2021
Saturday, October 30th
9:00 AM

A Taxonomy of Cyberattacks against Critical Infrastructure

Miloslava Plachkinova, Kennesaw State University
Ace Vo, Loyola Marymount University

Online Zoom Session

9:00 AM - 9:30 AM

The current study proposes a taxonomy to organize existing knowledge on cybercrimes against critical infrastructure such as power plants, water treatment facilities, dams, and nuclear facilities. Routine Activity Theory is used to inform a three-dimensional taxonomy with the following dimensions: hacker motivation (likely offender), cyber, physical, and cyber-physical components of any cyber-physical system (suitable target), and security (capable guardian). The focus of the study is to develop and evaluate the classification tool using Design Science Research (DSR) methodology. Publicly available data was used to evaluate the utility and usability of the proposed artifact by exploring three possible scenarios – Stuxnet, the Ukrainian power grid shut down, and ransomware attacks. While similar taxonomies exist, none of them have been verified due to the sensitive nature of the data and this would be one of the first empirically validated frameworks to explore cyberattacks against critical infrastructure. By better understanding these attacks, we can be better prepared to prevent and respond to incidents.

9:30 AM

ASSESSING THE IMPACT OF TIMERS ON USER SUSCEPTIBILITY TO PHISHING ATTACKS

Amy Antonucci, Updated - AIS
Yair Levy, College of Engineering and Computing, Nova Southeastern University
Laurie P. Dringus, Nova Southeastern University
Marti Snyder, Nova Southeastern University

Online Zoom Session

9:30 AM - 10:00 AM

Social engineering costs organizations billions of dollars. It exploits the weakest link of information systems security: the users. It is well-documented in the literature that users continue to click on phishing emails, costing them and their employers significant monetary resources and data loss. Training does not appear to mitigate the effects of phishing much; other solutions are warranted. Kahneman introduced the concepts of System-One and System-Two thinking. System-One is a quick, instinctual decision-making process, while System-Two is a slow, logical process that is easily disrupted. The key aim of our experimental field study was to investigate if requiring the user to pause by presenting a countdown or count-up timer when a possible phishing email is opened will influence the user to enter System-Two thinking. In this study, we designed, developed, and empirically tested a Pause-and-Think (PAT) mobile app that presented a user with a warning dialog and a countdown or count-up timer. Our goal was to determine whether requiring users to wait with a colored warning and a timer has any effect on phishing attempts. The study was completed in three phases with 42 subject matter experts and 107 participants. The results indicated that a countdown timer set at 3 seconds accompanied by red warning text was most effective on the user’s ability to avoid clicking on a malicious link or attachment. Recommendations for future research include enhancements to the PAT mobile app and investigating what effect the time of day has on susceptibility to phishing.

10:00 AM

Cybersecurity continuity risks: Lessons learned from the COVID-19 pandemic

Tyler Fezzey, University of West Florida
John H. Batchelor, University of West Florida
Gerald F. Burch, University of West Florida
Randall Reid, University of West Florida

Online Zoom Session

10:00 AM - 10:30 AM

The value of a strong business continuity plan has become obvious with the changes and disruptions brought about by the COVID-19 pandemic. Further, the increase in remote working arrangements brought about by COVID-19 has highlighted the importance of cybersecurity and continuity planning. Thus, the two concepts, Business Continuity Planning (BCP) and cybersecurity, are linked as they both deal with managing risk. This article used a study conducted at the height of the COVID-19 pandemic to identify business continuity and cybersecurity blind spots that arose during the crisis. This study was conducted in the state of Florida using the data from a community resource development center. The primary cybersecurity related impacts of COVID-19 were the following: off-site working options, enhancing second mode of business operations, changing the business model, changing the business hours, and business closure.

The primary finding of this article is that pre-COVID cybersecurity and continuity planning focused on the potential for single axis attacks/incidents related to one business aspect and attacks such as phishing, ransomware, and crypto-jacking. It is argued that going forward, businesses should focus on how to mitigate the risks of multi-pronged attacks that disrupt not only business operations but how and where the work is performed and by whom. As multi-pronged attacks exposed vulnerabilities that many thought were unlikely pre-COVID, we make recommendations that incorporate both common cybersecurity and business continuity planning concepts to mitigate such broad impacts going forward. These include practices such as daily system backups, avoiding public networks, conducting vulnerability testing, multifactor authentication, employee response training, cyber insurance, fostering a culture of cybersecurity, use of secure VPNs, multiple revenue sources, multimodality workforce planning, cross training employees, and multi-incident continuity planning.

11:30 AM

Privacy and Digital Contact Tracing

Mahdi Nasereddin, The Pennsylvania State University
Edward J. Glantz, The Pennsylvania State University
Galen A. Grimes, The Pennsylvania State University
Joanne Peca, Carnegie Mellon University
Michelle Gordon, The Pennsylvania State University
Michael R. Bartolacci, The Pennsylvania State University

Online Zoom Session

11:30 AM - 12:00 PM

Digital contact tracing tools were developed to decrease the spread of COVID-19 by supplementing traditional manual methods. Although these tools have great potential, they were developed rather quickly resulting in tools with varying levels of success. The main issues with these tools are over privacy and who might have access to the information gathered. In general, their effectiveness varied globally, where users expressed privacy concerns associated with sharing identity, illness, and location information. This paper reviews these issues in deployments across Asia, Europe, and the United States. The goal is to begin a discussion that improves the design and development of digital technologies that not only improve the control of infectious disease spread, but also achieve an appropriate standard of privacy and security.

1:00 PM

TOWARDS ASSESSING PASSWORD WORKAROUNDS AND PERCEIVED RISK TO DATA BREACHES FOR ORGANIZATIONAL CYBERSECURITY RISK MANAGEMENT TAXONOMY

Michael J. Rooney, Nova Southeastern University
Yair Levy, levyy@nova.edu
Wei Li, Nova Southeastern University
Ajoy Kumar, Nova Southeastern University

Online Zoom Session

1:00 PM - 1:30 PM

Cybersecurity involves a broad range of techniques, including cyber-physical, managerial, and technical, while authentication provides a layer of protection for Information Systems (IS) against data breaches. The recent COVID-19 pandemic brought a tsunami of data breach incidents worldwide. Authentication serves as a mechanism for IS against unauthorized access utilizing various defense techniques, with the most popular and frequently used technique being passwords. However, the dramatic increase of user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Despite users being more aware of password entropy, users still often participate in deviant password behaviors, also known as ‘password workarounds’ or ‘shadow security’. These deviant password behaviors can put individuals and organizations at risk, resulting in data privacy issues, data loss, and ultimately a data breach incident. In this paper, we outline a research-in-progress study to build a risk taxonomy for organizations to identify the risks associated with deviant password behaviors, based on the constructs of users’ perceived cybersecurity risk of data breaches resulting from PassWord WorkArounds (PWWA) techniques. Additionally, this study aims to empirically assess significant mean differences between Subject Matter Experts (SMEs) and employees on their perceived cybersecurity risk of data breaches resulting from the deviant password behaviors and frequency of PWWA techniques usage.

1:30 PM

Fake News or Real News? Sharing Behaviors on Social Media about COVID-19

Xin Tian, Kennesaw State University
Wu He, Old Dominion University
Justin Zhang, University of North Florida
Yuming He, Old Dominion University

Online Zoom Session

1:30 PM - 2:00 PM

Guided by the Uses and Gratification theory and Impression Management theory, this study aims to find out whether there are predictable types of COVID-19 fake news that are easier to spread or there are predictable types of people that are more likely to spread COVID-19 fake news. We recently performed a survey study on social media users’ sharing of COVID-19 fake news. The study found that online trust is positively associated with the sharing of COVID-19 fake news. In contrast, awareness about COVID-19 and activeness in social media activities have a negative association with the sharing of COVID-19 fake news. Furthermore, the results indicate that individuals are less likely to share scientific COVID-19 fake news than policy-related COVID-19 fake news, and online trust is a key factor in determining whom to share the news with. The findings have implications for reducing the negative impacts of COVID-19 fake news spread during the pandemic.

2:00 PM

Warshipping: Hacking the Mailroom

Jackson Szwast, University of North Georgia
Bryson Payne, University of North Georgia

Online Zoom Session

2:00 PM - 2:30 PM

Everyone knows what package shipping is, but not everyone knows what warshipping is. Corporate mailrooms are rarely considered as part of the cybersecurity attack surface of most organizations, but they offer physical access to millions of uninspected packages daily. UPS shipped 5.5 billion items last year, with their daily average being 21.9 million items and operating through 1,800 locations in 2020. FedEx shipped 6.5 million packages daily and operates 2,150 locations. The United States Postal Service delivered 143 billion pieces of mail in 2019. Increasingly the world’s consumers are relying on e-commerce, and during the recent COVID-19 pandemic, package deliveries reached record levels according to the US Government Accountability Office. E-commerce sales represented 14.5% of all retail sales in the United States with deliveries made via major carriers such as USPS, UPS, and FedEx, making the corporate mailroom an increasingly attractive and vulnerable surface of attack. The goal of this research is to demonstrate how warshipping attacks work by creating a low-cost physical device using readily available commodity parts, provide some background on warshipping, and provide guidance to organizations and individuals on how to defend against this type of cyber-physical attack.

2:30 PM

Analyzing Robotics Software Vulnerabilities

Hossain Shahriar, Kennesaw State University
Md Jobair Hossain Faruk
Shahriar Sobhan
Mohammad Nazim, Kennesaw State University

Online Zoom Session

2:30 PM - 3:00 PM

Robots are widely used in our day-to-day life in various domains. For example, eldercare robots, such as Care-O-Bots [1], are used to perform household tasks and provide mobility assistance [2]. Amazon uses manufacturing robots to accomplish manufacturing labor activities, such as welding and assembling equipment [2]. According to the International Data Corporation, spending on robotics is expected to reach USD 241.4 billion by the end of 2023 [4].

However, malicious users can exploit security vulnerabilities in hardware and software components of robotics systems to conduct security attacks and cause malfunction, i.e., deviate robots from their expected behaviors. Security attacks on robots can have serious consequences such as (i) bottlenecks and shutdowns in the assembly line, (ii) disruption in the food supply chain, (iii) incorrect treatment for patients, and (iv) unwanted military attacks injuring or killing civilians and military personnel [2].

Researchers [3] have observed a lack of awareness amongst practitioners related to security issues that can exist in robotics systems. Using qualitative analysis, the project aims to determine the software vulnerabilities that commonly appear in robotics systems.

In this work in progress, we plan to discuss our initial findings, using Robotics Vulnerability Database (RVD) repositories [5], on the following questions – (i) what are the most frequent security vulnerabilities in robotics systems? (ii) what types of components are affected by the vulnerabilities? (iii) what categories of vulnerabilities exist, and with what severity, for robotics systems?

3:30 PM

Emotional Analysis of Learning Cybersecurity with Games using IoT

Maria Valero
Md Jobair Hossain, Kennesaw State University
Shahriar Sobhan, Kennesaw State University

Online Zoom Session

3:30 PM - 4:00 PM

The constant rise of cyber-attacks poses an increasing demand for more qualified people with cybersecurity knowledge. Games have emerged as a well-fitted technology to engage users in learning processes. In this paper, we analyze the emotional parameters of people while learning cybersecurity through computer games. The data are gathered using a non-invasive Brain-Computer Interface (BCI) to study the signals directly from the users’ brains. We analyze six performance metrics (engagement, focus, excitement, stress, relaxation, and interest) of 12 users while playing computer games to measure the effectiveness of the games to attract the attention of the participants. Results show participants were more engaged with parts of the games that are more interactive instead of those that present text to read and type.