January 2025
December 2024
November 2024
November 2024
November 2024
October 2024
July 2024
Writing secure code is challenging and so it is expected that, following the release of code-generative AI tools, such as ChatGPT and GitHub Copilot, developers will use these tools to perform security tasks and use security APIs. However, is the code generated by ChatGPT secure? How would the everyday software or security engineer be able to tell? As we approach the next decade we expect a greater adoption of code-generative AI tools and to see developers use them to write secure code. In preparation for this, we need to ensure security-by-design. In this paper, we look back in time to Saltzer & Schroeder's security design principles as they will need to evolve and adapt to the challenges that come with a world of AI-generated code.
July 2024
July 2024
Computers & Security
June 2024
Cyber Essentials (CE) comprise a set of controls designed to protect organisations, irrespective of their size, against cyber attacks. The controls are firewalls, secure configuration, user access control, malware protection & security update management. In this work, we explore the extent to which CE remains robust against an ever-evolving threat landscape. To that end, we reconstruct 45 breaches mapped to MITRE ATT&CK using an Incident Fault Tree (IFT) approach. Our method reveals the intersections where the placement of controls could have protected organisations. Then we identify appropriate Cyber Essential controls and/or Additional Controls for these vulnerable intersections. Our results show that CE controls can effectively protect against most attacks during the initial attack phase. However, they may need to be complemented with Additional Controls if the attack proceeds further into organisational systems & networks. The Additional Controls (AC) we identify include back-ups, security awareness, logging and monitoring. Our analysis brings to the fore a foundational issue as to whether controls should exclude recovery and focus only on pre-emption. The latter makes the strong assumption that a prior identification of all controls in a dynamic threat landscape is indeed possible. Furthermore, any potential broadening of technical controls entails re-scoping the skills that are required for a Cyber Essentials (CE) assessor. To that end, we suggest human factors and security operations and incident management as two potential knowledge areas from Cyber Security Body of Knowledge (CyBOK) if there is any broadening of CE based on these findings.
... Unfortunately, little research has investigated the security threats posed by knowledge base poisoning in the RACG systems. Previous research has mainly focused on the security of code directly generated by LLMs [32,56,74], leaving a critical gap in understanding the security of code generated by RACG systems, particularly when the knowledge base is poisoned by attackers. As RACG rapidly becomes a mainstream paradigm in modern LLM-based systems [45,50,71], this knowledge gap becomes even more pressing. ...
December 2024
... The management of knowledge helps organizations to identify gaps in knowledge and experience in the context of cybersecurity. There are many studies conducted to evaluate employee skills, knowledge, awareness and continuous skill development of cybersecurity in organizations [10][11][12][13]. Typically, cybersecurity incidents occur within organizations due to employees who unintentionally get involved in breach of data integrity and cybersecurity [14]. ...
July 2024
Computers & Security
... The widespread integration of machine learning in software quality and security brings new societal and legal considerations [112]. As software systems become increasingly complex and large-scale, novel security challenges arise, underscoring the need for advanced methods in secure software engineering and cybersecurity [128]. ...
July 2024
... Modern E2E encryption is failing to protect privacy, allowing malactors to perform spying activities. The use of desktop clients with shared system states that are open to compromise further questions the robustness of these systems [1]. ...
May 2024
Software Practice and Experience
... San Biagio et al. [161] refers to multiple studies that confirm the prevalence of organized terrorism on social media platforms. These studies highlight the use of the internet by terrorist groups to disseminate their propaganda and recruit new members. The online propaganda, which is part of the last socio-technical component, targets often the offline world. Another usable social media feature is the use of hashtags on shared content which terror organizations have also largely exploited to target individuals [161] [171]. ...
March 2024
... With the close integration of embedded computing, network communication and real-time control technologies, CPS is rapidly developing into a new field [1][2][3]. CPS integrates physical and cyber components and has a wide range of applications in intelligent transportation systems [4], healthcare [5], smart manufacturing [6], energy management [7], and other fields. However, because CPS requires real-time data transmission and high connectivity, it is highly susceptible to cyber interference, which can threaten system security. ...
December 2023
Energy Research & Social Science
... Likewise, social computing scholarship has reflected many parallels. Researchers have extensively reported on AI risks, errors, and failures (Domínguez Hernández et al. 2023; Ntoutsi et al. 2020; Dolata, Feuerriegel, and Schwabe 2022) and in response have created an abundance of RAI artifacts for assessment and mitigation, and to foster better communication between non-industry audiences who contend with the governance of AI. Unlike other industries, RAI artifacts have largely pre-dated AI regulation. ...
October 2023
Proceedings of the ACM on Human-Computer Interaction
... Notably, an advanced worm, Stuxnet, a sophisticated worm, utilises rootkits to conceal itself and exploits static or hard-coded default passwords in IIoT devices like PLC and industrial sensors, leveraging zero-day vulnerabilities in the Windows operating system to impact interconnected nodes [69]. PLCs represent the prime focal points in IIoT integrated systems [70], evident in notable malware attacks like Stuxnet affecting Iranian nuclear facilities, Industroyer causing power outages in Ukraine, and TRITON targeting a Saudi Arabian petrochemical plant [71]. Security breaches targeting IIoT devices may arise from shared communication channels like Wi-Fi, linking various devices, including sensors, PLCs, and other industrial equipment. ...
July 2023
... Privacy engineering has become an imperative part of modern software development due to the emergence of strict legal frameworks such as the General Data Protection Regulation (GDPR) in the European Union [1]. Overall, it involves multiple activities (e.g., privacy requirements elicitation and threat modeling) that, altogether, seek to (i) bring privacy to the forefront of the development pipeline and (ii) facilitate compliance with these legal provisions and data protection standards alike [2]. Nonetheless, it remains a challenging task for many developers who do not count on extensive privacy training from either a technical or a legal perspective [3,4]. ...
September 2023
IEEE Transactions on Software Engineering
... Relative to usability, accessibility demands that any human-centered security design does not disproportionally impact people with disabilities [3]. Relative to inclusivity, accessibility also demands that everyone is involved to the greatest extent possible, that is, factoring not just for their disabilities, but also their basic capabilities (e.g., access to the Internet, computer literacy, economic situation, etc.) when designing security technologies [5,8]. While the security and usability dimensions are well established, accessibility has seldom been considered in a security context. ...
June 2023