Aad van Moorsel

Newcastle University, Newcastle-on-Tyne, England, United Kingdom

Are you Aad van Moorsel?

Claim your profile

Publications (139)20.35 Total impact

  • Iryna Yevseyeva · Charles Morisset · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Users of computing systems and devices frequently make decisions related to information security, e. g., when choosing a password, deciding whether to log into an unfamiliar wireless network, etc. Employers or other stakeholders may have a preference for certain outcomes, without being able to or having a desire to enforce a particular decision. In such situations, systems may build in design nudges to influence the decision making, e. g., by highlighting the employer’s preferred solution. In this paper we model influencing in information security to identify which approaches to influencing are most effective and how they can be optimized. To do so, we extend traditional multi-criteria decision analysis models with modifiable criteria, to represent the approaches an influencer has available to influence the choice of the decision maker. We also introduce the notion of influence power, to characterize the extend to which an influencer can influence decision makers. We illustrate our approach using data from a controlled experiment on techniques to influence which public wireless network users select. This allows us to calculate influence power and identify which design nudges exercise the most influence over user decisions.
    No preview · Article · Jan 2016
  • [Show abstract] [Hide abstract]
    ABSTRACT: Choosing an optimal investment in information security is an issue most companies face these days. Which security controls to buy to protect the IT system of a company in the best way? Selecting a subset of security controls among many available ones can be seen as a resource allocation problem that should take into account conflicting objectives and constraints of the problem. In particular, the security of the system should be improved without hindering productivity, under a limited budget for buying controls. In this work, we provide several possible formulations of security controls subset selection problem as a portfolio optimization, which is well known in financial management. We propose approaches to solve them using existing single and multiobjective optimization algorithms.
    No preview · Article · Dec 2015 · Procedia Computer Science
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: People make security choices on a daily basis without fully considering the security implications of those choices. In this paper we present a prototype application which promotes the choice of secure wireless network options, specifically when users are unfamiliar with the wireless networks available. The app was developed based on behavioural theory, choice architecture and good practices informed by HCI design. The app includes several options to 'nudge' users towards selecting more secure public wireless networks. This paper outlines the development and the results of an evaluation of some of the potential app nudges (specifically, presentation order and colour coding). Colour coding was found to be a powerful influence, less so with the order in which we listed the Wi-Fi networks, although the colour x order combination was most effective. The paper contributes to the body of evidence on the effectiveness of cyber-security interventions to empower the user to make more informed security decisions.
    Full-text · Conference Paper · Jul 2015
  • Wen Zeng · Maciej Koutny · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: By providing effective access control mechanisms, enterprise information security technologies have been proven successful in protecting the confidentiality of sensitive information in business organizations. However, such security mechanisms typically reduce the work productivity of the staff, by making them spend time working on non-project related tasks. Therefore, organizations have to invest a signification amount of capital in the information security technologies, and then to continue incurring additional costs. In this study, we investigate the performance of administrators in an information help desk, and the non-productive time (NPT) in an organization, resulting from the implementation of information security technologies. An approximate analytical solution is discussed first, and the loss of staff member productivity is quantified using non-productive time. Stochastic Petri nets are then used to provide simulation results. The presented study can help information security managers to make investment decisions, and to take actions toward reducing the cost of information security technologies, so that a balance is kept between information security expense, resource drain and effectiveness of security technologies.
    No preview · Article · Dec 2014
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In this work we address the main issues of IT consumerisation that are related to security risks, and propose a ‘soft’ mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.
    Full-text · Article · Nov 2014
  • B. Arief · K.P.L. Coopamootoo · M. Emms · A. Van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Privacy is a concept with real life ties and implications. Privacy infringement has the potential to lead to serious consequences for the stakeholders involved, hence researchers and organisations have developed various privacy enhancing techniques and tools. However, there is no solution that fits all, and there are instances where privacy solutions could be misused, for example to hide nefarious activities. Therefore, it is important to provide suitable measures and to make necessary design tradeoffs in order to avoid such misuse. This short paper aims to make a case for the need of careful consideration when designing a privacy solution, such that the design effectively addresses the user requirements while at the same time minimises the risk of inadvertently assisting potential offenders. In other words, this paper strives to promote "sensible privacy" design, which deals with the complex challenges in balancing privacy, usability and accountability. We illustrate this idea through a case study involving the design of privacy solutions for domestic violence survivors. This is the main contribution of the paper. The case study presents specific user requirements and operating conditions, which coupled with the attacker model, provide a complex yet interesting scenario to explore. One example of our solutions is described in detail to demonstrate the feasibility of our approach.
    No preview · Article · Nov 2014
  • M. Emms · B. Arief · L. Freitas · J. Hannon · A. Van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.
    No preview · Article · Nov 2014
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In this work we address the main issues of IT consumerisation that are related to security risks, and propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions.
    Full-text · Conference Paper · Oct 2014
  • Iryna Yevseyeva · Charles Morisset · Thomas Groß · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Information security decisions typically involve a trade-off between security and productivity. In practical settings, it is often the human user who is best positioned to make this trade-off decision, or in fact has a right to make its own decision (such as in the case of ‘bring your own device’), although it may be responsibility of a company security manager to influence employees choices. One of the practical ways to model human decision making is with multi-criteria decision analysis, which we use here for modeling security choices. The proposed decision making model facilitates quantitative analysis of influencing information security behavior by capturing the criteria affecting the choice and their importance to the decision maker.Within this model, we will characterize the optimal modification of the criteria values, taking into account that not all criteria can be changed. We show how subtle defaults influence the choice of the decision maker and calculate their impact. We apply our model to derive optimal policies for the case study of a public Wi-Fi network selection, in which the graphical user interface aims to influence the user to a particular security behavior.
    No preview · Chapter · Sep 2014
  • Charles Morisset · Iryna Yevseyeva · Thomas Groß · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision, rather than forced to select that decision. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control, by limiting the control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them make their own selection is optimal. We define the general notion of optimal influencing policy, that takes into account both the control of the influencer and the uncertainty in the system.
    No preview · Chapter · Sep 2014
  • Charles Morisset · Thomas Groß · Aad van Moorsel · Iryna Yevseyeva
    [Show abstract] [Hide abstract]
    ABSTRACT: On the one hand, an access control mechanism must make a conclusive decision for a given access request. On the other hand, such a mechanism usually relies on one or several decision making processes, which can return partial decisions, inconclusive ones, or conflicting ones. In some cases, this information might not be sufficient to automatically make a conclusive decision, and the access control mechanism might have to involve a human expert to make the final decision. In this paper, we formalise these decision making processes as quantitative access control systems, which associate each decision with a measure, indicating for instance the level of confidence of the system in the decision. We then propose to explore how nudging, i.e., how modifying the context of the decision making process for that human expert, can be used in this context. We thus formalise when such a delegation is required, when nudging is applicable, and illustrate some examples from the MINDSPACE framework in the context of access control.
    No preview · Chapter · Jun 2014
  • Source
    Lynne Coventry · Pam Briggs · Debora Jeske · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the behavior change literature (MINDSPACE) that allows resesarchers and organisational stakeholders to work together to identify a set of nudges that might promote best behavioral practice. We describe the structured approach or framework, which we call SCENE, and follow this description with a worked example of how the approach has been utilised effectively in the development of a nudge to mitigate insecure behaviors around selection of wireless networks.
    Full-text · Conference Paper · Jun 2014
  • Source
    Debora Jeske · Lynne Coventry · Pam Briggs · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized behaviour change in security. We asked participants to select from a menu of public wireless networks, using colour and menu order to ‘nudge’ participants towards making more secure choices. The preliminary results from 67 participants suggest that while nudging can be an effective tool to help non-experts to select more secure networks, certain user differences may also play a role. Lower (novice level) IT proficiency and diminished impulse control led to poorer security decisions. At the same time, we were able to demonstrate that our nudge effectively changed the behaviour of participants with poor impulse control. We discuss these implications and pose several questions for future research.
    Full-text · Conference Paper · Apr 2014
  • Winai Wongthai · Francisco Rocha · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Cloud computing offers computational resources such as processing, networking, and storage to customers. However, the cloud also brings with it security concerns which affect both cloud consumers and providers. The Cloud Security Alliance (CSA) define the security concerns as the seven main threats. This paper investigates how threat number one (malicious activities performed in consumers' virtual machines/VMs) can affect the security of both consumers and providers. It proposes logging solutions to mitigate risks associated with this threat. We systematically design and implement a prototype of the proposed logging solutions in an IaaS to record the history of customer VM's files. The proposed system can be modified in order to record VMs' process behaviour log files. These log files can assist in identifying malicious activities (spamming) performed in the VMs as an example of how the proposed solutions benefits the provider side. The proposed system can record the log files while having a smaller trusted computing base compared to previous work. Thus, the logging solutions in this paper can assist in mitigating risks associated with the CSA threats to benefit consumers and providers.
    No preview · Conference Paper · Dec 2013
  • Suliman A. Alsuhibany · Charles Morisset · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: An intrusion and attack detection system usually focuses on classifying a record as either normal or abnormal. In some cases such as insider attacks, attackers rely on feedback from the attacked system, which enables them to gradually manipulate their attempts in order to avoid detection. This paper proposes the notion of accumulative manipulation that can be observed through a number of attempts accomplished by the attacker, which forms the basis of the Attacker Learning Curve (ALC). Based on a controlled experiment, we first show that the ALC for three different attack strategies are consistent between two different groups of subjects. We then define a strategy detection mechanism, which is experimentally shown to be accurate more than 70% of the time.
    No preview · Conference Paper · Oct 2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: In the practical use of security mechanisms such as CAPTCHAs and spam filters, attackers and defenders exchange ‘victories,’ each celebrating (temporary) success in breaking and defending. While most of security mechanisms rely on a single algorithm as a defense mechanism, we propose an approach based on a set of algorithms as a defense mechanism. When studying sets of algorithms various issues arise about how to construct the algorithms and in which order or in which combination to release them. In this paper, we consider the question of whether the order in which a set of defensive algorithms is released has a significant impact on the time taken by attackers to break the combined set of algorithms. The rationale behind our approach is that attackers learn from their attempts, and that the release schedule of defensive mechanisms can be adjusted so as to impair that learning process. This paper introduces this problem. We show that our hypothesis holds for an experiment using several simplified but representative spam filter algorithms—that is, the order in which spam filters are released has a statistically significant impact on the time attackers take to break all algorithms.
    No preview · Chapter · Sep 2013
  • Martin Emms · Budi Arief · Nicholas Little · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Contactless card payments are being introduced around the world allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However our research has found the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder’s PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.
    No preview · Chapter · Apr 2013
  • Source
    Winai Wongthai · F.L. Rocha · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: Infrastructure as a Service (IaaS) consists of a cloud-based infrastructure to offer consumers raw computation resources such as storage and networking. These resources are billed using a pay-per-use cost model. However, this type of infrastructure is far from being a security haven as the seven main threats defined by the Cloud Security Alliance (CSA) indicate. Using logging systems can provide evidence to support accountability for an IaaS cloud, which helps us mitigating known threats. In this paper, we research to which extent such logging systems help mitigate risks associated with the threats identified by the CSA. A generic architecture 'template' for logging systems is proposed. This template encompasses all possible instantiations of logging solutions for IaaS cloud. We map existing logging systems to our generic template, and identify a logging solution to mitigate the risks associated with CSA threat number one (related to spam activities). We then argue that the template we suggest can be used to perform a systematic analysis of logging systems in terms of security before deploying them in production systems.
    Full-text · Conference Paper · Jan 2013
  • Francisco Rocha · Thomas Gross · Aad van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: A critical challenge in cloud computing is assuring confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host. A security critical resource is random access memory, which in the current version of the Xen hyper visor is vulnerable to attacks. Like previous work demonstrated, this vulnerability originates from Xen adopting avery permissive memory access model for its management virtual machine (Dom0). The model assumes it is safe to grant Dom0full access to the memory space allocated to consumer's virtual machines. In this paper, we first present a sophisticated attack which makes it possible to compromise security-sensitive information resident in the memory area of a particular process executing in a virtual machine. The attack demonstration consists in subverting the new inter-virtual machine communication mechanism, libvchan, which is under development for the Xen hyper visor. This attack allows us to propose and implement a proof of concept for a lightweight mandatory memory access control mechanism for Xen, which achieves a better overall memory access model forDom0. We then propose an architecture which takes advantage of our memory protection mechanism and previous work to achievedefense in depth in cloud computing.
    No preview · Conference Paper · Jan 2013
  • S.A. Alsuhibany · A. van Moorsel
    [Show abstract] [Hide abstract]
    ABSTRACT: While security algorithms are utilized to protect system resources from misuse, using a single algorithm such as CAPTCHAs and Spam-Filters as a defence mechanism can work to protect a system against current attacks. However, as attackers learn from their attempts, this algorithm will eventually become useless and the system is no longer protected. We propose to look at a set of algorithms as a combined defence mechanism to maximize the time taken by attackers to break a system. When studying sets of algorithms, diverse issues arise in terms of how to construct them and in which order or in which combination to release them. In this paper, we propose a model based on Stochastic Petri Nets, which describe the interaction between an attacker, the set of algorithms used by a system, and the knowledge gained by the attacker with each attack. In particular, we investigate the interleaving of dependent algorithms, which have overlapping rules, with independent algorithms, which have a disjoint set of rules. Based on the proposed model, we have analyzed and evaluated how the order can impact the time taken by an attacker to break a set of algorithms. Given the mean time to security failure (MTTSF) for a system to reach a failure state, we identify an improved approach to the release order of a set of algorithms in terms of maximizing the time taken by the attacker to break them. Further, we show a prediction of the attacker's knowledge acquisition progress during the attack process.
    No preview · Conference Paper · Jan 2013

Publication Stats

1k Citations
20.35 Total Impact Points


  • 2004-2014
    • Newcastle University
      • School of Computing Science
      Newcastle-on-Tyne, England, United Kingdom
  • 2004-2011
    • University of Newcastle
      • Department of Computer Science
      Newcastle, New South Wales, Australia
  • 2008
    • University of Florence
      • Dipartimento di Ingegneria dell'Informazione
      Florens, Tuscany, Italy
  • 2007-2008
    • The Newcastle upon Tyne Hospitals NHS Foundation Trust
      Newcastle-on-Tyne, England, United Kingdom
  • 2002-2003
    • Hewlett-Packard
      Palo Alto, California, United States
    • The Chinese University of Hong Kong
      • Department of Computer Science and Engineering
      Hong Kong, Hong Kong
  • 2001-2003
    • FX Palo Alto Laboratory
      Palo Alto, California, United States
  • 1995-1998
    • University of Illinois, Urbana-Champaign
      • Coordinated Science Laboratory
      Urbana, Illinois, United States
  • 1992-1995
    • Universiteit Twente
      • • Department of Computer Science
      • • Centre for Telematics and Information Technology (CTIT)
      Enschede, Provincie Overijssel, Netherlands