Jeb Webb’s research while affiliated with University of Melbourne and other places


Publications (10)


Figure 2: The APTOL
Figure 3: Disinformation to Exploit SA Vulnerability
Strategically-Motivated Advanced Persistent Threat: Definition, Process, Tactics and a Disinformation Model of Counterattack
  • Preprint

March 2021 · 360 Reads · Jeb Webb · James Boorman

Advanced persistent threat (APT) is widely acknowledged to be the most sophisticated and potent class of security threat. APT refers to knowledgeable human attackers that are organized, highly sophisticated and motivated to achieve their objectives against a targeted organization(s) over a prolonged period. Strategically-motivated APTs or S-APTs are distinct in that they draw their objectives from the broader strategic agenda of third parties such as criminal syndicates, nation-states, and rival corporations. In this paper we review the use of the term - Advanced Persistent Threat - and present a formal definition. We then draw on military science, the science of organized conflict, for a theoretical basis to develop a rigorous and holistic model of the stages of an APT operation which we subsequently use to explain how S-APTs execute their strategically motivated operations using tactics, techniques and procedures. Finally, we present a general disinformation model, derived from situation awareness theory, and explain how disinformation can be used to attack the situation awareness and decision making of not only S-APT operators, but also the entities that back them.


Figure 2: The APTOL
Figure 3: Disinformation to Exploit SA Vulnerability
Strategically-Motivated Advanced Persistent Threat: Definition, Process, Tactics and a Disinformation Model of Counterattack

July 2019 · 4,534 Reads · 142 Citations · Computers & Security

Advanced persistent threat (APT) is widely acknowledged to be the most sophisticated and potent class of security threat. APT refers to knowledgeable human attackers that are organized, highly sophisticated and motivated to achieve their objectives against a targeted organization(s) over a prolonged period. Strategically-motivated APTs or S-APTs are distinct in that they draw their objectives from the broader strategic agenda of third parties such as criminal syndicates, nation-states, and rival corporations. In this paper we review the use of the term “advanced persistent threat,” and present a formal definition. We then draw on military science, the science of organized conflict, for a theoretical basis to develop a rigorous and holistic model of the stages of an APT operation which we subsequently use to explain how S-APTs execute their strategically motivated operations using tactics, techniques and procedures. Finally, we present a general disinformation model, derived from situation awareness theory, and explain how disinformation can be used to attack the situation awareness and decision making of not only S-APT operators, but also the entities that back them.




Fig. 1. Conceptual architectural model for the intelligent warning app 
Intelligent Warning Systems: 'Nudges' as a Form of User Control for Internet of Things Data Collection and Use

August 2017 · 187 Reads · 1 Citation

The modern digital world of networking and connectivity makes possible a new era of computing in which users exert greater control over the collection and use of their personal data through the Internet of Things (IoT). Our recent empirical work indicates that traditional forms of consent are inadequate and that users are looking for different levels of and greater involvement in controlling the collection and use of their personal data – with some participants voicing particular concerns about collection and use of sensitive data, such as health information, and others pointing to particular risks, such as insecure storage in the Cloud. In response to these needs we propose a new Intelligent Warning Application in the form of a conceptual architecture for an App that empowers users to control their IoT data collection through users: 1) identifying their own levels of risk, 2) customizing the App allowing for the setting of their identified risk levels, and 3) situated use of the App warning users of risk-averse situations through 'nudges'. We conclude with a discussion illustrating scenarios of the App's.


Towards responsive regulation of the Internet of Things: Australian perspectives

March 2017 · 198 Reads · 9 Citations · Internet Policy Review · Megan Richardson · Karin Clark · [...]

The Internet of Things (IoT) is considered to be one of the most significant disruptive technologies of modern times, and promises to impact our lives in many positive ways. At the same time, its interactivity and interconnectivity pose significant challenges to privacy and data protection. Following an exploratory interpretive qualitative case study approach, we interviewed 14 active IoT users plus ten IoT designers/developers in Melbourne, Australia to explore their experiences and concerns about privacy and data protection in a more networked world enabled by the IoT. We conclude with some recommendations for ‘responsive regulation’ of the IoT in the Australian context.



Figure 1: Endsley’s Situation Awareness Model (Adapted from Endsley 1995) 
Figure 3: Intelligence-Driven ISRM at the Business Process Level 
Information Security Risk Management: An Intelligence-Driven Approach

November 2014 · 2,215 Reads · 30 Citations · Australasian Journal of Information Systems

Three deficiencies exist in the organisational practice of information security risk management: risk assessments are commonly perfunctory; security risks are estimated without investigation; risk is assessed on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation awareness of decision-makers in many organisations is currently inadequate. This research-in-progress paper uses Endsley's situation awareness theory, and examines how the structure and functions of the US national security intelligence enterprise—a revelatory case of enterprise situation awareness development in security and risk management—correspond with Endsley’s theoretical model, and how facets of the US enterprise might be adapted to improve situation awareness in the information security risk management process of organisations.


A Situation Awareness Model for Information Security Risk Management

July 2014 · 4,323 Reads · 187 Citations · Computers & Security

Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.


Towards an Intelligence-Driven Information Security Risk Management Process for Organisations

December 2013 · 147 Reads · 8 Citations

Three deficiencies exist in information security under prevailing practices: organisations tend to focus on compliance over protection; to estimate risk without investigating it; and to assess risk on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation awareness of decision-makers in many organisations is currently inadequate. This research-in-progress paper uses Endsley's situation awareness theory, and examines how the structure and functions of the US national security intelligence enterprise—a revelatory case of enterprise situation awareness development in security and risk management—correspond with Endsley's theoretical model, and how facets of the US enterprise might be adapted to improve situation awareness in the information security risk management process of organisations.

Citations (6)


... It argues that automation of various types boosts the signal strength of poor-quality information, thus putting individual citizens at greater risk. In some instances, foreign states and domestic operators use trolls, bots, and sock puppets as super-spreaders of disinformation on social media platforms (Ahmad et al. 2019; Bradshaw and Howard 2019; Jamieson 2020; Keller et al. 2019; Linvill and Warren 2020; Weissmann et al. 2021; Woolley and Guilbeault 2017; Zannettou et al. 2019). ...

Reference:

Platforms, Politics, and the Crisis of Democracy: Connective Action and the Rise of Illiberalism
Strategically-Motivated Advanced Persistent Threat: Definition, Process, Tactics and a Disinformation Model of Counterattack

Computers & Security

... To address this issue, manufacturers must adopt clear, simple, and concise privacy policies that directly communicate how users' personal data is being handled. The use of clear opt-in mechanisms for data sharing and regular updates on changes to privacy policies also enhances transparency and trust (Binns, 2018). ...

Privacy and the Internet of Things
  • Citing Article
  • December 2016

... Increased technological capacity for data collection and predictive analytics enables business to individualize their approach to consumers through targeted advertising and differential pricing, and to vary these strategies promptly in response to granular information about consumer responses (see further Milgrom and Tadelis 2019, p. 21; Thomas 2017, p. 35; Milgrom and Tadelis 2019, p. 21; Tsesis 2019). The result is a form of digital "manipulation" or "hyper nudging," which promotes an illusion of choice where none actually exists (Calo 2014; Mik 2016; Richardson et al. 2017; Yeung 2017). The data collection and analytics now utilized by online marketing firms allows them to identify precisely the situational and constitutional vulnerabilities of consumers and to use those insights to promote amenable products, while ceasing to display other choices (Calo 2014; Clifford 2020; Helberger 2016; OECD 2017, p. 6; Vranaki 2017). ...

Towards responsive regulation of the Internet of Things: Australian perspectives

Internet Policy Review

... There exists a prevalent misconception that compliance to standards and regulation equals strong cybersecurity [29,31,67]. However, attackers don't care whether an organization is fully compliant or not, they will try to find vulnerabilities anyway. ...

Information Security Risk Management: An Intelligence-Driven Approach

Australasian Journal of Information Systems

... In addition, learning processes can help raise awareness, especially situational awareness. Situational awareness is the ability of an individual to observe, comprehend, learn from, and act on the elements of their environment or situations, to project possible future events in the same environment [20], [21], [22]. Therefore, an individual's failure to observe, comprehend, learn from and/or act on the elements of the environment to project possible future events and plan future actions in their environment constitutes a lack of awareness. ...

A Situation Awareness Model for Information Security Risk Management

Computers & Security

... As a response to the benefits it provides and the present market trend, CTI has attracted the attention of most organizations. Consequently, CTI alters the organization's processes and actions as it faces various issues [6,7]. Therefore, the current research will document state-of-the-art cyber threat intelligence. ...

Towards an Intelligence-Driven Information Security Risk Management Process for Organisations