up of “smart” devices, expands, issues arise in the cyber security space because cyber security has traditionally focused on data privacy and service availability. However, a critical and under-analyzed threat vector lies in the weaponization of firmware to inflict kinetic physical damage on battery-powered devices and battery management systems. This research analyzes the technical reality of manipulating Battery Management Systems (BMS) in civilian devices. By overriding safety protocols and de-throttling thermal limits, attackers can induce thermal runaway in lithium-ion batteries. This process effectively converts smartphones, laptops, and electric vehicles into incendiary devices. There is a reason why BMS security matters: the BMS directly governs safety limits; malicious interference could lead to device failure and fire risk, or grid instability when scaled.
Modern connected devices increase the “attack surface” for cyber warfare via telematics, mobile apps, cloud APIs, and service diagnostics. Key risk categories (without operational details) include but are not limited to: supply chain issues such as tampering with components/firmware and insecure third‑party libraries; firmware/boot issues including unsigned updates and insecure bootloaders; communications (comms) issues such as weak or missing authentication on CAN or diagnostic interfaces and replay or spoofing risks; cloud/app issues including weak API/auth controls and insecure mobile app backends; and safety/security co‑engineering gaps when functional safety (e.g., ISO 26262) and cybersecurity (e.g., ISO 21434) are not jointly considered. This paper explores the specific firmware vulnerabilities that allow for voltage manipulation and the bypass of hardware cut-offs in devices requiring batteries. Beyond the technical mechanics of batteries, we examine the ethical and legal implications of this "dual use" technology, where consumer electronics can be remotely triggered to cause fires or explosions. We argue that the potential for physical harm necessitates a reclassification of firmware vulnerabilities in power regulation modules, moving them from standard cybersecurity concerns to issues of public safety and kinetic warfare.
This analysis will conclude with an ethical and anticipated ethical analysis of BootROM code when it is used in support of battery-powered devices in cyberwarfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 889 896 10.34190/eccws.25.1.4860 The Military Tech Complex and Cyberwarfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4861 <p>In this analysis we examine how the military-industrial complex has now been expanded into the digital realm, forming what’s often called the <em>military-digital complex </em>(MDC). The ecosystem of the MDC links defense contractors, governments, and Big Tech companies to the development and deployment of cyberwarfare capabilities. The capabilities of the MDC are information technology weapons of both an offensive and defensive nature. How does the Military Tech Complex connect to cyberwarfare? The development of the MDC has led to the militarization of cyberspace. Governments and militaries treat cyberspace as a battlefield. The U.S. created <em>Cyber Command</em> to oversee offensive and defensive cyber operations, including hacking, digital espionage, and electronic warfare. Partnerships with Big Tech companies like Microsoft, Google, Amazon, and Apple provide cloud infrastructure, AI tools, and cybersecurity expertise.
These partnerships blur the line between civilian use of technology and military applications. Defense contractors and startups: traditional defense firms (Lockheed Martin, Raytheon) now invest heavily in cyber tools, while Silicon Valley startups receive Pentagon funding to innovate in specific areas like AI-driven cyber defense. When the intentions of rational agents within government and corporations are connected to duties, conflicts arise, with government having duties to civilians and corporations having duties to investors. This conflict of duties is the focus of our discussion, which relates to how intentions and duties are linked in deontological ethics. This analysis begins by examining technical issues including the Cloud as a Battlefield, the “Kill Chain” and Algorithmic Warfare, and the Zero-Day Economy and VEP. The analysis continues with a discussion of ethical issues related to the Principle of Distinction (Just War Theory), the troublesome incentive of the "Cyber-Industrial Complex," and Accountability and Epistemic Opacity. Three case studies are then presented that give examples of the technical and ethical issues presented in the earlier parts of our analysis. This is followed by an anticipatory ethical analysis of potential future developments. Before we conclude, we propose four reforms, related to the concepts previously discussed and the case studies we have examined, to help overcome how MDC government and corporate partnerships act in collusion to intentionally blur the line between civilian and military use of technology.
This original research and analysis is concerned with how Big Tech companies profit from cyber warfare contracts and how nation-states weaponize AI in cyber conflicts, and finally with the ethical and anticipated ethical issues that arise because of these developments.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 897 905 10.34190/eccws.25.1.4861 Trustworthy Secure and Measured Boot on a Raspberry Pi 4 https://papers.academic-conferences.org/index.php/eccws/article/view/4827 <p>The Raspberry Pi is a widely used platform deployed across numerous domains, including Industry 4.0 environments. This places requirements on hardware and software in terms of IT and OT security. The whole platform has to be secured in a way that integrity and trustworthiness can be guaranteed – even when it is deployed in uncontrolled environments and operating outside the manufacturer’s physical control. Currently, that often is not the case, and basic Trusted Computing concepts are not implemented in Raspberry Pi-based platforms. The presented approach enables entities such as SIEM systems and backend services to make use of the established Trusted Computing mechanism Remote Attestation to verify the integrity of a Raspberry Pi 4 and its software. Remote Attestation, in turn, depends on Measured Boot to record integrity measurements (hash values) of each boot stage into a TPM 2.0. However, the official Raspberry Pi 4 bootloader supports Secure Boot only. It neither provides Measured Boot functionality nor integrates with a TPM 2.0, preventing the establishment of the hardware-anchored measurement chain required for Remote Attestation. To address these limitations, this paper proposes a method that combines Secure Boot with Measured Boot to enable Remote Attestation on the Raspberry Pi 4.
This combination establishes a complete Chain of Trust. While it comes with some shortfalls and cannot defend against sophisticated hardware-based attacks, it still results in a much higher security level for the Raspberry Pi. The proposed concept makes use of the official bootloader’s Secure Boot to load a signed second-stage custom bootloader image based on U-Boot. Following that, U-Boot acts as the Measurement Root of Trust and measures the subsequent boot stages into the PCRs of a TPM 2.0. Although the proposal builds upon existing technologies, their integration into the Raspberry Pi boot chain has not been available in this form. The security enhancements have a significant impact on many use cases involving Raspberry Pi-based hardware, including industrial devices. It is particularly worth considering if the hardware platform already integrates a TPM 2.0 chip.</p> Torben Woltjen Michelle Jakobi Michael Eckel Janik Gorbracht Richard Sethmann Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 906 914 10.34190/eccws.25.1.4827 Disinformation and Trust in digital environments: Expert decision-making, dismiss or discuss? https://papers.academic-conferences.org/index.php/eccws/article/view/4837 <p>Leveraging a management and organization sciences perspective, this paper conceptualises AI, security and information warfare practitioner decision-making as a decision to trust or distrust, mediated by intuition. To explore how practitioners navigate trust in digital environments and benchmark concerns, a survey was conducted among 95 expert cyber security, AI and information warfare practitioners. Questions explored practitioners’ thoughts on sources of trusted material, intuition, and approaches to managing disinformation.
Scenarios were included to explore practitioners’ thoughts on unusual incidents and help elicit future threats and solutions. Findings highlight variations in decision-making approaches according to age, experience and domain. For trust in intuition, early-stage career and military/defence individuals were found less likely to rely on intuition than public and private sector peers. When faced with out-of-the-ordinary events, practitioners were split among four responses: re-checking data (37%), dismissing out-of-the-ordinary events (30%), pausing decision-making (19%), or seeking discussion (13%). Experience levels matter, with mid-career practitioners behaving distinctly from those at early- and late-stage careers. The contributions of this paper have direct implications for policy-makers, including recommendations for personalised, stage-appropriate training in decision-making across age groups and domains. Given the increasing velocity and uncertainty of the current and future threat landscape, more precise calibration of practitioner decision-making is urgently needed.</p> Allison Wylde Fabio James Petani Helmi Issa Fortuna Cassoria Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 915 921 10.34190/eccws.25.1.4837 NEXUS-HC: A Framework for Technology Foresight in Strategic Communications https://papers.academic-conferences.org/index.php/eccws/article/view/4709 <p>Strategic communications teams increasingly operate in an information environment shaped less by what people say to each other and more by what platforms choose to show, boost, or hide.
Automation, synthetic media, and faster technology cycles mean influence activity can scale quickly, while decision-makers must still choose what to monitor, test, and prepare for. Many organisations track technology “hype” informally through news and vendor claims, but this often fails to produce clear priorities or explainable trade-offs. This paper introduces NEXUS-HC (Navigational Examination and Understanding System for Hype Cycle Analysis), a decision-oriented framework that adapts the familiar hype-cycle idea for contested, next-generation information environments. NEXUS-HC standardises technology assessment through a lightweight cross-impact rubric to compare likely effects, and links assessment to action through five portfolio postures: Monitor, Pilot, Adopt, Govern/Harden, or Counter. The framework separates (a) maturity and diffusion signals, (b) disruption mechanisms relevant to influence and integrity, and (c) adversarial leverage and governance readiness. We provide practical guidance for running the workflow in a small StratCom team, recording evidence notes and confidence, and setting reassessment triggers. A short three-technology illustration and light-touch retrospective validation—synthetic media, algorithmic Information-Operations (IO), and AI avatars—demonstrate how technologies associated with synthetic saturation, algorithmic contestation, and reality mediation can still lead to different actions depending on leverage and governance. The contribution is a repeatable approach that improves transparency (how judgements were made), comparability (across technologies and time), and briefing value (clearer decisions for leaders). NEXUS-HC is designed to complement, not replace, deeper intelligence assessments and technical evaluation. It is intended primarily for StratCom teams, with cyber or technical specialists contributing when required. 
It provides a common language for briefings, helps teams avoid over-reacting to short-lived attention spikes, and highlights when governance should start early because standards, labelling practices, and organisational controls often lag behind capability diffusion. When applied on a quarterly cadence, NEXUS-HC produces an auditable decision record that captures evidence, confidence, and triggers for reassessment—supporting learning across cycles and reducing reliance on individual judgement.</p> Yukai Zeng Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 922 930 10.34190/eccws.25.1.4709 Securing the Decentralized Edge: An Integrated Approach to Endpoint Security Monitoring and Threat Detection https://papers.academic-conferences.org/index.php/eccws/article/view/4887 <p>Modern IT infrastructure is undergoing a significant transformation, becoming increasingly complex and decentralized as organizations move away from centralized on-premises data centers toward hybrid, multi-cloud, and edge computing models. This shift is driven by the demand for higher resilience, lower latency, and the specialized requirements of modern AI workloads running at the edge. While it improves operational efficiency, it introduces significant challenges, including limited visibility, legacy network bottlenecks, operational complexity, and a broadened attack surface; decentralized, edge-based infrastructure therefore requires new security approaches that go beyond traditional perimeter security. Adversaries increasingly exploit these decentralized environments for ransomware, espionage, or conscripting devices into botnets for large-scale attacks. The resulting breaches carry severe consequences, including financial loss, regulatory penalties, non-compliance and irreparable reputational damage. 
To address the aforementioned challenges, this paper proposes a Zero Trust Architecture integrated with Wazuh. Using Wazuh’s comprehensive monitoring and incident response capabilities, organizations can implement a "never trust, always verify" framework that protects the decentralized edge against modern threat vectors. This paper provides practical guidance for IT professionals and students seeking to implement modern endpoint security and defend infrastructure against evolving cyber threats.</p> Victor Bungei Frank Johnfia Esther Djan Sara Sutton Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-21 2026-06-21 25 1 1032 1041 10.34190/eccws.25.1.4887 The Weaponization of the Marketing Funnel: Adapting Commercial Targeting Strategies for Disinformation Campaigns and Troll Detection https://papers.academic-conferences.org/index.php/eccws/article/view/4942 <p>In the era of hybrid warfare, the operational mechanics of troll farms have shifted from random disruption to highly organized campaigns that mirror commercial digital marketing. This paper, grounded in the HYBTRINT project research, investigates how standard marketing strategies—specifically the "marketing funnel"—are weaponized to manipulate the information environment and proposes a technical framework for their detection. The study demonstrates how influence operations guide users from initial sensation to radicalization by exploiting societal "pain points" and creating "dopamine loops" for artificial community validation. To counter these sophisticated strategies, we define a detection framework based on a multimodal scoring system involving linguistic toxicity, reaction latency, and behavioural parameters such as "Activity Consistency". 
The findings, validated within a controlled experimental "Playground" environment, offer a model for distinguishing between organic engagement and coordinated inauthentic behaviour. The research is supported by an analysis of an experimental asset pool with a cumulative monthly reach exceeding 10 million impressions, providing a statistically significant basis for behaviour profiling. This research serves as a basis for developing adaptive monitoring modules for defence and security institutions.</p> Petr Gallus Dominik Staněk Tomáš Ráčil Willi Lazarov Ivo Klaban Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-21 2026-06-21 25 1 1042 1050 10.34190/eccws.25.1.4942 Reviewing Machine Learning Algorithms for Threat Detection in Cybersecurity https://papers.academic-conferences.org/index.php/eccws/article/view/4921 <p>The recent increase in the prevalence and popularity of artificial intelligence in everyday life, such as chat agents like ChatGPT, Claude, and Google Gemini, has led to its incorporation in many fields, cybersecurity included. In particular, machine learning, a subset of the artificial intelligence field, has led many researchers to investigate this promising technology as a method to better optimize cybersecurity applications for threat detection. The rise in machine learning comes alongside, and is potentially caused by, an ever-increasing volume of cyberattacks. As attackers have access to more sophisticated tools, using artificial intelligence for vectors such as social engineering and automation, cybersecurity specialists are also forced to turn to AI to match the increasing fervour. But are all algorithms created equal? The paper focuses on IEEE-sponsored journals and conferences, identifying keywords like threat detection and machine learning, using studies published within the last year. 
In doing so, this paper focuses on recent works that relate machine learning to cybersecurity, specifically threat detection models. This survey identifies the types of algorithms used in these applications and how they are implemented. Several baseline algorithms, such as support vector machines, k-nearest-neighbors, and convolutional neural networks, were featured in several works, while others compounded these baseline models into an ensemble algorithm, using various methods. This survey identifies strengths and weaknesses in machine learning threat detection by comparing various researched algorithms and implementations. In doing so, opportunities for future research become apparent, where researchers could attempt to defeat these algorithms or even exploit the algorithm itself to bypass detection. Another avenue for future research involves strengthening the algorithms in areas where they performed poorly by combining models into a new end product or layering them to address specific weaknesses.</p> Aidan Gatenbee Mark Reith Anthony Rose Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-21 2026-06-21 25 1 1051 1056 10.34190/eccws.25.1.4921 Strengthening Analytical Competence in (Cyber) Intelligence https://papers.academic-conferences.org/index.php/eccws/article/view/4937 <div><span lang="EN-GB">Sweden’s intelligence education system lacks the technical-domain competence required to meet the analytical demands of contemporary cyber intelligence. This finding emerges from a diagnostic analysis of eleven international intelligence education programmes using the Intelligence Competence Framework (ICF), which combines a multi-level analytical structure (strategic, operational, tactical) with the domain classification (technical, formal, informal) of the Systemic-Holistic Approach. 
When applied to the programmes referenced by Sweden's government inquiry on intelligence reform (SOU 2025:78), the framework reveals that formal and informal domains receive strong coverage across all programmes while the technical domain is systematically underarticulated — particularly at the tactical level, where only one of eleven programmes achieves strong coverage. Three interdependent capability requirements emerge from an analysis of SOU 2025:78, five international programme models (the German BND, the Danish MICS, the French DIReM, the ICE CIADM module, and the Norwegian Etteretningsskolen), consultations with Swedish intelligence practitioners, and contemporary analyses of AI-supported intelligence (NSCAI, Snow Globe, Emergent Intelligence). Organisationally, the proposed intelligence academy requires a professional authority function that sets competence standards across the intelligence community rather than delivering education alone. Educationally, programmes that integrate technical content with professional practice through apprenticeship models, twin-track specialisations, and practitioner-led instruction produce broader competence coverage than purely academic programmes. Technologically, baseline digital literacy encompassing data provenance, tool limitations, and AI-assisted analytical workflows must be treated as a structural requirement in curriculum design rather than as an optional specialisation. The practitioner consultations identified three specific capability gaps in the current Swedish system: OSINT training that moves beyond keyword searching, exposure to AI-assisted analytical workflows before operational deployment, and secure technical environments for realistic practice. 
A Swedish intelligence academy built on existing European models will inherit the same technical-domain deficit unless technical competence is embedded as a design principle from the outset.</span></div> Gazmend Huskaj Stefan Axelsson Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-21 2026-06-21 25 1 1057 1065 10.34190/eccws.25.1.4937 Cyber Warfare, Cyberbullying and Psychological Warfare: Ethical and Anticipated Ethical Issues https://papers.academic-conferences.org/index.php/eccws/article/view/4862 <p>This analysis takes as its starting point the view that ideas that originate in the civilian arena can migrate to the area of warfare and cyber warfare. The central idea is that distinctions that apply to cyberbullying can be applied to issues in cyber warfare. The analysis addresses the escalation of individual-level psychological warfare exhibited in cyberbullying to the level of psychological warfare in cyber warfare by analyzing the intersection of social engineering and algorithmic vulnerabilities. It is in this way that cyberbullying is related to cyber warfare. This discussion employs a method that draws upon distinctions taken from computer science, conceptual ethical analysis and case studies. Utilizing case studies from the domain of cyberbullying, this analysis examines four distinct incidents involving Tyler Clementi, Amanda Todd, Jay Taylor and Elijah Heacock. Cyberbullying represents a form of psychological operation that can also operate in cyber warfare because it weaponizes digital communications to manipulate emotions, erode morale, and destabilize individuals and groups. The goal of the analysis is to identify the evolution of threat modalities related to psychological warfare involving cyberbullying, from unauthorized webcams to AI-powered velocity sextortion and gamified harassment groups, to the domain of cyber warfare. 
The cyberbullying cases are analyzed through the lens of Anticipatory Ethics, which is ethical analysis focused on developing technologies, specifically highlighting the failure of social media platforms to uphold the “Sociotechnical Imperative” and the “Post-Deployment Mandate.” To mitigate human-factor risks associated with psychological warfare, cyberbullying and cyber warfare, various defensive AI frameworks can be implemented: Behavioral Graph AI to break grooming funnels, Stylometric Analysis to prevent ban evasion and Acoustic Coercion Analysis to detect the real-time sources of psychological distress. This research, employing analysis and definitions of standard concepts from cyberbullying and cyber warfare, concludes that proactive, AI-driven detection grounded in ethical analysis and the ACM Code of Ethics is essential for securing the safety of the human element in digital infrastructure. Future analysis will explore more directly how cyberbullying is being employed in cyber warfare.</p> Richard Wilson Noah Donnelly Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-21 2026-06-21 25 1 1066 1074 10.34190/eccws.25.1.4862 Towards a Resilience Framework for Securing ADS-B Surveillance Systems in Air Traffic Management https://papers.academic-conferences.org/index.php/eccws/article/view/4898 <p>Automatic Dependent Surveillance–Broadcast (ADS-B) has become a cornerstone of modern air traffic surveillance, enabling real-time aircraft tracking and supporting enhanced situational awareness within Air Traffic Management (ATM) systems. However, the open and unauthenticated nature of ADS-B transmissions introduces significant cybersecurity vulnerabilities, including spoofing, jamming, and data injection attacks. These threats pose risks not only to surveillance integrity but also to operational trust and decision-making in safety-critical environments. 
This paper presents a resilience-based cybersecurity framework for securing ADS-B systems within ATM environments, with particular consideration of resource-constrained and evolving airspace environments. The proposed framework integrates technical detection mechanisms, operational response strategies, and governance principles to enhance system robustness against cyber-physical threats. A scenario-based approach is adopted to illustrate how the framework supports the detection and management of anomalous ADS-B behaviour, while maintaining continuity of surveillance services. The contribution of this work lies in bridging the gap between theoretical vulnerability analysis and practical resilience design in aviation surveillance systems. The framework provides a structured foundation for enhancing cybersecurity posture in ADS-B-enabled environments and supports ongoing research into resilient and trustworthy air traffic systems.</p> Victoria Mofolo Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1005 1008 10.34190/eccws.25.1.4898 AI Safety Under Uncertainty: Hallucinations and Unpredictable Failures https://papers.academic-conferences.org/index.php/eccws/article/view/4622 <p>With the rise of AI-supported tools across mission-critical workflows in medicine, finance, commerce, education, and cybersecurity, their errors and incorrect decisions can pose safety risks. In our broader study of safety challenges in AI applications, we identify and analyze various safety concerns related to AI-supported tools, including hidden dangers in AI-generated content, the misuse of AI-supported tools for cyberattacks, and their societal impacts. In this particular work-in-progress paper, we focus on our analyses of unpredictable failures and hallucinations in AI-supported systems. 
We analyze how generative AI models can produce fluent, convincing, yet misleading results, and how they can contaminate mission-critical applications, such as healthcare/medical decision-making, software development, cybersecurity, privacy/data governance, and workflows with agentic AI-supported systems. We survey use cases across domains to articulate the vulnerabilities. We discuss how agentic AI-supported workflows can amplify small errors into significant damage by automatically feeding erroneous outputs and actions. We also propose practical countermeasures to minimize the hallucinations and unpredictable failures with continuous monitoring and evaluation. In our future work, we will integrate this analysis with other areas of AI safety to develop a comprehensive framework and strategies.</p> Joon Park Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1009 1011 10.34190/eccws.25.1.4622 Compliant Cyber Threat Intelligence Sharing in Hospitals: Evaluating the Data Anonymisation Tool https://papers.academic-conferences.org/index.php/eccws/article/view/4822 <p>Healthcare organisations face an unprecedented surge of cyberattacks targeting patient data, clinical systems, and connected medical devices. This study examines two ransomware and data breach cases in the United Kingdom and Finland over the past eight years. Both incidents reveal common weaknesses that could have been mitigated through robust Cyber Threat Intelligence (CTI). Despite its benefits, CTI sharing among hospitals remains rare due to privacy concerns, fear of regulatory violations, and limited institutional trust. Under the General Data Protection Regulation (GDPR) and the emerging EU Cyber Resilience Act (CRA), CTI often includes personal or sensitive system data requiring strict protection and traceability, creating tension between collaboration and compliance. 
This research evaluates whether the Data Anonymisation Tool (DAT) can enable secure, auditable, and GDPR-compliant CTI sharing. The methodology combines a systematic literature review, regulatory mapping of GDPR and CRA obligations, and a functional assessment of DAT’s anonymisation and audit capabilities. Simulated CTI-sharing scenarios test how anonymised threat data can flow between healthcare organisations without exposing identifiable information. Findings indicate that DAT integrates technical, legal, and governance safeguards into a single process. It delivers GDPR-compliant anonymisation, preserves CTI utility, and ensures full traceability through verifiable audit logs, addressing CRA requirements for accountability and resilience. While governance challenges persist, particularly around trust models and sector-specific standards, DAT demonstrates strong potential to transform compliance barriers into enablers of collaboration. Privacy-preserving CTI sharing is feasible when supported by structured anonymisation and auditing mechanisms. DAT offers a viable pathway to enhance healthcare cyber resilience and aligns with European efforts to promote secure data sharing in critical sectors.</p> Ilkka Tikanmäki Ammar Alhamada James Lukins Retina Nerjovaj Marco Pastore Lauri Pöllänen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1012 1015 10.34190/eccws.25.1.4822 Enhancing Cybersecurity in Water Plant Infrastructure with SecureAI https://papers.academic-conferences.org/index.php/eccws/article/view/4581 <p>Water plants are critical infrastructure that relies on legacy Supervisory Control and Data Acquisition (SCADA) systems, which were not designed to address modern cyber threats. Attackers exploit these vulnerabilities, creating significant risks to the industry. 
Recent incidents, such as the attacks on the Demin water plant and the Oldsmar water facility, in which attackers gained unauthorised remote access to the plants' systems, emphasise the urgency of strengthening cybersecurity in this sector. This study investigates SecureAI, an AI-driven cybersecurity tool developed through the Dynamo project. SecureAI provides real-time anomaly detection, recommends isolation protocols to contain threats early, and generates post-incident training materials to improve operator readiness. Because the EU AI Act requires mandatory human oversight for all high-risk systems, SecureAI deployed in critical infrastructure cannot be allowed to act autonomously. The study includes an evaluation of SecureAI’s strengths, weaknesses, and ethical safeguards that align with the EU AI Act, the NIS2 Directive, and the NIST Cybersecurity Framework. It also presents mock-up data on attack scenarios, best practices for the deployment of SecureAI, and an incident response script designed for operator use based on SecureAI alerts. This study bridges the gap between technical detection and regulatory compliance and extends the body of knowledge on AI-enabled cybersecurity measures in water plants. Moreover, SecureAI offers a scalable, operator-centric solution that strengthens resilience while ensuring transparency, compliance and human accountability.</p> Ilkka Tikanmäki Diana Marinca Muhibba Saani Muhammed Rakyan Kadar Slamet Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1016 1019 10.34190/eccws.25.1.4581 Privacy-Preserving Cyber Threat Intelligence Sharing in Healthcare: Automated Anonymisation Under EU Regulations https://papers.academic-conferences.org/index.php/eccws/article/view/4724 <p>Healthcare organisations face increasing cyber threats, making cyber threat intelligence (CTI) sharing an essential component of resilience. 
CTI shared from hospitals often contains highly sensitive information, such as patient identifiers, internal domains or IP addresses. When this information is shared without proper protection, it can allow re-identification or system mapping, exposing healthcare organisations to additional cyber and privacy risks. Under the emerging EU Cyber Resilience Act, ensuring secure and privacy-preserving cyber threat intelligence exchange becomes critical, requiring tools and processes that safeguard personal and organisational data while maintaining the analytical utility needed for threat detection. This study provides a theoretical framework for evaluating automated anonymisation in the sharing of healthcare CTI. It explains how to utilise tools such as ARX and DAT to execute privacy-preserving CTI exchange that is compliant with the EU Cyber Resilience Act (CRA) and the NIS2 Directive. The framework establishes evaluation criteria that balance anonymisation risk and analytical utility using synthetic CTI data (such as MISP feeds). The evaluation is intended to assess the efficiency of anonymisation by using re-identification risk metrics and retained CTI utility (such as Indicator of Compromise, IOC, correlation). 
The model proposed follows European privacy and resilience rules and establishes the foundation for practical and compliant sharing of CTI in healthcare ecosystems.</p> Ilkka Tikanmäki Lillebi Seistola Harri Silvola Pihla Parviainen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1020 1023 10.34190/eccws.25.1.4724 The Future of Authentication: Not as Simple as Providing a Secure Solution https://papers.academic-conferences.org/index.php/eccws/article/view/4689 <p>In recent years, the number of online and digital accounts has grown, with the average user needing over 100 passwords. With so many passwords, users often struggle, and therefore there are many password authentication alternatives on the market, including password managers, biometrics, passkeys, and multifactor authentication (MFA) to add security to passwords. All of these solutions have their pros and cons, and if the user manages them well, they are a secure means to authenticate without relying on multiple passwords and the issues that passwords bring to authentication. For several years, the technology and cybersecurity industries have been calling for the death of passwords, and yet they are still among us. Previous research has identified reasons why password alternatives and solutions are not widely accepted by users. These include users’ trust, new technology usage and acceptance, perceptions of privacy, financial cost, and misguided security perceptions. With the introduction of newer and more convenient technologies such as passkeys, it is hoped that passwords will finally die. However, from initial interviews, those working in the technology and cybersecurity industries are reporting resistance from users. This study aims to examine users’ perceptions of authentication methods, and their intentions for improving the security of their digital lives in the future. 
A mixed-method approach will use questionnaires to measure user perceptions and attitudes towards authentication methods, their motivations for securing their own and organizational digital services, as well as demographic data that could indicate any interaction effect. Furthermore, interviews will be conducted to delve deeper into participants’ responses. The results will shed light on factors that are influencing the uptake of secure authentication solutions, and will have several implications, establishing a comprehensive view of the different user factors that influence authentication decision-making and could ultimately shape the future of the authentication solution industry.</p> Naomi Woods Hanna Paananen Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1024 1026 10.34190/eccws.25.1.4689 No Rules: Can Removing Password Creation Rules Improve Password Memorability and Security? https://papers.academic-conferences.org/index.php/eccws/article/view/4690 <p>Many users have significant issues in remembering all their passwords. There are several authentication technologies available on the market to help with these issues, for instance, password managers. However, many users still choose to rely solely on their memory. Creating and recalling multiple strong passwords often leads many users to adopt insecure password practices, such as creating weak passwords and writing passwords down. Insecure behaviours result in substantial security breaches and financial losses. Therefore, password creation requirements imposing complexity (e.g., X number of upper- and lower-case letters, numbers and special characters) and length (e.g., X number of characters) are implemented to ensure that users create passwords with a standard or minimum level of strength. Previous research has examined password memory and security issues, suggesting various ways to improve memorability. 
Furthermore, previous research has also examined users’ perceptions and interactions when attempting to meet password creation requirements, and the impact these requirements have on users’ password management. Previous results suggest that users struggle to meet password creation rules and often circumvent security by, for instance, reusing the same password or modifying passwords for multiple accounts, which is a significant security issue in itself. In this study, we will examine whether removing the complexity password creation rules will have beneficial effects on memorability and security. Using a mixed-method study, we will examine password creation and recall, using an online laboratory study, observing the strength of the passwords, and whether focusing solely on creating and not on meeting rules will improve password memorability. Follow-up questionnaires will measure user perceptions and attitudes, and interviews will be conducted to examine more deeply the motivations for digital security when no rules are imposed. The results will have important implications for research and practice, and especially for professionals who make recommendations and guidance for password management. This is because improving password memorability and security could reduce insecure password behaviours and reduce the financial losses associated with passwords.</p> Naomi Woods Copyright (c) 2026 European Conference on Cyber Warfare and Security https://creativecommons.org/licenses/by-nc-nd/4.0 2026-06-15 2026-06-15 25 1 1027 1030 10.34190/eccws.25.1.4690