Luigi Lo Iacono

Bonn-Rhein-Sieg University of Applied Sciences · Department of Computer Science

PhD

About

150
Publications
44,453
Reads
2,464
Citations

Publications (150)
Preprint
Full-text available
HTTP client hints are a set of standardized HTTP request headers designed to modernize and potentially replace the traditional user agent string. While the user agent string exposes a wide range of information about the client's browser and device, client hints provide a controlled and structured approach for clients to selectively disclose their c...
Article
Full-text available
Continuous authentication has emerged as a promising approach to increase user account security for online services. Unlike traditional authentication methods, continuous authentication provides ongoing security throughout the session, protecting against session takeover attacks due to illegitimate access. The effectiveness of continuous authentica...
Conference Paper
Risk-based authentication (RBA) is used in online services to protect user accounts from unauthorized takeover. RBA commonly uses contextual features that indicate a suspicious login attempt when the characteristic attributes of the login context deviate from known and thus expected values. Previous research on RBA and anomaly detection in authenti...
Article
Full-text available
Abstract: Personal data and its use are becoming increasingly important in business, science, public administration and society. For data to be used in a fair and responsible manner, the data economy and data protection must be reconciled with each other. This contribution explains some central terms and...
Article
Full-text available
Push notifications are widely used in Android apps to show users timely and potentially sensitive information outside the apps’ regular user interface. Google’s Firebase Cloud Messaging (FCM) is the default service for sending push notification messages to Android devices. While it does provide transport layer security, it does not offer message pr...
Preprint
Online services have difficulty replacing passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attac...
Chapter
Full-text available
Users should always play a central role in the development of (software) solutions. The human-centered design (HCD) process in the ISO 9241-210 standard proposes a procedure for systematically involving users. However, due to its abstraction level, the HCD process provides little guidance for how it should be implemented in practice. In this chapte...
Chapter
Full-text available
The European General Data Protection Regulation requires the implementation of Technical and Organizational Measures (TOMs) to reduce the risk of illegitimate processing of personal data. For these measures to be effective, they must be applied correctly by employees who process personal data under the authority of their organization. However, even...
Chapter
Digital ecosystems are driving the digital transformation of business models. Meanwhile, the associated processing of personal data within these complex systems poses challenges to the protection of individual privacy. In this paper, we explore these challenges from the perspective of digital ecosystems’ platform providers. To this end, we present...
Preprint
Full-text available
Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor a...
Article
Full-text available
Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from those previously observed. It is recommended by various national security organizations, and users perceive it more usable than and equally secure...
Preprint
Full-text available
Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from previously observed ones. It is recommended by various national security organizations, and users perceive it more usable and equally secure than...
Article
In the last decades, research has shown that both technical solutions and user perceptions are important to improve security and privacy in the digital realm. The field of "usable security" already started to emerge in the mid-90s, primarily focussed on password and email security. Later on, the research field of "usable security and privacy" evolv...
Article
Full-text available
Employees who process personal data as part of their job play a critical role in protecting privacy. They are expected to follow strict data protection guidelines and protect personal data adequately. However, few studies have addressed the needs of these employees in terms of appropriate tools to assist them in complying with privacy laws. To deve...
Article
Full-text available
We propose eight usable security principles that provide software developers with a lightweight framework to help them integrate security in a user-friendly way. These principles should help developers who must weigh usability and security tradeoffs to facilitate adoption.
Article
Full-text available
The processing of employees’ personal data is dramatically increasing, yet there is a lack of tools that allow employees to manage their privacy. In order to develop these tools, one needs to understand what sensitive personal data are and what factors influence employees’ willingness to disclose. Current privacy research, however, lacks such insig...
Chapter
Full-text available
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recomm...
Conference Paper
Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor a...
Article
Full-text available
Applied privacy research has so far focused mainly on consumer relations in private life. Privacy in the context of employment relationships is less well studied, although it is subject to the same legal privacy framework in Europe. The European General Data Protection Regulation (GDPR) has strengthened employees’ right to privacy by obliging that...
Article
Software developers build complex systems using plenty of third-party libraries. Documentation is key to understanding and using the functionality provided via the libraries' APIs. Therefore, functionality is the main focus of contemporary API documentation, while cross-cutting concerns such as security are almost never considered at all, especially when...
Chapter
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-w...
Chapter
The web is the most widespread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although there are already many security measures, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate...
Preprint
Full-text available
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-w...
Conference Paper
Full-text available
Threats to passwords are still very relevant due to attacks like phishing or credential stuffing. One way to solve this problem is to remove passwords completely. User studies on passwordless FIDO2 authentication using security tokens demonstrated the potential to replace passwords. However, widespread acceptance of FIDO2 depends, among other thing...
Article
Risk-based authentication (RBA) is an adaptive security measure used to strengthen password-based authentication against account takeover attacks. Our study on 65 participants shows that users find RBA more usable than two-factor authentication equivalents and more secure than password-only authentication.
Preprint
Full-text available
Threats to passwords are still very relevant due to attacks like phishing or credential stuffing. One way to solve this problem is to remove passwords completely. User studies on passwordless FIDO2 authentication using security tokens demonstrated the potential to replace passwords. However, widespread acceptance of FIDO2 depends, among other thing...
Chapter
Networked systems, products and services must be equipped with security functions that are understandable and usable for expert users as well as for occasional users and people without specialist knowledge.
Chapter
The right of access under Art. 15 of the General Data Protection Regulation (GDPR) grants data subjects the right to obtain comprehensive information about the processing of personal data from a controller, including a copy of the data. Privacy dashboards have been discussed as possible tools for implementing this right, and are increasingly found...
Chapter
Security-critical human-computer interaction is not only a highly topical subject at present, but will remain so in the future. In this respect, a textbook and reference work such as this one is always only a snapshot and can only ever cover a particular state of the art. Nevertheless, an attempt can be made to identify current trends and...
Conference Paper
Risk-based authentication (RBA) aims to strengthen password based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recomm...
Preprint
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recomm...
Conference Paper
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to off...
Preprint
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to off...
Conference Paper
Full-text available
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usu...
Preprint
Full-text available
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests an additional authentication step if the observed feature values deviate from the usu...
Preprint
Full-text available
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity gu...
Conference Paper
Scalability and security are two important elements of contemporary distributed software systems. The Web vividly shows that, while complying with the constraints defined by the architectural style REST, the layered design of software with intermediate systems makes it possible to scale at large. Intermediaries such as caches, however, interfere with the secu...
Conference Paper
Web caching enables the reuse of HTTP responses with the aim to reduce the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the user-perceived latency of resource access. For these reasons, a cache is a key component in modern distributed systems as it enables applications to scale...
Conference Paper
Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of greatest importance. In addition, technical...
Chapter
Web browsers use HTTP caches to reduce the amount of data to be transferred over the network and allow Web pages to load faster. Content such as scripts, images, and style sheets, which are static most of the time or shared across multiple websites, are stored and loaded locally when recurring requests ask for cached resources. This behaviour can b...
Conference Paper
Full-text available
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity gu...
Conference Paper
Modern software applications are widely interconnected systems mostly built on web technologies as foundation. Caching is an integral layer of such systems and thus needs to be carefully considered in development and operations. First reported incidents with caches leaking sensitive information emphasize the possible consequences of getting them an...
Article
3GPP is currently finalizing the first publication of 5G specifications in their Release 15. Several new features and concepts are introduced to the radio interface and the core network in order to enhance the softwarization and virtualization of functional entities in the mobile core network. One of the driving new concepts is the service-based ar...
Article
Full-text available
Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in s...
Article
Full-text available
We present a systematization of usable security principles, guidelines and patterns to facilitate the transfer of existing knowledge to researchers and practitioners. Based on a literature review, we extracted 23 principles, 11 guidelines and 47 patterns for usable security and identified their interconnection. The results indicate that current res...
Conference Paper
The caching of frequently requested web resources has been an integral part of the web since its beginning. Cacheability is the main pillar of the web's scalability and an important mechanism for optimizing resource consumption and performance. Caches exist in many variations and locations on the path between web client and server, with the browser cache being ub...
Conference Paper
Full-text available
Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exis...
Conference Paper
Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use...
Conference Paper
Full-text available
Malicious apps are a severe attack vector on smartphones. A common defence mechanism to prevent them is the permission system found in mobile operating systems. Still, the effectiveness of such permission systems relies heavily on the users' ability to judge the risk associated with a certain app and its demanded set of privileges. Failing or ignor...
Article
Full-text available
One of the main aims of current social robotic research is to improve the robots' abilities to interact with humans. In order to achieve an interaction similar to that among humans, robots should be able to communicate in an intuitive and natural way and appropriately interpret human affects during social interactions. Similarly to how humans are a...
Presentation
Full-text available
Power drive systems with internal safe motion functionality according to EN 61800-5-2 require usually an additional complete processor based safe logic subsystem. Updating the firmware of this safety component is a requirement of increasing importance, which is, however, challenging to integrate in available technologies. Unfortunately, standard fi...
Chapter
Security-critical human-computer interaction is a highly relevant subject not only at present but also in the future. A textbook and reference work such as this one can only ever cover a particular state of the art. Nevertheless, an attempt can be made to identify current trends and venture an outlook into the future. This is exactly what...
Chapter
Networked systems, products and services must be equipped with security functions that are understandable and usable for expert users as well as for occasional users and laypeople. Otherwise, dealing with these systems, products and services can quickly turn out to be a risk, for example when security mechanisms...
Technical Report
Full-text available
In the project "USecureD – Usable Security by Design", methods and tools were developed that support software architects and programmers in developing business applications with the quality attribute usable security (user-friendly information security). The project also provides tools that enable users to...
Conference Paper
Our professional and private everyday lives are becoming increasingly digital. This trend is accompanied by a growing need for adequate security solutions in digital products and services that give both companies and private end users the necessary degree of effective protection for sensitive data. An essential role here falls to...
Conference Paper
Software, apps and networked technical products must be equipped with security features that offer effective protection against cyber attacks. At the user level, however, these security features often exhibit poor usability, which is why users operate them incorrectly, bypass them or ignore them. This opens up...
Conference Paper
Microservice-based systems enable the independent development, deployment, and scalability for separate system components of enterprise applications. A significant aspect during development is the microservice integration in frontends of web, mobile, and desktop applications. One challenge here is the selection of an adequate frontend architecture...
Article
Full-text available
Abstract: This contribution presents concepts and models of blockchain applications outside the financial sector. The fields of application currently range from the protection of personal data to securing and monitoring food production chains.
Conference Paper
In our digital society managing identities and according access credentials is as painful as needed. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed for solving this issue amongst which Identity Provider (IDP) based systems gained most traction for Web services. An o...
Conference Paper
Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized spe...
Book
Full-text available
Research, research and research again: that is exactly what Hartmut Schmitt, Peter Nehren, Luigi Lo Iacono and Peter Leo Gorski have set themselves as their task in this shortcut. In five chapters they present the results of the research project "USecureD - Usable Security by Design" and thereby support software developers in the systematic devel...
Conference Paper
For IT-supported products and systems to be effectively protected against unauthorized or abusive use, they must be equipped with security functions that are user-friendly. This requires developers to have both security and usability knowledge. Since developers in small and medium-sized enterprises in particular...
Conference Paper
Full-text available
Usable security puts the users into the center of cyber security developments. Software developers are a very specific user group in this respect, since their points of contact with security are application programming interfaces (APIs). In contrast to APIs providing functionalities of other domains than security, security APIs are not approachable...
Article
In both business and private settings, software, apps and networked technical products must be equipped with security functions that are understandable and usable even for laypeople and occasional users. When handling sensitive data, these products can otherwise quickly turn out to be a risk, for example when security mechanisms...
Article
There is a high demand for usable security components in the software industry. For software architects and programmers, this means that they increasingly have to consider and implement the new quality attribute usable security. Since May 2015, the project USecureD ("Usable Security by Design") has therefore been developing methods and...
Article
Full-text available
Abstract: The REST architectural style underlying the Web is regarded as one of the most important guidelines for the design of large, distributed application systems. However, the existing approaches to securing REST-based applications are designed only for specific REST-based technologies such as HTTP or CoAP. In order for security concepts...
Article
As mobile devices have evolved from simple phones to rich computing systems, the data stored on these multi-taskers has consequently become more sensitive and private. Because of this, modern mobile operating systems include sophisticated permission systems for restricting mobile applications' access to the device. However, many applicatio...
Chapter
Future IT visions, including smart city, smart building, smart home, smart mobility, and Industry 4.0, are evolving on the foundations of the Internet of Things (IoT). As those systems cover a large number of networked entities, design concepts for developing IoT systems must be highly scalable. One approach to fulfilling this requirement is the ar...
Conference Paper
Full-text available
The Usable Security & Privacy working group offers a forum for the exchange of ideas and interdisciplinary collaboration on the topic of user-friendly information security and privacy-enhancing technologies. Although security is one of the central selection criteria when purchasing software and technical products, due to...
Conference Paper
Continuing the successful kick-off workshop "Usable Security and Privacy: Nutzerzentrierte Lösungsansätze zum Schutz sensibler Daten" (user-centered approaches to protecting sensitive data) at Mensch und Computer 2015, a second scientific workshop at this year's Mensch und Computer presents and discusses four papers in the field of usable security and privacy....
Article
Security has evolved into an essential quality factor of software systems. However, security features in software applications are often time-consuming, error-prone and too complicated for common users. This is mainly due to a limited consideration and integration of usability. As a consequence, users either circumvent security features or do not u...
Article
Full-text available
The Internet of Things (IoT) refers to connecting objects of everyday use to the Internet. The television, as a smart TV, is already part of the Internet. Several recent studies have revealed clear deficiencies here with regard to data protection and data security. This contribution summarizes the results of a...
Conference Paper
Application Programming Interfaces (APIs) are a vital link between software components as well as between software and developers. Security APIs deliver crucial functionalities for programmers who see themselves in the increasing need for integrating security services into their software products. The ignorant or incorrect use of Security APIs lead...
Conference Paper
This paper presents methods for the reduction and compression of meteorological data for web-based wind flow visualizations, which are tailored to the flow visualization technique. Flow data sets represent a large amount of data and are therefore not well suited for mobile networks with low data throughput rates and high latency. Using the mechanis...
Conference Paper
Online media consumption is the main driving force for the recent growth of the Web. As especially real-time media is becoming more and more accessible from a wide range of devices, with contrasting screen resolutions, processing resources and network connectivity, a necessary requirement is providing users with a seamless multimedia experience at...
Article
The term "Usable Security and Privacy by Design" refers to methods and procedures in the development of software and technical products in which the user is at the center of the development of security and privacy components. "User" in this context means not only the end user of the software but also the...
Conference Paper
One core technology for implementing and integrating the architectural principles of REST into the Internet of Things (IoT) is CoAP, a REST-ful application protocol for constrained networks and devices. Since CoAP defaults to UDP as transport protocol, the protection of CoAP-based systems is realised by the adoption of DTLS, a transport-oriented se...
Conference Paper
Full-text available
Digital networking and the increasing technologization of our professional and private everyday lives pose new challenges for the protection of sensitive data. So that software, apps and interactive products do not turn out to be risks for private end users or companies in daily use, they must be equipped with security functions and...
Conference Paper
The application of cryptographic primitives to structured and semi-structured data in a fine-grained manner is constantly increasing in importance. The encryption and signature of selective parts of a document while retaining the underlying data format characteristics dates back to XML and XML security. The specification of the data portions to be...
Conference Paper
REST has been established as an architectural style for designing distributed hypermedia systems. With an increased adoption in Cloud and Service-oriented Computing, REST is confronted with requirements not having been central to it so far. Most often the protection of REST-based service systems is, e.g., solely ensured by transport-oriented securi...
Conference Paper
Despite the lack of standardisation for building REST-ful HTTP applications, the deployment of REST-based Web Services has attracted an increased interest. This gap causes, however, an ambiguous interpretation of REST and induces the design and implementation of REST-based systems following proprietary approaches instead of clear and agreed upon de...
Article
According to a W3C definition, the term "Web of Services" refers to a message-based design principle that is frequently used for designing Internet applications or enterprise software. The two dominant approaches here are currently SOAP and REST. For REST, however, there is no security ... corresponding to SOAP Security...
Article
Google TV links classic television with additional services from the Internet. This raises new questions and problems regarding possible influence on viewing behavior, the protection of the television viewer's privacy and signal protection.