Conference Paper
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Emerging technologies are facilitating our daily activities and drive the digital transformation. The Internet of Things (IoT) and 5G communications will provide a wide range of new applications and business opportunities, but with a wide and quite complex attack surface. Several users are not aware of the underlying threats and most of them do not possess the knowledge to set and operate the various digital assets securely. Therefore, cyber security training is becoming mandatory both for simple users and security experts. Cyber ranges constitute an advance training technique where trainees gain hands-on experiences on a safe virtual environment, which can be a realistic digital twin of an actual system. This paper presents the cyber ranges platform THREAT-ARREST. Its design is fully model-driven and offers all modern training features (i.e. emulation, simulation, serious games, and fabricated data). The platform has been evaluated under the smart energy, intelligent transportation, and healthcare domains.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

Chapter
Serious games seem to be a good alternative to traditional trainings since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: The serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, because it is hard to measure security and privacy awareness. On the other hand, because both of these topics are currently often in the main stream media requiring to make sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games the raised challenges are discussed and partially existing solutions are presented.
Article
Full-text available
Digital technologies are facilitating our daily activities, and thus leading to the social transformation with the upcoming 5G communications and the Internet of Things. However, mainstream and sophisticated attacks are remaining a threat, both for individuals and organisations. Cyber Range emerges as a promising solution to effectively train people in cybersecurity aspects. A Training Programme is considered adequate only if it can adapt to the scope of the attacks they cover and if the trainees apply the learning material to the operational system. Therefore, this study introduces the model-driven CYber Range Assurance platform (CYRA). The solution allows a trainee to be trained for known and new cyber-attacks by adapting to the continuously evolving threat landscape and examines if the trainees transfer the acquired knowledge to the working environment. Furthermore, this paper presents a use case on an operational backend ICT system, showing how the CYRA platform was utilised to increase the security posture of the organisation.
Article
Full-text available
Introduction Today, cyber-security curricula are available across educational types and levels, including a vast array of programs and modules tailored to specific sectors of industry and audiences, to allow more targeted delivery of knowledge. Nonetheless, general agreement on best measures and methods for cybersecurity training has yet to be reached. Objective In this study, we seek to establish the current state-of-the-art in cyber-security training offerings for critical infrastructure protection and the key performance indicators (KPIs) that allow evaluating their effectiveness. Particular focus is given in this study on the aviation, energy and nuclear sectors. Methodology Accordingly, the article presents the findings of a systematic literature review that collected relevant literature produced after 2000. The identified sources have been examined according to a formal data extraction form, allowing the analysis of relevant training solutions, methodologies, target groups and focus areas. Results The results show that solutions that provide hands-on experience, team skills development, high level of real-life fidelity are often preferred to other options, with simulation-based solutions showing the highest amount of research and development. Nonetheless, researchers have not reached agreements on optimal training delivery methods and design of cybersecurity exercises. Conclusion Consequently, research on improving current cybersecurity training offerings should be conducted, to demonstrate whether integrating advantageous attributes from different delivery methods could produce more comprehensive and effective solutions.
Article
Full-text available
The railway transport system is critical infrastructure that is exposed to numerous man-made and natural threats, thus protecting this physical asset is imperative. Cyber security, privacy, and dependability (SPD) are also important, as the railway operation relies on cyber-physical systems (CPS) systems. This work presents SPD-Safe—an administration framework for railway CPS, leveraging artificial intelligence for monitoring and managing the system in real-time. The network layer protections integrated provide the core security properties of confidentiality, integrity, and authentication, along with energy-aware secure routing and authorization. The effectiveness in mitigating attacks and the efficiency under normal operation are assessed through simulations with the average delay in real equipment being 0.2–0.6 s. SPD metrics are incorporated together with safety semantics for the application environment. Considering an intelligent transportation scenario, SPD-Safe is deployed on railway critical infrastructure, safeguarding one outdoor setting on the railway’s tracks and one in-carriage setting on a freight train that contains dangerous cargo. As demonstrated, SPD-Safe provides higher security and scalability, while enhancing safety response procedures. Nonetheless, emergence response operations require a seamless interoperation of the railway system with emergency authorities’ equipment (e.g., drones). Therefore, a secure integration with external systems is considered as future work.
Article
Full-text available
Understanding the effects of individual awareness on epidemic phenomena is important to comprehend the coevolving system dynamic, to improve forecasting, and to better evaluate the outcome of possible interventions. In previous models of epidemics on social networks, individual awareness has often been approximated as a generic personal trait that depends on social reinforcement, and used to introduce variability in state transition probabilities. A novelty of this work is to assume that individual awareness is a function of several contributing factors pooled together, different by nature and dynamics, and to study it for different epidemic categories. This way, our model still has awareness as the core attribute that may change state transition probabilities. Another contribution is to study positive and negative variations of awareness, in a contagion-behavior model. Imitation is the key mechanism that we model for manipulating awareness, under different network settings and assumptions, in particular regarding the degree of intentionality that individuals may exhibit in spreading an epidemic. Three epidemic categories are considered—disease, addiction, and rumor—to discuss different imitation mechanisms and degree of intentionality. We assume a population with a heterogeneous distribution of awareness and different response mechanisms to information gathered from the network. With simulations, we show the interplay between population and awareness factors producing a distribution of state transition probabilities and analyze how different network and epidemic configurations modify transmission patterns.
Article
Full-text available
Measurement of software security is an ongoing research field. Privacy is also becoming an imperative target as social networking and ubiquitous computing evolve and users exchange high volumes of personal information. However, security and privacy alone don't guarantee proper data protection; software must also be dependable. Several standards typify the main concepts and protection mechanisms for these three properties, and measurement methodologies can quantify the provided protection level. However, security, privacy, and dependability are usually dealt with in isolation. To solve this problem, researchers have proposed a practical, easy-to-use methodology that measures a software system's overall security, privacy, and dependability (SPD) on the basis of the standards for each property. The nSHIELD (New Embedded Systems Architecture for Multi-layer Dependable Solutions) project is applying the SPD methodology to evaluate configurable embedded software in a social-mobility scenario.
Article
Full-text available
Employee noncompliance with information systems security policies is a key concern for organizations. If users do not comply with IS security policies, security solutions lose their efficacy. Of the different IS security policy compliance approaches, training is the most commonly suggested in the literature. Yet, few of the existing studies about training to promote IS policy compliance utilize theory to explain what learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. Moreover, the intervention suggests that information security training should utilize contents and methods that activate and motivate the learners to systematic cognitive processing of information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.
Article
Full-text available
Transfer of training is of paramount concern for training researchers and practitioners. Despite research efforts, there is a growing concern over the "transfer problem." The purpose of this paper is to provide a critique of the existing transfer research and to suggest directions for future research investigations. The conditions of transfer include both the generalization of learned material to the job and the maintenance of trained skills over a period of time on the job. The existing research examining the effects of training design, trainee, and work-environment factors on conditions of transfer is reviewed and critiqued. Research gaps identified from the review include the need to (1) test various operationalizations of training design and work-environment factors that have been posited as having an impact on transfer and (2) develop a framework for conducting research on the effects of trainee characteristics on transfer. Needed advancements in the conceptualization and operationalization of the criterion of transfer are also discussed. ABSTRACT FROM AUTHOR Copyright of Personnel Psychology is the property of Blackwell Publishing Limited and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts)
Chapter
Cyber ranges are virtual environments used in several contexts to enhance the awareness and preparedness of users to cybersecurity threats. Effectiveness of cyber ranges strongly depends on how much realistic are the training scenarios provided to trainees and on an efficient mechanism to monitor and evaluate trainees’ activities. In the context of the emulation environment of the THREAT-ARREST cyber range platform, in this paper we present a preliminary design of our work in progress towards the definition of a model-driven approach to monitor and evaluate the trainee performance. We enhance the platform emulation environment with an agent-based system that checks trainees’ behavior in order to collect all the trainee’s actions performed while executing a training exercise. Furthermore, we propose a modular taxonomy of the actions that can be exploited for the description of the trainee’s expected behavior in terms of the expected trace, i.e., the sequence of actions that is required for the correct execution of an exercise. We model the expected and actual trainee activities in terms of finite state machines, then we apply an existing algorithm for graph matching to score the trainee performance in terms of graph distance.
Conference Paper
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game Cy-berSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
Chapter
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies defence mechanisms against the fraud are useful to prevent social engineering, as well. We tackle this problem using and enhancing an existing online serious game to train employees to use defence mechanisms of social psychology. The game has shown promising tendencies towards raising awareness for social engineering in an entertaining way. Training is highly effective when it is adapted to the players context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow the adaption to the player’s context as well as the integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.
Article
The goal of this study is to examine the effects of learner control on information security (ISec) training effectiveness. While organizations recognize the importance of education and training in security and invest in such efforts, the design of these programs often lacks theoretical grounding and the outcomes are often not critically evaluated. This paper attempts to fill these gaps by (1) identifying desirable characteristics for the design of such training programs, (2) using these characteristics as guidelines to design a web-based information security training (3) experimentally evaluating the effectiveness of the training using critical outcomes such as training satisfaction, security training performance, self-efficacy, perceived threat severity and susceptibility. We find that web based ISec training that incorporates learner control positively affects training reactions and learning outcomes.
Conference Paper
In this paper, we introduce a hybrid approach for certifying security properties of cloud services that combines monitoring and testing data. The paper argues about the need for hybrid certification and examines some basic characteristics of hybrid certification models.
Article
This study aims to gain insight into some of the factors that determine the transfer of training to the work context. The present research examined the relationship between three types of predictors on transfer of training, including training design, individual characteristics and work environment. Data was collected at two points in time from 182 employees in a large grocery organization. The results indicated that transfer design, performance self-efficacy, training retention and performance feedback were significantly related to transfer of training. Contrary to expectation, supervisory support was not significantly related to transfer of training. These results suggest that in order to enhance transfer of training, organizations should design training that gives trainees the ability to 282 International Journal of Training and Development transfer learning, reinforces the trainee's beliefs in their ability to transfer, ensures the training content is retained over time and provides appropriate feedback regarding employee job performance following training activities.
AI-driven composition and security validation of an IoT ecosystem
  • G Hatzivasilis
Hatzivasilis, G., et al.: AI-driven composition and security validation of an IoT ecosystem. Applied Sciences -Special Issue on Smart City and Multi-Agent Systems, MDPI Open Access Journal, August 2020, vol. 10, issue 14, article 4862, pp. 1-31.
Computer security incident handling guide
  • P Cichonski
Online cyber security & hacking courses
  • Stationx
SPD-Safe: Secure administration of railway intelligent transportation systems. Electronics -Special Issue on Advances in Public Transport Platform for the Development of Sustainability Cities
  • G Hatzivasilis
Hatzivasilis, G., et al.: SPD-Safe: Secure administration of railway intelligent transportation systems. Electronics -Special Issue on Advances in Public Transport Platform for the Development of Sustainability Cities, MDPI Open Access Journal, January 2021, vol. 10, issue 1, article 92, pp. 1-26.
CYRA: A Model-Driven Cyber Range Assurance Platform. Applied Sciences -Special Issue on Security Management of 5G and IoT Ecosystems
  • I Smyrlis
Smyrlis, I., et al.: CYRA: A Model-Driven Cyber Range Assurance Platform. Applied Sciences -Special Issue on Security Management of 5G and IoT Ecosystems, MDPI Open Access Journal, June 2021, vol. 11, issue 11, article 5165, pp. 1-28.
  • C Braghin
Braghin, C., et al.: Towards the Monitoring and Evaluation of Trainees' Activities in Cyber Ranges. 2 nd Model-driven Simulation and Training Environments for Cybersecurity (MSTEC), ESORICS, Guildford, UK, September 2020, Springer, LNCS, vol. 12512, pp. 79-91.
Develop security skills
  • Cybrary
Cybrary: Develop security skills. https://www.cybrary.it/. [12] StationX: Online cyber security & hacking courses. https://www.stationx.net/.
  • L Goeke
Goeke, L., et al.: PROTECT -An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks. 1 st Model-driven Simulation and Training Environments for Cybersecurity (MSTEC), ESORICS, Luxembourg, September 2019, Springer, LNCS, vol. 11981, pp 156-171.
  • S Pape
Pape, S., et al.: Conceptualization of a CyberSecurity Awareness Quiz. 2 nd Model-driven Simulation and Training Environments for Cybersecurity (MSTEC), ESORICS, Guildford, UK, September 2020, Springer, LNCS, vol. 12512, pp. 61-76.