Sebastian Pape

Goethe-Universität Frankfurt am Main · Faculty of Economics and Business Administration

PD Dr. rer. nat. Dipl.-Inform. Dipl.-Math.

About

125 Publications
27,865 Reads
617 Citations
Additional affiliations
October 2018 - August 2019
Universität Regensburg
Position
  • Professor
January 2017 - present
Social Engineering Academy GmbH
Position
  • Managing Partner
March 2015 - present
Goethe-Universität Frankfurt am Main
Position
  • Senior Researcher
Education
September 2005 - September 2013
Universität Kassel
Field of study
  • Applied Cryptography & Privacy Enhancing Technologies
October 1997 - March 2005
Technische Universität Darmstadt
Field of study
  • Computer Science
October 1996 - January 2004
Technische Universität Darmstadt
Field of study
  • Mathematics

Publications (125)
Conference Paper
Full-text available
In some scenarios, especially when visual cryptography [1] is used, the attacker has no access to an encryption oracle, and thus is not able to mount chosen-plaintext attacks. Based on the notion of real-or-random security under chosen-plaintext attacks (ROR-CPA) given by Bellare et al. [2], we propose the notion of sample-or-random security under...
Conference Paper
We report on an approach and associated tool-support for automatically evaluating and grading exercises in Software Engineering courses, by connecting various third-party tools to the online learning platform Moodle. In the case study presented here, the tool was used in several instances of a lecture course to automatically measure the test covera...
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii)...
Article
Full-text available
The concept of cloud computing relies on central large datacentres with huge amounts of computational power. The rapidly growing Internet of Things with its vast amount of data showed that this architecture produces costly, inefficient and in some cases infeasible communication. Thus, fog computing, a new architecture with distributed computational...
Conference Paper
Full-text available
Today’s environment of data-driven business models relies heavily on collecting as much personal data as possible. Besides being protected by governmental regulation, internet users can also try to protect their privacy on an individual basis. One of the most famous ways to accomplish this is to use privacy-enhancing technologies (PETs). However,...
Article
Users report that they have regretted accidentally sharing personal information on social media. There have been proposals to help protect the privacy of these users, by providing tools which analyze text or images and detect personal information or privacy disclosure with the objective to alert the user of a privacy risk and transform the content....
Article
Users report that they have regretted accidentally sharing personal information on social media. There have been proposals to help protect the privacy of these users, by providing tools which analyze text or images and detect personal information or privacy disclosure with the objective to alert the user of a privacy risk and transform the content....
Conference Paper
Full-text available
Posters are widely in practice to communicate cybersecurity awareness (CSA) messages. This popularity could be because it is one of the simplest mechanisms, and most people are accustomed to poster usage. Despite this, very little effort has been made to make the CSA poster design and assessment more systematic. Due to this, there exists a wide var...
Chapter
The SARS-CoV-2 pandemic is a pressing societal issue today. The German government promotes a contact tracing app named Corona-Warn-App (CWA), aiming to change citizens’ health behavior during the pandemic by raising awareness about potential infections and enable infection chain tracking. Technical implementations, citizens’ perceptions, and public...
Chapter
Enabling cybersecurity and protecting personal data are crucial challenges in the development and provision of digital service chains. Data and information are the key ingredients in the creation process of new digital services and products. While legal and technical problems are frequently discussed in academia, ethical issues of digital service c...
Chapter
Serious games seem to be a good alternative to traditional trainings since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: The serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious ga...
Technical Report
Full-text available
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by...
Article
Full-text available
Through voice characteristics and manner of expression, even seemingly benign voice recordings can reveal sensitive attributes about a recorded speaker (e.g., geographical origin, health status, personality). We conducted a nationally representative survey in the UK (n = 683, 18-69 years) to investigate people's awareness about the inferential pow...
Poster
Most privacy policies are incomprehensive and largely unreadable. As a consequence, most users do not bother to read them. We propose Leech, a serious game developed in a students’ project for learning about the contents and structure of privacy policies so that users get a rough understanding what to expect in privacy policies. Leech is an adventu...
Conference Paper
Most privacy policies are incomprehensive and largely unreadable. As a consequence, most users do not bother to read them. We propose Leech, a serious game developed in a students’ project for learning about the contents and structure of privacy policies so that users get a rough understanding what to expect in privacy policies. Leech is an adventu...
Conference Paper
Emerging technologies are facilitating our daily activities and drive the digital transformation. The Internet of Things (IoT) and 5G communications will provide a wide range of new applications and business opportunities, but with a wide and quite complex attack surface. Several users are not aware of the underlying threats and most of them do not...
Chapter
The German Corona-Warn-App (CWA) is one of the most controversial tools to mitigate the Corona virus spread with roughly 25 million users. In this study, we investigate individuals’ knowledge about the CWA and associated privacy concerns alongside different demographic factors. For that purpose, we conducted a study with 1752 participants in German...
Article
Full-text available
It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company’s own compliance – this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate associat...
Article
Augmented reality (AR) gained much public attention after the success of Pokémon Go in 2016, and has found application in online games, social media, interior design, and other services since then. AR is highly dependent on various different sensors gathering real time context-specific personal information about the users causing more severe and ne...
Article
Full-text available
When requesting a web-based service, users often fail in setting the website's privacy settings according to their self privacy preferences. Being overwhelmed by the choice of preferences, a lack of knowledge of related technologies or unawareness of the own privacy preferences are just some reasons why users tend to struggle. To address all these...
Article
Maturity models are a widely used concept for measuring information security. The idea is to systematically evaluate the maturity of security-relevant processes in an organisation. This enables decision makers to get an overview of the implementation status of relevant processes to identify neuralgic points. Maturity models thus play a central role...
Conference Paper
Privacy sensitive information (PSI) detection tools have the potential to help users protect their privacy when posting information online, i.e. they can identify when a social media post contains information that users could later regret sharing. However, although users consider this type of tools useful, previous research indicates that the inte...
Chapter
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees’ awareness are more effective if adjusted to their target audience. For that purpose, we p...
Article
Full-text available
Pokémon Go is one of the most successful mobile games of all time. Millions played and still play this mobile augmented reality (AR) application, although severe privacy issues are pervasive in the app due to its use of several sensors such as location data and camera. In general, individuals regularly use online services and mobile apps although t...
Chapter
Attack trees are an established concept in threat and risk analysis. They build the basis for numerous frameworks aiming to determine the risk of attack scenarios or to identify critical attacks or attack paths. However, existing frameworks do not provide systematic analyses on the asset-level like the probability of successful or near-successful a...
Chapter
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employee...
Article
This paper provides the survey materials used to collect the data for the conceptual replication of the Internet Users' Information Privacy Concerns (IUIPC) model by Malhotra et al. (2004). The replication paper (Pape et al., 2020) used awareness, collection and control as constructs for the second order construct of IUIPC, as well as risk and trus...
Conference Paper
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employe...
Conference Paper
While social engineering is still a recent threat, many organisations only address it by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees' awareness are more effective if adjusted to their target audience. For that purpose, we p...
Conference Paper
Attack trees are an established concept in threat and risk analysis. They build the basis for numerous frameworks aiming to determine the risk of attack scenarios or to identify critical attacks or attack paths. However, existing frameworks do not provide systematic analyses on the asset-level like the probability of (un)successful attacks per asse...
Article
To expand the understanding of privacy concerns in the digital sphere, this paper makes use of the Internet Users' Information Privacy Concerns (IUIPC) model by Malhotra et al. (2004). The lack of empirical studies conducted in East-Asian societies makes it difficult, if not impossible, to shed light on multi-cultural differences in information pri...
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existi...
Article
Full-text available
Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to docum...
Conference Paper
Full-text available
General Data Protection Regulation (GDPR) has not only a great influence on data protection but also on the area of information security especially with regard to Article 32. This article emphasizes the importance of having a process to regularly test, assess and evaluate the security. The measuring of information security however, involves overcom...
Chapter
In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT...
Chapter
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies defence mechanisms against the fraud are useful to prev...
Article
Full-text available
Due to an increasing collection of personal data by internet companies and several data breaches, research related to privacy gained importance in the last years in the information systems domain. Privacy concerns can strongly influence users' decision to use a service. The Internet Users Information Privacy Concerns (IUIPC) construct is one operat...
Data
This dataset was collected for research conducted within the project AN.ON-Next funded by the German Federal Ministry of Education and Research (BMBF) with grant number: 16KIS0371. The dataset is based on an online survey with actual users of the JonDonym technology. The dataset includes – among others – constructs from different established models...
Data
This dataset was collected for research conducted within the project AN.ON-Next funded by the German Federal Ministry of Education and Research (BMBF) with grant number: 16KIS0371. The dataset is based on an online survey with actual users of the Tor technology. The dataset includes – among others – constructs from different established models of t...
Conference Paper
Full-text available
Augmented reality (AR) gained much public attention since the success of Pokémon Go in 2016. Technology companies like Apple or Google are focusing primarily on mobile AR (MAR) applications running on smartphones or tablets since this type of AR is widely available for the end consumer. Associated privacy issues have to be investigated early as lon...
Article
Full-text available
Information security risk assessment frameworks support decision-makers in assessing and understanding the risks their organisation is exposed to. However, there is a lack of lightweight approaches. Most existing frameworks require security-related information that is not available and that is very challenging to gather. So they are not suitable...
Article
The augmented reality smartphone game Pokémon Go is one of the biggest commercial successes in the last years, posing the question concerning the factors contributing to the game’s success. An apparent distinction to other games is the strong brand Pokémon. We derive a research model based on the established theory of technology acceptance, which i...
Conference Paper
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies defence mechanisms against the fraud are useful to prev...
Conference Paper
In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT...
Conference Paper
We conducted a literature survey on reproducibility and replicability of user surveys in security research. For that purpose, we examined all papers published over the last five years at three leading security research conferences and recorded the type of study and whether the authors made the underlying responses available as open data, as well as...
Chapter
Full-text available
Today’s environment of data-driven business models relies heavily on collecting as much personal data as possible. One way to prevent this extensive collection is to use privacy-enhancing technologies (PETs). However, until now, PETs did not succeed in larger consumer markets. In addition, there is a lot of research determining the technical prope...
Conference Paper
Full-text available
Generally, measuring the information security maturity is the first step to build a knowledge information security management system in an organization. Unfortunately, it is not possible to measure information security directly. Thus, in order to get an estimate, one has to find reliable measurements. One way to assess information security is by ap...
Chapter
Protecting enterprise’s confidential data and infrastructure against adversaries and unauthorized accesses has been always challenging. This gets even more critical when it comes to smartphones due to their mobile nature which enables them to have access to a wide range of sensitive information that can be misused. The crucial questions here are: H...
Conference Paper
Small and medium-sized enterprises often have great difficulty introducing an ISMS and improving their own IT security. Critical infrastructures in particular, such as energy network operators, are legally obliged to introduce an ISMS and to ensure the best possible security. However, these companies often lack...
Conference Paper
Full-text available
Due to an increasing collection of personal data by internet companies and several data breaches, research related to privacy gained importance in the last years in the information systems domain. Privacy concerns can strongly influence users’ decision to use a service. The Internet Users Information Privacy Concerns (IUIPC) construct is one operat...
Chapter
Full-text available
In social engineering (SE), attackers try to influence their victims in order to elicit and exploit a particular behaviour and thereby obtain sensitive information. According to the current dataset of the Data Breach Investigations Report [1], 43 % of all data thefts involve an SE attack. The SE attack is often the first step of a...
Conference Paper
Full-text available
A web-based platform was developed to support the inter-organisational collaboration between small and medium-sized energy providers. Since critical infrastructures are subject to new security regulations in Germany, the platform particularly serves for the exchange of experience and for mutual support in information security. The focus of this wor...
Conference Paper
Full-text available
Today's environment of data-driven business models relies heavily on collecting as much personal data as possible. This is one of the main causes for the importance of privacy-enhancing technologies (PETs) to protect internet users' privacy. Still, PETs are rather a niche product used by relatively few users on the internet. We undertake a first st...
Chapter
We investigate privacy concerns and the privacy behavior of users of the AR smartphone game Pokémon Go. Pokémon Go accesses several functionalities of the smartphone and, in turn, collects a plethora of data of its users. For assessing the privacy concerns, we conduct an online study in Germany with 683 users of the game. The results indicate that...
Conference Paper
Full-text available
In this article we examine possible incentives for companies to implement privacy-enhancing technologies (PETs) and thereby raise the level of privacy and data protection for end consumers. A large part of current research on privacy and data protection (hereafter: privacy) is currently conducted from the user's perspective, and not from the corporate perspective...
Conference Paper
Full-text available
In this paper we apply privacy by design in e-commerce. We outline the requirements of a privacy-aware online shopping platform that satisfies the principle of data minimization and we suggest several architectures for building such a platform. We then compare them according to four dimensions: privacy threats, transparency, usability and compatibi...
Article
Full-text available
We present and validate a German translation of the construct Concerns for Information Privacy (CFIP). This construct, consisting of four sub-constructs, measures the privacy concerns of individuals with regard to organizational privacy practices. With this scope, the construct has a wide applicability for quantitative research on privacy. We surve...
Article
Full-text available
We present and validate a German translation of the questionnaire of the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2). For this case, we surveyed participants on the location-based mobile augmented reality game Pokémon Go. We conducted the translation with the help of two independent and certified translators and tested the validit...
Conference Paper
We investigate privacy concerns and the privacy behavior of users of the AR smartphone game Pokémon Go. Pokémon Go accesses several functionalities of the smartphone and, in turn, collects a plethora of data of its users. For assessing the privacy concerns, we conduct an online study in Germany with 683 users of the game. The results indicate that...
Technical Report
Full-text available
The AN.ON-Next project aims to integrate privacy-enhancing technologies into the internet's infrastructure and establish them in the consumer mass market. The technologies in focus include a basis protection at internet service provider level, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobil...
Conference Paper
We investigate the technology acceptance factors of the AR smartphone game Pokémon Go with a PLS-SEM approach based on the UTAUT2 model by Venkatesh et al. [1]. Therefore, we conducted an online study in Germany with 683 users of the game. Many other studies rely on the users’ imagination of the application’s functionality or laboratory environment...
Article
Full-text available
As part of the research project "Secure information networks of small- and medium-sized energy providers" (SIDATE), a survey about the IT security status of German energy providers was conducted. The project itself is focused on the IT security of small- and medium-sized energy providers. In August 2016, 881 companies listed by the Federal Network...