Volume 8 (2024-25)
Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published both in print and online.
Volume 8 Number 3
Editorial
Simon Beckett, Publisher
Practice Papers
AI in cyber security: A dual perspective on hacker tactics and defensive strategies
Lawrence Amer, Cyber Security Expert, KPMG Netherlands
The use of artificial intelligence (AI) in cyber security has significantly changed the dynamics of warfare, ushering in an era in the continuous battle between those launching attacks and those defending against them. This paper presents an analysis of the impact of AI on cyber security, examining its role from a defensive standpoint. It begins by investigating how cybercriminals harness AI to enhance their capabilities. Cutting-edge machine learning (ML) algorithms empower the development of targeted and stealth attacks, using tactics ranging from AI-driven social engineering strategies to malware that can evade detection methods, as well as intelligent botnet systems capable of orchestrating complex offensives. Specific instances such as AI-fuelled malware creation tools and adaptive command and control servers are explored to illustrate the changing landscape of cyber threats and show how cyber security experts utilise AI to strengthen defences. AI-empowered intrusion detection systems, anomaly detection based on ML and automated incident response platforms stand at the forefront of contemporary cyber defence measures. These technologies enable threat identification, in-time predictive analytics and rapid responses to emerging security breaches. By juxtaposing these contrasting uses of AI in cyber security, the paper offers a nuanced perspective on the competition within this domain. This paper seeks to provide cyber security experts with knowledge to predict and combat changing threats and to give researchers a basis for creating new AI-driven security solutions. This holistic strategy not only showcases the game-changing impact of AI in cyber security but also emphasises the crucial requirement for ongoing creativity in this swiftly advancing domain.
Keywords: artificial intelligence; cyber security; hackers’ strategies; defensive countermeasures; machine learning; anomaly detection; incident response; malware development
Applying forensic engineering to cyber security incidents
Jason Jordaan, Principal Forensic Analyst, DFIRLABS
Cyber security incidents are becoming increasingly common, and society is demanding accountability for failures that lead to them. Traditional incident response focuses on containment and recovery, but it often overlooks the root cause and potential liability. This paper proposes applying forensic engineering to cyber security incidents to investigate flaws in systems and hold organisations responsible for negligence. Cyber security structures and systems should be held to the same standards of accountability as physical structures, and forensic engineering can identify flaws in cyber security systems and determine if negligence was involved, especially where there are appropriate laws and regulation to do this. This approach promotes a sense of justice and incentivises organisations to invest in stronger cyber security measures.
Keywords: forensic engineering; cyber security incident; cyber security liability
Preparing for the implementation of reporting requirements from new EU and UK product and cyber security legislation
Gaus Rajnović, Senior Manager, Panasonic Europe
This paper analyses the reporting requirements of upcoming European Union (EU) and UK cyber security and product security regulation. The assumption is that more regulation is forthcoming. The objective of the paper is to present ideas on how an organisation can prepare itself for reporting even when it is not known what must be reported, how and to whom. The paper asserts that it is possible to create a system which can be used for such reporting.
Keywords: legislation; reporting; cyber security; product security
How to secure development environments
Gerd Giese, Transformation Architect, Zscaler and Frank Bartel, Business Consultant, Fortinet
In July 2024, Porsche announced the discontinuation of its petrol-powered Macan sports utility vehicle (SUV) sales in Europe due to cyber security compliance issues with UN Regulation No. 155. This regulation mandates robust cyber security measures to protect vehicles from cyber threats, highlighting the direct impact of cyber security regulations on the automotive industry. While this is a drastic instance of a cyber security regulation directly affecting the automotive industry, other regulations, such as the Network and Information Security Directive (NIS2), impose cyber security standards in more subtle yet comprehensive ways. The NIS2 is set to transform cyber security expectations across various industries, including automotive manufacturing. NIS2 extends beyond simple compliance, emphasising proactive cyber security measures that start long before cars are built. The upcoming implementation in the automotive industry aims to enhance cyber resilience and mitigate the financial and reputational damage caused by cyber incidents. This directive covers the entire life cycle of a vehicle, from the initial design and development of the car and its software to the production and maintenance stages. This paper proposes that urgent action is required to safeguard the industry’s digital infrastructure from increasing cyber security threats.
Keywords: cyber security; DevSecOps; automotive; zero trust
Data minimisation: A crucial pillar of cyber security
Paul Luehr, Partner and Brandon Reilly, Partner, Manatt, Phelps & Phillips
As data security threats mount, businesses should not lose sight of a fundamental but powerful tool to mitigate risk: data minimisation. Businesses across industries should recognise the potentially devastating security, operational and compliance risks that arise from keeping old and unreliable data. Helpfully, the latest generation of privacy laws are increasingly mandating data minimisation, purpose limitation and other measures designed to protect individual privacy. Such measures have the additional benefit of shrinking the surface area for cyberattacks and other threats to the confidentiality, integrity and availability of data. Leveraging new laws and technology, companies should maximise the value of their information by focusing on sound data governance, ensuring that it is not just an ‘IT issue’. Then businesses should use new tools to map their data and determine its age and sensitivity and start minimising their retention and use of data that no longer meets current business or compliance requirements. Businesses can use a variety of techniques to slim their data profile, eg destruction, de-identification, tighter retention policies, privacy-enhancing technology. In the end, these minimisation actions will be well worth the effort. Businesses will unlock their data’s true value, increase their productivity and avoid the serious privacy and information security risks that come from housing data they no longer need.
Keywords: data minimisation; data mapping; data governance; data protection laws
Seeking harmony: CISA’s proposed cyber reporting rules for critical infrastructure are an ambitious work in progress
Joseph C. Folio III, Partner, Morrison Foerster, et al.
The federal cyber incident reporting regulations proposed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are ambitious and laudable but, with some modest changes, could go even farther to protect US critical infrastructure. First, to reduce the growing burden of duplicative and overlapping reporting obligations, CISA should take more concrete steps to harmonise its proposed cyber incident reporting requirements with those of other federal, state and local agencies. Secondly, CISA should provide greater clarity on the types of data that must be preserved following a reportable cyber incident and shorten the default preservation period to six months, with an option to extend it if necessary. Finally, CISA should provide additional guidance about how the reporting requirements apply to the international operations of multinational companies. By offering additional clarity and reducing the burden on private sector entities, CISA could create a streamlined cyber incident report regime that is more closely aligned with the goal of providing timely, essential and actionable information that will better protect the US critical infrastructure.
Keywords: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA); Cybersecurity and Infrastructure Security Agency (CISA); critical infrastructure; data breach
Cyber threat intelligence in practice: Implications of the blurred lines between public and private intelligence activity
Neil Ashdown, Researcher and Consultant and Keith Martin, Professor, Royal Holloway, University of London
Intelligence is recognised as crucial for strengthening organisational security, particularly in the cyber domain. Companies have developed their own intelligence capabilities to address this requirement. Cyber threat intelligence (CTI) has historically been understood as a primarily technical, politically neutral practice. In contrast, this paper argues that CTI is socio-technical, collaborative and political. Interviews with industry and government practitioners were undertaken to better understand how CTI practitioners viewed their work. The findings underlined the importance of personal trusted relationships and collaboration. Companies were found to be working closely with government, often in ad hoc and informal ways. Moreover, the public and private sector were viewed as having different, complementary forms of visibility into the cyber domain. Together, this has contributed to a blurring of the lines between public and private organisations. These findings suggest that companies should promote trusted personal relationships through a combination of formal and less formal methods. At the same time, companies should be alive to the risks inherent in conducting intelligence activities in ‘operational intimacy’ with state actors, particularly in a period of increasing geopolitical competition and conflict.
Keywords: intelligence; cyber security; cyber threat intelligence; public–private collaboration; geopolitics
Fast-changing cyber threat landscape and a new reality of cyber security
Antanas Kedys, Manager, ACyber
The world is changing, for good or for bad — only we can decide and help shape it. This paper explores and examines the faster-than-ever changing security landscape, including cyber security vulnerabilities, modern threats, threats that these methods pose, and various issues that arose in subsequent years and continue to threaten the digital environment and our world. It reviews different countermeasures for these threats, evaluates and compares different security tools, from legacy to state-of-the-art and artificial intelligence (AI)-based new ones, which help to mitigate those evolving threats and dangers. Finally, the paper assesses the current situation in the cyber security job market, personnel and security management.
Keywords: vulnerability; cyber threat; artificial intelligence; detection and response; CISO; management
Differences between traditional network security and security in the cloud
Ilya Verbitskiy, Founder, WebStoating
Serverless computing is transforming cloud application development by removing the need for infrastructure management, enabling developers to focus on writing and deploying code. This cloud-computing execution model offers significant advantages in cost-effectiveness, scalability and operational efficiency, with cloud providers dynamically managing server allocation, scaling and maintenance. Prominent serverless computing services include Amazon Web Services (AWS) Lambda, Azure Functions and Google Cloud Functions, facilitating faster development cycles and improving application performance. Security remains a critical concern as the serverless computing market grows. This paper focuses on AWS Cloud security, exploring the differences between traditional network security and cloud security and emphasising the challenges unique to the cloud environment. It advocates for a defence in depth strategy, which employs multiple layers of security to protect cloud infrastructure. The paper underscores the AWS shared responsibility model, which clearly outlines the security responsibilities of both AWS and its customers. It also explores the AWS Well-Architected Framework, which provides best practices for constructing secure, reliable and efficient cloud workloads. Additionally, it discusses the significance of a well-designed landing zone in AWS for managing multi-account environments and ensuring security through multilayered protection mechanisms, including identity and access management (IAM) policies, resource policies, data encryption and network security. In conclusion, the adoption of comprehensive security strategies, such as defence in depth and the utilisation of AWS tools and best practices, is not just beneficial but crucial for enterprises to secure their serverless computing environments. 
These measures play a pivotal role in mitigating risks, enhancing security postures and fully leveraging the benefits of serverless computing, thereby driving digital transformation initiatives.
Keywords: serverless computing; cloud security; identity and access management; defence in depth; shared responsibility model; well-architected framework; multilayered protection
Volume 8 Number 2
Editorial
Simon Beckett, Publisher
Case Study
From compliance to impact: Tracing the transformation of an organisational security awareness programme
Julie Haney, Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology and Wayne Lutters, Professor and Associate Dean for Strategic Initiatives, College of Information Studies, University of Maryland
There is a growing recognition of the need for a transformation from organisational security awareness programmes focused on compliance, measured by training completion rates, to those resulting in behaviour change. Few researchers or practitioners, however, have begun to unpack the organisational practices of the security awareness teams tasked with executing programme transformation. The authors of this paper conducted a year-long case study of a security awareness programme in a US government agency, collecting data via observations, interviews and documents. Their findings reveal the challenges and practices involved in the progression of a security awareness programme from being compliance-focused to emphasising impact on workforce attitudes and behaviours. The authors capture transformational organisational security awareness practices in action from multiple workforce perspectives. The study insights can serve as a resource for other security awareness programmes and workforce development initiatives aimed at better defining the security awareness work role.
Keywords: cyber security; awareness; training; compliance; measures; case study
Practice Papers
Three approaches to foster organisational cohesion and reduce friction for cyber and security teams
Elizabeth Wanic, Director of Cyber Partnerships and Government Engagement, Morgan Stanley and Bradley Smith, Head of Cyber Fraud Fusion, Barclays
High-quality and engaged cyber and security teams are essential to the successful operation and continued growth of any modern organisation. Deficiency in funding, lack of executive leadership and support and internal friction, however, can often present challenges to efficient and effective cyber and security programmes, limiting the responsiveness and capabilities of an organisation’s defenders. Therefore, building internal support and permission to execute is critical to enabling these teams to operate as the high-performing functions they need to be. To help facilitate cyber and security teams in achieving their goals, this paper presents suggestions and best practices to foster high-level support, dialogue and engagement throughout the organisation. The authors draw on their work building connections across functions in a large global institution as well as their previous experiences within other financial services organisations to provide concrete actions teams can take to refocus on the fundamentals and deliver immense benefits.
Keywords: fraud; cyber security; fusion; cross-team collaboration; information sharing; communication
How to mitigate ransomware risk through data and risk quantification
Erik Sørup Andersen, Partner and Chief Executive Officer, Risk Measure
Ransomware attacks have, over the past years, been the most frequent cyberattack type and a growing community of adversaries continues to innovate methods for extorting organisations into paying ransom. Yet this risk is still, to many organisations, not well understood. Some refer to the averages reported in the media of the size of ransom and cost of ransomware attacks. But these numbers can be very far from the actual risk of a particular organisation. The nature of the risk, comprising many attack techniques and paths through an organisation’s IT assets affecting a range of systems, data and the processes they support, makes it complex to describe and analyse. By using a risk analysis technique, where the risk scenario is decomposed to account for the contributions to the risk from different attack techniques, the vulnerabilities they exploit and the different forms of impact the attack inflicts on an organisation, it is possible to describe the risk in a more nuanced way unique to an organisation. Having created a model of the risk scenario that accounts for the factors relevant to the target organisation, it is possible to study mitigation options more consistently and simulate effects of implementing potential controls. Collecting data used to estimate the individual contributions to the total risk reduces the uncertainty of the risk measure and enables calculation of mitigation effects. This paper introduces the concept of quantitative risk assessment by highlighting results from quantitative studies of ransomware risk and providing examples of how data can be collected. Common pitfalls when using high-level data are demonstrated by showing examples of insights gained from collecting data about controls effectiveness. Being more effective in mitigating ransomware risk will both benefit the organisation directly and, by making ransomware attacks less profitable, society.
Keywords: cyber risk quantification; ransomware risk; controls effectiveness; mitigation strategies
Crumbling bridges: The failed economics of software maintenance
JC Herz, Senior Vice President of Cyber Supply Chain, Exiger
This paper defines a microeconomic framework for understanding systemic failure in cyber security as market failure. In a marketplace with limited supply chain transparency on software quality in general and software maintenance in particular, rational actors — both software vendors and software buyers — will maximise economic returns by minimising software maintenance and security. As technical debt accrues, so does vulnerability and operational risk, as systems become more difficult to update. In this regard, the depreciation of resilience in software infrastructure is similar to the breakdown of physical infrastructure that is chronically undermaintained, but with the added element of adversarial profit. These problems cannot be solved at the computer science level that created them. They can only be solved as a business problem, as transparency requirements (eg software bill of materials [SBOMs]) and automation slash the cost of diligence, enable preferential selection of higher-quality software and continuous enforcement of terms and conditions for active maintenance.
Keywords: software supply chain; SCRM; C-SCRM; vulnerability management; end of life; compliance; procurement
Why crisis leadership competencies matter in the effective management of a cyber crisis
Caroline Sapriel, Managing Partner, CS&A International
This paper examines whether specific leadership competencies are relevant in a cyber crisis and what it takes to manage one effectively. Our increasing dependence on technology exposes us to risks and makes us more vulnerable to digital crises. Cyberattacks are more common and can affect even well-prepared companies. Leadership during a crisis can influence an organisation’s success or failure, no matter how primed and savvy its people are. The author compares crisis management to crisis leadership and emphasises the shift in crisis management responsibility from an operational response to prevention and the ability to steer through uncertainty. This change requires crisis-specific leadership skills and a broader recognition of organisational risk. The author highlights research by Wooten and James, which notes leadership competencies applicable to different phases of a crisis. Not all leaders can demonstrate all these attributes in every crisis and are often ill prepared when a crisis hits; however, leaders can learn, develop and practise the competencies needed to survive and triumph over a crisis. Tools that can help develop these skills include stakeholder mapping and a protocol that evaluates and trains leaders in hard (knowledge-based) and soft (behaviour-based) skills. The author refers to the Salviotti et al. (2023) study, which analysed the Norsk Hydro ransomware case, noting that leadership competencies identified in traditional crisis management also apply in a cyber crisis. Given the certainty of a cyber threat, the author recommends a stronger emphasis on developing crisis leadership competencies. Training should complement other activities and programmes to prepare employees to handle crises adeptly.
Keywords: cyber security; cyberattack; crisis leadership
Guidelines for non-profit organisation governance in cyber resilience
Margaret Mavins Johnson, Doctor of Business Administration Graduate, University of Phoenix
Previous research on corporate governance and cyber security risk management has focused primarily on large for-profit organisations. Although this paper includes a focus on cyber resilience strategies non-profit organisation leaders use, a significant aspect of the research exploration is applicable to the growing need for both for-profit and non-profit businesses to develop cyber resilience guidelines to sustain their organisations’ abilities to detect, withstand and recover from cyberattacks and threats. Despite the growing awareness of the importance of cyber resilience, the problem addressed was that a considerable number of organisation senior executives continue to demonstrate an unpreparedness to address information security cybercrime issues and cyber resilience decisions. As a consequence, a single set of standard cyber security risk management procedures related to non-profit organisation cyber resilience decisions did not exist to justify how nonprofit organisation leaders addressed existing network security procedures, implemented strategies or achieved cyber resilience success. This is and has been arguably the most significant threat non-profit organisation leaders have experienced. The goal of this paper is to provide an understanding of non-profit organisation leaders — board chairman, board of directors, executive directors and other executives — cyber security risk management procedures and strategies for cyber resilience board governance in an urban metropolitan city area in the southeastern US. Emerging cyber resilience network security trends and technologies are identified to include the ways non-profit organisation leaders responded to the COVID-19 pandemic health crisis.
Keywords: non-profit organisation board governance; cyber security risk management procedures; cyber resilience decisions; data threats
Research Paper
Your decision: Senior professionals’ decision making during a simulated ransomware attack
Fabian Muhly, Partner and Philipp Leo, Partner, Leo & Muhly Cyber Advisory
The current authors surveyed 315 senior professionals of Swiss organisations for their decision making in a simulated ransomware attack. They were put into the shoes of a chief executive officer (CEO) of a fictitious organisation that is the victim of a ransomware attack. The study described in this paper used an interactive ransomware simulation presentation. In three stages, study participants voted for their preferred course of action using the mentimeter.com platform. The results of this study help to better understand senior professionals’ preferred choices in ransomware decision dilemmas. It shows that most decision makers would report an attack to authorities and would not pay a ransom. In reality, however, this preferable path of action might not always be observable, ex post. The current authors call for decision makers to be more sensitive about ransomware decision dilemmas to strengthen business continuity operations. This can help to increase crisis management efficiency and effectiveness while minimising losses.
Keywords: ransomware; decision making; interactive simulation; senior professionals; business environment
Volume 8 Number 1
Editorial
Simon Beckett, Publisher
Practice Papers
Common pitfalls when mitigating cyber risk: Addressing socio-behavioural factors
Öykü Işik, Professor of Digital Strategy and Cybersecurity, IMD, Yanya Viskovich, Senior Manager, Security Consulting, Accenture and Si Pavitt, Head of Cyber Behaviours and Culture, Recyber
Although humans constitute a pivotal dimension of the cyber security attack surface, prevailing approaches are often ineffective at addressing human risk. From the vantage point of three key socio-behavioural perspectives, a critical analysis of contemporary cyberattacks and cyber security practices offers insights and a range of opportunities to manage the human factor in cyber security. First, the role of metaphors in shaping cyber security discourse, particularly militaristic analogies, is analysed, supported by research advocating for careful metaphor selection to enhance comprehension, foster shared responsibility and reduce counterproductive assumptions. Secondly, the paper explores the significance of psychological safety within organisational cultures. It discusses the concept of a ‘just culture’ and the impact of cultivating an environment that encourages risk reporting. The discussion expands to highlight the interconnectedness of security culture with broader organisational values, emphasising the critical role of leadership in shaping resilient cyber security postures. Finally, an examination of blame-centric practices and associated consequences provides an insight into less visible forms of victim blaming, such as phishing tests and traditional training-centric strategies. It offers a psychological perspective on the distinction between blame and accountability and highlights the need for a shift away from a compliance-based focus towards a positivist approach. In presenting insights from these three key perspectives, this paper offers opportunities to innovatively manage socio-behavioural risk in cyber security, critiquing prevailing approaches that fail to do so. By linking metaphors, psychological safety and blame-centric practices, it contributes to a comprehensive understanding of the human dimension in cyber security and provides a foundation for advancing effective risk management strategies.
Keywords: Generative AI; GPT chatbot; data ownership; ethics; risk assessment; governance
Understanding and prioritising cyberattack paths amid growing organisational complexity
Elliott Went, Senior Security Systems Engineer, SentinelOne
This paper explores the role of attack path modelling (APM) in modern cyber security, addressing the challenges posed by the rapidly evolving digital landscape. It provides a comprehensive overview of APM frameworks and their application in identifying and prioritising potential attack paths. The challenges associated with manual APM efforts, the need for standardisation and the potential for innovation in automated APM tools are examined throughout. Drawing from real-world examples, the paper demonstrates the practical implications of APM in dissecting attack components and mitigating risks. It emphasises the dual approach of human-led APM initiatives and the integration of APM functionality in technical solutions, advocating for improved hygiene with manual and periodic APM assessments that can be optimised with advanced SecOps APM tooling. The paper serves as a general resource for all cyber security practitioners, providing insights into the historical context, frameworks and practical challenges of APM. The paper describes the significance of human-led APM initiatives, using open frameworks to enhance cyber security posture. Furthermore, the paper explores the evolving landscape of APM tools, anticipating their integration with big data platforms and artificial intelligence (AI) for comprehensive security analyses. This paper presents insights into the current state of cyber security, the practical applications of APM frameworks, and the potential future developments in APM technology.
Keywords: cyber security culture; human factor; behavioural risks; victim blaming; cyber security metaphors; cyber resilience
Improving cyber risk governance through storytelling
Levi Gundert, Chief Security Officer, Recorded Future
This paper addresses the critical challenge of cyber risk governance faced by executives, security committees and boards of directors in the rapidly changing digital landscape. Cyber security complexity, characterised by data deluges and the translational gap between technical jargon and business risk, significantly hinders effective cyber risk messaging and governance. Drawing on five years of research and interviews with chief information security officers (CISOs), the paper highlights the struggle in establishing trust and confidence in governance bodies due to these complexities. It introduces three constructs that aim to simplify cyber security messaging to enhance cyber risk governance: the intelligence to risk (I2R) pyramid, five risk impacts, and resilience and proximity graph. Each construct, illustrated with practical examples, is designed to provide clarity and foster understanding between cyber security professionals and governance bodies, ensuring a cohesive approach to cyber risk management. Readers can expect to gain valuable insights into overcoming the limitations of traditional risk communication tools such as risk registers. By adopting the presented storytelling approach, the paper promises strategies for building trust through transparency and accountability, bridging the communication gap between technical and executive levels, and facilitating informed decision making for improved governance outcomes in the face of cyber security threats.
Keywords: cyber security; risk; governance; intelligence; resilience; transparency
Obstacles and countermeasures for protecting Internet of Things devices from emerging security risks
Chahak Mittal, Cybersecurity Manager, Universal Logistics
The rapid proliferation of Internet of Things (IoT) devices has ushered in a paradigm shift, revolutionising the way we interact with and perceive our environment. This phenomenon has given rise to a hyper-connected ecosystem, seamlessly integrating smart devices into the fabric of homes, cities and industries. While this interconnectedness holds tremendous promise for enhancing efficiency and convenience, it concurrently exposes a complex web of security challenges. This paper delves into the intricate interplay between the expansive scope of IoT deployment and the challenges it poses to security practitioners, policymakers and technology developers alike. By critically assessing current security gaps and potential weaknesses in IoT infrastructures, the research identifies key areas of vulnerability, ranging from insecure communication protocols and inadequate device authentication to insufficient data encryption. In response to these identified challenges, the paper proposes a set of innovative and pragmatic countermeasures aimed at mitigating emerging threats to IoT security. Emphasising the importance of a holistic security framework, the suggested countermeasures span technological enhancements, policy interventions and user education initiatives. The goal is to establish a resilient security posture that not only addresses current vulnerabilities but also adapts to the evolving threat landscape, thereby fostering a more secure and trustworthy IoT ecosystem. Through this research, we aim to contribute valuable insights to the ongoing discourse on IoT security, fostering a deeper understanding of the intricate dynamics at play and providing actionable recommendations for stakeholders invested in fortifying the security foundations of our increasingly interconnected world.
Keywords: IoT security; emerging threats; obstacles; countermeasures; secure-by-design; updates; zero-trust security; network segmentation; user education; threat intelligence
Strong reasons make strong actions: What Shakespeare’s ‘King John’ can teach us about the Internet of Things
Hanane Taidi, Director General, TIC Council
The rapid proliferation of Internet of Things (IoT) devices in modern societies brings forth unprecedented opportunities for convenience and connectivity but also poses significant cyber security challenges. This paper examines the risks associated with these devices and the regulatory frameworks governing them in key regions including the US, the EU, China and India. Through a comprehensive analysis, it becomes evident that while efforts are being made to address IoT cyber security concerns, discrepancies in approaches and regulations hinder global harmonisation and create obstacles for industry compliance. Drawing from insights into existing cyber security frameworks and industry practices, the paper proposes actionable recommendations to enhance consumer IoT cyber security. These recommendations include defining baseline security requirements, promoting expertise within IoT workforces, advocating for the independent involvement of conformity assessment bodies (CABs), leveraging the quality infrastructure ecosystem, and launching an international awareness campaign. By implementing these measures, stakeholders can foster a safer and more secure IoT environment, mitigating the risks posed by cyber threats and ensuring the trust and resilience of connected devices. As society continues to navigate the complexities of IoT adoption, it is imperative to recognise the urgency of addressing cyber security challenges. By heeding the lessons from Shakespeare’s ‘King John’ — ‘Strong reasons make strong actions’ — and taking decisive steps to fortify IoT cyber security, we can safeguard individuals, businesses and critical infrastructure from the evolving threat landscape.
Keywords: Internet of Things; IoT; cyber security; connected devices; regulatory frameworks; conformity assessment bodies; quality infrastructure ecosystem; cyber security standards
Identifying and classifying cyberattacks on airports
Lázaro Florido-Benítez, Lecturer, University of Málaga
This paper describes research to identify and classify cyberattacks in the aviation industry in order to present the true reality of airports as a critical infrastructure and the threats that airport operators face. We conducted a critical review of types of cyberattacks, supported by updated studies, to analyse cyberattacks in the aviation industry from 2000 to 2023, given the increase in attacks occurring in this period. Data was collected from verifiable sources such as the Center for Strategic and International Studies (CSIS), Federal Aviation Administration, EUROCONTROL, European Union Aviation Safety Agency (EASA), European Union Agency for Cybersecurity (ENISA) and KonBriefing. The findings of this study revealed that recent years have seen an increase in the number of distributed denial-of-service (DDoS) and ransomware cyberattacks at airports by foreign countries motivated by political and economic reasons, diplomatic espionage or even as part of a cyber war. This is particularly worrying, because the most influential international organisations and countries are recognising the existence of a cyber war in political, espionage, terrorism, safety, financial and commercial terms. The new contribution of this research lies in the fact that many uncertainties surround the cyberattacks that airport operators and commercial airlines face on a daily basis. Cyberattacks in the aviation industry are more common than most people realise, and the issue is that sometimes this information is silenced by governments, airport and airline operators to avoid unnecessary social alarm.
Keywords: airports; cyberattacks; cyber security; critical infrastructures; airlines
Research Paper
AI detection of malicious push notifications in augmented reality in the workplace
Sarah Katz, Cybersecurity Technical Writer, Microsoft
Distraction caused by the visual processing of multiple objects during augmented reality (AR) immersion could make users more susceptible to malicious push notifications, thus potentially exposing organisations to unwitting insider threats. This case study consulted four experts in the field of AR application development to design a proposed artificial intelligence (AI)-equipped feature that could detect possibly malicious artefacts entering the user’s line of sight during partial immersion in an augmented reality application at the workplace. Participants included a business partner at an AR company, a security engineering manager, an AI engineer focused on machine learning (ML) and a data analytics specialist. The case study determined that a security application natively implemented into the device could use heuristic analysis of user screen-captured activity to assess potentially malicious push notifications in real time.
Keywords: cyber security; cyberpsychology; augmented reality; application development; artificial intelligence