Aad P. A. van Moorsel

Newcastle University, Newcastle-on-Tyne, England, United Kingdom

Are you Aad P. A. van Moorsel?

Claim your profile

Publications (130)16.76 Total impact

  • [Show abstract] [Hide abstract]
    ABSTRACT: Choosing an optimal investment in information security is an issue most companies face these days. Which security controls to buy to protect the IT system of a company in the best way? Selecting a subset of security controls among many available ones can be seen as a resource allocation problem that should take into account conflicting objectives and constraints of the problem. In particular, the security of the system should be improved without hindering productivity, under a limited budget for buying controls. In this work, we provide several possible formulations of security controls subset selection problem as a portfolio optimization, which is well known in financial management. We propose approaches to solve them using existing single and multiobjective optimization algorithms.
    Procedia Computer Science 12/2015; 64:1035 - 1042. DOI:10.1016/j.procs.2015.08.625
  • Source
    James Turland · Lynne Coventry · Deborah Jeske · Pam Briggs · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: People make security choices on a daily basis without fully considering the security implications of those choices. In this paper we present a prototype application which promotes the choice of secure wireless network options, specifically when users are unfamiliar with the wireless networks available. The app was developed based on behavioural theory, choice architecture and good practices informed by HCI design. The app includes several options to 'nudge' users towards selecting more secure public wireless networks. This paper outlines the development and the results of an evaluation of some of the potential app nudges (specifically, presentation order and colour coding). Colour coding was found to be a powerful influence, less so with the order in which we listed the Wi-Fi networks, although the colour x order combination was most effective. The paper contributes to the body of evidence on the effectiveness of cyber-security interventions to empower the user to make more informed security decisions.
    British HCI 2015, Lincoln, UK; 07/2015
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In this work we address the main issues of IT consumerisation that are related to security risks, and propose a ‘soft’ mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In this work we address the main issues of IT consumerisation that are related to security risks, and propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.
    CENTERIS 2014 - Conference on ENTERprise Information Systems, Troia, Lisbon, Portugal; 10/2014
  • Source
    Lynne Coventry · Pam Briggs · Debora Jeske · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that allows resesarchers and organisational stakeholders to work together to identify a set of nudges that might promote best behavioral practice. We describe the structured approach or framework, which we call SCENE, and follow this description with a worked example of how the approach has been utilised effectively in the development of a nudge to mitigate insecure behaviors around selection of wireless networks.
    Third International Conference DUXU held at HCI International, Heraklion, Crete, Greece, June 22-27, 2014.; 06/2014
  • Source
    Debora Jeske · Lynne Coventry · Pam Briggs · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized behaviour change in security. We asked participants to select from a menu of public wireless networks, using colour and menu order to ‘nudge’ participants towards making more secure choices. The preliminary results from 67 participants suggest that while nudging can be an effective tool to help non-experts to select more secure networks, certain user differences may also play a role. Lower (novice level) IT proficiency and diminished impulse control led to poorer security decisions. At the same time, we were able to demonstrate that our nudge effectively changed the behaviour of participants with poor impulse control. We discuss these implications and pose several questions for future research.
    Paper presented at the “Personalizing Behavior Change Technologies” CHI Workshop,, Toronto, Canada, April 27, 2014.; 04/2014
  • Winai Wongthai · Francisco Rocha · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Cloud computing offers computational resources such as processing, networking, and storage to customers. However, the cloud also brings with it security concerns which affect both cloud consumers and providers. The Cloud Security Alliance (CSA) define the security concerns as the seven main threats. This paper investigates how threat number one (malicious activities performed in consumers' virtual machines/VMs) can affect the security of both consumers and providers. It proposes logging solutions to mitigate risks associated with this threat. We systematically design and implement a prototype of the proposed logging solutions in an IaaS to record the history of customer VM's files. The proposed system can be modified in order to record VMs' process behaviour log files. These log files can assist in identifying malicious activities (spamming) performed in the VMs as an example of how the proposed solutions benefits the provider side. The proposed system can record the log files while having a smaller trusted computing base compared to previous work. Thus, the logging solutions in this paper can assist in mitigating risks associated with the CSA threats to benefit consumers and providers.
    2013 International Conference on Cloud Computing and Big Data (CloudCom-Asia); 12/2013
  • Suliman A. Alsuhibany · Charles Morisset · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: An intrusion and attack detection system usually focuses on classifying a record as either normal or abnormal. In some cases such as insider attacks, attackers rely on feedback from the attacked system, which enables them to gradually manipulate their attempts in order to avoid detection. This paper proposes the notion of accumulative manipulation that can be observed through a number of attempts accomplished by the attacker, which forms the basis of the Attacker Learning Curve (ALC). Based on a controlled experiment, we first show that the ALC for three different attack strategies are consistent between two different groups of subjects. We then define a strategy detection mechanism, which is experimentally shown to be accurate more than 70% of the time.
    2013 International Conference on Risks and Security of Internet and Systems (CRiSIS); 10/2013
  • S.A. Alsuhibany · A. van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: While security algorithms are utilized to protect system resources from misuse, using a single algorithm such as CAPTCHAs and Spam-Filters as a defence mechanism can work to protect a system against current attacks. However, as attackers learn from their attempts, this algorithm will eventually become useless and the system is no longer protected. We propose to look at a set of algorithms as a combined defence mechanism to maximize the time taken by attackers to break a system. When studying sets of algorithms, diverse issues arise in terms of how to construct them and in which order or in which combination to release them. In this paper, we propose a model based on Stochastic Petri Nets, which describe the interaction between an attacker, the set of algorithms used by a system, and the knowledge gained by the attacker with each attack. In particular, we investigate the interleaving of dependent algorithms, which have overlapping rules, with independent algorithms, which have a disjoint set of rules. Based on the proposed model, we have analyzed and evaluated how the order can impact the time taken by an attacker to break a set of algorithms. Given the mean time to security failure (MTTSF) for a system to reach a failure state, we identify an improved approach to the release order of a set of algorithms in terms of maximizing the time taken by the attacker to break them. Further, we show a prediction of the attacker's knowledge acquisition progress during the attack process.
    Availability, Reliability and Security (ARES), 2013 Eighth International Conference on; 01/2013
  • Winai Wongthai · F.L. Rocha · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Infrastructure as a Service (IaaS) consists of a cloud-based infrastructure to offer consumers raw computation resources such as storage and networking. These resources are billed using a pay-per-use cost model. However, this type of infrastructure is far from being a security haven as the seven main threats defined by the Cloud Security Alliance (CSA) indicate. Using logging systems can provide evidence to support accountability for an IaaS cloud, which helps us mitigating known threats. In this paper, we research to which extent such logging systems help mitigate risks associated with the threats identified by the CSA. A generic architecture 'template' for logging systems is proposed. This template encompasses all possible instantiations of logging solutions for IaaS cloud. We map existing logging systems to our generic template, and identify a logging solution to mitigate the risks associated with CSA threat number one (related to spam activities). We then argue that the template we suggest can be used to perform a systematic analysis of logging systems in terms of security before deploying them in production systems.
    Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on; 01/2013
  • Francisco Rocha · Thomas Gross · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: A critical challenge in cloud computing is assuring confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host. A security critical resource is random access memory, which in the current version of the Xen hyper visor is vulnerable to attacks. Like previous work demonstrated, this vulnerability originates from Xen adopting avery permissive memory access model for its management virtual machine (Dom0). The model assumes it is safe to grant Dom0full access to the memory space allocated to consumer's virtual machines. In this paper, we first present a sophisticated attack which makes it possible to compromise security-sensitive information resident in the memory area of a particular process executing in a virtual machine. The attack demonstration consists in subverting the new inter-virtual machine communication mechanism, libvchan, which is under development for the Xen hyper visor. This attack allows us to propose and implement a proof of concept for a lightweight mandatory memory access control mechanism for Xen, which achieves a better overall memory access model forDom0. We then propose an architecture which takes advantage of our memory protection mechanism and previous work to achievedefense in depth in cloud computing.
    Cloud Engineering (IC2E), 2013 IEEE International Conference on; 01/2013
  • David Greathead · Lynne Coventry · Budi Arief · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Social media and online communication encourage social interaction but do little to strengthen community relations between people who live in the same area. The aim of this work is to develop a set of requirements, in this initial case from a group of older adults, for an online system aimed at increasing local face-to-face communication and enhancing community interaction. Eleven older adults took part in two discussion groups to develop this list of requirements. The results of these discussions are presented and come under six broad categories, these being: Security/Information, Social, Physical, Interface, Crime and Management. We also suggest additional requirements we think would benefit the system and future directions.
  • Source
    Feng Li · Dariusz Pieńkowski · Aad Van Moorsel · Chris Smith ·
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper systematically reviews previous studies of trust from social, economic and technological perspectives and develops a holistic framework for trust, which can be used to analyse the establishment and maintenance of trust in online transactions, and identify the mechanisms that can be used to increase trust. Trust plays a crucial role in the formation of dependent relationships represented by online transactions, and a holistic treatment of trust is necessary because of the gap that exists between the developments in information systems and our understanding of their social and economic implications, and the impact on the perceived trust of the transacting parties. This review enables us to depict an online transaction through its attributes and context, and systematically map these to identified trust antecedents. The key components and processes of the framework are outlined, and three strands of empirical work are discussed to develop it further. The framework highlights the critical role of institutions in the establishment and maintenance of trust in online transactions, which informs the development of e‐commerce and e‐business platforms and the underpinning information systems, and facilitates the establishment of mechanisms to induce additional institutions to increase trust in online transactions.
    International Journal of Management Reviews 03/2012; 14(1). DOI:10.1111/j.1468-2370.2011.00311.x · 3.58 Impact Factor
  • R. Cain · A. van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Probabilistic and stochastic models are routinely used in performance, dependability and security evaluation, and determining appropriate values for model parameters is a long-standing problem in the practical use of such models. With the increasing emphasis on human aspects and business considerations, data collection to estimate parameter values often gets prohibitively expensive, since it may involve questionnaires, costly audits or additional monitoring and processing. In this paper we articulate a set of optimization problems related to data collection, and provide efficient algorithms to determine the optimal data collection strategy for a model. The main idea is to model the uncertainty of data sources and determine its influence on output accuracy by solving the model. This approach is particularly natural for data sources that rely on sampling, such as questionnaires or monitoring, since uncertainty can be expressed using the central limit theorem. We pay special attention to the efficiency of our optimization algorithm, using ideas inspired by importance sampling to derive optimal strategies for a range of parameter values from a single set of experiments.
    Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on; 01/2012
  • Katinka Wolter · Alberto Avritzer · Marco Vieira · Aad van Moorsel ·

  • Source
    Mohamed Kaâniche · Aad P. A. van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: The new editors of this department introduce themselves, explain how they plan to develop the department, and ask readers to submit articles and send feedback.
    IEEE Security and Privacy Magazine 11/2011; 9:56-57. DOI:10.1109/MSP.2011.165 · 0.73 Impact Factor
  • Source
    Wen Zeng · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: It is of critical business importance for organizations to keep confidential digital documents secure, as the potential cost and damage incurred from the loss of confidential digital documents have increased significantly in recent years. Digital Rights Management (DRM) was developed to help organizations keep digital documents secure, as one of many digital information security solutions.In this study, the functions of eight popular DRM products currently available on the market are reviewed, and the impact of using of these DRM products is evaluated quantitatively. A group of metrics is defined reflecting the potential costs and impact to the organization incurred by implementing DRM products. Stochastic models are used to quantitatively evaluate the costs and impact of implementing a particular DRM product. In this study, it is found that although DRM products protect digital assets by encryption and by providing central control on information within the organization, this comes at a cost, since these security mechanisms typically reduce the productivity of the staff. The reduction in productivity is in turn measured in the form of non-productive time (NPT) which is an inherent part of the stochastic modeling process.
    Electronic Notes in Theoretical Computer Science 09/2011; 275(1):159-174. DOI:10.1016/j.entcs.2011.09.011
  • Source
    Stefan Fenz · Simon Parkin · Aad van Moorsel ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Does every organization need to reinvent the wheel when it comes to IT security? Not if the IT community can develop a formal knowledge base for sharing and applying IT security management knowledge. Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they're often gathering and applying the same knowledge. However, they're doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.
    IT Professional 07/2011; 13(3-13):24 - 30. DOI:10.1109/MITP.2011.35 · 0.82 Impact Factor
  • Source
    John C. Mace · Aad van Moorsel · Paul Watson ·
    [Show abstract] [Hide abstract]
    ABSTRACT: Many enterprises are currently exploring the po- tential cost benefits of running applications in public clouds. Enterprises often have global security policies to ensure that its information management conforms to business rules and legal mandates. The location of data storage and application execution therefore becomes a critical issue. The prevalence of Service Oriented Architectures (SOA) means that appli- cations are often composed from a set of services which form a workflow. The concept of running workflow instances on public cloud processing platforms is in its infancy. The scientific community still needs to define the security issues in public cloud workflow deployment and the requirements of possible solutions that will deal with those concerns. This paper aims to address this by exploring the current information security issues of public cloud workflow deployment within an enterprise setting and by identifying core requirements of solutions needed to deal with these challenges. We argue that enterprises would benefit from an automated and dynamic approach when selecting where to execute workflows and store data. This approach would choose what workflows, or subsets of workflows, can be executed in a public cloud environment while ensuring that enterprise security and compliance needs are met. Keywords-cloud computing; information security; workflow; dynamic decision making.
  • Budi Arief · Aad P. A. van Moorsel · David Greathead · Lynne M. Coventry ·
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we discuss the current state of our work regarding the development and planned in-situ testing of a computer-based system to enhance community relations through the Neighbourhood Watch scheme. The system is intended for use in a community to help the residents interact with each other more easily and to encourage the reporting of suspicious behaviour or crime. We discuss some details of the system and how we plan to test it in the field using an iterative process. We also discuss the possible implications of the work for the future.
    International Conference on Computational Aspects of Social Networks, CASoN 2011, Salamanca, Spain, October 19-21, 2011; 01/2011

Publication Stats

1k Citations
16.76 Total Impact Points


  • 2004-2014
    • Newcastle University
      • School of Computing Science
      Newcastle-on-Tyne, England, United Kingdom
  • 2004-2011
    • University of Newcastle
      • Department of Computer Science
      Newcastle, New South Wales, Australia
  • 2008
    • University of Florence
      • Dipartimento di Ingegneria dell'Informazione
      Florens, Tuscany, Italy
  • 2007-2008
    • The Newcastle upon Tyne Hospitals NHS Foundation Trust
      Newcastle-on-Tyne, England, United Kingdom
  • 2003
    • Hewlett-Packard
      Palo Alto, California, United States
  • 2002-2003
    • FX Palo Alto Laboratory
      Palo Alto, California, United States
    • The Chinese University of Hong Kong
      • Department of Computer Science and Engineering
      Hong Kong, Hong Kong
  • 1997
    • AT&T Labs
      Austin, Texas, United States
  • 1995-1996
    • University of Illinois, Urbana-Champaign
      • Coordinated Science Laboratory
      Urbana, Illinois, United States
  • 1992-1995
    • Universiteit Twente
      • • Department of Computer Science
      • • Centre for Telematics and Information Technology (CTIT)
      Enschede, Provincie Overijssel, Netherlands