Steven Furnell

University of Nottingham | Notts · School of Computer Science

BSc (Hons) PhD


Publications: 471
Reads: 122,925
Citations: 8,244


Publications (471)
Chapter
This chapter sets the scene for the book as a whole, establishing the need for cybersecurity awareness, training, and education in order to enable us to understand and meet our security obligations. It begins by illustrating key elements that ought to form part of cybersecurity literacy and the questions to be asked when addressing the issue. It th...
Chapter
This chapter provides a specific focus to IoT devices in a domestic scenario. It begins by looking into the nature of IoT devices and interactions within the user's home environment. Attention is then given to the nature of security issues of such devices, and more particularly, the related impact for their users. Next, the chapter examines the IoT...
Cover Page
For more detailed information, please visit the SI website at: https://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/special-issue-on-insider-threats-in-cyber-security
Article
Access to the many benefits available from digital technology can often vary depending upon the capabilities and facilities of the individual who is attempting to engage with it. Many digital devices and services require us to be identified and so require some form of user authentication as part of the process. However, the authentication methods t...
Chapter
The ongoing demand for new and faster technologies continues to leave consumers and business users to face the constant challenge of updating systems and software. This unrelenting pace of technological evolution has not always been matched with a commensurate focus on security and privacy matters. In particular, the obligatory move to embrace clou...
Chapter
Today, we are living in a digitally dependent world. Through the use of digital technologies, life is meant to be easier and streamlined. This includes giving access to services that previously were unavailable to many due to disability. Although technology has evolved immensely over the past few decades, reducing the digital divide, authentication...
Chapter
The importance of the human aspects of cybersecurity cannot be overstated in light of the many cybersecurity incidents stemming from insecure user behavior. Users are supposed to engage in secure behavior by use of security features or procedures but those struggle to get widespread use and one hindering factor is usability. While several previous...
Article
The term ‘cyber security’ is increasingly commonplace in everyday life, and is something that users of all ages will encounter in some form. However, there are varying interpretations about what it actually means, and because of this, people have similarly varying assumptions about the extent to which it applies to them or might affect them.
Preprint
While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational...
Article
Purpose: The purpose of this study is to determine effective online safety awareness education for young people in less developed countries. The research followed an explanatory mixed methods design starting with an online survey (quantitative element) and then interesting or anomalous findings were followed up with one-on-one interviews (qualitativ...
Article
Information security is a challenge facing organisations, as security breaches pose a serious threat to sensitive information. Organisations face security risks in relation to their information assets, which may also stem from their own employees. Organisations need to focus on employee behaviour to limit security failures, as if they wish to estab...
Article
While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational...
Article
One of the most noticeable effects of the Covid-19 pandemic from the technology perspective has been the significant uptake of online meeting platforms, which many have suddenly found to be a necessary alternative to face-to-face meetings in all manner of contexts. From relatively casual meetings that may have taken place among co-workers in the of...
Article
Complexity and sophistication among multimedia-based tools have made it easy for perpetrators to conduct digital crimes such as counterfeiting, modification, and alteration without being detected. It may not be easy to verify the integrity of video content that, for example, has been manipulated digitally. To address this perennial investigative ch...
Article
While the threats may appear to be vastly different, further investigation reveals that the cybersecurity community can learn much from the COVID-19 messaging response.
Article
The Internet of Things (IoT) allows various embedded devices and smart sensors to be connected with each other, which provides a basis for building smart cities. The IoT-enabled smart city can greatly benefit people’s daily lives, where the smartphone is one of the most widely used IoT devices. For example, people can use the phone to check their finan...
Article
While the Internet has become an indispensable aspect of personal and professional lives, it has also served to render many individuals vulnerable to cybersecurity threats. Thus, the promotion of cybersecurity behaviors can effectively protect individuals from these threats. However, cybersecurity behaviors do not necessarily come naturally, and pe...
Article
Cyber security is now an essential requirement for modern organisations, but many face a significant constraint in terms of a lack of skilled personnel to support the required roles and responsibilities. Although numerous related qualifications and certifications are available, it is necessary to understand this landscape in order to make an inform...
Chapter
Intensive IT development is driving current information security (IS) trends and requires sophisticated structures and adequate approaches to manage IS for different businesses. The wide range of threats is constantly growing in modern intranets; they have become not only numerous and diverse but also more disruptive. In such circumstances, organiza...
Chapter
This chapter examines the use of delay-tolerant networks (DTNs) in the context of deep-space data communications: an application area with extreme demands for delay tolerance. The discussion examines the networking requirements of space data communications, and the associated technology requirements to support a deep-space DTN solution. Specific at...
Book
This book is a relevant reference for any readers interested in the security aspects of Cyber-Physical Systems and particularly useful for those looking to keep informed on the latest advances in this dynamic area. Cyber-Physical Systems (CPSs) are characterized by the intrinsic combination of software and physical components. Inherent elements of...
Book
This book constitutes the proceedings of the 15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2020, held virtually in July 2021. The 18 papers presented in this volume were carefully reviewed and selected from 30 submissions. They are organized in the following topical sections: attitudes and...
Article
The prevalence of HTTP web traffic on the Internet has long transcended the layer 7 classification, to layers such as layer 5 of the OSI model stack. This coupled with the integration-diversity of other layers and application layer protocols has made identification of user-initiated HTTP web traffic complex, thus increasing user anonymity on the In...
Article
Media reports regularly highlight organisations that have experienced costly cyber attacks or other cyber security breaches. Such breaches can have far-reaching and long-running impacts, compromising systems and data, impacting relationships with customers, suppliers and partners, and in extreme situations becoming existential threats. As an exampl...
Conference Paper
The increased use of digital technologies and services brings with it a similarly increasing requirement for their end-users to have the awareness and ability to protect the security and privacy of their devices and data. However, this raises the related questions of what they need to know and from where they may obtain related guidance. The discus...
Article
Modern network traffic classification puts much attention toward producing a granular classification of the traffic, such as at the application service level. However, the classification process is often impaired by the lack of granular network traffic ground truth. Granular network traffic ground truth is critical to provide a benchmark for a fair...
Chapter
The demand for cybersecurity professionals is growing. Many cybersecurity academic and training programmes exist to prepare students and professionals for these jobs. The programmes cover many areas of cybersecurity with considerable overlap, but with different emphases. Some are highly technical and cover little non-technical; others do the opposi...
Chapter
The majority of online safety awareness education programmes have been developed in advanced countries and for the needs of their own populations. In less developed countries (LDCs), not only are there fewer programmes, there is also a research gap in knowing the issues that face young people in their respective country. The Young People Online Educa...
Article
Purpose: The human factor is a major consideration in securing systems. A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks and are increasingly being targeted as they...
Article
Home working has been one of the long-promised freedoms of information technology. But until recently it was something that relatively few people had routinely experienced in practice (aside, perhaps, from taking work home to do in the evenings and at weekends). This situation abruptly changed in early 2020, with the Covid-19 pandemic forcing organ...
Article
The surveillance and subsequent privacy risks (i.e., misuse of personal information) of Facebook App data constitute a persistent problem that affects millions of users. However, despite Facebook App research on specifics such as privacy concerns, value of information, and demographics, none of them has conducted vulnerability assessments on the us...
Article
The surveillance of social media-based data is extensive and is showing little signs of abating. Alarmingly, social media corporates are seemingly irreproachable in this matter with many data surveillance practices persisting—even post Cambridge Analytica. In this article, we argue, and demonstrate, that although data surveillance is not a new conc...
Article
Passwords are dead, writes Steven Furnell FBCS of the Centre for Security, Communications and Network Research at the University of Plymouth. Numerous people have said so (just search for the phrase to see for yourself).
Article
With cyber security gaining ever-greater recognition as a key concern in today's organisations, there is an accompanying appreciation that specialist skills are required to support it. However, this has created challenges for employers in recruiting the associated talent, not least because skilled staff are in short supply. With cyber security beco...
Book
This book constitutes the refereed post-conference proceedings of the 5th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2019, the Third International Workshop on Security and Privacy Requirements Engineering, SECPRE 2019, the First International Workshop on Security, Privacy, Organizations, a...
Book
This book constitutes the revised selected papers of the 5th International Conference on Information Systems Security and Privacy, ICISSP 2019, held in Prague, Czech Republic, in February 2019. The 19 full papers presented were carefully reviewed and selected from a total of 100 submissions. The papers presented in this volume address various topi...
Book
This book constitutes the proceedings of the 14th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2020, held in Mytilene, Lesbos, Greece, in July 2020. The 27 full papers presented in this volume were carefully reviewed and selected from 43 submissions. They are organized in the following topical sections: pri...
Book
This book constitutes the refereed post-conference proceedings of the 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, the Second International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and the Third International Workshop on Attacks and Defenses for Inter...
Article
Psychological and behavioral characteristics are among the most important factors that instigate information security incidents. Although many previous studies have discussed the influencing factors of information security policy compliance behavior in an organization, few have considered the influence of organizational structures. In this study, t...
Conference Paper
At the present time, there has been a rapid increase in the variety and popularity of messaging systems such as social network messaging, text messages, email and Twitter, with users frequently exchanging messages across various platforms. Unfortunately, in amongst the legitimate messages, there is a host of illegitimate and inappropriate content -...
Article
Although we are continually offered the promise of passwords being eradicated they continue to be used extensively on the majority of devices, sites and services [1, 2]. At the same time, they remain a significant point of weakness – particularly in view of the way in which users choose and manage them. For example, in 2017, Verizon's ‘Data Breach Inv...
Article
Purpose: The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison wit...
Article
With the first incidents dating back to 2003, phishing has now been a problem for over a decade and a half. Unfortunately, just like malware, it's proven to be the cyber security equivalent of an unwanted genie that we can't put back in the bottle. Despite many efforts to educate users and provide safeguards, people are still falling victim. Althou...
Chapter
Organizational security is exposed to internal and external threats, with a greater level of vulnerabilities coming from the former. Drawing upon findings from prior works as a foundation, this study aims to highlight the significant factors that influence the security culture within organizations. Phase one of the study reports upon an interview-b...
Article
In recent years, enterprise applications have begun to migrate from local hosting to a cloud provider and may have established a business-to-business relationship with each other manually. Adaptation of existing applications requires substantial implementation changes in individual architectural components. On the other hand, users may store thei...
Article
With the rapid growth of smartphones and tablets in our daily lives, securing the sensitive data stored upon them makes authentication of paramount importance. Current authentication approaches do not re-authenticate in order to re-validate the user’s identity after accessing a mobile phone. Accordingly, there is a security benefit if authenticatio...
Conference Paper
Current cloud architectures do not comply with today's digital forensics procedures, largely due to the fundamental dynamic nature of the cloud. Data acquisition is the first and arguably the most important process within digital forensics, to ensure data integrity and admissibility. Currently investigators have no option but to rely on the Cloud Ser...
Book
Understanding cybersecurity principles and practices is vital to all users of IT systems and services, and is particularly relevant in an organizational setting where the lack of security awareness and compliance amongst staff is the root cause of many incidents and breaches. If these are to be addressed, there needs to be adequate support and prov...
Chapter
This chapter sets the scene for the book as a whole, establishing the need for cybersecurity awareness, training, and education in order to enable us to understand and meet our security obligations. It begins by illustrating key elements that ought to form part of cybersecurity literacy and the questions to be asked when addressing the issue. It...
Preprint
Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a si...
Article
Steven Furnell, University of Plymouth UK, and Eugene H. Spafford, Purdue University USA, turn the clock back 30 years and show that, though bigger, the internet might not be much safer.
Article
Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a si...
Conference Paper
The growth in smartphone usage has led to increased user concerns regarding privacy and security. Smartphones contain sensitive information, such as personal data, images, and emails, and can be used to perform various types of activity, such as transferring money via mobile Internet banking, making calls and sending emails. As a consequence, conce...
Article
Purpose: It is widely acknowledged that non-compliance of employees with information security policies is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and respondin...
Article
The Internet of Things (IoT) is an emerging communications paradigm in which devices or “Things” have the ability to sense their environment, connect with each other and exchange data over the Internet [1]. The IoT model has recently been used in building smart environments such as smart cities and smart homes. On the one hand, the deployment of Io...
Article
Purpose: The purpose of this paper is to review current evidence in relation to scale and impacts of cyber crime, including various approaches to defining and measuring the problem. Design/methodology/approach: A review and analysis of survey evidence is used to enable an understanding of the scope and scale of the cyber crime problem, and its eff...
Book
This book constitutes revised and selected papers from the 5th International Symposium on Security and Privacy in Social Networks and Big Data, SocialSec 2019, held in Copenhagen, Denmark, in July 2019. The 18 full papers and 3 short papers presented in this volume were carefully reviewed and selected from a total of 76 submissions. The papers in...
Chapter
Security education and awareness are frequently overlooked for users in both workplace and personal contexts, and even where some level of provision is offered it is rarely done in a manner that is matched specifically to the needs of the audience. However, by personalising the provision, and making the presentation and messaging more appropriate t...
Article
Prof. Steven Furnell FBCS and Prof. Nathan Clarke FBCS, from the University of Plymouth, examine the rise of biometrics in modern society, with particular focus upon the potential to ease the authentication burden on mobile devices.
Poster
The Facial-Forensic Analysis Tool (F-FAT) provides a technique that aids forensic investigation in terms of automatic facial recognition. It is a holistic system that is developed to collect, examine, and analyse multimedia evidence (photos and videos).
Article
Facial recognition has played an essential role in digital forensics due to the widespread use of digital technology such as CCTV, mobile phones, and digital cameras. Therefore, the growing volume of multimedia files (photos and videos), in particular, is a valuable source of evidence and the ability to identify culprits is invaluable. Despite si...
Article
World Password Day 2018 saw Microsoft suggesting that it would deliver a “world without passwords” and BlackBerry proposing that they would be replaced by adaptive authentication (based on the buzzwords du jour of artificial intelligence and machine learning) [1, 2]. Yet at the same time we had the irony of Twitter asking 330 million subscribers to ch...
Conference Paper
Forensic facial recognition has become an essential requirement in criminal investigations due to the advent of electronic devices such as CCTV, digital cameras, mobile phones, and computers and the huge volume of content that exists. Forensic facial recognition goes beyond facial recognition in that it deals with facial images under unconstraint a...
Article
Although the role of users in maintaining security is regularly emphasised, this is often not matched by an accompanying level of support. Indeed, users are frequently given insufficient guidance to enable effective security choices and decisions, which can lead to perceived bad behaviour as a consequence. This paper discusses the forms of support...
Article
Purpose: The end-user has frequently been identified as the weakest link; however, motivated by the fact that different users react differently to the same stimuli, identifying the reasons behind variations in security behavior and why certain users could be “at risk” more than others is a step toward protecting and defending users against security...
Conference Paper
Key aspects that weaken users’ ability to use security are often related to the difficulty of comprehending the features/notifications within the interfaces of applications, inconsistency in the interfaces, and not receiving appropriate guidance or adequate security information. This often leads to confusion, limiting a user’s ability to comprehend...
Article
The medical industry is increasingly digitalized and Internet-connected (e.g., Internet of Medical Things), and when deployed in an Internet of Medical Things environment, software-defined networks (SDN) allow the decoupling of network control from the data plane. There is no debate among security experts that the security of Internet-enabled medic...
Article
A wide range of information communication technologies (ICTs), including devices such as smart phones, tablets, desktops and smart TVs, are increasingly used at home. Home users arguably struggle with managing and handling different devices and operating systems, applying different security configurations and mitigating different security threats....
Article
The risk of sensitive information disclosure and modification through the use of online services has increased considerably and may result in significant damage. Whereas the management and assessment of such risks is a well-known discipline for organizations, it is a challenge for users from the general public. Users have difficulties in using, understa...
Article
In today’s business environment where all operations are enabled by technology, information security has become an established discipline as more and more businesses realize its value. The human component has been recognized to have an important role in information security since the only way to reduce security risks is through making employees mor...
Article
The protection of organisational information assets requires the collaboration of all employees; information security collaboration (ISC) aggregates the efforts of employees in order to mitigate the effect of information security breaches and incidents. However, it is acknowledged that ISC formation and its development needs more investigation. Thi...