International Conference on Cyber Warfare and Security
https://papers.academic-conferences.org/index.php/iccws
<p>The International Conference on Cyber Warfare and Security has been run on an annual basis since 2004. Conference Proceedings have been published each year and authors have been encouraged to upload their papers to university repositories. In addition the proceedings are indexed by a number of indexing bodies including Scopus.</p>
<p>Since 2022 all our conference proceedings are fully open access. Individual papers and full proceedings can be accessed via this system.</p>
<p><strong>PLEASE NOTE, TO SUBMIT A PAPER TO THIS CONFERENCE PLEASE VISIT THE CONFERENCE WEBSITE AT <a href="https://www.academic-conferences.org/conferences/iccws/">https://www.academic-conferences.org/conferences/iccws/</a> Submission via this portal is for authors of accepted papers only.</strong></p>
Publisher: Academic Conferences & Publishing International
Language: en-US
ISSN: 2048-9870

SLMs Meet GraphRAG: A Structured Approach to Context-Aware Cybersecurity Hint Generation
https://papers.academic-conferences.org/index.php/iccws/article/view/4434
<p>Generating hints for learners who are engaged in hands-on cybersecurity exercises is the goal of our research. Learners sometimes get stuck or frustrated; they head in the wrong direction or are missing information that is necessary for solving an exercise. While using large language models (LLMs) is an option, LLMs typically require the sharing of student data with third-party AI providers. In order to improve privacy and minimize cost and computational overhead, previous research has explored using locally deployed small language models (SLMs) with retrieval-augmented generation (RAG). However, while RAG has been shown to enhance SLM capabilities without the need to fine-tune, it falls short when answering open-ended or multi-step questions that require reasoning across interconnected concepts. This limitation is particularly evident in cybersecurity education, where students often need help understanding how threats, tools, and strategies relate to one another. The cybersecurity hint system EDUHints (Wolff et al., 2025) currently relies on a standard RAG pipeline. In classroom testing, students were unsure whether generated hints meaningfully answered their questions. To address this challenge, we present a custom GraphRAG approach that builds on a proposed cybersecurity education focused ontology and knowledge graph called AISecKG. We extend the ontology to let us incorporate natural language-to-bash command mappings, a valuable feature as students tend to ask questions regarding command-line use. Graph data is extracted using multiple methods and semantically scored to prioritize only the most relevant results. Our pipeline currently employs Microsoft’s Phi-3-mini-4k-instruct SLM, integrates LangChain for modular orchestration, and uses Neo4j as the graph database. We survey cybersecurity instructors to rate responses generated by the EDUHints and our GraphRAG system. Results show that hints generated using a GraphRAG are preferred almost three times more by cybersecurity instructors. This suggests that an SLM’s educational hint generation abilities can be improved through our GraphRAG architecture.</p>
Authors: Ishan Abraham, Jens Mache, Taylor Wolff, Jack Cook, Richard Weiss, Justin Wang
Copyright (c) 2026 Ishan Abraham, Jens Mache, Taylor Wolff, Jack Cook, Richard Weiss, Justin Wang
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 1-8; DOI: 10.34190/iccws.21.1.4434

Systematic Literature Review: Challenges And Issues in the Adoption of SOAR Technology in Cybersecurity
https://papers.academic-conferences.org/index.php/iccws/article/view/4422
<p>With the increase in the rate of cyber threats, such as ransomware, social engineering, and zero-day exploits, it is urgent to adopt new security mechanisms like Security Orchestration, Automation, and Response (SOAR) systems. The increase in cyber threats has not only amplified in frequency but also in sophistication. This escalation has forced organizations to rethink traditional defense strategies. SOAR has shown itself to be an important solution by automating repetitive tasks and helping security teams in focusing on strategic threat hunting as well as mitigation. The integration of AI and ML in SOAR frameworks helps in predictive analytics, in which systems can anticipate potential breaches based on pattern recognition from vast datasets. The role of blockchain is to enhance data integrity and help enable secure and decentralized threat intelligence sharing between stakeholders. This paper presents a systematic literature review (SLR) on recent advancements in SOAR technologies, especially the incorporation of artificial intelligence (AI), machine learning (ML), and blockchain; it also reviews case studies across various industry sectors, such as healthcare, finance, industrial control systems, and critical infrastructures, as well as the challenges facing SOAR adoption. By examining 29 studies from academic research, industry case studies, and technical reports, the review synthesizes methodologies, architectures, and performance outcomes to summarize the current state of SOAR systems. The research found that SOAR can significantly reduce incident response times and improve threat detection accuracy, with findings indicating that SOAR can lower response times by up to 80% compared to legacy systems, although implementation costs may reach as high as $5 million. Additionally, specialized personnel are still needed to operate these systems. 
The skills gap increases barriers to adoption, as few professionals possess expertise in cybersecurity as well as in automation tools. Future directions emphasize developing hybrid models that blend human intuition with machine efficiency for more robust defenses. Finally, the review discusses future research directions to help SOAR further scale, interoperate across platforms, and enable autonomous decision-making.</p>
Authors: Turki Alshammari, Talal Al-Balawi
Copyright (c) 2026 Turki Alshammari, Talal Al-Balawi
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 9-17; DOI: 10.34190/iccws.21.1.4422

The Cyber-Physical Immune System: A Self-Healing V2X Framework for Global Defense and Healthcare
https://papers.academic-conferences.org/index.php/iccws/article/view/4516
<p>The cyber-physical immune system (CPIS) is an important field in healthcare security, a chemistry reactor-based, AI-friendly framework that shields healthcare and urban structures like the human immune system. This self-sufficient network identifies a threat, contains it, and neutralizes it in minutes without any disruption to company operations. John Arquilla (2021) coined this era of social networks and “netwars.” Cyberwarfare is on the rise around the world, and individuals, commercial companies, and institutions of all kinds are among the first to feel its sting. AI and real-time CPIS analytics allow for the expansion of coverage based on new threats, thus connecting cybersecurity and critical infrastructure protection. These ideas make it possible to identify the conceptual background, main components, and transformative characteristics of CPIS, as well as to consider its potential use in V2X communications, worldwide defense and medicine to overcome difficulties and facilitate further development. In this paper, we present the current threats in research with the prevailing challenges of current self-healing in CPIS for both global defense and healthcare systems. We explain the key components of the self-healing functionality of the CPIS in healthcare.</p>
Authors: Babajide J. Asaju, Almustapha A. Wakili, Saugat Guni, Woosub Jung
Copyright (c) 2026 Babajide J. Asaju, Almustapha A. Wakili, Saugat Guni, Woosub Jung
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 18-26; DOI: 10.34190/iccws.21.1.4516

The Evolution of Penetration Testing in the Era of AI
https://papers.academic-conferences.org/index.php/iccws/article/view/4462
<p>Over the past several decades, penetration testing has transitioned from a predominantly manual, expert-driven activity to a mature discipline supported by automation, modular frameworks, and artificial intelligence (AI)-assisted tools. This study provides a descriptive review of the historical evolution of penetration testing tools, highlighting the major technological and methodological advancements that have shaped the field. In addition, a practical comparative evaluation of two widely used tools, Burp Suite Professional and the Open Worldwide Application Security Project (OWASP) Zed Attack Proxy (ZAP), was conducted using a controlled vulnerable web application, Damn Vulnerable Web Application (DVWA), to assess their performance and usability in a realistic testing environment. The study further examines the impact of AI on the contemporary and emerging landscape of penetration testing tools. The findings suggest that AI is augmenting existing tools through enhanced automation and more effective vulnerability identification, while simultaneously enabling new paradigms in both offensive and defensive cybersecurity practices. This work contributes to the understanding of the evolving role of penetration testing in an AI-influenced context and discusses the implications of these developments for researchers, practitioners, and tool developers.</p>
Authors: Errol Baloyi, Mpho Letshwenyo, Mamello Mtshali, Alex Ramantswana
Copyright (c) 2026 Errol Baloyi, Mpho Letshwenyo, Mamello Mtshali, Alex Ramantswana
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 27-35; DOI: 10.34190/iccws.21.1.4462

Bridging the Cyber Gap: Mapping Misalignment Between Digital Adoption and Cybersecurity Capacity
https://papers.academic-conferences.org/index.php/iccws/article/view/4503
<p>The rapid pace of digital transformation has revealed a structural asymmetry between technological expansion and protective capabilities. As digital adoption speeds up across economies, cybersecurity frameworks tend to develop more slowly, creating what this paper calls <em>the cyber gap</em>: a persistent misalignment between the trajectories of digital adoption and cybersecurity readiness. This gap is not a temporary delay but an institutional condition that arises when digitalisation advances faster than the laws, institutions and technical competencies required to secure it. This imbalance transforms cybersecurity from a discrete technical function into a systemic feature of digital governance. Building on strategic alignment and socio-technical systems theory, this paper introduces the <em>cyber gap assessment</em> (CGA), a conceptual framework designed to make this misalignment visible through analysis. CGA considers digital adoption and cybersecurity capacity as parallel yet interdependent trajectories, distinguishing between two complementary dimensions: <em>level gaps</em>, which measure the magnitude of divergence at a given time, and <em>pace gaps</em>, which capture the difference in their rates of change. Together, these parameters form a two-dimensional diagnostic that indicates whether states are converging or diverging in their capacity to align technological growth with institutional protection. A typology based on this structure identifies four configurations: high adoption/low capacity; low adoption/high capacity; high adoption/high capacity; and low adoption/low capacity. Each configuration reflects a unique sequence of digital reform, institutional design and governance logic. 
This analysis demonstrates that high level gaps correspond to structural exposure, where digital systems extend beyond protective reach, while sustained pace gaps generate compounding vulnerabilities across cyber-physical sectors such as energy, transport and e-government. Conversely, convergence across both dimensions signals institutional agility and anticipatory governance. By formalising these relationships, CGA reframes cybersecurity capacity as a co-evolving dimension of digital transformation rather than an ex-post control mechanism. This paper concludes that narrowing the cyber gap requires synchronised governance, adaptive regulation, secure-by-design infrastructures and investment in human capital. This study offers policymakers and researchers a reproducible framework to diagnose structural imbalances and align digital ambitions with resilience.</p>
Author: Zakariya Belkhamza
Copyright (c) 2026 Zakariya Belkhamza
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 36-44; DOI: 10.34190/iccws.21.1.4503

Evaluating an Investigative Process for Cryptocurrency-Related Crimes
https://papers.academic-conferences.org/index.php/iccws/article/view/4538
<p>This paper evaluates a previously proposed investigative process for cryptocurrency-related crimes, originally introduced by the authors (Botha, Singh, & Leenen, 2025a), through the application of a real-world case study. The process covers crime reporting and case registration, on-chain analysis, off-chain analysis, and the transformation of investigative intelligence into court-admissible evidence. The current study focuses on a new, active case involving an elderly South African (SA) woman who was defrauded of a substantial portion of her pension through a fraudulent investment scheme known as ###-Platform (redacted). The case is presently under investigation by the Directorate for Priority Crime Investigation (DPCI), a specialised unit of the South African Police Services (SAPS) tasked with addressing serious economic crimes and commonly referred to as the Hawks. By systematically applying the proposed investigative process to this case, the study assesses the framework's practical utility, adaptability, and effectiveness in real-world conditions. The analysis further reflects on legal, technical, and procedural challenges encountered during the investigation, offering critical insights for law enforcement, regulators, and cybersecurity professionals. It also highlights broader systemic vulnerabilities that facilitate such scams, particularly among elderly and non-technical populations. The findings underscore the need for enhanced public education, improved regulatory oversight, and international cooperation in combating cryptocurrency fraud. Ultimately, the paper contributes to the evolving discourse on financial crime in the digital age and aims to support the development of more secure and accountable crypto-investment environments.</p>
Authors: Johnny Botha, Kreaan Singh, Louise Leenen
Copyright (c) 2026 Johnny Botha, Kreaan Singh, Louise Leenen
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 45-56; DOI: 10.34190/iccws.21.1.4538

Social Media’s Role in Cyber Warfare: Attack Vectors, Space Ecosystem Integration, and Impacts
https://papers.academic-conferences.org/index.php/iccws/article/view/4539
<p>Prompted by confusion surrounding several recent cyber incidents, this study examines how quickly social media has shifted from basic communication to a primary tool of modern cyber conflict. Platforms such as X (formerly Twitter), Telegram, TikTok, and others are rapidly being repurposed for sophisticated propaganda, targeting infrastructure, and concealing hostile motives behind waves of deliberately orchestrated false information. The Russia–Ukraine war, for example, demonstrates how fluid and adaptive these influence operations have become. Recent events have highlighted persistent vulnerabilities linked to growing connections between ground‑based and satellite systems. Recent analyses indicate that the targeting of satellite‑linked messaging services is more direct than previously recognized, and that AI‑based botnets and deepfakes are proliferating rapidly in contemporary digital environments. This interdisciplinary study utilizes comparative case analysis and qualitative document analysis, integrating examples from the United States, European Union, China, Russia, and India to assess the evolving impact of hybrid space-cyber warfare. Theoretical models such as the Space-Cyber Hybrid Attack Matrix are referenced to categorize emergent threats, while global regulatory environments are contrasted to highlight transnational data governance challenges. Methodological rigor is supported by triangulating empirical data from documented incidents, governmental reports, and published cybersecurity expert testimony. Examination of international case studies and published accounts from cybersecurity professionals indicates that government responses are struggling to keep up, especially as disinformation spreads across borders at a daunting pace. Drawing from global case studies, this paper argues for the urgent need to rethink international cyber standards and adapt space‑cyber treaties for robust security. The optimal path forward is through stronger coordination between the public and private sectors to effectively meet threats now manifesting at the intersection of social media algorithms, AI-generated influence operations, and expanding orbital communications ecosystems in both peace and conflict.</p>
Author: Gregory Broomfield
Copyright (c) 2026 Gregory Broomfield
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 57-65; DOI: 10.34190/iccws.21.1.4539

Secure Cross-Domain Data Validation with Field Programmable Gate Arrays
https://papers.academic-conferences.org/index.php/iccws/article/view/4456
<p>Cross-domain systems have traditionally employed virtualization to isolate security domains, providing communication through standard TCP/IP networking stacks coupled with access permissions and credentials to enforce isolation. This deep and complex chain of trust typically depends upon a hardware base, such as a Trusted Platform Module (TPM) chip combined with a secure bootstrapping process. This paper describes a novel and high-performance alternative, Secure Transfer Link (STL), leveraging the unique architectural characteristics of the AMD UltraScale Multi-Processor System-on-Chip (MPSoC) device family: CPU affinity, an on-chip field programmable gate array (FPGA), and bus-mastering. These architectural characteristics make it possible to construct a secure data transfer path within the FPGA that can control which virtual machines may access and transfer data, enforcing isolation. The abstraction can be extended to include deep packet inspection and validation, such as parsing that checks adherence to the JavaScript Object Notation (JSON) protocol. Validation is achieved through the combination of formal grammars with a pushdown automata (PDA) parser and automatic transformation into an FPGA hardware configuration, resulting in a formally verifiable and hardened intellectual property (IP) called the Data Validator. The Secure Transfer Link is constructed by combining this Data Validator with another IP, the Memory Guard, which enforces access controls. These hardware IPs, together, comprise a system which prevents malicious software resident on a processor from undermining access policies or transferring malicious data. The presented IPs are performant. Their throughput improvement over traditional UDP/IP networking stacks is dramatic: speedups of up to 7x for tactical length messages and up to 4x for larger messages. The IPs are created using High-Level Synthesis (HLS), making it possible to formally specify a broad range of alternative policy and enforcement options then automatically include them in the Secure Transfer Link, constituting a novel isolation enforcement solution that is higher throughput than state of the art alternatives and enables selective domain access contingent upon formal verification of data.</p>
Authors: Abigail Cliche, James Brock, Ryan Longwell, Jason Dahlstrom, Stephen Taylor
Copyright (c) 2026 Abigail Cliche, James Brock, Ryan Longwell, Jason Dahlstrom, Stephen Taylor
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 66-74; DOI: 10.34190/iccws.21.1.4456

Malinformation, Deepfakes, and Cyber Warfare: Ethical and Anticipated Ethical Issues
https://papers.academic-conferences.org/index.php/iccws/article/view/4500
<p>Malinformation and deepfakes are closely connected in cyber warfare because both involve the use of <em>true</em> or <em>realistic-looking</em> information in harmful ways. Malinformation is <em>genuine (truthful) information used maliciously</em> to cause harm. Unlike disinformation (false) or misinformation (false but unintentional), malinformation is based on truth, but truth that has now been weaponized. Examples include leaking private emails, exposing sensitive military data, or releasing authentic documents but out of context. Deepfakes can be AI-generated synthetic media (video, audio, images) that convincingly mimic real people or events. They can be employed to fabricate speeches, fake evidence, or impersonate leaders. Malinformation and deepfakes intertwine in several ways. They involve authenticity exploitation. Deepfakes often mix real content with fabricated elements. When genuine material is combined with manipulated media, it becomes malinformation — because the <em>truthful parts</em> lend credibility to the fake narrative. <em>Example:</em> Real leaked emails paired with a deepfake video of a politician “admitting” corruption. They promote context manipulation. Malinformation thrives on taking real information out of context. Deepfakes amplify this by visually or audibly presenting “evidence” that seems authentic. <em>Example:</em> A real battlefield video edited with deepfake audio to suggest atrocities that didn’t occur. They have a psychological impact. Malinformation already erodes trust by exposing sensitive truths. Deepfakes magnify this by making it harder to distinguish between genuine leaks and fabricated ones. <em>Example:</em> Soldiers’ real identities leaked (malinformation) alongside deep-fake videos of them committing crimes. Cyber warfare strategy. Both are used to destabilize societies, discredit leaders, and manipulate public opinion. Deepfakes transform malinformation into a more persuasive weapon by adding <em>visual proof</em>. Analysts warn that the “malinformation–deepfake nexus” is one of the most dangerous aspects of modern cyber warfare. Malinformation and deepfakes become tools of cyber warfare by bringing truth and illusion together, making it extremely difficult for societies to defend against manipulation. Malinformation and deepfakes intersect with cyber warfare because both weaponize elements of truth and realism to cause harm, erode trust, and destabilize societies. Deepfakes often transform malinformation into a more persuasive and damaging tool. This analysis will identify the ethical and anticipated ethical issues with the use of Malinformation and Deep Fakes in Cyber Warfare.</p>
Authors: Noah Donnelly, Richard Wilson
Copyright (c) 2026 Noah Donnelly, Richard Wilson
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 75-82; DOI: 10.34190/iccws.21.1.4500

The Efficacy of WPA3 in Enhancing Human-Centered Privacy in Wireless Networks
https://papers.academic-conferences.org/index.php/iccws/article/view/4540
<p>This paper examines the extent to which the Wi-Fi Protected Access 3 (WPA3) security protocol enhances human-centred privacy protection in wireless network environments. There is an increasing emphasis on personal information protection and communication privacy as wireless networks become an integral part of everyday human endeavours. Improved user privacy through Simultaneous Authentication of Equals (SAE), the addition of support against offline dictionary attacks, and personalised data encryption are the key features of WPA3, which are discussed in the paper regarding its predecessor, Wi-Fi Protected Access 2 (WPA2). This paper statistically compares exposures to data segmentation across devices, password cracking, and eavesdropping through two test-beds that simulate real-world free Wi-Fi hotspots with WPA2 and WPA3 security, respectively, using a combination-method evaluation approach. Some areas that require improvement and implementation problems have been identified in the results, which indicate that the privacy of end-users has been significantly enhanced.</p>
Authors: Godisang Abigail Duma, Khutso Lebea
Copyright (c) 2026 Godisang Abigail Duma, Khutso Lebea
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 83-88; DOI: 10.34190/iccws.21.1.4540

LLM-Assisted CPSTRIDE Threat Modeling for Critical Water Infrastructure
https://papers.academic-conferences.org/index.php/iccws/article/view/4484
<p>Critical infrastructures face hybrid threats that threat modeling frameworks like STRIDE, MITRE ATT&CK, and Cyber Kill Chain are ill-suited to capture. These frameworks focus on cybersecurity, leaving blind spots, and their reliance on human expertise limits scalability. Attacks on critical water infrastructure underscore the importance of cyber-physical threat modeling, as does the emergence of autonomous vehicles as hybrid attack vectors. This research presents CPSTRIDE, a framework for cyber-physical threat modeling that extends Microsoft's STRIDE. CPSTRIDE defines security properties for cyber-physical systems and exposes vulnerabilities, threats, and attack vectors that conventional approaches miss. We also introduce an LLM-assisted methodology, leveraging Anthropic's Claude Sonnet 4.5 as a domain expert. We apply this approach to construct a comprehensive threat landscape for a water treatment facility, articulating hybrid attack scenarios involving unmanned aerial and underwater vehicles.</p>
Authors: Dallas Elleman, Amorita Christian, John Hale
Copyright (c) 2026 Dallas Elleman, Amorita A. Christian, John Hale
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 89-98; DOI: 10.34190/iccws.21.1.4484

New Naval Strategy, Not Cyberwar: China’s State-Sponsored Maritime Cyber Operations
https://papers.academic-conferences.org/index.php/iccws/article/view/4496
<p>This paper analyzes state-sponsored cyber operations by the People’s Republic of China (PRC) against the global maritime sector from 2015–2025. It moves beyond isolated technical analysis to frame these campaigns as a coherent strategic logic. Using a structured, focused comparison of three PRC-linked intrusion sets—Volt Typhoon, APT40, and Mustang Panda—this analysis assesses their operational characteristics against prominent cyber strategy theories, including capability-intensity barriers, the intelligence-contest logic, and persistent engagement. The findings demonstrate a consistent pattern of behavior across all three cases: operations are capability-intensive, espionage-forward, and prioritize secrecy over overt signaling. This contrasts with other state actors who have used disruptive signaling in the maritime domain. We argue this pattern is explained by Smeets’ capability-scarcity logic: high-capability maritime accesses are too costly to expend on peacetime signaling. This behavior aligns with PRC doctrinal concepts of "informationized warfare" which prize system-mapping and pre-positioning. The paper concludes by reframing this activity not as "cyberwar" but as a form of "new naval warfare"—a persistent, below-threshold competition for control over the core components of seapower.</p>
Authors: Francesco Ferazza, Konsantinos Mersinas
Copyright (c) 2026 Francesco Ferazza, Konsantinos Mersinas
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 99-105; DOI: 10.34190/iccws.21.1.4496

Implementing Countermeasures for Evasive VPN Clients in Educational Institutions
https://papers.academic-conferences.org/index.php/iccws/article/view/4368
<p>This research demonstrates that educational institutions face significant challenges from evasive Virtual Private Networks (VPNs) that employ sophisticated protocol hopping, traffic obfuscation, and HTTPS simulation to circumvent traditional detection mechanisms. Through analysis of current evasion techniques and evaluation of a commercial evasive VPN (X-VPN), the study reveals that conventional perimeter-based security approaches prove increasingly ineffective against these advanced methods. The research findings indicate that effective countermeasures require integration of traffic pattern analysis, signature-based detection, and DNS proxy monitoring to identify unauthorized VPN usage despite encryption. However, technical solutions alone are insufficient. The study concludes that institutions must implement complementary administrative approaches including comprehensive acceptable use policies, security awareness training, and Zero Trust principles to maintain secure learning environments. The integrated approach enables educational institutions to balance open access to information with essential security requirements while addressing evolving evasion techniques through AI-enhanced detection systems and cross-institutional collaboration.</p>
Author: Jason Folker
Copyright (c) 2026 Jason Folker
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 106-113; DOI: 10.34190/iccws.21.1.4368

Agentic AI-Driven Social Engineering: An Elicitation Simulation for Cybersecurity Education
https://papers.academic-conferences.org/index.php/iccws/article/view/4396
<p>The Elicitation Simulation is an interactive cybersecurity training tool designed to model social and prompt engineering through realistic conversational scenarios. Users engage with three AI “characters” and attempt to extract sensitive information, governed by a Trust Flag System that assigns sensitivity rankings (Level 1–10) to personal data, from easily disclosed facts, such as family names, to highly confidential details such as SSNs or credit card numbers. Sessions are orchestrated through n8n, which manages conversational flow and memory buffers to maintain user-specific context, while Pinecone stores vectorized scenario data for context retrieval. Each AI character dynamically adjusts its trust level based on the user’s prior interactions, which determines whether it will disclose sensitive information to the user. The simulation challenges users to employ subtle elicitation techniques such as indirect questioning, framing, and rapport-building while avoiding overt or coercive tactics that trigger conversational shutdowns. By mirroring authentic social engineering behavior, the tool cultivates strategic communication skills essential for understanding and defending against real-world elicitation and social engineering attacks.</p>
Authors: Audrey Fruean, Ruoyu Zhao, Joshua Goldberg, Emily Flores, Zixuan Zou, Emma Trowbridge, Hsiao An Wang
Copyright (c) 2026 Audrey Fruean, Rose Zhao, Joshua Goldberg, Emily Flores, Ella Zou, Emma Trowbridge, Hsiao An Wang
https://creativecommons.org/licenses/by-nd/4.0
Date: 2026-02-19; Volume 21, Issue 1, pp. 114-121; DOI: 10.34190/iccws.21.1.4396

Cybersecurity Threats Targeting Remote Workers: A Review
https://papers.academic-conferences.org/index.php/iccws/article/view/4464
<p>Remote workers encounter numerous cybersecurity risks that differ significantly from those faced in traditional office settings. These threats can range from cybersecurity risks, such as phishing attacks and data breaches, to challenges like feelings of isolation and work-life balance issues. The widespread use of insecure home networks further exacerbates these risks, as many employees connect their devices to Wi-Fi networks that lack essential security measures like strong passwords and encryption. As remote employees operate beyond the protective perimeter of an organisation’s secure systems, businesses are increasingly dependent on robust cybersecurity frameworks, best practices, and comprehensive policies to protect their data and assets. The primary objective of this paper is to tackle the urgent issues related to cybersecurity management in remote work settings. This study presents a systematic review of research on cybersecurity risks targeting remote workers, following the PRISMA framework. A total of 20 studies published between 2019 and 2025 were reviewed from Scopus and Google Scholar. The results showed that phishing, malware, ransomware, insecure networks and human factors such as the lack of cybersecurity awareness training are among the most frequently reported threats. The most common mitigation strategies include employee training and awareness, VPNs, multifactor authentication (MFA) and the adoption of the zero-trust framework. Recommendations include offering relevant, current, and personalised cybersecurity awareness training for remote workers, as well as implementing and training on security tools such as multi-factor authentication (MFA) and the use of strong passwords.</p>
Authors: Ngomani Fundiswa, Noluntu Mpekoa
Copyright (c) 2026 Ngomani Fundiswa, Noluntu Mpekoa
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 122-128
DOI: 10.34190/iccws.21.1.4464

The Conceptualisation of a National Malware Intelligence Laboratory for South Africa
https://papers.academic-conferences.org/index.php/iccws/article/view/4448
<p>South Africa has become an increasingly attractive target for cybercriminals, with malware and ransomware attacks on critical national infrastructure and public institutions rising in both frequency and severity. High-profile incidents, such as ransomware attacks on Transnet, the Department of Justice, and the Government Employees Pension Fund (GEPF) highlight the scale of the threat. These attacks result in severe operational disruption and financial losses, often due to inadequate readiness and response mechanisms. This paper presents the conceptualisation of a national malware intelligence laboratory (NMIL) for South Africa, designed to strengthen domestic readiness and response to malware-related threats. A literature study was carried out to determine the main gaps. This was complemented by a stakeholder interview and questionnaire. This led to a gap analysis, and the examination of existing models as reference for the proposed design of the NMIL. This process not only identifies systemic weaknesses in the national cyber defence capabilities of South Africa but also evaluates how an NMIL could be integrated into existing national cybersecurity processes. The gap analysis revealed limited coordination of malware intelligence sharing across sectoral computer security incident response teams (CSIRTs), the potential to improve the ability of the National Cybersecurity Hub (CSHUB) to aggregate and disseminate actionable threat data, and insufficient hands-on exposure to malware in current cybersecurity education and training programs. In response, the paper introduces a framework and reference model that defines NMIL functions and its manner of integration into the national cybersecurity ecosystem. Specifically, the laboratory would provide high-quality malware intelligence to the CSHUB, including sample analysis results, threat profiling, and advisory support on removal tools, to improve effective response coordination. 
Additionally, the laboratory would offer access to a sandboxed training environment to educational institutions, thereby adding greater depth to cybersecurity education and promoting national cybersecurity readiness. The framework and reference model is developed using a systems engineering approach, to detail the NMIL’s information flows, interfaces and functional domains. It is anticipated that the formal process resulting in the conceptual laboratory provides a replicable approach for institutionalising national malware laboratories. This model offers both strategic and operational insights for South Africa as well as other developing countries.</p>
Wian Gertenbach, Andre McDonald, Mfundo Masango, Ele Mukondeleli, Ethan Buckinjohn, Rendani Mmbodi, Molebogeng Latakgomo, Ndabe Hlongwane, Namosha Veerasamy
Copyright (c) 2026 Wian Gertenbach, Andre McDonald, Mfundo Masango, Ele Mukondeleli, Ethan Buckinjohn, Rendani Mmbodi, Molebogeng Latakgomo, Ndabe Hlongwane, Namosha Veerasamy
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 129-138
DOI: 10.34190/iccws.21.1.4448

Cyber–Space Governance: Securing Orbit through Resilient Global Traffic Management
https://papers.academic-conferences.org/index.php/iccws/article/view/4389
<p>This paper analyses the effectiveness of the international legal framework in mitigating the combined risks of orbital collision and cyber interference, and assesses how a global Space Traffic Management (STM) regime could enhance stability and security in outer space. Using Yin’s single-case study design, the global space governance regime is examined through Bowen’s qualitative document analysis of treaties, policies, and twelve scholarly studies, interpreted via Dunn’s public-policy analysis framework. The findings show that existing instruments establish broad norms of responsibility and liability but lack operational authority, cyber-resilient procedures, and enforceable “rules of the road.” Fragmented institutions and divergent national strategies perpetuate legal ambiguity and impede coordinated manoeuvre decisions. Cyber dependencies in orbital systems further magnify risks of misinterpretation and escalation. The study argues that an integrated STM regime—combining binding collision-avoidance authority, mandatory cyber-security standards, and interoperable data architectures—would materially reduce uncertainty and strengthen collective security. Policy recommendations include establishing a supranational coordination centre, codifying minimum separation and priority rules, and linking participation to verifiable cyber compliance. The proposed framework operationalises due regard through authority, assurance, and accountability, transforming space governance from permissive norms to enforceable safety mechanisms. By fusing legal, institutional, and technological dimensions, the research provides a practical pathway toward a secure and predictable orbital environment.</p>
Philippe Goffin, Gazmend Huskaj
Copyright (c) 2026 Philippe Goffin, Gazmend Huskaj
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 139-147
DOI: 10.34190/iccws.21.1.4389

Ontological Security and Threat Mitigation in Healthcare: A Descriptive Exploration
https://papers.academic-conferences.org/index.php/iccws/article/view/4541
<p>Abstract: The healthcare sector’s growing reliance on interconnected cyber-physical systems, from electronic health records (EHRs) to networked medical devices, has expanded both operational capabilities and systemic vulnerabilities. The costs associated with cyber-attacks have become a financial burden for the global healthcare sector, with estimates whose substance is capable of bankrupting institutions. These costs underscore the urgent need to analyze expanding attack surfaces at the intersection of cybersecurity and biosecurity [cyberbiosecurity (CBS)/biocybersecurity (BCS)], requiring systematic identification of targetable assets and corresponding defense protocols. This paper analyzes healthcare’s evolving threat landscape through the lens of ontological security. The commentary focuses specifically on threats to living systems and biological data integrity (e.g., genetic, biometric), suggesting how a focus on these unique biological targets necessitates a shift from purely IT-centric defense to a human-centric risk posture. Addressing this, we draw on the synthetic definition of ontological security which addresses stability from continuity of experience in one’s life and apply it to the healthcare space. From here, we build on the notion of perceptions of secure healthcare spaces aiding care received and attempt to spotlight potential consequences relating to vulnerabilities in healthcare that could link to lapses in patient care, including identity fragmentation during biometric theft, temporal collapse from ransomware-induced care delays, and spatial destabilization via telemedicine breaches. The paper provides a commentary that draws on select literature, drawing on a combination of techniques and observations that can restore lapses in ontological security. We address ethical imperatives for protecting biometric and genetic data, as central targets in this expanded threat landscape, while outlining policy measures to future-proof healthcare systems against AI-driven threats. By centering existential safety alongside technical safeguards, this work redefines healthcare cybersecurity as a covenant of human security in an increasingly digitized care ecosystem. The goal of this exploration is to provide global health institutions with considerations to aid care strategies that simultaneously protect patient safety, provider integrity, and institutional resilience.</p>
Brandon Griffin, Michaela Barnett, Tom VanNorman, Nina Janine Medina, Lucas Potter, Xavier Palmer
Copyright (c) 2026 Brandon Griffin, Michaela Barnett, Tom VanNorman, Nina Janine Medina, Lucas Potter, Xavier Palmer
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 148-156
DOI: 10.34190/iccws.21.1.4541

The APT Paradox: Sophisticated Simplicity in Nation-state Cyber Operations (2024–2025), Trends, Detection Provenance, and Practical Gaps
https://papers.academic-conferences.org/index.php/iccws/article/view/4404
<p>Advanced Persistent Threats (APTs) present a paradox in cybersecurity: sophisticated state actors use both zero day exploits and old social engineering tricks, maintaining complex infrastructure while exploiting basic misconfigurations. This study analyzes 60 verified APT campaigns from January 2024 to July 2025, providing an empirical snapshot of current threat actor behaviour, targeting patterns, and detection dynamics. Using a reproducible methodology with clear inclusion criteria based on state backing, persistence, and sophistication indicators, we address four research questions: which actors are active (RQ1), what sectors they target and how this varies by actor (RQ2), which initial access methods dominate (RQ3), and who detects campaigns with what implications for visibility (RQ4). All data are archived in a public repository to enable validation and extension. Our findings reveal concentration among four primary state clusters: Russia (17 campaigns), China (16), North Korea (15), and Iran (9), accounting for 95% of attributed activity. Actor sector relationships show clear patterns: Chinese actors focus on telecommunications and government networks, Russians target diplomatic infrastructure, North Koreans emphasize financial and cryptocurrency platforms, while Iranian operations cluster around regional events. Social engineering dominates initial access (40%), followed by web/network exploitation (21.7%) and N day exploitation (13.3%), with zero days appearing in only 8.3% of campaigns, challenging assumptions about APT sophistication. Critical to defensive planning, we identify systematic detection gaps from vendor centric discovery that creates predictable blind spots in regions with limited commercial security deployment and sectors using legacy infrastructure. 
The 18 month persistence of specific actor sector relationships indicates sustained rather than episodic interest, requiring continuous defensive evolution rather than one time responses. These findings require rethinking defensive strategies from isolated organisational responses to collaborative ecosystem approaches. The paradoxical nature of APT operations, advanced yet basic, strategic yet opportunistic, reflects fundamental asymmetries in cyber conflict where attackers need only single successes while defenders must maintain continuous vigilance across expanding attack surfaces. Effective defense requires not just technical controls but coordinated, cross sector frameworks based on observed rather than theoretical threat behaviours. Scope and limitations: Findings reflect publicly reported activity within January 2024–July 2025 and may under-represent restricted disclosures (e.g., Five Eyes and allied operations). We analyse observable evidence in this window, not an exhaustive census. Practical implication: Although actors often chain techniques [Cybersecurity and Infrastructure Security Agency, 2025], we treat the first successful foothold as the decision-relevant initial access because it drives earliest containment and triage; later steps refine rather than replace these priorities.</p>
Raymond André Hagen
Copyright (c) 2026 Raymond André Hagen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 157-166
DOI: 10.34190/iccws.21.1.4404

Quantifying the Economic Impact of Ransomware: Cyber Risk Modeling with Gamma Regression
https://papers.academic-conferences.org/index.php/iccws/article/view/4378
<p>Ransomware has evolved into one of the most disruptive forms of cybercrime, resulting in severe financial and operational losses for organizations across various sectors. Despite its increasing prevalence, quantitative models for evaluating the drivers of ransomware losses remain underdeveloped, limiting both academic insight and practical risk management. This study addresses this gap by developing and empirically validating a statistical framework for quantifying the financial impact of ransomware incidents. Drawing on ransomware cases extracted from the Advisen Cyber Loss Database, we employ a generalized linear model (GLM) with Gamma regression and log link to estimate how socio-technical factors shape loss severity. Our analysis examines four categories of predictors: (1) Technology, operationalized via database server involvement in incidents; (2) Preparedness, captured through insurance coverage ratios; (3) Settlement Length, reflecting negotiation and resolution timelines; and (4) Multi-entity Connections, representing the number of affected organizations in an incident. The results indicate that each factor influences the anticipated magnitude of losses. Insufficient preparedness is correlated with greater financial damages, whereas incidents involving database servers and prolonged settlement periods result in disproportionately substantial losses. Moreover, multi-entity connections exacerbate losses due to cascading effects across organizational networks. To assess the robustness of the model, bootstrapping techniques are employed, confirming the stability of the coefficient estimates and underscoring the model’s reliability under resampling. By providing empirical evidence of the drivers of ransomware loss severity, this study contributes to both academic research and practical cybersecurity governance. For scholars, it demonstrates the utility of Gamma regression in modeling highly skewed cyber loss distributions. 
For practitioners, it highlights quantifiable indicators that can inform cybersecurity investment and organizational preparedness strategies. More broadly, the findings highlight the importance of interdisciplinary approaches that integrate cybersecurity management with socio-technical dimensions of cyber risk. This work lays a foundation for future studies that extend to newer datasets and explore AI-enhanced risk prediction, thereby advancing both theoretical understanding and applied resilience against ransomware in the evolving cyber threat landscape.</p>
Li Huang, Kimberly A. Cornell
Copyright (c) 2026 Li Huang, Kimberly A. Cornell
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 167-175
DOI: 10.34190/iccws.21.1.4378

First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts
https://papers.academic-conferences.org/index.php/iccws/article/view/4412
<p>The reliability of cyber forensic evidence acquisition is strongly influenced by the underlying operating systems (Windows, macOS, and Linux) due to inherent variations in file system structures, encryption protocols, and forensic tool compatibility. Disk forensics, one of the most widely used techniques in digital investigations, faces distinct obstacles on each platform. Windows, with its predominantly NTFS and FAT file systems, typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit. However, encryption features frequently pose challenges to evidence acquisition. Conversely, Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency, yet the transient nature of log retention often complicates forensic analysis. In instances where anti-forensic strategies—such as encryption and compression—render traditional disk forensics insufficient, memory forensics becomes crucial. While memory forensic methodologies demonstrate robustness across Windows and Linux platforms through frameworks like Volatility, platform-specific difficulties persist. Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition; nevertheless, live memory acquisition on Linux can still present challenges. This research systematically assesses both disk and memory forensic acquisition techniques across samples representing Windows and Linux systems. By identifying effective combinations of forensic tools and configurations tailored to each operating system, the study aims to improve the accuracy and reliability of evidence collection. It further evaluates current forensic tools and highlights a persistent gap: consistently assuring forensic input reliability and footprint integrity. 
By integrating static analysis with temporal performance evaluations, this study emphasizes the importance of developing standardized forensic procedures to ensure the integrity and admissibility of evidence across diverse platforms. Establishing such standardized methodologies is imperative to maintaining the credibility and reliability of cyber forensic investigations in heterogeneous operating system environments.</p>
Vinayak Jain, Sneha Sudhakaran, Saranyan Senthivel
Copyright (c) 2026 Vinayak Jain, Sneha Sudhakaran, Saranyan Senthivel
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 176-184
DOI: 10.34190/iccws.21.1.4412

Regulatory Challenges in Maritime Cybersecurity: Evidence from Expert Workshops
https://papers.academic-conferences.org/index.php/iccws/article/view/4424
<p>The maritime transportation sector is crucial for nations worldwide, as the Maritime Transportation System (MTS) facilitates over 90% of international trade through an extensive network of ships and ports. As digitized maritime operations become increasingly prevalent, advanced technologies are being integrated into these systems. MTS’s critical importance, along with its dependence on interconnected systems and new digital technologies, renders it vulnerable to cyberattacks at ports and other key points. Consequently, implementing cybersecurity regulations in the maritime sector is essential to ensure operational safety and security. However, organizations within this sector encounter significant challenges in adopting and adapting to these regulations, highlighting the need for robust, clear, and enforceable standards. Previous studies have identified various gaps and challenges in maritime cybersecurity regulations, including fragmented, outdated, and inconsistent enforcement. To address these issues, this paper employs a qualitative analysis through expert workshops to evaluate whether the findings effectively reflect real-world experiences with operational and regulatory applications. The study aims to identify and analyze gaps and challenges in existing regulations, policy standards, and frameworks for maritime cybersecurity.</p>
Bilge Karabacak, Kasey Miller, Ulku Clark, Jeff Cummings, Edwin Garces, Geoff Stoker
Copyright (c) 2026 Bilge Karabacak, Kasey Miller, Ulku Clark, Jeff Cummings, Edwin Garces, Geoff Stoker
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 185-193
DOI: 10.34190/iccws.21.1.4424

Migrating Time and Security-Critical PKIs to Post-Quantum Cryptography: SWIM and C-ITS
https://papers.academic-conferences.org/index.php/iccws/article/view/4479
<p>Public Key Infrastructures (PKIs) are foundational to time- and security-critical systems such as air traffic management and cooperative intelligent transport systems (C-ITS). These PKIs rely almost exclusively on classical public-key cryptography, which will become vulnerable once cryptographically relevant quantum computers emerge. Migrating such systems to post-quantum cryptography (PQC) is therefore necessary but non-trivial, as these environments impose strict constraints on latency, bandwidth, interoperability, long system lifetimes, and regulatory compliance. This paper presents a comparative, constraint-driven analysis of PQC migration for time- and security-critical PKIs. Focusing on System-Wide Information Management (SWIM) and C-ITS, we examine how PQC signature and key sizes, verification costs, and certificate structures affect real-time communication, certificate validation, and session establishment. In particular, we analyze the impact of certificate size growth and verification latency on time-critical messaging using published benchmarks and protocol specifications. Rather than proposing new cryptographic primitives or implementations, this work synthesizes existing benchmarks, standardization documents, and protocol specifications to identify feasibility limits, migration risks, and design trade-offs. The analysis shows that certificate chain length and signature overhead can dominate session establishment time in short communication windows, particularly in C-ITS environments, even when individual cryptographic operations remain computationally efficient. We further discuss the operational risks introduced by hybrid cryptographic deployments, including increased system complexity, negotiation failures, and insecure fallback behavior. In addition, we highlight how long system lifetimes and slow standardization cycles in safety-critical sectors complicate timely cryptographic transitions. 
The results indicate that migration feasibility is often determined by system-level constraints, such as certificate handling, protocol overhead, interoperability requirements, and regulatory alignment, rather than by the performance of individual PQC algorithms alone. Based on this analysis, we present a benchmarking-based migration framework tailored to critical PKIs, highlighting where hybrid cryptographic approaches are unavoidable, where they introduce new risks, and which classes of PQC algorithms are conditionally viable under strict timing and bandwidth constraints. The paper concludes with concrete recommendations for system designers and policymakers to support crypto-agile PQC migration without compromising operational safety.</p>
Anni Karinsalo, Sara Nikula, Sami Lehtonen
Copyright (c) 2026 Anni Karinsalo, Sara Nikula, Sami Lehtonen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 194-201
DOI: 10.34190/iccws.21.1.4479

From Water Plants to Nuclear Reactors: Mapping SCADA Vulnerabilities in Small Modular Energy Systems
https://papers.academic-conferences.org/index.php/iccws/article/view/4521
<p>Supervisory Control and Data Acquisition (SCADA) systems are responsible for helping to manage a large portion of the industrial process, which keeps the economy running. In Small Modular Reactors (SMRs), SCADA helps with monitoring reactor conditions but is responsible for the careful variable control, which keeps reactors running optimally. Due to the far-reaching benefits of SCADA involvement, when there is a SCADA-related attack, the consequences are also far-reaching. SMRs rely even more heavily on interconnected digital systems, meaning similar attacks could destabilize reactors, shut down industrial sites, or disrupt critical facilities such as refineries and military bases. This paper takes a closer look at SCADA vulnerabilities in the context of SMRs. Through analysis of the National Vulnerability Database, we compiled likely attacks on SMRs and evaluated them for threat severity and likelihood. Using trend analysis, topic modelling, and economic impact assessment, we show how these weaknesses could affect energy infrastructure and, more importantly, the many industries that rely upon it. Our findings underline the urgent need to strengthen the infrastructure defences, specifically in the realm of small modular nuclear reactors.</p>
Shreyas Kumar, Aleksander Alvarez, Jashanjodh Bajwa, Shrutwik Muppa
Copyright (c) 2026 Shreyas Kumar, Aleksander Alvarez, Jashanjodh Bajwa, Shrutwik Muppa
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 202-211
DOI: 10.34190/iccws.21.1.4521

Cyber Security in the Subsea Telecommunication Cable Networks
https://papers.academic-conferences.org/index.php/iccws/article/view/4505
<p>More than 95% of international internet and telecommunication data is transmitted through subsea fiber-optic cables, valued for their cost-efficiency, low latency, and high capacity. The cables connect the network of data centers around the world to form our internet. This physical infrastructure is critical to the modern world as most modern services depend on it. There are currently over 550 commercial subsea telecommunication cables in-service and many more planned or being constructed. It is crucial to provide resilience of the subsea cables against environmental, human, and other activities that may break any one or multiple cables. Despite their critical importance to global communications, these vast networks remain vulnerable to a range of cyber threats. The remote location of subsea cables does not preclude risks; rather, their endpoints, landing stations, and network management systems are susceptible to malicious actors seeking to intercept, disrupt, or manipulate data flows. As international reliance on these information systems increases, so does the strategic imperative to secure them against espionage, sabotage, and emerging cyber-attacks. Successful cyber-attacks are predicated on exploiting system vulnerabilities. Vulnerability can be defined as exploitable weaknesses or deficiencies in a system, device or its design that allow cyber attackers to execute cyber-attacks. A weakness in system security procedures, software applications, policies and procedures and regulatory compliance may be caused by vulnerabilities. The inherent weakness in the system caused by vulnerability increases the probability of a harmful occurrence or exacerbates its consequences. Vulnerabilities can be divided into those that exist in people’s actions, processes in the organizations, and technologies. The paper discusses cyber vulnerabilities, threats and management thereof in the telecommunications network.</p>
Martti Lehto, Petro Julkunen, Hans Hartikainen
Copyright (c) 2026 Martti Lehto, Petro Julkunen, Hans Hartikainen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 212-221
DOI: 10.34190/iccws.21.1.4505

On the Establishment of Trust: Challenges, Opportunities and Socio-Cultural Factors
https://papers.academic-conferences.org/index.php/iccws/article/view/4527
<p>Trust is one of the fundamental necessities of human beings and, according to <em>Stephen R. Covey</em>, not simply the “glue of life”, but also the “most essential ingredient in effective communication”. Even though the principles and importance of trust are as old as humanity itself (in ancient times, trusting strangers could mean the difference between life and death, and thus pose an immediate threat to one's social tribe), trust is gaining increasing attention, particularly in light of tomorrow's all-electric society and the decentralization and globalization associated with it. Contrary to previous decades, physical proximity is no longer necessary to access a system; access is possible (almost) anytime, (almost) anywhere. However, trust is a multidimensional concept depending on a multitude of aspects, such as the specific application, the value of the resource, and the available technology, but also, for instance, on the people who are managing access to systems and applications. As societies become increasingly aware of data breaches, algorithmic surveillance, and commercialization of personal data, cultural values have shifted toward individual agency and distrust of centralized institutions. Trust can never be taken for granted; rather, it must be earned, orchestrated and continuously verified. Technologies like multi-factor authentication (MFA) reflect this, offering multi-layered mechanisms for identity verification and access protection. These developments illustrate a broader societal reshaping of trust (from implicit trust toward conditional, data-driven security) and show how technological design is shaped by evolving social anxieties and expectations. Against this background, this work focuses on socio-cultural influences on the definition of trust and trustworthiness, such as origin (geography, culture, political system) or educational background and training. 
In particular, it follows research questions including: i) how do socio-cultural perceptions of trust and identity shape the development and adoption of digital security technologies such as MFA?; ii) in which ways does the rise of digital surveillance and data breaches influence societal expectations of privacy and trust in technological systems?; and iii) how is the concept of trust redefined in the digital age, and what role do authentication technologies play in mediating this transformation?</p>
Christoph Lipps, Denise Scharwatz, Henry Collier
Copyright (c) 2026 Christoph Lipps, Denise Scharwatz, Henry Collier
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 222-231
DOI: 10.34190/iccws.21.1.4527

Q-Learning Model for Proportionality Assessment in Military Operations
https://papers.academic-conferences.org/index.php/iccws/article/view/4370
<p>In the context of military operations, accurate and transparent proportionality assessment is essential to ensure compliance with international humanitarian law. On this behalf, this research presents and evaluates two Q-learning models designed to build the proportionality assessment in military operations. In this sense, the first model considers collateral damage exclusively in physical terms (excluding psychological harm), while the second model explicitly integrates psychological damage as part of the collateral damage effects. Both models encode operational rules as multi-attribute states encompassing injury severity, fatalities, object damage, and military advantage, differing only in the inclusion of psychological factors. From training and simulation results, it can be seen that this approach provides a valuable classification approach for proportional and disproportional outcomes within their respective scenario sets. This shows that AI (Artificial Intelligence) provides effective methods and techniques that allow both modelling and the expansion of existing definitions and perspectives of existing challenging concepts in the uncertain and dynamic space of the military domains while accounting and respecting legal and ethical considerations in order to build responsible and trustworthy military AI systems.</p>
Clara Maathuis
Copyright (c) 2026 Clara Maathuis
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21, No. 1, pp. 232-240
DOI: 10.34190/iccws.21.1.4370

Proportionality Assessment in Military Operations based on SARSA and PPO Models
https://papers.academic-conferences.org/index.php/iccws/article/view/4453
<p>This research proposes a novel decision‑support framework for proportionality assessment in military operations integrating on‑policy and policy‑gradient reinforcement‑learning methods to encode expert rules and automatically classify engagement scenarios. On this behalf, two modelling perspectives are considered implementing SARSA (State-Action-Reward-State-Action) and PPO (Proximal Policy Optimization) algorithms, and two approaches are adopted, i.e., in order to consider or not the integration of psychological effects or harm as part of collateral damage. Further, various optimization methods and simulation scenarios are considered in order to understand the effectiveness and robustness of the modelling techniques developed. From the results obtained, it can be seen that while SARSA achieves rapid reward stabilization but exhibits limited accuracy due to potential bootstrapping bias and insufficient exploration in larger state spaces, PPO’s clipped surrogate updates yield robust, monotonic improvement, consistently realizing high classification accuracy across both cases, albeit over longer training horizons. To this end, a comparative analysis is conducted based on simulation results, learning curves, Q‑value/policy distributions, and confusion matrices to illustrate each algorithm’s strengths and limitations. Hence, this research demonstrates the viability of reinforcement learning models as transparent, adaptable tools for proportionality assessment for supporting real‑time operational decisions.</p>
Clara Maathuis
Copyright (c) 2026 Clara Maathuis
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 241-249
DOI: 10.34190/iccws.21.1.4453

Genetic Algorithms for Proportionality Assessment in Military Operations
https://papers.academic-conferences.org/index.php/iccws/article/view/4369
<p>This research proposes the application of Genetic Algorithms (GAs) as an effective computational approach for proportionality assessment in military operations. With this scope, two distinct GA-based models are proposed: one evaluating proportionality excluding psychological damage from collateral damage considerations, and another integrating psychological damage into the collateral damage component of this assessment. Each model encodes the operational assessment rules as binary classification policies, mapping multidimensional states defined by levels of injury, death, object damage, and military advantage to proportional or disproportional decisions. Through evolutionary optimization involving selection, crossover, mutation, and fitness evaluation across generations, the GAs search for classification rules that maximize alignment with expert-defined proportionality judgments. From the evaluation conducted, which includes accuracy, fitness progression, population diversity, and confusion matrices, it is seen that the models converge reliably to high-performance solutions, achieving high classification accuracy within the deterministic rule sets. Further, the influence of psychological damage is assessed in relation to the behaviour convergence and classification outcomes. The results show the utility of GAs in automating this military decision-making process as a responsible, transparent, adaptive, and interpretable mechanism for proportionality assessment that is able to incorporate both legal and ethical considerations in operational environments.</p>Clara Maathuis
Copyright (c) 2026 Clara Maathuis
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 250-258
DOI: 10.34190/iccws.21.1.4369

Beyond Posters: A User-Centric Digital Twin Framework for Cybersecurity Awareness
https://papers.academic-conferences.org/index.php/iccws/article/view/4388
<p>Traditional cybersecurity awareness (CSA) methods, such as posters, flyers, and static training modules, often fail to engage users or drive lasting behavioural change. To address these limitations, this paper proposes a novel, user-centric approach to CSA using Digital Twin (DT) technology integrated with machine learning (ML). The proposed framework introduces the concept of a User-Centric Digital Twin (UCDT)-CSA, a dynamic digital replica of each user modelled on their cybersecurity knowledge, behaviours, and risk profile. While UCDTs have been applied in domains such as construction, aquaculture, and healthcare, this work pioneers their use in the cybersecurity context. The system begins with a pre-assessment to capture individual user responses, which are used to configure a personalized training path. Through ongoing interaction with adaptive simulations and scenario-based learning, the UCDT-CSA evolves in real time, enabling training that continuously adjusts to user performance and behaviour. ML models analyse these interactions to refine each twin’s profile, delivering increasingly targeted content and interventions aimed at improving secure behaviours. This approach transforms CSA from a static, compliance-focused exercise into an engaging, data-driven, and behaviourally adaptive learning experience. The paper outlines the architecture of the UCDT-CSA framework, discusses key implementation considerations, and sets the stage for future empirical validation and deployment in government, Small and Medium-Sized Enterprises (SMEs) and academic environments.</p>Fhatuwani Makharamedzha, Errol Baloyi, Rendani Mmbodi, Ndabezinhle Hlongwane
Copyright (c) 2026 Fhatuwani Makharamedzha, Errol Baloyi, Rendani Mmbodi, Ndabezinhle Hlongwane
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 259-267
DOI: 10.34190/iccws.21.1.4388

Architectural Framework for an Enhanced Multi-Party Fully Homomorphic Encryption Scheme
https://papers.academic-conferences.org/index.php/iccws/article/view/4452
<p>The Common Vulnerability Scoring System (CVSS) depends on reliable vulnerability data from experts, but the current process of vulnerability score generation and transmission remains exposed to data manipulation and interception. Existing research work used supervised machine learning to automate CVSS scoring with up to 90% accuracy, but their plaintext-based approach lacked cryptographic protections, leaving it vulnerable to Man-in-the-Middle (MitM) attacks. Another research work introduced a homomorphic encryption-based framework that preserves data confidentiality during computation and offers moderate performance gains. However, their dependence on a single trusted aggregator, static key management, and absence of dynamic integrity threshold mechanisms left the system exposed if the aggregator’s key or channel were compromised. An architectural framework for an Enhanced Multi-Party Fully Homomorphic Encryption Scheme (EMHES) was designed to combat Man-in-the-Middle (MitM) attacks targeting Vulnerability Score manipulation. By employing Homomorphic Encryption, the framework enables computations on encrypted vulnerability scores, ensuring confidentiality throughout their lifecycle. Key enhancements include integrating digital signatures to authenticate classified scores before encrypted transmission to cloud environments and verify the integrity of decrypted results post-processing. Digital signatures and regulatory oversight significantly strengthen security properties like non-repudiation, integrity, and confidentiality for cloud-based data computations. The EMHES architecture features a secure transmission channel with multiple security layers within the cloud service provider infrastructure. Additional security mechanisms include secure key management protocols, zero-knowledge proofs for integrity verification, and a resilient secure aggregation protocol designed to counter MitM attacks.
From a computational analysis, baseline algorithms exhibit constant time complexity O(1), while the EMHES architecture operates with linear time complexity O(n). The result shows that EMHES provides superior security, integrity and performance on large datasets.</p>Joshua Edward Mamza, Idris Ismaila, Joseph Ojeniyi, Shafi’i Abdulhamid, Moses Noel, Olusanjo Fasola
Copyright (c) 2026 Joshua Edward Mamza, Idris Ismaila, Joseph Ojeniyi, Shafi’i Abdulhamid, Moses Noel, Olusanjo Fasola
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 268-278
DOI: 10.34190/iccws.21.1.4452

Blockchain Use in Disbursing Financial Aid at Higher Education Institutions
https://papers.academic-conferences.org/index.php/iccws/article/view/4463
<p>Financial aid plays a crucial role in ensuring access to education, particularly for individuals from disadvantaged financial backgrounds. Education is a powerful driver of cultural and national development. By facilitating education, financial aid cultivates young professionals capable of driving progress across various fields. Notably, approximately 84 percent of students benefit from financial aid scholarships. In South Africa, bursaries and scholarships play a crucial role in providing essential financial support to students. However, the existing disbursement process is fraught with significant challenges. The manual nature of these processes leads to time-consuming operations, a high risk of errors, delays in fund distribution, and vulnerability to fraud. These inefficiencies hinder the timely delivery of financial aid, posing severe risks to students' academic success. To address these pressing challenges, it is imperative to transition to automated systems that streamline operations, minimise errors and delays, and enhance security against fraud. This transformation will ensure that financial aid reaches deserving students efficiently and securely. Therefore, this study conducts a systematic literature review to thoroughly investigate the challenges faced by financial aid institutions and students in fund disbursement at higher education institutions. Additionally, it examines the potential of Blockchain technology in improving fund disbursement processes. Findings indicate that the current scholarship disbursement procedures in South African institutions are manual, inefficient, and prone to errors, resulting in delays and opportunities for fraud. The urgency of this issue cannot be overstated, as students suffer from both hunger and frustration, while some lose their funds altogether. Importantly, the research highlights that a Blockchain ledger is inherently challenging to tamper with, thereby providing enhanced security. 
In a Smart Contract Blockchain-based system, every transaction is meticulously recorded on a distributed, publicly visible ledger, ensuring traceability and transparency of all disbursements and significantly reducing the risk of fraud.</p>Livhuwani Mathintha, Noluntu Mpekoa, Tevin Moodley
Copyright (c) 2026 Livhuwani Mathintha, Noluntu Mpekoa, Tevin Moodley
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 279-288
DOI: 10.34190/iccws.21.1.4463

Human Cognition is a Tool in Warfare in the Cyber Domain
https://papers.academic-conferences.org/index.php/iccws/article/view/4363
<p>Warfare in cyber domains has evolved into a battleground for both defensive and offensive geopolitical objectives, exploiting cognitive vulnerabilities, credibility, and authority. Artificial intelligence (AI), information communication technologies (ICT), digital platforms and gaming are increasingly used to influence cognitive elements such as attitudes, biases, beliefs, perceptions, and psychological susceptibilities. Cognitive warfare is now an integral part of international relations, posing serious threats to individuals, critical infrastructure, and national security. Human cognition serves as a powerful instrument in this domain. As AI, ICT tools and digital platforms continue to advance, cyber warfare is becoming more complex, with diverse threat vectors and networks of adversarial actors. Tactics such as psychosensory warfare and white noise jamming are proving effective in cognitive operations, where fear and the loss of hope play a central role in digital battlefield strategies.</p>Niina Meriläinen
Copyright (c) 2026 Niina Meriläinen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 289-295
DOI: 10.34190/iccws.21.1.4363

A Hybrid Machine Learning Approach for Red Team Log Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4433
<p style="font-weight: 400;">Red teaming is a common cybersecurity practice that simulates real-world adversarial cyber operations on defended systems to identify vulnerabilities. Current red team tools often have limited logging capabilities, resulting in insufficient analysis that prevents red teams from receiving real-time feedback and insights after operations. The application of machine learning for automating the analysis of red team operations is severely constrained by the scarcity of labeled, real-world log data. This research addresses this challenge by exploring the potential of using synthetic data to train attack-detection models for Cobalt Strike logs. We systematically evaluate three different training approaches for analyzing Cobalt Strike operational logs: synthetic-only, real-world-only, and a hybrid approach that combines both data types. Our methodology employs a comprehensive feature engineering pipeline that includes both programmatic log generation for creating large-scale structured data and large language model techniques for introducing variety and edge cases. We transform each log file into a high-dimensional vector that includes event types, command verbs, temporal activity patterns, and mappings to the MITRE ATT&CK knowledge base. Random Forest classification models are trained using this feature set to distinguish between successful and failed attack scenarios. By rigorously testing each training approach against a manually labeled ground-truth set of 112 authentic Cobalt Strike logs, we quantify the performance and limitations of each strategy. <span style="font-weight: 400;">Our main contribution is demonstrating that a hybrid training strategy achieves 94% accuracy, greatly surpassing synthetic-only models (56%) and real-world-only models (79%). This combined approach effectively addresses both the domain gap in synthetic data and the data scarcity in small, real-world datasets. 
The hybrid model learns attack diversity from over 30,000 synthetic scenarios while grounding understanding in the authentic structural patterns of real logs, providing a 15 percentage-point improvement over real-data-only approaches. This research offers a practical framework for enhancing limited real-world cybersecurity datasets by strategically integrating synthetic data, enabling immediate use in Department of Defense red team operations and wider cybersecurity machine learning applications.</span></p>Nickolas Mohr, Alan Shaffer, Gurminder Singh, Armon Barton
Copyright (c) 2026 Nickolas Mohr, Alan Shaffer, Gurminder Singh, Armon Barton
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 296-303
DOI: 10.34190/iccws.21.1.4433

A Key Rotation Management System: Design and Implementation for Improved Data Security
https://papers.academic-conferences.org/index.php/iccws/article/view/4493
<p>Organizations in today’s rapidly changing digital world use various channels, such as secure APIs and encrypted communications, to enhance collaborations and information sharing. While these systems assist in enhancing productivity, innovation and collaboration, they can also introduce major security risks for protecting sensitive information. The core of data protection depends on cryptographic key management, with key rotation playing a vital role, yet often neglected. Key rotation, a well-established cryptographic practice, is essential for minimizing data exposure, mitigating key compromise risks and ensuring regulatory compliance. However, inconsistent implementation of key rotation policies across organizations often results in varied security practices. The proposed Key Rotation Management System functions as a solution that automates and standardizes all stages of the key lifecycle process. The system implements a three-tier Model-View-Controller framework which combines different functional components that include user authentication together with role-based control, automated key generation, secure storage and distribution, periodic rotation, dashboard visualization and proactive alert systems. The proposed system resolves fundamental problems which arise from human involvement in administration and irregular scheduling and insufficient user understanding and insecure distribution methods. The solution provides real-time key ageing visibility through its dashboard interface, while its scheduling and reminder features assist in automated rotation interval execution. It includes a centralized service request-response module together with automated email notification to help organizations maintain effective communication and monitor compliance standards. 
The evaluation results show that the proposed system enhances user responsiveness and decreases expired key occurrences while decreasing manual work and assisting organizations in meeting industry international standards. The system design with role-based access controls provides both security measures and system accountability features. The proposed Key Rotation Management System combines automation, visualization and security to offer a scalable solution that can strengthen the cryptographic strength of digital infrastructures.</p>Malibongwe Ntalali, Noluntu Mpekoa, Sheethal Tom
Copyright (c) 2026 Malibongwe Ntalali, Noluntu Mpekoa, Sheethal Tom
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 304-312
DOI: 10.34190/iccws.21.1.4493

Explainable AI in Insider Financial Fraud Detection Models: A Review of Transparency and Trust
https://papers.academic-conferences.org/index.php/iccws/article/view/4416
<p>Financial and insider fraud increasingly intersect with broader cybercrime ecosystems, creating attack vectors that undermine national cyber resilience and the integrity of digital financial infrastructures. As organizations turn to machine learning (ML) and deep learning (DL) models for automated fraud and insider-threat detection, the opacity of these systems presents strategic risks for cyber defense: unexplainable alerts weaken analyst trust, complicate incident response, and challenge regulatory and forensic accountability. This study presents a systematic review of 107 empirically validated works (2015–2025) examining how Explainable Artificial Intelligence (XAI) techniques enhance transparency, trustworthiness, and operational readiness in AI-driven fraud detection systems. Using a mixed bibliometric–thematic methodology, the review maps the evolution of ML/DL architectures, XAI adoption patterns, evaluation practices, and dataset limitations within security-critical environments. The findings highlight a sector-wide dependence on post-hoc feature attribution and reveal emerging shifts toward intrinsic interpretability through attention mechanisms and hybrid temporal models. Despite progress, gaps persist: limited use of sequential behavioral models, narrow evaluation metrics, and overreliance on structured datasets weaken real-world resilience against adaptive adversaries. To address these challenges, the paper proposes a Three-Pillar Framework: Algorithmic Transparency, Evaluation Accountability, and Data Traceability that positions explainability as a foundational architectural property for cyber defense systems. 
By aligning model interpretability with security operations, regulatory requirements, and analyst cognition, the framework strengthens organizational readiness against insider threats, financial fraud, and AI-targeted adversarial manipulation, key considerations in modern cyber warfare and security operations.</p>Hillary Kwame Ofori, William Leslie Brown-Acquaye, Forgor Lempogo, Kwame Bell-Dzide, Israel Edem Agbehadji
Copyright (c) 2026 Hillary Kwame Ofori, William Leslie Brown-Acquaye, Forgor Lempogo, Kwame Bell-Dzide, Israel Edem Agbehadji
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 313-322
DOI: 10.34190/iccws.21.1.4416

Cyber-Physical Incident Attribution in UAV/Rail Attacks
https://papers.academic-conferences.org/index.php/iccws/article/view/4457
<p>As unmanned aerial vehicles (UAVs) and smart rail systems become increasingly integrated into critical logistics infrastructure, they also present new surfaces for hybrid cyber-physical attacks. Coordinated adversarial actions such as cyber intrusions that manipulate physical trajectories, sensor spoofing, or disruptions to control systems pose significant challenges for real-time detection and post-incident analysis. Effective attribution of such incidents is crucial not only for identifying responsible parties but also for enhancing resilience and enabling coordinated defense responses across infrastructure operators, governments, and private stakeholders. This paper examines the problem of cyber-physical incident attribution in the context of combined UAV/rail attacks, where attack vectors may span networked systems, edge devices, and physical actuators. We propose a layered attribution framework that fuses telemetry from cyber logs, UAV flight data, rail signaling systems, and environmental sensors to reconstruct the sequence and origin of coordinated attacks. The system leverages graph-based causality analysis, trust scoring mechanisms, and cross-domain forensic correlation to associate anomalies with likely sources and attack pathways. Our approach combines both deterministic rules and machine learning models trained on simulated and real-world incident data to balance explainability and adaptive intelligence. This paper, overall, adopts an exploratory perspective, examining foundational challenges and design trade-offs involved in attributing cyber-physical incidents within a multimodal UAV/rail logistics environment. Rather than proposing a finalized solution, the work seeks to identify key data-fusion requirements, threat-modeling gaps, and policy implications to inform future technical and legal frameworks for attribution.
Preliminary results from simulated hybrid attacks using a digital twin environment show promising attribution accuracy, particularly when incorporating temporal patterns and system interdependencies. However, limitations in sensor coverage and adversarial evasion tactics underscore the need for multi-source trust validation and international collaboration in standardizing attribution protocols. Ultimately, this research aims to lay groundwork for a scalable, context-aware attribution system that can support accountability, deterrence, and rapid response in the evolving landscape of autonomous transportation.</p>Isaac Ojeh, Xavier Palmer, Lucas Potter
Copyright (c) 2026 Isaac Ojeh, Xavier Palmer, Lucas Potter
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 323-330
DOI: 10.34190/iccws.21.1.4457

Zero Trust Architecture for UAV/Rail Logistics Ecosystem
https://papers.academic-conferences.org/index.php/iccws/article/view/4518
<p>As unmanned aerial vehicles (UAVs) and smart rail systems become increasingly integrated into logistics and supply chain operations, ensuring secure, resilient communication and coordination between these components is critical. Traditional perimeter-based security models are no longer sufficient for such dynamic, distributed ecosystems. This research proposes a Zero Trust Architecture (ZTA) tailored to the UAV/rail logistics domain, addressing the challenges of securing multimodal transport nodes, autonomous coordination, and real-time data exchange across untrusted and heterogeneous networks. Unlike conventional models that assume implicit trust within a network boundary, ZTA continuously validates every user, device, and service attempting to interact with the system, enforcing strict access controls and real-time behavioral monitoring. This paper adopts an exploratory approach to assess the feasibility and impact of applying Zero Trust principles to a complex, multimodal logistics ecosystem. Rather than presenting a finalized solution, the work investigates key design considerations, architectural trade-offs, and implementation challenges unique to UAV and rail system integration. The proposed architecture is designed to authenticate and authorize interactions across UAVs, rail infrastructure, edge nodes, and command-and-control centers using principles of least privilege, micro-segmentation, and continuous verification. Machine learning models are incorporated to detect anomalies in system behavior, such as route deviations or unauthorized data flows, enabling rapid threat identification and mitigation. Furthermore, this approach integrates policy-based access control with identity-aware proxies to enforce trust decisions dynamically and contextually based on device posture, geolocation, and real-time mission parameters.
The implications of this work extend beyond protecting individual assets; they enable the secure orchestration of complex, time-sensitive logistics chains involving autonomous and semi-autonomous agents. This work demonstrates that implementing Zero Trust in UAV/rail logistics is both technically viable and operationally beneficial, offering a path toward resilient, adaptive infrastructure capable of withstanding evolving cyber threats without compromising performance or interoperability.</p>Isaac Ojeh, Xavier Palmer, Lucas Potter
Copyright (c) 2026 Isaac Ojeh, Xavier Palmer, Lucas Potter
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 331-338
DOI: 10.34190/iccws.21.1.4518

Policing Vulnerability to Criminal Persuasive Technology Use on Futurist Moon Bases
https://papers.academic-conferences.org/index.php/iccws/article/view/4543
<p>There have been increasing demonstrations of criminal enterprises normalizing the adaptation of persuasive technologies to target and victimize people all over the world online and offline. Persuasive technologies include any software or hardware that we interact with that can influence our behaviors, including changing our behaviors or maintaining our behaviors, making people vulnerable to behavioral or technical exploitation of our information and communication. This vulnerability may be heightened in isolated environments like futurist Moon Bases, suggesting there may be a unique victimology for people living and working on a Moon Base. To counter this activity, in theory, policing criminal persuasive technology use on a Moon Base environment must consider the behavioral design of persuasive technologies and this unique victimology. This practitioner’s paper will discuss the shifting research direction of persuasive technologies toward deception, since the introduction of this model focused on improving people’s health almost two decades ago, suggesting that generative artificial intelligence and machine learning will accelerate adaptive, deceptive persuasive technologies. This paper will visualize theoretical scenarios describing how criminal enterprises could victimize people on Moon Bases with persuasive technology design specific to that environment. This paper provides a comparative example when considering Arctic contexts as similar isolated environments. These futurist theoretical scenarios provide some demonstrations of criminal behaviors using persuasive technologies to victimize people, highlighting the unique victimology of users in isolated environments of interest to criminals and nations alike.</p>Tim Pappa
Copyright (c) 2026 Tim Pappa
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 339-345
DOI: 10.34190/iccws.21.1.4543

How Ends, Ways, and Means are Manifested in the Cyber Defense Strategies of Superpowers
https://papers.academic-conferences.org/index.php/iccws/article/view/4431
<p>Cyber Power refers to the capacity to project and promote national interests in and through cyberspace. The military contributes to multiple aspects of cyber power, with cyber warfare capabilities being a central component. Numerous state and non-state actors have come to regard cyber ends, ways and means, as a powerful force multiplier, essential to achieving their objectives. Military cyber actors employ malicious cyber operations to gain asymmetric advantages, targeting critical infrastructure and undermining the opponent’s military superiority in cyberspace. The development of cyber warfare has seen a convergence with other non-kinetic warfare operations. Superpowers adopt distinct approaches to cyber warfare, with varying definitions, strategic objectives, and methods for achieving them. They have also established their own command structures and cyber forces. This paper aims to provide an understanding of how superpowers use cyber capabilities and leverage asymmetric advantages to achieve their strategic objectives. The research material consisted of publicly available documents on national strategic cyber defense plans. Lykke’s framework was applied as a structured approach to review superpowers’ strategic plans by identifying the desired outcomes (Ends), the methods used to achieve them (Ways), and the resources required (Means).</p>Piia Perälä, Martti Lehto, Pekka Pirinen
Copyright (c) 2026 Piia Perälä, Martti Lehto, Pekka Pirinen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 346-354
DOI: 10.34190/iccws.21.1.4431

From Surveillance Monocultures to Agroecological Defense: A Sovereignty-centered Framework for Agricultural Cyberbiosecurity
https://papers.academic-conferences.org/index.php/iccws/article/view/4544
<p>Agricultural cyberbiosecurity (CBS) scholarship may have overwhelmingly adopted centralized, national-security-oriented frameworks that leave community-governed and agroecologically-grounded alternatives unexplored. Recent AI safety research demonstrates that provably safe Artificial General Intelligence is mathematically incompatible with trust and alignment, casting doubt on the viability of general-purpose, centralized safety regimes versus bounded or decentralized ones (Panigrahy and Sharan, 2025). Some leading expressions of the centralized CBS paradigm propose billions in surveillance architecture spanning unified biological intelligence (BIOINT), national bioaudit systems, and coordinated governance bodies. Centralized approaches often compellingly diagnose monoculture vulnerabilities, biosurveillance urgency, and the need for novel governance mechanisms. However, in these centralized architectures, communities receive biosecurity services but do not co-govern biosurveillance priorities, data use, or safety specifications, and agriculture remains a critical infrastructure to be defended from above. Even when such centralized paradigms propose distributed biological sensing, such as engineered sentinel plants and living biosensors, these systems require routine community-level care, maintenance, and trust relationships that centralized architectures cannot deliver, and will demand iterative updating as threat landscapes evolve. The empirical record confirms the costs of centralization: $11 million in ransom paid by JBS, 40% of U.S. grain production disrupted by a single cooperative's software failure (Yazdinejad et al., 2021; Cartwright and Cartwright, 2023). Coordination gaps are real, and new institutions are necessary to address them. However, coordination without corresponding community-level governance authority reproduces the monoculture pattern at the institutional level.
This paper argues that agricultural defense must be rooted in the slowest and most durable layers of change identified by Stewart Brand's pace-layer framework: nature and culture. We advance three interlocking components: (1) agroecology as defensive architecture, in which biological diversity and functional redundancy constitute the primary cyberbiosecurity strategy; (2) sovereignty-preserving biosurveillance, in which community-governed federated sensing networks retain local data authority while enabling collective threat detection through privacy-preserving mechanisms; and (3) cooperative assurance from below, in which safety specifications are collectively deliberated and verified through participatory guarantee systems rather than centralized certification hierarchies (Dalrymple et al., 2024; Carroll et al., 2023; Manoj et al., 2025). This framework does not preclude centralized pathogen detection where necessary, but insists that top-level and community-level institutions must be in relation so that coordination flows bidirectionally rather than exclusively from above. Rather than claiming comprehensive safety guarantees, we demonstrate how bounded formal assurances, when integrated with agroecological resilience and community governance, can materially improve the security of food systems under real-world constraints.</p>Rolando Perez, Xavier Palmer, Lucas Potter, Dodzi Koku Hattoh, Salomey Afua Addo, Srdjan Lesaja
Copyright (c) 2026 Rolando Perez, Xavier Palmer, Lucas Potter, Dodzi Koku Hattoh, Salomey Afua Addo, Srdjan Lesaja
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19
Vol. 21 No. 1, pp. 355-364
DOI: 10.34190/iccws.21.1.4544

From Hoax to Reality: Deepfake-Driven Misinformation and the Death of Ozzy Osbourne
https://papers.academic-conferences.org/index.php/iccws/article/view/4530
<p>Deepfakes are AI-generated images, videos, and texts that convincingly mimic real individuals. In recent years, such forgeries have proliferated across social media, and their role in fraud cases has increased markedly. However, detection tools often fail in real-world conditions; open-source detectors typically perform only half as well on "in-the-wild" content compared to curated test sets. This performance gap heightens the risk that fabricated content will undermine public trust and foster a climate of suspicion in which even authentic recordings are questioned—a phenomenon known as the "liar's dividend." In this case study, we examine how the July 2025 death of rock icon Ozzy Osbourne became a focal point for deepfake-driven misinformation and public speculation. Following a seated farewell concert in Birmingham, multiple synthetic videos surfaced, including one in which a digitally recreated Osbourne claimed he knew he was about to die. The clips sparked speculation about assisted suicide, prompting his daughter Kelly to publicly denounce the videos as fake and criticise those who shared them. When Osbourne died two weeks later, some commentators treated the deepfake as prophetic, fuelling conspiracy theories and amplifying public grief. This case illustrates broader ethical and governance challenges related to generative AI. Voice cloning and face-swapping services can create convincing media from minimal training data, yet developers rarely address issues of consent or privacy when sourcing material. Psychological factors such as fear of missing out (FOMO) encourage the viral spread of sensational content without verification. This paper’s primary contribution is a theoretical synthesis, which integrates existing technical, psychological, and governance perspectives on deepfake-driven misinformation through a single illustrative case study. 
Effective countermeasures must combine technical innovations—such as blockchain-based provenance tracking and robust detection—with clear policy frameworks that regulate data use and require transparent labelling of synthetic media. Public education remains essential to help individuals recognise deepfakes and preserve trust in authentic digital communication.</p>
Alexander Pfeiffer, Nanditha Krishna, Thomas Wernbacher, Walter Seböck
Copyright (c) 2026 Alexander Pfeiffer, Nanditha Krishna, Thomas Wernbacher, Walter Seböck
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 365 373 10.34190/iccws.21.1.4530
How Did They get Aboard my Ship?: Analysing Vessel Cyber Incidents Using the Cyber Kill Chain
https://papers.academic-conferences.org/index.php/iccws/article/view/4397
<p>The Global Maritime Transportation System (GMTS) is increasingly reliant on digitized and interconnected systems. This trend also applies to one of the most essential elements of the GMTS, vessels themselves. The Maritime Cyber Attack Database (MCAD) contains listings of maritime cyber incidents from public sources, including those involving vessels. Utilizing MCAD in this paper, we categorize and analyse these specific listings related to vessels. Vessels have complex networks of Information Technology (IT) and Operational Technology (OT). In this paper, we further categorize and systematically analyse selected cyber-attacks against vessels with the Lockheed Martin Cyber Kill Chain. This work also shows a significant rise in attacks against vessels since 2016. These case studies help industry more clearly understand the specific tactics and techniques used in cyber-attacks on vessels.</p>
Jeroen Pijpker, Stephen McCombie
Copyright (c) 2026 Jeroen Pijpker, Stephen McCombie
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 374 382 10.34190/iccws.21.1.4397
A Governance Model for Cyber Threat Information Sharing in the Healthcare Sector
https://papers.academic-conferences.org/index.php/iccws/article/view/4400
<p>Cyber Threat Information (CTI) sharing is a vital component of cybersecurity in the healthcare sector, where protecting sensitive patient data and the continuity of critical services are paramount. Its implementation faces socio-technical complexity and strict EU requirements, including the General Data Protection Regulation (GDPR), the Network and Information Security Directive 2 (NIS2), the Cyber Resilience Act (CRA), and the AI Act. This paper applies the Design Science Research (DSR) methodology to develop a governance model that enables secure, compliant, and context-aware CTI sharing. The model integrates systems theory, socio-technical principles, information systems governance, and cyber resilience. It is informed by empirical studies and practical insights from SOC/CERT frameworks. It leverages the DYNAMO platform and tools such as the Early Warning System (EWS), the open-source software solution MISP, and the Data Anonymisation Tool (DAT) to support structured, interoperable, and regulation-compliant threat intelligence exchange. A phased implementation strategy is outlined, beginning with pilot testing in hospitals, then regional integration with CERTs, culminating in national deployment. Evaluation is conducted using realistic assessment and case analysis, with metrics guiding iterative refinement. The model addresses the research question: <em>How can a governance model for cyber threat information sharing be designed for the healthcare sector under EU regulatory constraints? </em>This work contributes a scalable, adaptable governance framework that enhances cyber resilience and fosters trust-based collaboration across healthcare ecosystems.</p>
Jyri Rajamäki, Ilkka Tikanmäki
Copyright (c) 2026 Jyri Rajamäki, Ilkka Tikanmäki
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 383 390 10.34190/iccws.21.1.4400
Designing Modular Cybersecurity Education for Healthcare: Integrating XiA and ManagiDiTH Frameworks with CyberSecPro Insights
https://papers.academic-conferences.org/index.php/iccws/article/view/4515
<p>The healthcare sector faces increasingly complex cybersecurity threats due to its rapid digital transformation, including the adoption of electronic health records (EHRs), connected medical devices, and telehealth services. This paper presents a modular and interdisciplinary model for cybersecurity education tailored to healthcare professionals. The model integrates three EU-funded initiatives: the XiA Framework’s microlearning approach, the ManagiDiTH master’s programme’s strategic and human-centric curriculum, and the CyberSecPro project’s hands-on, scenario-based training modules. Together, these components form a comprehensive educational ecosystem that supports continuous professional development, microcredentialing, and alignment with European standards such as the European Qualifications Framework (EQF), the NIST Cybersecurity Framework, and ENISA’s European Cybersecurity Skills Framework (ECSF). The paper outlines the pedagogical foundations of microlearning, the structure of Micro-Content Learning Blocks (MCLBs), and the curriculum design principles that foster cyber resilience in healthcare. It concludes with a discussion on implementation potential, impact indicators, and future directions for research and practice.</p>
Jyri Rajamäki, Jussi Simola
Copyright (c) 2026 Jyri Rajamäki, Jussi Simola
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 391 400 10.34190/iccws.21.1.4515
Military Leadership in the Age of Cognitive Warfare
https://papers.academic-conferences.org/index.php/iccws/article/view/4473
<p>Many definitions of cognitive warfare highlight that the target is the human mind, and not only its contents but also the various cognitive processes, such as attention and decision making. The aim of cognitive warfare is often defined as influencing how individuals think, not what they think. Social media is often mentioned as one of the main platforms on which these cognitive influence operations are conducted, possibly enhanced with big data analytics and artificial intelligence (AI) tools. Some definitions also include that, in addition to behavioral and cultural sciences, the exploitation of neuroscience could be considered for even more effective and more precisely targeted influence on individual cognition. The intertwined cognitive, technological, and information dimensions form new types of threats, which call for a close evaluation of possible effects and countermeasures. The DOTMLPF-I framework (Doctrine, Organization, Training, Materiel, Leadership & Education, Personnel, Facilities, Interoperability) is used in armed forces to guide capability development. This study is a conceptual analysis within these dimensions, with a focus on the Leadership and Education dimensions and how they should adapt to face these new types of threats. Military leadership is expected to involve fast, rational decision-making under uncertainty. However, cognitive warfare challenges this with disinformation and emotional manipulation, for example. Introducing AI functionalities to decision support systems may enhance situational awareness and decision-making speed, but the algorithms may be biased and the systems may operate in a non-transparent way, thus eroding trust in them. Resilience against the effects of cognitive warfare requires training in media literacy and critical thinking, but also in emotional skills. The forming of situational understanding is one of the main targets in cognitive warfare and it should be supported with specialized training, for example by targeting the underlying cognitive processes of forming situational understanding. For this purpose, cognitive training should target, for example, attention control, working memory, and mental flexibility. In the current manuscript the challenges posed by cognitive warfare to military leadership are reviewed with suggested solutions.</p>
Mikko Salminen
Copyright (c) 2026 Mikko Salminen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 401 407 10.34190/iccws.21.1.4473
Evaluation of AI Agent Accelerated Cyber Operations Planning
https://papers.academic-conferences.org/index.php/iccws/article/view/4427
<p>As societies become increasingly digital, they are more exposed to cyber threats that have the potential to harm human life and damage critical infrastructure and other assets. To counter these fast-paced threats, Defensive Cyber Operations (DCO) leaders must enhance their capabilities for rapid decision-making and response. Artificial Intelligence (AI), as a radical levelling technology, has the potential to accelerate DCOs; however, the existing solutions frequently focus on narrow technical use-cases and lack emphasis on the leadership dimension of DCO. The purpose of this paper is to address that gap by researching how AI can accelerate one of the most relevant DCO use-cases identified in the author’s earlier research, course of action recommendation, especially in operations planning. The study is based on case study methodology, where AI agent-generated operations plans are compared to real-life DCO operations plans made by leading experts in the world’s most complex defensive cyber exercise, NATO Locked Shields 2025. The study focuses on two of the most critical decisions a DCO leader needs to make during the primary process of DCO: Prioritization of defended capabilities and assets, and the right resourcing and allocations. The selected exercise provided an excellent platform for this study to compare multiple human-made plans to machine-made plans, as 17 world-class blue teams were given the same exercise scenario and operation order. As a result, this paper demonstrates that with proper architecture and context engineering, AI can significantly accelerate DCO leaders’ decision-making in operations planning, while human-machine teaming is still needed to navigate a complex operating environment where cyber operations are typically conducted. The main contributions of this paper are 1. evaluation of an AI agent’s performance in DCO operations planning in comparison to human experts, and 2. 
construction of a reference architecture for the DCO planning agent. Future research can be built to improve the results of the reference architecture. As AI’s capabilities are developing rapidly, it is expected that the capabilities of autonomic AI agents will increase.</p>
Pietari Sarjakivi, Panu Moilanen
Copyright (c) 2026 Pietari Sarjakivi, Panu Moilanen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 408 416 10.34190/iccws.21.1.4427
VAOS: Vulnerability Attribute Ontology Score Framework for Evaluating Vulnerability Databases
https://papers.academic-conferences.org/index.php/iccws/article/view/4513
<p>Vulnerability repositories play a foundational role in enabling organizations to perform vulnerability scoring, prioritization, and threat modeling; however, they vary widely in the vulnerability attributes they define, require, and make available within their repository schemas. Although existing taxonomies describe numerous vulnerability characteristics, limited research evaluates how effectively real‑world repositories support these practical security activities. This paper introduces the <strong>Vulnerability Attribute Ontology Score (VAOS)</strong>, a framework for evaluating <u>vulnerability repositories</u> rather than <u>individual vulnerabilities</u>. VAOS defines nineteen weighted attributes organized across mandatory, recommended, and optional tiers. The framework is applied to ten vulnerability repositories spanning more than five decades, revealing substantial variation in attribute coverage—particularly in contextual attributes—and demonstrating VAOS’s value for repository evaluation, selection, and integration.</p>
Johnny Shaieb, John Hale
Copyright (c) 2026 Johnny Shaieb, John Hale
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 417 426 10.34190/iccws.21.1.4513
Digital Forensic Readiness to Mitigate Insider Threats in the SaaS Cloud Environment
https://papers.academic-conferences.org/index.php/iccws/article/view/4508
<p>Insider threats continue to pose significant risks in Software-as-a-Service (SaaS) environments, where legitimate users hold varying levels of access and control. Existing mitigation measures remain largely reactive, focusing on post-incident investigation and evidence recovery, which often result in delayed detection and incomplete forensics. A proactive and forensically sound approach is therefore required to identify and contain insider activity before major compromise occurs. This paper presents the Digital Forensic Readiness to Bust Insider Threats (DFR-BUST) model, a framework that embeds forensic readiness principles within SaaS environments to enable early detection, secure evidence capture, and legally defensible investigations. The model is aligned with the ISO/IEC 27043 digital investigation process, operationalising its readiness, acquisitive, and concurrent process classes. The model was evaluated using an experimental setup based on publicly available insider-threat datasets to demonstrate its readiness and detection capability. The evaluation confirmed that the proposed architecture supports proactive evidence generation, integrity verification, and traceable anomaly detection within a controlled environment. Unlike conventional reactive approaches, DFR-BUST provides a proactive, evidence-centric mechanism that enhances both detection accuracy and forensic admissibility. Its modular design ensures adaptability across cloud platforms while maintaining compliance with international forensic investigation standards. Overall, this work bridges the gap between intelligent analytics and digital forensic readiness. By ensuring that insider detection outputs are accompanied by verified, admissible evidence, the framework contributes a practical foundation for developing forensic-aware, cloud-based security systems.</p>
Gabriel Shoderu, Stacey Baror, Abiodun Modupe, Sheunesu Makura
Copyright (c) 2026 Gabriel Shoderu, Stacey Baror, Abiodun Modupe, Sheunesu Makura
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 427 438 10.34190/iccws.21.1.4508
Social Media Misinformation in Europe and Africa: A Systematic Literature Review
https://papers.academic-conferences.org/index.php/iccws/article/view/4461
<p>In an era of rapid digital transformation, social media has emerged as a dominant source of information and is also used for misinformation. This creates a significant challenge because misinformation can influence public perceptions and behaviours related to online security. As a result, this paper compared how misinformation spreads on social media in Europe and Africa, exploring the key factors influencing misinformation dynamics, the role of regulatory frameworks, and the effectiveness of fact-checking initiatives in both regions. It also assessed deepfakes' role in strengthening the spread of misinformation. A systematic literature review was used to gain these insights, which included exploring social media's role in spreading misinformation. The results highlighted the need for awareness and exposed the threat posed by deepfakes. Furthermore, the results also showed that tackling misinformation in this digital era requires a multi-stakeholder approach, cross-regional collaboration, and the use of deepfake detection tools to foster a more informed digital society.</p>
Nokuthaba Siphambili, Errol Baloyi, Elekanyani Mukondeleli, Molebogeng Latakgomo
Copyright (c) 2026 Nokuthaba Siphambili, Errol Baloyi, Elekanyani Mukondeleli, Molebogeng Latakgomo
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 439 448 10.34190/iccws.21.1.4461
Revisiting Biometrics in Cybersecurity: Do AI Methods and Zero‑Trust Architectures Drive Innovation?
https://papers.academic-conferences.org/index.php/iccws/article/view/4533
<p>Biometric authentication has long been regarded as a foundational element of identity verification, leveraging unique physiological and behavioral traits to enhance security beyond traditional passwords. While it offers notable advantages such as convenience and resistance to identity theft, concerns are mounting regarding privacy, susceptibility to spoofing, and the irreversibility of compromised biometric identifiers. These weaknesses are becoming increasingly critical as digital infrastructures evolve into distributed, dynamic environments in which static trust models are no longer sufficient. Moreover, several traditional modalities, such as fingerprints, iris scans, and voice recognition, have already been breached. However, Artificial Intelligence (AI) methods are reshaping this landscape by introducing adaptive and context‑aware features into biometric systems. Machine Learning (ML) techniques enhance accuracy, enable continuous authentication, and support multimodal fusion, while anomaly‑detection mechanisms improve resilience against sophisticated attacks. Generative AI (GenAI) plays a particularly significant role, though it introduces a paradox: it empowers defenders through realistic attack simulations and robustness testing, yet simultaneously equips attackers with tools for producing deepfakes and synthetic identities, thereby expanding the attack surface. In this evolving security landscape, Zero‑Trust Architectures (ZTA) have gained prominence as a model that replaces assumptions of inherent trust with continuous verification mechanisms. The use of biometric data within ZTA can enhance the reliability of identity verification; however, it also intensifies several existing issues. 
Biometric identifiers must be handled and stored in ways that safeguard individual privacy and align with relevant legal requirements, and the incorporation of AI‑based assessment methods introduces additional concerns regarding potential bias, transparency, and oversight. Moreover, combining AI‑supported biometric systems with Zero‑Trust principles raises further questions about scalability, system compatibility, and the broader ethical consequences of more pervasive identity monitoring. This work therefore examines the convergence of biometrics, AI, and Zero‑Trust principles from a critical perspective. It highlights the dual role of AI as both a source of innovation and a generator of new threats, while identifying opportunities for adaptive security, real‑time threat detection, and improved user experience. By analyzing technical and operational dimensions, the work proposes a roadmap for integrating biometrics into ZTA that balances innovation with accountability and supports trustworthy, resilient cybersecurity frameworks.</p>
Siphesihle Sithungu, Christoph Lipps
Copyright (c) 2026 Siphesihle Sithungu, Christoph Lipps
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 449 458 10.34190/iccws.21.1.4533
AI Agents vs. Human Investigators: Balancing Automation, Security, and Expertise in Cyber Forensic Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4413
<p>In an era where cyber threats are rapidly evolving, the reliability of cyber forensic analysis has become increasingly critical for effective digital investigations and cybersecurity responses. Artificial Intelligence (AI) agents are being adopted across digital forensic practices due to their ability to automate processes such as anomaly detection, evidence classification, and behavioral pattern recognition, significantly enhancing scalability and reducing investigation timelines. However, the characteristics that make AI indispensable also introduce notable risks. AI systems, often trained on biased or incomplete datasets, can produce misleading results, including false positives and false negatives, thereby jeopardizing the integrity of forensic investigations. Furthermore, AI agents typically lack the contextual comprehension and ethical judgment required to interpret nuanced or legally sensitive scenarios. This study presents a meticulous comparative analysis of the effectiveness of the most used AI agent, ChatGPT, and human forensic investigators in the realm of cyber forensic analysis. Our research reveals critical limitations within AI-driven approaches, demonstrating scenarios in which sophisticated or novel cyber threats remain undetected due to the rigid pattern-based nature of AI systems. Conversely, our analysis highlights the crucial role that human forensic investigators play in mitigating these risks. Through adaptive decision-making, ethical reasoning, and contextual understanding, human investigators effectively identify subtle anomalies and threats that may evade automated detection systems. To reinforce our findings, we conducted comprehensive reliability testing of forensic techniques using multiple cyber threat scenarios. These tests confirmed that while AI agents significantly improve the efficiency of routine analyses, human oversight remains crucial in ensuring accuracy and comprehensiveness of the results. 
Our work validates the need for a hybrid forensic framework that combines the strengths of both AI automation and human expertise. Our study concludes by advocating for an integrated forensic analysis approach, proposing targeted strategies to incorporate both AI-driven efficiencies and human analytical insights. This collaborative model enhances overall forensic reliability, ensuring robust outcomes in the face of increasingly sophisticated cyber threats.</p>
Sneha Sudhakaran, Naresh Kshetri
Copyright (c) 2026 Sneha Sudhakaran, Naresh Kshetri
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 459 467 10.34190/iccws.21.1.4413
Advancements in Developer-Focused IDE-Integrated Mobile App Security Scanning and Testing Tools
https://papers.academic-conferences.org/index.php/iccws/article/view/4377
<p>The increasing number of mobile applications in modern society has significantly increased the possibility of security vulnerabilities, particularly as users increasingly rely on these applications for sensitive tasks such as banking, communication, and e-commerce. Any flaw within a mobile application may result in significant privacy violations, financial loss, or data exposure. The development of secure mobile applications presents a persistent challenge, especially for novice developers who often lack the expertise or tools to detect vulnerabilities during the early stages of coding. As mobile platforms become increasingly complex and threats become more sophisticated, integrating effective security practices into the software development lifecycle (SDLC) has become imperative. While a variety of security tools exist to support vulnerability detection, many fail to offer real-time, developer-friendly support embedded directly within Integrated Development Environments (IDEs), leaving a critical security gap, especially for novice developers. This paper conducts a systematic literature review on developer-focused tools available for real-time mobile app security scanning and IDE integration. The review emphasises tools that assist developers directly within Integrated Development Environments (IDEs), focusing on practical support during coding rather than post-deployment analysis. The objective was to thoroughly identify both the strengths and weaknesses of the existing tools that provide real-time mobile app security scanning. The PRISMA 2020 statement, which provides a comprehensive framework for conducting systematic literature reviews, served as the foundational guideline for this study. A thorough search was conducted to retrieve relevant journal articles and conference papers published between 2020 and 2025. This selection criterion ensured that the study incorporated the most recent and relevant findings in the field. 
Each identified publication was meticulously evaluated for its relevance, quality, and contribution to the existing body of knowledge, thereby enriching the systematic review process. The findings suggest that while existing tools contribute significantly to automation, benchmarking, privacy scanning, malware detection, and dependency management, they remain fragmented and largely external to developer workflows. Most require execution outside the IDE, lack lightweight integration, and fail to deliver real-time vulnerability feedback during coding. Even industry tools such as MobSF, NowSecure, and Checkmarx provide powerful analysis but operate as standalone platforms rather than IDE-embedded solutions. This gap is particularly critical in agile and novice development contexts, where immediate, contextualised security feedback is necessary to prevent vulnerabilities at their source.</p>
Franck Monga Tamala, Noluntu Mpekoa, Khutso Lebea
Copyright (c) 2026 Franck Monga Tamala, Noluntu Mpekoa, Khutso Lebea
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 468 475 10.34190/iccws.21.1.4377
SentinelSphere: AI-Driven Cybersecurity Platform Combining Threat Detection with Security Awareness
https://papers.academic-conferences.org/index.php/iccws/article/view/4465
<p>The growing complexity of cyber threats coupled with the widening cybersecurity knowledge gap presents new challenges in the organisational security domain of the business sector. This paper introduces SentinelSphere, an innovative platform that redesigns cybersecurity defense by integrating advanced threat detection with interactive cybersecurity awareness education, creating a unified approach to building organisational cyber resilience. SentinelSphere employs an Enhanced Deep Neural Network model with specialised feature engineering to significantly reduce false positives while maintaining high detection accuracy across diverse attack vectors. The system includes a Traffic Light System (TLS) to transform complex threat intelligence into intuitive visual indicators, serving simultaneously as an operational tool for security professionals and an educational interface for non-technical users. This paper further presents a Large Language Model that delivers real-time, context-aware cybersecurity guidance and training. This conversational AI agent operates efficiently on standard enterprise hardware, making advanced security education accessible without requiring specialised infrastructure. SentinelSphere is validated using industry-standard datasets, achieving enterprise-grade performance in threat detection with a 94% F1 score and 69.5% reduction in false positives compared to baseline models. The system successfully processed nearly 11 million security events in 30 minutes, demonstrating scalability for enterprise deployment. This work contributes to the cybersecurity field by demonstrating that effective defense requires not just technological sophistication but also systematic enhancement of human security awareness.</p>
Nikolaos D. Tantaroudas, Ilias Karachalios, Andrew McCracken
Copyright (c) 2026 Nikolaos D. Tantaroudas, Ilias Karachalios, Andrew McCracken
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 476 485 10.34190/iccws.21.1.4465
Aligning DYNAMO Framework with the EU Cyber Resilience Act in the Energy Sector
https://papers.academic-conferences.org/index.php/iccws/article/view/4481
<p>The importance of robust cybersecurity frameworks has been raised by the digitalisation of critical infrastructure, particularly in the energy sector. The European Union (EU) launched the Cyber Resilience Act (CRA) in 2022, establishing uniform cybersecurity standards for products with digital elements at all lifecycle stages to address this issue. CRA describes requirements for software and hardware products with digital elements placed on the EU market. This study examines the CRA's effects on the energy sector and evaluates how the DYNAMO platform can support compliance and enhance sectoral resilience. The platform's key element is a dynamic resilience assessment methodology, which combines business continuity management (BCM) and cyber threat intelligence (CTI). Significant cybersecurity vulnerabilities in the energy sector are identified in the study, which include a growing attack surface, complex supply chains, and convergence of operational technology (OT) and information technology (IT) systems. CRA's inability to address OT-specific challenges, particularly in legacy systems like SCADA, is highlighted in the study through a literature review and case study analysis. The gap analysis shows that although CRA follows standards like NIST and ISO 27001, it doesn't have provisions for real-time monitoring, adaptive risk management, and OT-specific protections. To resolve those gaps, the research suggests that DYNAMO include 24-hour incident reporting to the European Union Agency for Cybersecurity (ENISA), structured vulnerability disclosure protocols, and post-market surveillance mechanisms. Additionally, DYNAMO must develop customised plans for OT environments, which involve retrofitting outdated systems and improving threat detection abilities. The findings show that cybersecurity in the energy industry requires a more dynamic and functionally integrated approach. 
Aligning DYNAMO and CRA will support regulatory compliance and strengthen the industry's resilience to evolving cyber threats. The next stage of research should be to validate these recommendations via empirical testing and explore cross-sector applications of the DYNAMO framework.</p>
Ilkka Tikanmäki, Jarmo Maikkola, Joonas Nykopp, Sara Väisänen, Shakti Panta Khatri
Copyright (c) 2026 Ilkka Tikanmäki, Jarmo Maikkola, Joonas Nykopp, Sara Väisänen, Shakti Panta Khatri
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 486 493 10.34190/iccws.21.1.4481
The Life Cycle Approach to Effective Crisis Communications in Mitigating Cyber Threats and Attacks
https://papers.academic-conferences.org/index.php/iccws/article/view/4509
<p style="font-weight: 400;">Cyberattacks pose multifaceted risks, including physical, digital, economic, reputational and societal harm. Often starting as an attack on an organization’s intangible assets but quickly spreading to endanger tangible assets, cyberattacks are increasingly common globally. Once an attack becomes public, the targeted organizations face intense scrutiny from employees, customers, the media, the wider public and the authorities. At this point, effective crisis communication becomes critical for mitigating damage and recovering from the crisis. Decision-making and communication during cyber incidents are complicated by uncertainty, operational issues, incomplete information, and even the potential for attackers to shape narratives through extortion or leaks. This paper examines communication challenges in cyber crises through the lens of framing theory and situational crisis communication theory (SCCT). Based on data analysed from interviews with key experts of eight organizations during recent Finnish cyberattacks, the paper identifies key factors that constitute effective cyber crisis communication. These include (1) organizational preparedness, (2) efficient information sharing and coordination, (3) a deep understanding of target audiences and the information environment, and (4) the essential role of communication in leadership. The findings highlight the importance of proactive, transparent and coordinated communication to maintain trust and boost organizational resilience. Practical recommendations in the form of three “no-L-principles” are provided: 1. Do not lessen, 2. Do not lie, and 3. Do not linger. Practical recommendations are provided to enhance crisis communications preparedness, improve real-time crisis communication, reduce risks, and strengthen organizational capacity to manage cyber crises.</p>
Jussi Toivanen, Vilma Luoma-aho
Copyright (c) 2026 Jussi Toivanen, Vilma Luoma-aho
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 494 504 10.34190/iccws.21.1.4509
Hybrid Learning Techniques for Image Forensics and Privacy Protection in the Face of Deep Fake Threats
https://papers.academic-conferences.org/index.php/iccws/article/view/4545
<p>This study investigates the detection of deepfake images and videos on social media platforms such as Instagram for forensic analysis using hybrid-learning approaches. It highlights the critical importance of safeguarding privacy and authenticity in digital media. The background draws attention to the growing threat posed by deepfakes, which pose significant challenges across multiple domains, such as politics and entertainment. Existing methods often depend on visual features specific to a dataset and struggle to generalize across different manipulation techniques. Moreover, most approaches focus exclusively on either temporal or spatial features, which limits their capacity to identify complex anomalies involving fused facial features like the mouth, nose and eyes. Important solutions to these challenges include Convolutional Neural Network (CNN), Recurrent Neural Networks (RNN) and hybrid architectures that simultaneously capture spatial and temporal information in deepfake content, such as Convolutional Neural Network - Long Short-Term Memory (CNN-LSTM), Gated Recurrent Unit (GRU) and Vision Transformers (ViT). Additionally, this paper introduces a novel combination of artifact inspection and facial landmark recognition to enhance detection accuracy and employs Gated Recurrent Units (GRUs) and Vision Transformers (ViT) for data augmentation, thereby improving model robustness. The effectiveness of the proposed approach is validated through experiments demonstrating substantially improved deduction accuracy, with improvement exceeding 1.5% across multiple datasets. However, several challenges remain, including limited robustness to noise, difficulty in detecting deepfakes in compressed video formats, and dataset imbalance issues. The proposed enhanced hybrid model exhibits superior detection performance while maintaining adaptability across multiple datasets. 
Future research will focus on strengthening model generalization to effectively counter emerging deepfake generation techniques.</p>
Arif Ullah, Sidra Pervez, Muhammad Wajidullah Khan, Aina Hassan, Muazam Ali
Copyright (c) 2026 Arif Ullah, Sidra Pervez, Muhammad Wajidullah Khan, Aina Hassan, Muazam Ali
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 505 510 10.34190/iccws.21.1.4545
VessiGuard: AI-Driven Anomaly Detection for Maritime Cyber Defence
https://papers.academic-conferences.org/index.php/iccws/article/view/4429
<p>The maritime industry is undergoing a rapid digital transformation, driven by the adoption of technologies such as the Automatic Identification System (AIS), advanced navigation software, and onboard Internet of Things (IoT) sensors. These innovations have significantly improved operational efficiency, safety, and situational awareness. However, this increasing reliance on interconnected digital systems also expands the sector’s exposure to cyber threats. Traditional rule-based monitoring and siloed intrusion detection systems often fail to identify coordinated multi-modal attacks, leaving vessels vulnerable to sophisticated, stealthy intrusions. The dual nature of this transformation underscores the urgent need for more sophisticated and adaptive cybersecurity strategies. This study introduces VessiGuard, an AI-driven anomaly detection system designed to detect and mitigate abnormal vessel behaviour as an early indicator of potential cyber intrusions, system failures, or operational anomalies. The approach leverages two complementary artificial intelligence techniques: Long Short-Term Memory (LSTM) neural networks, which model temporal dependencies in vessel movement, and Isolation Forest algorithms, which excel at detecting rare and unusual behaviour patterns. By fusing navigational telemetry with operational technology (OT) sensor readings, specifically engine temperature and fuel consumption, the model creates a unified, cross-domain anomaly score that is robust against single-variable manipulation. A prototype anomaly detection system was implemented and evaluated using controlled simulation and publicly available maritime datasets that reflect real-world operational scenarios. Results demonstrate that VessiGuard effectively detects anomalies, including GPS spoofing, sensor drift, and structured interference. Experimental validation indicates a detection accuracy of approximately 94.2% for trajectory anomalies and 92.8% for sensor deviations. 
Furthermore, the system demonstrates modality-specific responsiveness, identifying operational sensor faults in under four minutes while accurately accumulating evidence for trajectory deviations within five to eight minutes. This work presents a practical pathway towards adaptive, data-driven cybersecurity solutions by situating anomaly detection within the broader maritime operational ecosystem. The findings highlight how AI-based anomaly detection can complement existing maritime defence mechanisms, support decision-making under dynamic threat conditions, and improve incident response readiness. Furthermore, the results lay the groundwork for future research into autonomous and semi-autonomous detection architectures, ultimately contributing to a more resilient, secure, and intelligence-driven digital maritime domain.</p>
Ravi Varma Kanumuri, Laavanya Rachakonda, Hosam Alamleh, Bilge Karabacak, Ulku Clark Yaylacicegi
Copyright (c) 2026 Ravi Varma Kanumuri, Laavanya Rachakonda, Hosam Alamleh, Bilge Karabacak, Ulku Clark Yaylacicegi
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 511 519 10.34190/iccws.21.1.4429
The Informed Fake News Advisor (IFNA): Toward Sociotechnical Solutions for Fake News Detection
https://papers.academic-conferences.org/index.php/iccws/article/view/4472
<p>The detection of fake news is a multidimensional challenge that demands solutions extending beyond purely computational approaches. Although advances in natural language processing, machine learning, deep learning, and multimodal analysis have strengthened technical capabilities, misinformation continues to proliferate. Fake news thrives within environments shaped by complex social interactions, platform-specific advantages, and human judgement. Social factors (such as user profiles, sharing behaviours, engagement metrics, network structures, and crowd-sourced credibility signals) play a critical role in how misinformation is created, propagated, and perceived, yet these contextual nuances are often overlooked in algorithmic models. These social dimensions operate alongside technical elements, including linguistic cues, visual content, temporal dissemination patterns, and hybrid feature integration. Drawing on a review of the recent literature, this work synthesises sociotechnical elements to inform the development of an integrated approach to the detection of fake news. We introduce the SHAPE conceptual framework to guide the development of the Informed Fake News Advisor (IFNA). This conceptual framework will guide the creation of IFNA, which will consist of detection tools that combine technical precision with sensitivity to social context. By framing fake news detection as a sociotechnical problem, IFNA shifts the focus from isolated technical optimisation towards a holistic design philosophy, supporting the development of solutions that are both effective in detection and responsible in deployment within complex information ecosystems.</p>
Namosha Veerasamy, Danielle Badenhorst
Copyright (c) 2026 Namosha Veerasamy, Danielle Badenhorst
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 520 530 10.34190/iccws.21.1.4472
Rethinking the Human–Technical Split in Cybersecurity
https://papers.academic-conferences.org/index.php/iccws/article/view/4460
<p>This paper re-examines one of the most enduring assumptions in cybersecurity and information systems: the split between the human and the technical. For decades, research and professional practice have portrayed the human as an unpredictable source of error—“the weakest link”—in contrast to the supposedly rational and controllable domain of technology. While this separation appears practical, it stems from a deeper lineage of Western thought that positions humans and nonhumans as fundamentally separate spheres. Drawing on thinkers such as Michel Foucault and Bruno Latour, this paper traces how this conceptual division has become embedded in security discourse, from early information systems design to contemporary frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework. These standards institutionalize the split through parallel categories for “technical controls” and “human factors,” shaping how security responsibilities are assigned and how failures are understood. The paper then explores what happens when this separation is challenged. Using examples such as intrusion detection systems and Trojan attacks, it shows that social and technical elements are inseparably mixed: anomalies, mimicry, and deception all rely on both code and conduct. Security decisions—from asset valuation to risk analysis—likewise emerge from socio-technical negotiations between what is desired and what is possible. To move beyond the limitations of this dichotomy, the paper introduces two frameworks that enact symmetry between human and technological agency. Conceptually, Actor–Network Theory treats both humans and artefacts as actors whose agency lies in their effects on others. Practically, Zero Trust security architectures operationalize the same symmetry by applying continuous verification equally to users and devices. 
Taken together, these perspectives suggest that cybersecurity should not be understood as two interacting domains but as a blended field of heterogeneous actors whose relations continually produce security. Recognizing this mixture does not dissolve the technical or the human but allows researchers and practitioners to see more clearly how each side folds into the other, reshaping what security can mean in practice.</p>
Jukka Vuorinen
Copyright (c) 2026 Jukka Vuorinen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 531 537 10.34190/iccws.21.1.4460
Legal Protection against Digital Personal Identity Fraud in South Africa
https://papers.academic-conferences.org/index.php/iccws/article/view/4364
<p style="font-weight: 400;">As digital transformation accelerates worldwide, personal identity authentication has become a global issue. In South Africa digital personal identity has become central to how individuals interact with government services, financial institutions, and online platforms. Digital identity refers to the authentication of users through personal attributes such as biometric data, voice, image, and behavioural patterns. While these systems offer efficiency and accessibility, they also introduce significant threats. Increasingly, digital personal identity is being cloned, manipulated, or misused through techniques like deepfakes, voice cloning, and biometric spoofing. The discussion examines whether South African law adequately protects individuals against the misuse of digital personal identity, particularly in the context of fraud. While financial gain is a common motive, misuse may also result in reputational harm, privacy violations, and unauthorised commercial exploitation. The analysis considers the legal framework governing digital personality fraud under the Protection of Personal Information Act (POPIA), the Cybercrimes Act, the Consumer Protection Act (CPA), and the common law remedy of <em>actio iniuriarum</em>, within the framework of constitutional rights to dignity and privacy. Comparative insights from Denmark, Tennessee (United States), the European Union, and the United Kingdom help contextualise South Africa’s approach. The discussion argues that while South African law provides substantive protection, enforcement remains challenging due to technological complexity, evidentiary burdens, and limited institutional capacity. Strengthening technical expertise, public awareness, and regulatory enforcement is essential to ensure meaningful protection for digital citizens. 
Drawing on global approaches, the discussion proposes targeted legal reforms to enhance accountability and safeguard digital personal identity against fraud.</p>
Murdoch Watney
Copyright (c) 2026 Murdoch Watney
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 538 546 10.34190/iccws.21.1.4364
Critical Infrastructure, Industrial Control Systems and Cyber Warfare: Ethical and Anticipated Ethical Issues
https://papers.academic-conferences.org/index.php/iccws/article/view/4520
<p>Cyber-attacks on Critical Infrastructure and Industrial Control Systems within nation states are very dangerous. They can damage the services and systems that a country needs to maintain safety and stability. There are reasons why these attacks are so problematic. First, Critical Infrastructure and Industrial Control Systems are very important. They regulate the operation of services that are vital to the public such as power grids, water services, roads, hospitals, and banks. Industrial Control Systems also control how things are made in industries like energy and manufacturing. Critical Infrastructure and Industrial Control Systems play a role in keeping a country running. When these systems are disrupted, the economic paralysis, civilian risks, and military vulnerabilities are very similar to what happens in a war. The effects of the disruption of Critical Infrastructure and Industrial Control Systems have large consequences. The way these attacks occur shows that they can cause a lot of problems and help aggressors achieve their goals. These attacks are analogous to bombings. Instead of using physical weapons, belligerents use computers. Because these attacks on infrastructure systems like power and water can cause real physical damage, stop production, or make water undrinkable, they fail to differentiate between military targets and civilians. The economic paralysis, civilian risks, and military vulnerabilities caused by these attacks on Critical Infrastructure and Industrial Control Systems are a problem. These attacks are like acts of war. We are going to examine CI and ICS attacks from two sides, the technical side and the ethical side. We will use examples like Stuxnet, the Ukraine Power Grid compromises, the Colonial Pipeline ransomware event, Triton/Trisis safety breaches, the Oldsmar water facility incursion, and the JBS meat processing interference. 
These examples will show what aggressors are trying to accomplish by attacking industrial control systems, how the attacks affect ICS, how large these operations are, and that these cyber-attacks are really like warfare against the nation states where industrial control systems are located. The attacks upon industrial control systems are like acts of war. Moreover, this discussion will explore both the ethical dilemmas and anticipated ethical issues with cyber-attacks on CI and ICS. Furthermore, it addresses the morality of categorizing these cyber-attacks as cyber warfare. As a result, examining these cases will help clarify the greater implications of cyber-attacks on nation state CI and ICS systems for national and global security as well as the ethical frameworks governing cyber engagements.</p>
Richard Wilson, Noah Donnelly
Copyright (c) 2026 Richard Wilson, Noah Donnelly
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 547 553 10.34190/iccws.21.1.4520
Smart Phones and Current Developments in Cyberwarfare: An Ethical and Anticipatory Ethical Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4507
<p>Smartphones in cyber warfare raise serious ethical concerns due to a number of factors including obscuring the line between civilian and military technology, how they expose non-combatants to harm, and how they lack clear international regulation. The central ethical issues related to the use of smart phones in cyber warfare include: (1) Civilian vs. Combatant Distinction. Smartphones are primarily civilian devices, yet they can be weaponized allowing civilians to engage in cyber-attacks. This development undermines the principle of distinguishing between combatants and non-combatants, a cornerstone of international humanitarian law. (2) Collateral Damage. Malware or cyber operations launched via smartphones can unintentionally spread to civilian networks, hospitals, or financial systems. Unlike traditional weapons, cyber tools are hard to contain, making unintended harm more likely. (3) Privacy Violations. Smartphones store vast amounts of personal data. Using them in cyber warfare risks mass surveillance, identity theft, and exploitation of private information, raising ethical questions about consent and proportionality. (4) Accountability and Attribution. Cyber-attacks via smartphones are difficult to trace. This creates ambiguity about responsibility, making it harder to hold aggressors accountable under international law. (5) Escalation of Risks. Since smartphones are ubiquitous, their use in cyber warfare lowers the threshold for causing a conflict. Everyday devices could become tools of state-sponsored attacks, increasing the risk of escalation into broader wars. (6) Lack of Regulation. Unlike conventional warfare, cyber warfare has no equivalent of the Geneva or Hague Conventions. The absence of agreed-upon rules leaves smartphone-based attacks in a legal and ethical gray zone. 
This analysis will identify the ethical and anticipated ethical issues with the use of Smart Phones in Cyberwarfare and the ethical and anticipated ethical issues with identifying smart phones as an important factor in cyber warfare.</p>
Richard Wilson, Noah Donnelly
Copyright (c) 2026 Richard Wilson, Noah Donnelly
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 554 560 10.34190/iccws.21.1.4507
Russia, Weaponized Social Media and Cyber Warfare: Ethical and Anticipated Ethical Issues
https://papers.academic-conferences.org/index.php/iccws/article/view/4502
<p>Russia’s weaponization of social media refers to how Russian state-associated actors used and continue to use social media platforms such as Facebook, Twitter, Instagram, and YouTube to influence public opinion, spread disinformation, and destabilize societies, especially during elections and political crises. This strategy relies on multiple essential tactical components. The first tactical component is Disinformation Campaigns, where Russian operatives created fake accounts and groups posing as ordinary citizens to spread falsified stories on politically divisive topics (race, immigration, gun rights) to drive up political polarization. The second is Troll Farms like the Internet Research Agency (IRA), which employed thousands of people to post inflammatory content with the aim of manipulating online discourse. The third strategy is Bot Networks, utilizing automated accounts to amplify hashtags and create the illusion of widespread support for fringe narratives. The fourth strategy is Microtargeting, where malicious actors purchased ads exploiting emotional triggers and psychographic data to influence voter behavior. Finally, these campaigns Exploited Algorithms that prioritize engagement, making sure sensational content became viral. The goal of this weaponization is to destabilize trust in democratic institutions, amplify social division, and influence election outcomes to favor Russia’s geopolitical interests. This analysis identifies the ethical and anticipated ethical issues with the Russian weaponization of social media as a form of Cyber Warfare. There is an interdisciplinary method employed in this analysis that draws upon distinctions taken from computer science, conceptual ethical analysis and case studies.</p>
Richard Wilson, Noah Donnelly
Copyright (c) 2026 Richard Wilson, Noah Donnelly
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 561 568 10.34190/iccws.21.1.4502
Echo Chambers, Filter Bubbles, and Cyber Warfare: An Ethical and Anticipatory Ethical Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4506
<p>With the development of the internet in the information era and the wide access to information the internet makes available, Echo Chambers and Filter Bubbles have developed. Echo Chambers and Filter Bubbles are a consequence of Reinforcement Learning Algorithms. An Echo Chamber is an environment where people only encounter beliefs or opinions that reinforce the beliefs and opinions to which they are already committed (Sunstein, 2017). This serves the purpose of creating a constant positive feedback loop, which continually reinforces one idea or set of ideas (Murphy, 2022). A Filter Bubble develops when recommendation algorithms feed users content based on what narratives the recommendation algorithm determines an audience wants to hear to maximize user engagement (Pariser, 2011). Echo Chambers and Filter Bubbles are relevant to Cyber and Cognitive Warfare because state actors can take advantage of the existence of these environments and use them to influence discourse and public opinion. In the context of cyber warfare, attackers can use bots and fake accounts where they pretend to be citizens of the target nation to flood these Echo Chambers with narratives that align with the audience’s current belief system while also benefiting the attackers (Singer & Brooking, 2018). In the context of cyber warfare, attackers can abuse Filter Bubbles by using data breaches and advertising data to infiltrate the Filter Bubbles and direct them towards the attackers’ desired narrative (Matz et al., 2017). These abuses rise above the level of mere internet trolling; they are intentional and targeted acts of Cyber Warfare aimed at influencing the cognitive space of a nation’s population (Claverie & du Cluzel, 2022). Echo Chambers and Filter Bubbles are constructed to accomplish a strategic objective; in this case they are aimed at influencing the decision making and opinions of an audience to influence elections, policy, protests, or overall public sentiment. 
These strategic objectives are accomplished by using non-kinetic weapons to destabilize society, diminish decision making capabilities, and erode trust in democratic institutions. This type of cyber-attack was made apparent in the COVID-19 disinformation schemes when wellness communities on social media platforms were flooded with anti-vaccine and medicine narratives leading to distrust in the medical system, and the politicians who promoted them (Dawson & Innes, 2019). This paper identifies the technical, ethical, and anticipated ethical issues of Filter Bubbles and Echo Chambers and proposes a technical and policy framework to classify and prevent these acts of Cyber Warfare.</p>
Richard Wilson, Noah Donnelly
Copyright (c) 2026 Richard Wilson, Noah Donnelly
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 569 577 10.34190/iccws.21.1.4506
Cyber Operations and the Threshold for Cyber Warfare: Ethical and Anticipated Ethical Issues
https://papers.academic-conferences.org/index.php/iccws/article/view/4504
<p>Determining whether a cyber operation meets the threshold for being designated cyber warfare involves ethical, technical, and strategic criteria. These are primarily derived from international law frameworks such as the Tallinn Manual 2.0 and principles of the UN Charter. What are the primary criteria for cyber operations to meet the Cyber Warfare threshold? (1) Scale and Effects of cyber operations. The cyber operation must cause effects comparable to a kinetic attack, such as: Physical destruction (e.g., damaging power plants, pipelines). Loss of life or serious injury. Severe disruption of essential services (power, water, healthcare). Example: Stuxnet physically damaged Iranian centrifuges, meeting this criterion. (2) The Intent and Purpose of the Cyber Operation. The cyber-attack must be strategically motivated and aimed at: Weakening an adversary’s military or economic capability. Coercing or punishing a state. Achieving political or military objectives. Example: Ukraine power grid attacks were linked to geopolitical conflict. (3) Cyber operation must be attributed to a State. The cyber operation must be attributable to a state or conducted under its direction/control. State sponsorship or direct involvement elevates an attack from the level of being a cybercrime to the level of acts of cyber warfare. Example: WannaCry and NotPetya were attributed to North Korea and Russia respectively. (4) There must be severity and consequences related to cyber operations. The impact of the cyber operation must be significant enough to trigger international legal obligations, such as a Breach of sovereignty. The possible classification of the cyber operation as a “use of force” under Article 2(4) of the UN Charter. Example: Triton/Trisis targeted safety systems in petrochemical plants, risking catastrophic damage. (5) The Target Type of cyber operation. 
Attacks by the cyber operation on critical infrastructure or military systems are more likely to meet the threshold. Civilian systems may also qualify if disruption is widespread and severe. (6) The Context and Scale of the cyber operation. The cumulative effects of cyber operations mean that repeated or coordinated attacks may collectively meet the threshold even if individual cyber operations do not. This analysis will identify the ethical and anticipated ethical issues with the identification of Cyber Operations and the ethical criteria for these operations to reach the threshold for being classified as acts of Cyber Warfare. Our methodology will employ an interdisciplinary method that draws upon distinctions taken from Bratman’s BDI Model of rational agency, computer science, and conceptual ethical analysis with reference to specific case studies.</p>
Richard Wilson, Noah Donnelly
Copyright (c) 2026 Richard Wilson, Noah Donnelly
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 578 584 10.34190/iccws.21.1.4504
Lessons Learned While Performing 'Hands On' Teaching in a Live Environment
https://papers.academic-conferences.org/index.php/iccws/article/view/4512
<p>In West Virginia (WV) the county sheriff’s office is a central point of interaction between the local government and the people who are served by these elected officials. While law enforcement extends well beyond, this central point of contact, typically the county sheriff website, is not only a great starting point for the citizens to interact with local law enforcement, but also an entry point for potential illegal activities. The county sheriff’s office websites in WV are also the central point for online payment of local taxes, thus making these sites a potential target for electronic misdeeds that would range from defacement to theft and potentially beyond. This study team examined the websites for the 55 counties of WV, in part as a classroom exercise, for potential vulnerabilities ranging from standard server scans to potential exposure through social media (SM) sites where information can be inferred. The majority of SM usage showed professional pages on LinkedIn and Facebook, and newer SM sites were not used. The study findings suggest that an overwhelming majority have outsourced services to third party cloud service providers. Overall, WV sheriff offices practice good cyber hygiene; however, two areas of potential problems are in the duplicate IP addresses found in the cloud service providers’ shared servers, running multiple services with multiple tenants on the same physical server, and the existence of legacy information. The study was neither comprehensive, nor intrusive in nature, but did serve to verify the security posture of the various counties’ sheriff offices, allowing for a fingerprinting of a group of sites in the same industry and a general overall view of security by sector in the public service space. The study also suggested the need for periodic re-checking suggesting a less intense degree, a practice that should be performed regularly in any secure architecture and acts as a public record for interested citizens. 
A final lesson from the class experience re-iterates the importance of proper scoping.</p>
Adam Yusuf, Justin Clevenger, Char Sample
Copyright (c) 2026 Adam Yusuf, Justin Clevenger, Char Sample
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 585 592 10.34190/iccws.21.1.4512
A Review of the Maritime Cybersecurity Regime Over the Last Decade
https://papers.academic-conferences.org/index.php/iccws/article/view/4536
<p>This paper discusses the development of how the Maritime Cybersecurity regime has evolved over the last decade due to new instructions, mandates, doctrine and criteria that have been established to better protect both the traditional Internet Technology (IT) assets as well as the Industrial Control Systems (ICS). The methodology of this paper is to lay out the new regulations over the last 10 years, and to showcase how these mandates affect operational issues at sea. The key factor, that will pervade all of the discussions of cybersecurity in the maritime domain, is the intense focus on safety, only to be followed by availability. This is unique, as the IT sector traditionally is focused on confidentiality, but Operational Technology (OT) or Facility Related Control Systems (FRCS) are a different set of systems, which require continuous operation, hence the need to always be on. In addition, the author will lay out in a systematic function, all of the new regulations in the last 10 years, why they were needed, and how did they change the training, skillsets, as well as processes that have been implemented to ensure compliance moving forward. Peregrine Technical Solutions, LLC. (Peregrine) is led by Dr Leigh Armistead, CISSP, who has conducted a number of maritime cybersecurity same tasks since 2014. It is a small business, based in Juneau, Alaska (US), specializing in ICS/OT/FRCS cybersecurity, where we have successfully conducted assessments over the last decade for the US Department of Defense (DoD) as well as academia. We are currently the prime contractor for the US Coast Guard Advanced Metering Systems, and we won an Army contract in 2023 for Facility Related Control Systems (FRCS) cybersecurity. 
From 2017-2021, we were the lead for the Platform Resilience Mission Assurance (PRMA) for the DoD, plus we have the first Cybersecurity Department of Labor Registered Apprenticeship Program (RAP) in the nation for adults (2016) /Youth Registered Apprenticeship (YRA) (2019). Dr Leigh Armistead was a member of the NATO project, SAS-163, Energy Security in the Era of Hybrid Warfare. This paper is a series of case studies of contracts and research efforts that Peregrine staff conducted over the last decade. It lays out a series of scenarios, using action research, as part of a qualitative methodology, to demonstrate the changes for the maritime community from a cybersecurity aspect. As this is a series of operational actions, there is not a literature review as such but instead, we abide by regulations, mandates, instructions and notices that are issued by a variety of regulatory bodies and organizations. The key participants are as follows: International Maritime Organization (IMO) – Regulatory Body. Peregrine Technical Solutions – FRCS Cybersecurity Provider. Academic Research Fleet (ARF) – 18 Ships. National Science Foundation (NSF) – Contract Sponsor. University of California San Diego (UCSD) – Original Organization requesting Support. Woods Hole Observatory Institute (WHOI) – Follow-on Contract Sponsor</p>
Leigh Armistead
Copyright (c) 2026 Leigh Armistead
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 686 693 10.34190/iccws.21.1.4536
Automated Threat Modeling using Artificial Intelligence on User Stories within the SDLC to Generate Security Tasks
https://papers.academic-conferences.org/index.php/iccws/article/view/4498
<p>This research presents an AI-driven system that integrates automated threat modeling directly into the Software Development Lifecycle (SDLC) during the early user story creation phase. Traditional threat modeling is often manual, delayed, and disconnected from developer workflows, resulting in missed vulnerabilities and reactive security measures. The proposed system employs a Large Language Model (LLM)-based Threat Modeling Engine to analyze user stories - textual descriptions of software features from an end-user perspective - and identify potential security threats. Leveraging advanced LLM algorithms, the system correlates detected risks with known threat patterns (e.g., STRIDE) and dynamically maps them to multiple pluggable security and compliance standards such as NIST CSF, ISO 27001, PCI DSS, HIPAA, SOC 2, OWASP, and GDPR. The engine automatically generates prioritized, technical security tasks aligned with these standards, which are seamlessly integrated into popular development tools like Jira, GitHub Issues, or Azure DevOps. This process enables proactive, traceable, and consistent enforcement of security controls throughout the development workflow, reducing human error and enhancing compliance with relevant regulations. A human-in-the-loop approval mechanism ensures full oversight and iterative refinement of threat modeling outputs. Furthermore, the system parses security standard documents in native formats (e.g., PDFs) to maintain up-to-date mappings without manual intervention. By embedding intelligent threat mitigation early in the SDLC, this research improves software security posture, development efficiency, and compliance adherence.
It addresses a critical gap in current DevSecOps practices by automating and contextualizing security task generation from user stories, enabling development teams to build secure, compliant software aligned with national and international cybersecurity frameworks.</p>Shantu Asif Hossain
Copyright (c) 2026 Shantu Asif Hossain
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 694 704 10.34190/iccws.21.1.4498
SOC Puppets: How Whaley’s Theory of Outs and ‘Noisy’ Sock Puppets Encouraging Discovery of Network Deception Could Enhance Security Operations Center Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4537
<p>This practitioners’ position paper suggests an unorthodox approach integrating Whaley’s Theory of Outs and “turnabout” deception techniques to encourage an attacker’s discovery of deception on a network. Although the late American deception and communication researcher Barton Whaley appeared to differentiate the categorization of deception techniques such as “turnabout” and planning for backup deception techniques if discovered or if the deception appeared to fail, we explore the integration of these approaches to deception design in a cyber context, mainly in situations where analysts in the Security Operations Center (SOC) are looking for higher fidelity alerting on anomalous events and suspected attacker activity on the network. Because attackers appear to generally demonstrate greater confidence in their network movement after discovering what they believe is deception, we visualize how ‘noisy’ controlled deception sock puppets inside of a network prompting optimized query returns on their content could draw attackers to later stage deception functions and effects, and more enhanced SOC analysis following alerting on those functions and effects. This practitioners’ position paper suggests our unorthodox approach offers an alternative strategic and tactical approach to collaborative cyber deception design and SOC alerting, by highlighting ‘noisy’ deception on a network to lure and influence attackers.</p>Tim Pappa, Keyur Rajyaguru
Copyright (c) 2026 Tim Pappa, Keyur Rajyaguru
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 705 712 10.34190/iccws.21.1.4537
Applicability Of Industry 4.0 Technologies in Combating Fraud in the Financial System
https://papers.academic-conferences.org/index.php/iccws/article/view/4535
<p>The increasing digitalization of financial services has brought significant benefits, such as speed and convenience, but it has also increased exposure to sophisticated fraud schemes, including identity theft, card fraud, and money laundering. In this context, Industry 4.0 (I4.0) technologies—particularly Machine Learning (ML) and blockchain—have emerged as strategic tools for enhancing security and mitigating risks in the banking sector. This study aims to examine the applicability of these technologies in detecting and mitigating financial fraud, addressing the following research question: How have blockchain and ML technologies contributed to mitigating different categories of fraud? To answer this question, a Systematic Literature Review (SLR) was conducted using the Scopus and Web of Science databases, focusing on open-access articles published between 2021 and 2025 that were aligned with the research topic. Following the PRISMA protocol, 27 articles were selected and analyzed through bibliometric analysis, content analysis, and mapping of future research directions. The originality of this research lies in the integration of cutting-edge ML and blockchain analyses to mitigate financial fraud, bridging technology, challenges, and gaps. Despite these advances, challenges remain, including data imbalance, the need for model interpretability, and ethical and regulatory concerns. Future research should focus on integrating ML and blockchain, improving algorithms to handle imbalanced datasets, and developing explainable and secure solutions. This study contributes by providing an up-to-date and comprehensive overview of current trends and research gaps in the application of I4.0 technologies to financial security, serving as a foundation for scientific progress and the adoption of these tools by banking institutions.</p>Jennyfer da Conceição Fonseca Santos, Luciana Paula Reis, June Marques Fernandes
Copyright (c) 2026 Jennyfer da Conceição Fonseca Santos, Luciana Paula Reis, June Marques Fernandes
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 634 642 10.34190/iccws.21.1.4535
Doctrine-to-Deployment: Role of Advanced Persistent Threats in Russia’s “Information Confrontation” Doctrine
https://papers.academic-conferences.org/index.php/iccws/article/view/4411
<p>In 2022, before the outbreak of the full-scale war in Ukraine, many analysts feared the possibility of a Russian “Bitskrieg”: overwhelming cyberattacks directed at Kyiv’s command and control systems and critical infrastructures, that would facilitate a ground invasion by plunging Ukraine into darkness. The leading entities behind these kinds of operations are advanced persistent threat groups: experienced and well-funded cyberspace actors often enjoying State sponsorship. Russia employs a number of these under the direction of its intelligence services, which are already known for cyberattacks such as the 2015 breakdown of the Ukrainian energy grid and the 2020 SolarWinds data breach. This research aims to understand their role within the Russian doctrine of “information confrontation” (or IPb), a comprehensive approach that utilises cyberattacks to achieve political, economic, and military objectives during both peacetime and wartime. While a rich body of technical research exists on APT groups, as well as the risk they pose at a geopolitical level, few analyses exist on the integration between these units and doctrinal developments for various States. The research does so by reviewing the works of Russian military theorists and analysts on IPb and assessing the role of APTs through a qualitative case study analysis with three examples: the 2015 attack on the Ukrainian energy grid, the 2020 data breach on the SolarWinds supply chain and the APT campaigns in the war in Ukraine.
The research offers the following conclusions: i) that APT groups are the prime operators of IPb in the cyber domain, as opposed to other more loosely coordinated actors such as patriotic hackers; they indeed showcase consistent alignment with Russian strategic objectives and aims; ii) that APT operations achieve tactical gains rather than strategic outcomes, with even sophisticated attacks proving limited against prepared adversaries with resilient infrastructure. By providing a doctrine-to-deployment analysis of APT units within IPb, this research clarifies a lesser-known aspect of cyber warfare: the operational role of State-sponsored APTs under Russian command.</p>Elia Gelati, Luigi Martino
Copyright (c) 2026 Elia Gelati, Luigi Martino
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 643 650 10.34190/iccws.21.1.4411
Cybersecurity Issues and Solutions Within the South African Small and Medium-Sized Enterprises
https://papers.academic-conferences.org/index.php/iccws/article/view/4402
<p>This systematic literature review paper presents the main cybersecurity issues and their challenges within the Small and Medium-sized Enterprises (SMEs) in South Africa. The SMEs play a very crucial role in the growth of the country’s economy and Gross Domestic Product (GDP). However, following the global pandemic, the economy has become increasingly dependent on technology as a driver in different sectors. With the rapid adoption of technology, SMEs constantly face significant cybersecurity issues and challenges that regularly demand proactive and effective measures. These measures guard against exposure to sophisticated cyber-attacks. This study examines the state of cybersecurity within South African SMEs by assessing the effective use of cybersecurity measures, exploring the extent of their implementation, and identifying best practices to strengthen cyber resilience within these SMEs. To achieve this aim, a systematic literature review is conducted to examine high-quality peer-reviewed journals from 2021 to July 2025, providing more insight into the issues associated with cybersecurity in SMEs. Results highlight the vulnerability of SMEs to various cyber threats, including phishing, insider threats, and ransomware. The lack of awareness among employees, inadequate cybersecurity measures, limited resources, the shortage of professional experts, and the absence of effective measures specifically tailored to the needs of SMEs. Additionally, the mitigation strategies emphasize the adoption of robust security measures that are specifically tailored to the needs of SMEs. To enhance cyber resilience, this study also recommends the use of cybersecurity measures tailored to SMEs, encouraging employee education training programs, and the creation of reliable strategies.</p>Benediction Kitwa Kalombola, Tabisa Ncubukezi
Copyright (c) 2026 Benediction Kitwa Kalombola, Tabisa Ncubukezi
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 651 658 10.34190/iccws.21.1.4402
AI-Augmented Proactive Cyber-Detection and Mitigation of Cybersecurity Threats in the Banking Sector
https://papers.academic-conferences.org/index.php/iccws/article/view/4441
<p>The digital transformation of the financial services sector, accelerated by the emergence of neobanks and advanced online platforms, has markedly increased its exposure to sophisticated cyberthreats. High-profile incidents, such as coordinated attacks on financial institutions in Iraq, have demonstrated the severe operational, economic, and reputational consequences that can arise from delayed threat detection and inadequate mitigation. Traditional cybersecurity measures, including firewalls, antivirus software, and signature-based intrusion detection systems, remain constrained by their dependence on known attack signatures, thereby leaving financial networks susceptible to zero-day exploits, AI-driven intrusions, and complex multi-vector threats. This study proposes and evaluates a supervised machine learning intrusion detection and prevention model aimed at proactively securing financial networks at a network level. To simulate realistic network conditions and generate representative traffic data, a banking environment was constructed using GNS3. To address class imbalance within the dataset, the Synthetic Minority Oversampling Technique (SMOTE) was employed, thereby improving the detection of minority-class attack instances. Several machine learning algorithms, including Support Vector Machine, Multi-Layer Perceptron Neural Network, and Long Short-Term Memory, were assessed using key performance metrics to determine their effectiveness. The Decision Tree model demonstrated superior performance, achieving an accuracy rate of 99.98%, perfect precision and recall, zero false positives, and only thirteen false negatives. These results underscore its capacity to deliver highly accurate, real-time threat detection while minimising operational disruptions caused by false alarms. Its transparent decision-making process enhances explainability, supports regulatory compliance, and fosters institutional trust, factors that are critical in financial cybersecurity. 
The findings validate the viability of interpretable, high-performance machine learning models for the real-time detection and mitigation of advanced cyberthreats, including Distributed Denial-of-Service (DDoS) attack patterns. Future research should prioritise scaling the simulation framework to encompass more complex financial network topologies, integrating adaptive online learning capabilities, and incorporating explainable artificial intelligence (XAI) techniques to investigate whether enhanced model interpretability improves threat detection accuracy and analyst response times.</p>Prince Rotondwa Mulea, Dewald Blaauw
Copyright (c) 2026 Prince Rotondwa Mulea, Dewald Blaauw
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 659 667 10.34190/iccws.21.1.4441
Analysis of Cybersecurity Strategies Across Continents
https://papers.academic-conferences.org/index.php/iccws/article/view/4418
<p>Cyberthreats are a global challenge and because of that countries across the world have been establishing and developing national cybersecurity strategies (NCSS). NCSSs are a way in which countries can present their political and social approach to cybersecurity in the sense of national security. The main principles of a NCSS are addressing the current cybersecurity landscape that the country in question has, the goals of future national cybersecurity development and how to achieve that desired state of national cybersecurity affairs. Being part of the country’s national, political and cultural landscape, the actual cybersecurity strategies naming policies may differ from country to country. Although the most common goals are similar between different states’ cybersecurity strategies, they have different emphasis regarding the role of citizens, the private sector and the public sector in national cybersecurity. This study aims to analyze and compare NCSSs from different continents and recognize the focus areas in the three crucial target groups: citizens, private sector and public sector. NCSSs of 20 different countries from Africa, Asia, Europe, North America, Australia and Oceania and South America were analyzed. All the strategies were collected from public sources and represent the latest version of selected countries’ cybersecurity strategies. The strategies were analyzed using the Commitment to Development (C2D) approach. The Democracy Index was utilized in the study to recognize and differentiate countries based on their index rating. The main findings of this study were that with a few exceptions countries sharing similar Democracy Index rankings have similar attitudes towards their citizens, private sector and public sector. The results also varied in a continental perspective, and some continents align better with each other than others.</p>Pekka Pirinen, Piia Perälä, Martti Lehto
Copyright (c) 2026 Pekka Pirinen, Piia Perälä, Martti Lehto
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 668 675 10.34190/iccws.21.1.4418
Wargaming Design for Cyber Warfare
https://papers.academic-conferences.org/index.php/iccws/article/view/4408
<p>Wargaming design serves as a critical tool for military simulation, analysis, training, and strategic planning. Throughout history, innovations in wargaming have paralleled the introduction of new weapons and technologies. As information technology advances rapidly, cyber warfare has emerged as a fundamental component of modern conflicts. However, systematic studies of cyber warfare wargaming design remain inadequate compared to conventional kinetic warfare simulations. The cyber domain has not received appropriate attention within wargaming design frameworks, leading to conceptual confusion among terms such as "Cyber Warfare," "Cyberwar," and "Information War." This paper addresses this imbalance by synthesizing insights from traditional wargaming design and cyber warfare analysis. After examining the basic structure of traditional wargaming and assessing its adaptability to cyber warfare scenarios, this paper identified fundamental design challenges specific to cyber warfare wargaming. This research proposed an original framework based on analysis of real-world wargaming activities, particularly drawing from China's national wargaming competitions hosted by the Chinese Institute of Command and Control (CICC). The primary contributions of this research include: (1) summary and analysis of traditional wargaming structures, (2) integration of classic models with cyber warfare's unique natures, and (3) identification of key design questions requiring further studies.</p>Dong Wang
Copyright (c) 2026 Dong Wang
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 676 684 10.34190/iccws.21.1.4408
Cyberbiosecurity in Action: Securing the Biological Battlespace from Digital Subversion
https://papers.academic-conferences.org/index.php/iccws/article/view/4526
<p>Cyberbiosecurity is an emerging discipline at the intersection of cybersecurity and life sciences, as digital dependence across genomics, laboratory automation, biomanufacturing, and digital health expands the attack surface of the bioeconomy. This paper synthesizes peer-reviewed literature, government reports, and public incident investigations to map cyber-biological threats, document observed incidents (e.g., healthcare ransomware and documented proofs-of-concept for DNA-encoded exploits), and identify systemic gaps in preparedness, workforce capacity, and governance. The literature indicates recurring vulnerabilities in healthcare and biotechnology supply chains, demonstrated operational impact from ransomware incidents, and credible research demonstrating new attack vectors such as malware encoded in synthetic DNA sequences. Drawing on these sources, we present the Integrated Cyberbiosecurity Defense Framework (ICDF) - a proposed multi-layered strategy combining bio-risk assessment, AI-driven detection, digital-twin simulation, fusion centers for cross-disciplinary response, and workforce development - and recommend policy, technical, and organizational steps for immediate adoption.</p>Adya Daruka, Anusha Nigam, Shreyas Kumar
Copyright (c) 2026 Adya Daruka, Anusha Nigam, Shreyas Kumar
https://creativecommons.org/licenses/by-nd/4.0
2026-02-26 2026-02-26 21 1 726 734 10.34190/iccws.21.1.4526
Cybersecurity Issues and Solutions Within the South African Small and Medium-Sized Enterprises
https://papers.academic-conferences.org/index.php/iccws/article/view/4563
<p>This systematic literature review paper presents the main cybersecurity issues and their challenges within the Small and Medium-sized Enterprises (SMEs) in South Africa. The SMEs play a very crucial role in the growth of the country’s economy and Gross Domestic Product (GDP). However, following the global pandemic, the economy has become increasingly dependent on technology as a driver in different sectors. With the rapid adoption of technology, SMEs constantly face significant cybersecurity issues and challenges that regularly demand proactive and effective measures. These measures guard against exposure to sophisticated cyber-attacks. This study examines the state of cybersecurity within South African SMEs by assessing the effective use of cybersecurity measures, exploring the extent of their implementation, and identifying best practices to strengthen cyber resilience within these SMEs. To achieve this aim, a systematic literature review is conducted to examine high-quality peer-reviewed journals from 2021 to July 2025, providing more insight into the issues associated with cybersecurity in SMEs. Results highlight the vulnerability of SMEs to various cyber threats, including phishing, insider threats, and ransomware. The lack of awareness among employees, inadequate cybersecurity measures, limited resources, the shortage of professional experts, and the absence of effective measures specifically tailored to the needs of SMEs. Additionally, the mitigation strategies emphasize the adoption of robust security measures that are specifically tailored to the needs of SMEs. To enhance cyber resilience, this study also recommends the use of cybersecurity measures tailored to SMEs, encouraging employee education training programs, and the creation of reliable strategies.</p>Benediction Kitwa Kalombola, Tabisa Ncubukezi
Copyright (c) 2026 Benediction Kitwa Kalombola, Tabisa Ncubukezi
https://creativecommons.org/licenses/by-nd/4.0
2026-02-26 2026-02-26 21 1 735 742 10.34190/iccws.21.1.4563
Biosecure-LLM Framework: Protecting LLMs from Cyberbiosecurity Threats and the Case for Independent AI Safety Governance
https://papers.academic-conferences.org/index.php/iccws/article/view/4524
<p>Large Language Models (LLMs) are becoming critical infrastructure in scientific, healthcare, and governmental contexts. As frontier AI laboratories increasingly partner with government agencies, a fundamental question arises: Who should control the safety and policy-enforcement layers that constrain model behavior? Current safety mechanisms (LLM guardrails) are typically designed for generic "harmlessness" and operate by detecting semantic patterns and refusing requests. However, they are inadequate governance instruments because they cannot implement auditable, domain-specific controls tied to external regulatory policy objects (e.g., control lists or rules governing personally identifying information). Even a perfectly aligned model is not able to express institution-specific policy without an external control layer. This paper argues that the logical separability of policy enforcement from model inference, demonstrated by firewall-style architectures, demands corresponding institutional separability as well. Concentrating both model development and safety governance within the same commercial entities creates unacceptable conflicts of interest, regulatory capture risks, and accountability gaps. We propose that the policy control layers must be housed within independent regulatory bodies, governmental agencies, or trusted third parties rather than the organizations that build and profit from the underlying models. Drawing on the Biosecure-LLM framework as a technical proof-of-concept, we demonstrate that such separation is architecturally feasible and argue it is well-suited for verifiable compliance.</p>Xavier-Lewis Palmer, Lucas Potter, Srdjan Lesaja, Sotirios Karathanasis, Mohammad Ghasemigol
Copyright (c) 2026 Xavier-Lewis Palmer, Lucas Potter, Srdjan Lesaja, Sotirios Karathanasis, Mohammad Ghasemigol
https://creativecommons.org/licenses/by-nd/4.0
2026-02-26 2026-02-26 21 1 743 750 10.34190/iccws.21.1.4524
A Comprehensive Cyber Defense Framework for the Indonesian National Armed Forces: Bridging Governance Gaps for National and ASEAN Cyber Resilience
https://papers.academic-conferences.org/index.php/iccws/article/view/4553
<p>Indonesia's National Data Center (<em>PDN</em>) was targeted by a ransomware attack on June 20, 2024, paralyzing 210 government agencies, causing manual immigration procedures, and exposing significant weaknesses in Indonesia's cyber governance system. The National Cyber and Crypto Agency (<em>BSSN</em>) was mandated under Presidential Regulation 47/2023 to coordinate the response, but the response operation remained disorganized due to various agencies working independently without a unified leadership system, including the Indonesian National Armed Forces (<em>TNI</em>) operating independently despite possessing a Cyber Unit (<em>Satsiber</em>) with adequate cyber warfare capabilities. The attack on the <em>PDN</em> ultimately revealed three governance weaknesses: a lack of a unified command system for conducting national-scale response operations, the separation of military resources from the protection of civilian infrastructure, and a systemic failure to maintain adequate operational readiness. Through a comparative analysis of cyber command models in the United States, Singapore, South Korea, and Australia, combined with an institutional assessment using the McKinsey 7S and NIST frameworks, we propose an integrated defense architecture. The establishment of a Joint Cyber Defense Task Force (JCDTF) operating under a proposed civilian-military organization, the National Cyber Security Coordination Center (NCCC), would create a single command system for crisis response and maintain democratic civilian control through established legal authority, mandatory parliamentary oversight, and limitations on operational areas. This framework would address existing governance weaknesses through democratic cyber governance principles that can also be used by ASEAN countries to address their civil-military integration challenges in handling national-scale cyber incidents.</p>Timothy Shives, Fibriansyah Fatahillah
Copyright (c) 2026 Timothy Shives, Fibriansyah Fatahillah
https://creativecommons.org/licenses/by-nd/4.0
2026-02-26 2026-02-26 21 1 751 758 10.34190/iccws.21.1.4553
Cyber-Security in Cyber-Physical Systems and Critical Infrastructure: A Self-Healing Federated Learning Intrusion Detection Framework
https://papers.academic-conferences.org/index.php/iccws/article/view/4467
<p>Cyber-Physical Systems (CPS) underpin critical infrastructures such as power grids, water treatment facilities, and transportation systems. Their increasing connectivity, combined with legacy physical components and modern digital interfaces, expands the attack surface and exposes CPS to sophisticated cyber threats. The resulting heterogeneous, latency-sensitive environments challenge conventional security mechanisms, while centralized Intrusion Detection Systems (IDS) introduce privacy risks and fail to meet real-time operational constraints. To address these challenges, this paper proposes a hybrid framework that integrates Federated Learning (FL) with a Lightweight Intrusion Detection System (LIDS), augmented by Model-Agnostic Meta-Learning (MAML) and a self-healing feedback loop. Edge-based LSTM anomaly detectors are collaboratively trained using FedAvg to preserve data locality and privacy, meta-learning enables rapid adaptation to zero-day attacks, and the self-healing mechanism supports automated rollback, isolation of compromised clients, retraining, and feedback-driven threshold adjustment. We further present a practical deployment blueprint for production CPS environments, leveraging edge gateways with MQTT telemetry, Flower for FL orchestration, KubeEdge or AWS IoT Greengrass for edge management, and secure aggregation protocols, along with an analysis of communication overhead and mitigation strategies. The framework is evaluated on the ICS-AD and SWaT datasets, as well as a synthetic digital twin environment. Data preprocessing includes min–max normalization, 50-timestep sliding windows, and SMOTE-based class balancing. Experiments simulate 50 non-IID federated clients over 100 rounds with a two-layer LSTM architecture (128 and 64 units, dropout 0.3), trained using Adam. 
Results demonstrate strong detection performance (mean F1-score ≈ 92.4% ± 1.2) and low detection latency (≈ 1.2 s ± 0.1), with improved resilience to zero-day attacks compared to centralized baselines, albeit with increased communication overhead. Key limitations include federated communication cost, model drift, and deployment complexity. This work contributes an integrated self-healing federated IDS framework with meta-learning, designed for privacy-preserving, adaptive, and practical CPS security deployment.</p>Francisca Ezulike, Sheunesu Makura, Stacey Baror, Hein Venter
Copyright (c) 2026 Francisca Ezulike, Sheunesu Makura, Stacey Baror, Hein Venter
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 594 603 10.34190/iccws.21.1.4467
PRISM-APT: A Model-First Synthesis for APT Defence
https://papers.academic-conferences.org/index.php/iccws/article/view/4407
<p>We present PRISM-APT, a practical APT defence model for smaller organisations that integrates governed CTI, behaviour-centric rules, and sovereignty-by-operation thresholds (S-CAP). Advanced Persistent Threats (APTs) routinely exploit the gap between widely used theoretical frameworks and day-to-day operational practice, leaving Security Operations Centres (SOCs) with fragmented, vendor-locked, or jurisdictionally misaligned defences. To address this problem, we introduce PRISM-APT, a model-first synthesis for governed APT defence developed through a multi-year research programme. PRISM-APT operationalises defence as a cyclical, five-phase model; Preparation, Recognition, Intelligence, Synthesis, and Mitigation & Measurement, designed for heterogeneous SOC environments, governable via reciprocity contracts and explicit human-in-the-loop decision gates, and auditable through sovereignty-by- operation (SoO) metrics and evidence-centred traceability maps. In practice, the model treats ATT&CK as a shared language rather than a process, complements governance frames such as NIST CSF with operational hooks, and replaces purely linear threat models with an auditable loop that surfaces bias, provenance, and accountability at each gate. The paper makes four contributions. First, it specifies the PRISM-APT model and its governance hooks for bias-aware, explainable, human-in-the-loop defence in SOCs operating under legal and organisational constraints. Second, it provides an explicit evidence-to-model derivation, linking nine empirical studies to concrete operational artefacts . Third, it offers an evaluation plan with measurable criteria for coverage, auditability, and SoO, including adoption and audit pathways for single organisations and federated consortia. 
Fourth, it distils implementation guidance for phased roll-out in resource-constrained environments, with emphasis on rules portability, minimal viable telemetry, and governance-by-contract to reduce lock-in while maintaining compliance.</p>Raymond André Hagen
Copyright (c) 2026 Raymond André Hagen
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 604 615 10.34190/iccws.21.1.4407
Frequent Itemset Mining for Model Data Reduction
https://papers.academic-conferences.org/index.php/iccws/article/view/4475
<p>Network intrusion detection systems (NIDS) are in constant battle to come up with new techniques, whether it is a new machine learning model or viewing the data in a new form, to stay ahead of the curve. Recent work has shown that using Deep Learning, coupled with an image-based representation of packet-level data, achieves a high detection rate for a wide number of attacks. Key to the image construction was removing information that can cause misalignment or potential bias in the Deep Learning model. However, while image-based Deep Learning is known to be good at extracting relevant information from images, it is proposed that using additional preprocessing can result in both improving training and detection time while potentially providing insight into bytes that are frequently occurring in attacks. To this end, this paper proposes the use of Frequent Itemset Mining (FIM), which is a powerful tool that allows the identification of frequent (commonly occurring) itemsets (bytes) from transactional data (bytes in a packet). By identifying the frequent bytes from within the packets of a flow, the feature space can be greatly reduced, which would permit a quicker classification time. This approach is tested on image representations of CICIDS-2017 data where the first <em>n</em> packets of a flow are transformed into an image and then fed into a Convolutional Neural Network (CNN) model architecture. Results show that the use of frequent itemsets to identify frequent byte positions of a packet yields comparable results to images that do not use FIM to reduce the number of packet bytes. The feature reduction results in the need for 99% less data, which reduces the training complexity. We also show better or comparable results to models using the non-reduced packets when reducing the number of packets in a flow (ranging from eight packets to five).</p>Blake Johns, Ryan Benton
Copyright (c) 2026 Blake Johns, Ryan Benton
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 616 623 10.34190/iccws.21.1.4475
Sleeper Code in Protein Data Files as Cyber Adversarial Vectors
https://papers.academic-conferences.org/index.php/iccws/article/view/4459
<p>Scientific protein data formats are widely assumed to be inert, yet their use in automated and AI-driven research environments creates overlooked pathways for cyberbiosecurity risk. This work examines sleeper code patterns, defined as structured non-executable strings embedded in FASTA files, CIF metadata, and protein sequences that persist through downstream processing. A controlled simulation framework models ten representative adversarial use cases and reveals that many workflow components carry these patterns forward without removal, including cloud alignment tools, high-performance computing pipelines, visualization utilities, and transformer-based protein models. Across the ten simulations, nine workflows preserved at least one embedded pattern, which confirms broad systemic tolerance for structured symbolic content. Results show that permissive parsing rules and AI prefix conditioning allow symbolic content to survive reformatting and, in some cases, to become further embedded within generated outputs. These findings indicate a structural blind spot in scientific workflows where biological trust assumptions obscure computational vulnerabilities. To address this gap, the paper introduces a multilayer mitigation framework that combines input sanitation, anomaly detection, AI model guardrails, workflow provenance, and federated containment. Taken together, the study reframes protein data formats as potential cyber vectors and highlights the need for interdisciplinary approaches that strengthen digital resilience across computational biology and national research infrastructure.</p>Tia Pope
Copyright (c) 2026 Tia Pope
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 624 632 10.34190/iccws.21.1.4459
Exploring NIS2 Compliance in the Energy Sector Using AI-Driven Cyber Threat Intelligence
https://papers.academic-conferences.org/index.php/iccws/article/view/4482
<p>The NIS2 Directive introduces stricter requirements for how essential entities, including energy-sector operators, must manage cybersecurity risks and report incidents. In practice, many organisations face difficulties in transforming these legal obligations into concrete, daily security operations, especially in operational technology (OT) environments where visibility, logging, and coordinated responses are often limited. This paper examines how SecureAI, an AI-based anomaly detection and enrichment tool within the Cyber Threat Intelligence (CTI) ecosystem, can help energy operators meet key NIS2 obligations. The study is based on a qualitative desk-research approach, a comparative mapping of SecureAI capabilities against NIS2 Articles 20-26, and a realistic OT case scenario based on recent intrusion patterns. Prior research shows that AI can detect industrial anomalies faster and more accurately than rule-based systems, and that automated CTI processing can turn raw alerts into structured and shareable intelligence. At the same time, NIS2 requires accountable use of such tools, meaning that human oversight, transparency of analysis, and reliable evidence generation must be part of AI-supported workflows. These requirements guided the assessment. The analysis shows that SecureAI supports several key NIS2-related tasks. It identifies unusual behaviour in network and host telemetry, enriches findings with asset information and event relationships, and produces structured alert objects that support operator decision-making. The CTI Framework then converts these enriched alerts into STIX/TAXII objects suitable for reporting, documentation, and intelligence exchange. 
The case scenario–an unauthorised remote-access intrusion followed by suspicious HMI-PLC activity–demonstrates how SecureAI can highlight the anomaly, provide context for understanding its impact, and supply material for reporting and further investigation.</p>Jani Siivola, Rami Paronen, Uzair Tariq, Quyet Pham, Warren Villegas, Ilkka Tikanmäki, Jyri Rajamäki
Copyright (c) 2026 Jani Siivola, Rami Paronen, Uzair Tariq, Quyet Pham, Warren Villegas, Ilkka Tikanmäki, Jyri Rajamäki
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 714 717 10.34190/iccws.21.1.4482
ECHO Early Warning System for Water Infrastructure Protection
https://papers.academic-conferences.org/index.php/iccws/article/view/4480
<p>Water is a valuable natural resource and essential for human life, so protecting critical water infrastructure is vital. Through directives such as the Network and Information Security Directive (NIS2), the European Union has made it mandatory to ensure that all critical infrastructure is adequately protected. Security measures taken to protect critical infrastructure are often limited to a national scope. The ECHO Early Warning System (E-EWS) is a tool that enables communication and cooperation across national borders. It focuses on a warning system that allows people to know almost immediately what is happening, to react appropriately and to disseminate this information to trusted partners. With geopolitical tensions and cyberattacks on the rise, this work in progress employs a literature review and case analysis to identify similarities between recent cyberattacks on critical water infrastructure and to determine what E-EWS could have done in these instances. The results show that key similarities correlate with current events: political threat actors, slow detection, fear as a weapon, information silos and people as weak links. With the E-EWS, threats are detected almost immediately, allowing mitigation actions to begin much earlier. By sharing information, knowledge grows, connecting and strengthening the overall security of E-EWS users. Attackers do not care about borders, so the cybersecurity of critical water infrastructure is no longer limited to national borders. International cooperation would help reduce the burden caused by some countries’ own resource constraints. Based on these results, the E-EWS plays a key role in the future protection of EU critical water infrastructure.</p>Ilkka Tikanmäki, Sara Jylhänkangas, Kitty Tapola, Jeni Awa
Copyright (c) 2026 Ilkka Tikanmäki, Sara Jylhänkangas, Kitty Tapola, Jeni Awa
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 718 720 10.34190/iccws.21.1.4480
Automated Exploit Chain Modeling and Analysis
https://papers.academic-conferences.org/index.php/iccws/article/view/4432
<p>We describe early-stage research and tool development efforts to formally model and analyze <em>exploit chains</em>. These are sequences of exploits carefully crafted by an attacker to achieve an elaborate end-goal, such as an escalation of privileges of the executing thread. In this work, we are taking a systematic approach to constructing <em>formal models</em> of exploit chains in the form of finite-state machines, which are then converted into constraint-based semantic representations or timed automata, in order to analyze chains against metrics such as effectiveness, ease of reproduction, and stability under system variations.</p>Thomas Wahl, Nicolas White, Guang Jin, Sukarno Mertoguno, Kevin Stevens, Froy Maldonado
Copyright (c) 2026 Thomas Wahl, Nicolas White, Guang Jin, Sukarno Mertoguno, Kevin Stevens, Froy Maldonado
https://creativecommons.org/licenses/by-nd/4.0
2026-02-19 2026-02-19 21 1 721 724 10.34190/iccws.21.1.4432