2021 KSU Conference on Cybersecurity Education, Research and Practice | KSU Proceedings on Cybersecurity Education, Research and Practice


Research
2021
Saturday, October 30th
9:00 AM

A Taxonomy of Cyberattacks against Critical Infrastructure

Miloslava Plachkinova, Kennesaw State University
Ace Vo, Loyola Marymount University

Online Zoom Session

9:00 AM - 9:30 AM

The current study proposes a taxonomy to organize existing knowledge on cybercrimes against critical infrastructure such as power plants, water treatment facilities, dams, and nuclear facilities. Routine Activity Theory is used to inform a three-dimensional taxonomy with the following dimensions: hacker motivation (likely offender), cyber, physical, and cyber-physical components of any cyber-physical system (suitable target), and security (capable guardian). The focus of the study is to develop and evaluate the classification tool using Design Science Research (DSR) methodology. Publicly available data was used to evaluate the utility and usability of the proposed artifact by exploring three possible scenarios – Stuxnet, the Ukrainian power grid shutdown, and ransomware attacks. While similar taxonomies exist, none of them have been verified due to the sensitive nature of the data, and this would be one of the first empirically validated frameworks to explore cyberattacks against critical infrastructure. By better understanding these attacks, we can be better prepared to prevent and respond to incidents.

9:30 AM

ASSESSING THE IMPACT OF TIMERS ON USER SUSCEPTIBILITY TO PHISHING ATTACKS

Amy Antonucci, Updated - AIS
Yair Levy, College of Engineering and Computing, Nova Southeastern University
Laurie P. Dringus, Nova Southeastern University
Marti Snyder, Nova Southeastern University

Online Zoom Session

9:30 AM - 10:00 AM

Social engineering costs organizations billions of dollars. It exploits the weakest link of information systems security, the users. It is well-documented in the literature that users continue to click on phishing emails, costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are warranted. Kahneman introduced the concepts of System-One and System-Two thinking. System-One is a quick, instinctual decision-making process, while System-Two is a slow, logical process that is easily disrupted. The key aim of our experimental field study was to investigate whether requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System-Two thinking. In this study, we designed, developed, and empirically tested a Pause-and-Think (PAT) mobile app that presented a user with a warning dialog and a countdown or count-up timer. Our goal was to determine whether requiring users to wait with a colored warning and a timer has any effect on phishing attempts. The study was completed in three phases with 42 subject matter experts and 107 participants. The results indicated that a countdown timer set at 3 seconds accompanied by red warning text was most effective on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing.

10:00 AM

Cybersecurity continuity risks: Lessons learned from the COVID-19 pandemic

Tyler Fezzey, University of West Florida
John H. Batchelor, University of West Florida
Gerald F. Burch, University of West Florida
Randall Reid, University of West Florida

Online Zoom Session

10:00 AM - 10:30 AM

The value of a strong business continuity plan has become obvious with the changes and disruptions brought about by the COVID-19 pandemic. Further, the increase in remote working arrangements brought about by COVID-19 has highlighted the importance of cybersecurity and continuity planning. Thus, the two concepts, Business Continuity Planning (BCP) and cybersecurity, are linked as they both deal with managing risk. This article used a study conducted at the height of the COVID-19 pandemic to identify business continuity and cybersecurity blind spots that arose during the crisis. This study was conducted in the state of Florida using data from a community resource development center. The primary cybersecurity-related impacts of COVID-19 were the following: off-site working options, enhancing a second mode of business operations, changing the business model, changing the business hours, and business closure.

The primary finding of this article is that pre-COVID cybersecurity and continuity planning focused on the potential for single axis attacks/incidents related to one business aspect and attacks such as phishing, ransomware, and crypto-jacking. It is argued that going forward, businesses should focus on how to mitigate the risks of multi-pronged attacks that disrupt not only business operations but how and where the work is performed and by whom. As multi-pronged attacks exposed vulnerabilities that many thought were unlikely pre-COVID, we make recommendations that incorporate both common cybersecurity and business continuity planning concepts to mitigate such broad impacts going forward. These include practices such as daily system backups, avoiding public networks, conducting vulnerability testing, multifactor authentication, employee response training, cyber insurance, fostering a culture of cybersecurity, use of secure VPNs, multiple revenue sources, multimodality workforce planning, cross training employees, and multi-incident continuity planning.

10:30 AM

SUBJECT MATTER EXPERTS’ FEEDBACK ON EXPERIMENTAL PROCEDURES TO MEASURE USER’S JUDGMENT ERRORS IN SOCIAL ENGINEERING ATTACKS

Tommy Pollock, Nova Southeastern University
Yair Levy, Nova Southeastern University
Li Wei, Nova Southeastern University
Ajoy Kumar, Nova Southeastern University

Online Zoom Session

10:30 AM - 11:00 AM

Distracted users can fail to correctly distinguish the differences between legitimate and malicious emails or search engine results. Mobile phone users can have a more challenging time identifying malicious content due to the smaller screen size and the limited security features in mobile phone applications. Thus, the main goal of this research study was to design, develop, and validate a set of field experiments to assess users’ judgment when exposed to two types of simulated social engineering attacks: phishing and Potentially Malicious Search Engine Results (PMSER), based on the interaction of the environment (distracting vs. non-distracting) and type of device used (mobile vs. computer). In this paper, we provide the results from the Delphi methodology research we conducted using an expert panel consisting of 28 cybersecurity Subject Matter Experts (SMEs) who participated, out of 60 cybersecurity experts invited. Half of the SMEs had over 10 years of experience in cybersecurity, the rest around five years. SMEs were asked to validate two sets of experimental tasks (phishing & PMSER) as specified in RQ1. The SMEs were then asked to identify physical and Audio/Visual (A/V) environmental factors for distracting and non-distracting environments. About 50% of the SMEs found that an airport was the most distracting environment for mobile phone and computer users. About 35.7% of the SMEs also found that a home environment was the least distracting environment for users, with an office setting coming in a close second. About 67.9% of the SMEs chose “all” for the most distracting A/V distraction level, which included continuous background noise, visual distractions, and distracting/loud music. About 46.4% of the SMEs chose “all” for the least distracting A/V level, including a quiet environment, relaxing background music, and no visual distractions. The SMEs were then asked to evaluate a randomization table. This was important for RQ2 to set up the eight experimental protocols to maintain the validity of the proposed experiment. About 89.3% indicated a strong consensus that we should keep the randomization as it is. The SMEs were also asked whether we should keep, revise, or replace the number of questions for each mini-IQ test, set at three questions each. About 75% of the SMEs responded that we should keep the number of mini-IQ questions at three. Finally, the SMEs were asked to evaluate the proposed procedures for the pilot testing and experimental research phases to be conducted in the future. About 96.4% of the SMEs selected to keep the first pilot testing procedure. For the second and third pilot testing procedures, the SMEs responded with an 89.3% strong consensus to keep the procedures. For the first experimental procedure, a strong consensus of 92.9% of the SMEs recommended keeping the procedure. Finally, for the third experimental procedure, there was an 85.7% majority to keep the procedure. The expert panel was used to validate the proposed experimental procedures and recommended adjustments. The conclusions, study limitations, and recommendations for future research are discussed.

Keywords: Cybersecurity, social engineering, judgment error in cybersecurity, phishing email mitigation, distracting environments

11:00 AM

Analyzing Robotics Software Vulnerabilities

Hossain Shahriar, Kennesaw State University
Md Jobair Hossain Faruk
Shahriar Sobhan
Mohammad Nazim, Kennesaw State University

Online Zoom Session

11:00 AM - 11:30 AM

Robots are widely used in our day-to-day life in various domains. For example, eldercare robots, such as Care-O-bots [1], are used to perform household tasks and provide mobility assistance [2]. Amazon uses manufacturing robots to accomplish manufacturing labor activities, such as welding and assembling equipment [2]. According to the International Data Corporation, spending on robotics is expected to reach USD 241.4 billion by the end of 2023 [4].

However, malicious users can exploit security vulnerabilities in hardware and software components of robotics systems to conduct security attacks and cause malfunction, i.e., deviate robots from their expected behaviors. Security attacks on robots can have serious consequences such as (i) bottlenecks and shutdowns in the assembly line, (ii) disruption in the food supply chain, (iii) incorrect treatment for patients, and (iv) unwanted military attacks injuring or killing civilians and military personnel [2].

Researchers [3] have observed a lack of awareness amongst practitioners related to security issues that can exist in robotics systems. Using qualitative analysis, the project aims to determine the software vulnerabilities that commonly appear in robotics systems.

In this work in progress, we plan to discuss our initial findings, drawn from the Robotics Vulnerability Database (RVD) repositories [5], on the following questions – (i) what are the most frequent security vulnerabilities in robotics systems? (ii) what types of components are affected by the vulnerabilities? (iii) what categories of vulnerabilities exist for robotics systems, and what is their severity?

11:30 AM

Privacy and Digital Contact Tracing

Mahdi Nasereddin, The Pennsylvania State University
Edward J. Glantz, The Pennsylvania State University
Galen A. Grimes, The Pennsylvania State University
Joanne Peca, Carnegie Mellon University
Michelle Gordon, The Pennsylvania State University
Michael R. Bartolacci, The Pennsylvania State University

Online Zoom Session

11:30 AM - 12:00 PM

Digital contact tracing tools were developed to decrease the spread of COVID-19 by supplementing traditional manual methods. Although these tools have great potential, they were developed rather quickly resulting in tools with varying levels of success. The main issues with these tools are over privacy and who might have access to the information gathered. In general, their effectiveness varied globally, where users expressed privacy concerns associated with sharing identity, illness, and location information. This paper reviews these issues in deployments across Asia, Europe, and the United States. The goal is to begin a discussion that improves the design and development of digital technologies that not only improve the control of infectious disease spread, but also achieve an appropriate standard of privacy and security.

1:00 PM

TOWARDS ASSESSING PASSWORD WORKAROUNDS AND PERCEIVED RISK TO DATA BREACHES FOR ORGANIZATIONAL CYBERSECURITY RISK MANAGEMENT TAXONOMY

Michael J. Rooney, Nova Southeastern University
Yair Levy, Nova Southeastern University, USA
Wei Li, Nova Southeastern University
Ajoy Kumar, Nova Southeastern University

Online Zoom Session

1:00 PM - 1:30 PM

Cybersecurity involves a broad range of techniques, including cyber-physical, managerial, and technical, while authentication provides a layer of protection for Information Systems (IS) against data breaches. The recent COVID-19 pandemic brought a tsunami of data breach incidents worldwide. Authentication serves as a mechanism protecting IS against unauthorized access utilizing various defense techniques, with the most popular and frequently used technique being passwords. However, the dramatic increase of user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Despite users being more aware of password entropy, users still often participate in deviant password behaviors, also known as ‘password workarounds’ or ‘shadow security’. These deviant password behaviors can put individuals and organizations at risk, resulting in data privacy issues, data loss, and ultimately a data breach incident. In this paper, we outline a research-in-progress study to build a risk taxonomy for organizations that identifies the risks associated with deviant password behaviors, based on the constructs of users’ perceived cybersecurity risk of data breaches resulting from PassWord WorkArounds (PWWA) techniques. Additionally, this study aims to empirically assess significant mean differences between Subject Matter Experts (SMEs) and employees on their perceived cybersecurity risk of data breaches resulting from the deviant password behaviors and the frequency of PWWA techniques usage.

1:30 PM

Fake News or Real News? Sharing Behaviors on Social Media about COVID-19

Xin Tian, Kennesaw State University
Wu He, Old Dominion University
Justin Zhang, University of North Florida
Yuming He, Old Dominion University

Online Zoom Session

1:30 PM - 2:00 PM

Guided by the Uses and Gratification theory and Impression Management theory, this study aims to find out whether there are predictable types of COVID-19 fake news that are easier to spread or there are predictable types of people that are more likely to spread COVID-19 fake news. We recently performed a survey study on social media users’ sharing of COVID-19 fake news. The study found that online trust is positively associated with the sharing of COVID-19 fake news. In contrast, awareness about COVID-19 and activeness in social media activities have a negative association with the sharing of COVID-19 fake news. Furthermore, the results indicate that individuals are less likely to share scientific COVID-19 fake news than policy-related COVID-19 fake news, and online trust is a key factor in determining whom to share the news with. The findings have implications for reducing the negative impacts of COVID-19 fake news spread during the pandemic.

2:00 PM

Warshipping: Hacking the Mailroom

Jackson Szwast, University of North Georgia
Bryson Payne, University of North Georgia

Online Zoom Session

2:00 PM - 2:30 PM

Everyone knows what package shipping is, but not everyone knows what warshipping is. Corporate mailrooms are rarely considered as part of the cybersecurity attack surface of most organizations, but they offer physical access to millions of uninspected packages daily. UPS shipped 5.5 billion items last year, with their daily average being 21.9 million items and operating through 1,800 locations in 2020. FedEx shipped 6.5 million packages daily and operates 2,150 locations. The United States Postal Service delivered 143 billion pieces of mail in 2019. Increasingly the world’s consumers are relying on e-commerce, and during the recent COVID-19 pandemic, package deliveries reached record levels according to the US Government Accountability Office. E-commerce sales represented 14.5% of all retail sales in the United States with deliveries made via major carriers such as USPS, UPS, and FedEx, making the corporate mailroom an increasingly attractive and vulnerable surface of attack. The goal of this research is to demonstrate how warshipping attacks work by creating a low-cost physical device using readily available commodity parts, provide some background on warshipping, and provide guidance to organizations and individuals on how to defend against this type of cyber-physical attack.

2:30 PM

Resilience vs. Prevention. Which is the Better Cybersecurity Practice?

Frank Katz, Georgia Southern University

Online Zoom Session

2:30 PM - 3:00 PM

Students in multiple cohorts of our 3000-level Fundamentals of Information Systems Security course were given a discussion question where they had to either agree or disagree with the premise that, given all the constant threats to our systems, we should dedicate more of our efforts to quickly repairing the damage of an attack rather than dedicate more of our time and energies to preventing such attacks. They were required to give their reasoning and provide sources to back up their analysis of this premise.

This paper will describe and explain the concept of cyber resiliency. It will then evaluate the responses of the students and their sources to determine if they felt that emphasizing bringing systems back quickly over prevention is a cybersecurity practice that more organizations should consider, as well as give some recommendations about both cyber prevention and cyber resiliency methods.

3:00 PM

Effectiveness of the Cybersecurity Training– A Brain-Computer Interface Perspective

Lei Li, Kennesaw State University

Online Zoom Session

3:00 PM - 3:30 PM

Effective information security awareness training is a critical part of the security program in an organization. In this paper, we studied the effectiveness of text-based and video-based security awareness training delivery methods using a three-pronged approach. In addition to measuring participants’ perceptions and testing knowledge transfer post-training, we analyzed the emotional parameters of the participants during the training using a Brain Computer Interface (BCI) device, the Emotiv EPOC+ Neuroheadset. We conducted an experiment in a realistic setting. Our study showed that both the text-based training group and the video-based training group scored well in the post-training knowledge transfer quiz. The text-based training group indicated higher perceived training effectiveness, enjoyment of delivery methods, and engagement. For the emotional analysis, all participants seemed to be engaged, showed interest in the training, were relaxed, and were less stressed about the training, but these differences were not statistically significant. The video-based training group was significantly more stressed and more focused than the text-based training group. To our knowledge, this study is the first of its kind to investigate the effectiveness of information security awareness training in this way. The implications and limitations of our research are also discussed.

3:30 PM

Emotional Analysis of Learning Cybersecurity with Games using IoT

Maria Valero
Md Jobair Hossain, Kennesaw State University
Shahriar Sobhan, Kennesaw State University

Online Zoom Session

3:30 PM - 4:00 PM

The constant rise of cyber-attacks poses an increasing demand for more qualified people with cybersecurity knowledge. Games have emerged as a well-fitted technology to engage users in learning processes. In this paper, we analyze the emotional parameters of people while learning cybersecurity through computer games. The data are gathered using a non-invasive Brain-Computer Interface (BCI) to study the signals directly from the users’ brains. We analyze six performance metrics (engagement, focus, excitement, stress, relaxation, and interest) of 12 users while playing computer games to measure the effectiveness of the games to attract the attention of the participants. Results show participants were more engaged with parts of the games that are more interactive instead of those that present text to read and type.