Volume 8 (2024-25)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published both in print and online. 

Volume 8 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Practice Papers
    Common pitfalls when mitigating cyber risk: Addressing socio-behavioural factors
    Öykü Işik, Professor of Digital Strategy and Cybersecurity, IMD, Yanya Viskovich, Senior Manager, Security Consulting, Accenture and Si Pavitt, Head of Cyber Behaviours and Culture, Recyber

    Although humans constitute a pivotal dimension of the cyber security attack surface, prevailing approaches are often ineffective at addressing human risk. From the vantage point of three key socio-behavioural perspectives, a critical analysis of contemporary cyberattacks and cyber security practices offers insights and a range of opportunities to manage the human factor in cyber security. First, the role of metaphors in shaping cyber security discourse, particularly militaristic analogies, is analysed, supported by research advocating for careful metaphor selection to enhance comprehension, foster shared responsibility and reduce counterproductive assumptions. Secondly, the paper explores the significance of psychological safety within organisational cultures. It discusses the concept of a ‘just culture’ and the impact of cultivating an environment that encourages risk reporting. The discussion expands to highlight the interconnectedness of security culture with broader organisational values, emphasising the critical role of leadership in shaping resilient cyber security postures. Finally, an examination of blame-centric practices and associated consequences provides an insight into less visible forms of victim blaming, such as phishing tests and traditional training-centric strategies. It offers a psychological perspective on the distinction between blame and accountability and highlights the need for a shift away from a compliance-based focus towards a positivist approach. In presenting insights from these three key perspectives, this paper offers opportunities to innovatively manage socio-behavioural risk in cyber security, critiquing prevailing approaches that fail to do so. By linking metaphors, psychological safety and blame-centric practices, it contributes to a comprehensive understanding of the human dimension in cyber security and provides a foundation for advancing effective risk management strategies.
    Keywords: Generative AI; GPT chatbot; data ownership; ethics; risk assessment; governance

  • Understanding and prioritising cyberattack paths amid growing organisational complexity
    Elliott Went, Senior Security Systems Engineer, SentinelOne

    This paper explores the role of attack path modelling (APM) in modern cyber security, addressing the challenges posed by the rapidly evolving digital landscape. It provides a comprehensive overview of APM frameworks and their application in identifying and prioritising potential attack paths. The challenges associated with manual APM efforts, the need for standardisation and the potential for innovation in automated APM tools are examined throughout. Drawing from real-world examples, the paper demonstrates the practical implications of APM in dissecting attack components and mitigating risks. It emphasises the dual approach of human-led APM initiatives and the integration of APM functionality in technical solutions, advocating for improved hygiene with manual and periodic APM assessments that can be optimised with advanced SecOps APM tooling. The paper serves as a general resource for all cyber security practitioners, providing insights into the historical context, frameworks and practical challenges of APM. The paper describes the significance of human-led APM initiatives, using open frameworks to enhance cyber security posture. Furthermore, the paper explores the evolving landscape of APM tools, anticipating their integration with big data platforms and artificial intelligence (AI) for comprehensive security analyses. This paper presents insights into the current state of cyber security, the practical applications of APM frameworks, and the potential future developments in APM technology.
    Keywords: cyber security culture; human factor; behavioural risks; victim blaming; cyber security metaphors; cyber resilience

  • Improving cyber risk governance through storytelling
    Levi Gundert, Chief Security Officer, Recorded Future

    This paper addresses the critical challenge of cyber risk governance faced by executives, security committees and boards of directors in the rapidly changing digital landscape. Cyber security complexity, characterised by data deluges and the translational gap between technical jargon and business risk, significantly hinders effective cyber risk messaging and governance. Drawing on five years of research and interviews with chief information security officers (CISOs), the paper highlights the struggle in establishing trust and confidence in governance bodies due to these complexities. It introduces three constructs that aim to simplify cyber security messaging to enhance cyber risk governance: the intelligence to risk (I2R) pyramid, five risk impacts, and resilience and proximity graph. Each construct, illustrated with practical examples, is designed to provide clarity and foster understanding between cyber security professionals and governance bodies, ensuring a cohesive approach to cyber risk management. Readers can expect to gain valuable insights into overcoming the limitations of traditional risk communication tools such as risk registers. By adopting the presented storytelling approach, the paper promises strategies for building trust through transparency and accountability, bridging the communication gap between technical and executive levels, and facilitating informed decision making for improved governance outcomes in the face of cyber security threats.
    Keywords: cyber security; risk; governance; intelligence; resilience; transparency

  • Obstacles and countermeasures for protecting Internet of Things devices from emerging security risks
    Chahak Mittal, Cybersecurity Manager, Universal Logistics

    The rapid proliferation of Internet of Things (IoT) devices has ushered in a paradigm shift, revolutionising the way we interact with and perceive our environment. This phenomenon has given rise to a hyper-connected ecosystem, seamlessly integrating smart devices into the fabric of homes, cities and industries. While this interconnectedness holds tremendous promise for enhancing efficiency and convenience, it concurrently exposes a complex web of security challenges. This paper delves into the intricate interplay between the expansive scope of IoT deployment and the challenges it poses to security practitioners, policymakers and technology developers alike. By critically assessing current security gaps and potential weaknesses in IoT infrastructures, the research identifies key areas of vulnerability, ranging from insecure communication protocols and inadequate device authentication to insufficient data encryption. In response to these identified challenges, the paper proposes a set of innovative and pragmatic countermeasures aimed at mitigating emerging threats to IoT security. Emphasising the importance of a holistic security framework, the suggested countermeasures span technological enhancements, policy interventions and user education initiatives. The goal is to establish a resilient security posture that not only addresses current vulnerabilities but also adapts to the evolving threat landscape, thereby fostering a more secure and trustworthy IoT ecosystem. Through this research, we aim to contribute valuable insights to the ongoing discourse on IoT security, fostering a deeper understanding of the intricate dynamics at play and providing actionable recommendations for stakeholders invested in fortifying the security foundations of our increasingly interconnected world.
    Keywords: IoT security; emerging threats; obstacles; countermeasures; secure-by-design; updates; zero-trust security; network segmentation; user education; threat intelligence

  • Strong reasons make strong actions: What Shakespeare’s ‘King John’ can teach us about the Internet of Things
    Hanane Taidi, Director General, TIC Council

    The rapid proliferation of Internet of Things (IoT) devices in modern societies brings forth unprecedented opportunities for convenience and connectivity but also poses significant cyber security challenges. This paper examines the risks associated with these devices and the regulatory frameworks governing them in key regions including the US, the EU, China and India. Through a comprehensive analysis, it becomes evident that while efforts are being made to address IoT cyber security concerns, discrepancies in approaches and regulations hinder global harmonisation and create obstacles for industry compliance. Drawing from insights into existing cyber security frameworks and industry practices, the paper proposes actionable recommendations to enhance consumer IoT cyber security. These recommendations include defining baseline security requirements, promoting expertise within IoT workforces, advocating for the independent involvement of conformity assessment bodies (CABs), leveraging the quality infrastructure ecosystem, and launching an international awareness campaign. By implementing these measures, stakeholders can foster a safer and more secure IoT environment, mitigating the risks posed by cyber threats and ensuring the trust and resilience of connected devices. As society continues to navigate the complexities of IoT adoption, it is imperative to recognise the urgency of addressing cyber security challenges. By heeding the lessons from Shakespeare’s ‘King John’ — ‘Strong reasons make strong actions’ — and taking decisive steps to fortify IoT cyber security, we can safeguard individuals, businesses and critical infrastructure from the evolving threat landscape.
    Keywords: Internet of Things; IoT; cyber security; connected devices; regulatory frameworks; conformity assessment bodies; quality infrastructure ecosystem; cyber security standards

  • Identifying and classifying cyberattacks on airports
    Lázaro Florido-Benítez, Lecturer, University of Málaga

    This paper describes research to identify and classify cyberattacks in the aviation industry in order to present the true reality of airports as a critical infrastructure and the threats that airport operators face. We conducted a critical review of types of cyberattacks, supported by updated studies, to analyse cyberattacks in the aviation industry from 2000 to 2023, owing to the increase in attacks occurring in this period. Data was collected from verifiable sources such as the Center for Strategic and International Studies (CSIS), Federal Aviation Administration, EUROCONTROL, European Union Aviation Safety Agency (EASA), European Union Agency for Cybersecurity (ENISA) and KonBriefing. The findings of this study revealed that recent years have seen an increase in the number of distributed denial-of-service (DDoS) and ransomware cyberattacks at airports by foreign countries motivated by political and economic reasons, diplomatic espionage or even as part of a cyber war. This is particularly worrying, because the most influential international organisations and countries are recognising the existence of a cyber war in political, espionage, terrorism, safety, financial and commercial terms. The new contribution of this research lies in the fact that many uncertainties surround the cyberattacks that airport operators and commercial airlines face on a daily basis. Cyberattacks in the aviation industry are more common than most people realise, and the issue is that sometimes this information is silenced by governments, airport and airline operators to avoid unnecessary social alarm.
    Keywords: airports; cyberattacks; cyber security; critical infrastructures; airlines

  • Research Paper
    AI detection of malicious push notifications in augmented reality in the workplace
    Sarah Katz, Cybersecurity Technical Writer, Microsoft

    Distraction caused by the visual processing of multiple objects during augmented reality (AR) immersion could make users more susceptible to malicious push notifications, thus potentially exposing organisations to unwitting insider threats. This case study consulted four experts in the field of AR application development to design a proposed artificial intelligence (AI)-equipped feature that could detect possibly malicious artefacts entering the user’s line of sight during partial immersion in an augmented reality application at the workplace. Participants included a business partner at an AR company, a security engineering manager, an AI engineer focused on machine learning (ML) and a data analytics specialist. The case study determined that a security application natively implemented into the device could use heuristic analysis of user screen-captured activity to assess potentially malicious push notifications in real time.
    Keywords: cyber security; cyberpsychology; augmented reality; application development; artificial intelligence