Effects of software security vulnerabilities on the software development industry
Category Archives: Cybersecurity: Challenges and New Threats
Analyzing the Effect of IT Decision-Making on Cybersecurity Breaches in Higher Education
Analyzing the Effect of IT Decision-Making on Cybersecurity Breaches in Higher Education
Lawrence J. Awuah, PhD
Abstract: The recent and current data breaches and cyberattacks continue to spike at an alarming rate, which in most cases can be consequential if proactive measures are not taken. Unfortunately, taking a closer look at most of those breaches and/or cyberattacks indicates that risk-based and event-based decision-making could have intended or unintended impacts on potential threats and the level of mitigated effort implemented. In this view, the lack of centralized IT governance, particularly in Higher Ed institutions, over the years, has witnessed frequent breaches associated with rising security incidents. It has therefore become critically important that IT and cybersecurity executives do well to balance IT uptime with data protection requirements while adhering to security policy enforcement.
Liu, C. W., Huang, P., & Lucas Jr, H. C. (2020). Centralized IT decision making and cybersecurity breaches: Evidence from US higher education institutions. Journal of Management Information Systems, 37(3), 758-787.
Summary: “Despite the consensus that information security should become an important consideration in information technology (IT) governance rather than the sole responsibility of the IT department, important IT governance decisions are often made on the basis of fulfilling business needs with a minimal amount of attention paid to their implications for information security. We study how an important IT governance mechanism—the degree of centralized decision making—affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a four-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Universities with more heterogeneous IT infrastructure benefit more from centralized IT decision making. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with more intensive research activities. Collectively, these findings highlight the tradeoff between granting autonomy and flexibility in the use of information systems and enforcing standardized, organization-wide security protocols.”
Keywords: Risk management, risk assessment, IT security; IT governance; cybersecurity breach; centralized decision making; cybersecurity analytics; security operations
Recent high-profile security breaches, notably those involving much-publicized and large-scale breaches and ransomware attacks on Colonial Pipeline, Facebook data breach, Kaseya Ransomware attack, and Sony Pictures have attracted scrutiny as to how the seemingly flawed decisions of employees or IT leadership can have major cybersecurity implications. Additionally, the recent and current data breaches and cyberattacks continue to spike at an alarming rate with associated consequential impacts. A closer examination of most of those breaches indicates that risk-based and event-based decision-making could have intended or unintended impacts on potential threats and the level of mitigated effort implemented. With cyberattacks becoming more widespread and more sophisticated than ever before, due care and due diligence should consistently be the focal point of IT executives. By the third quarter of 2022, [8] indicated a total of 112 publicly disclosed security incidents were identified, resulting in over 97 million compromised records. This finding represents an increase of approximately 11% in security incidents compared to the previous year. In their study, Liu et al. [1] found that academic institutions with centralized IT governance record fewer security breaches. This claim was in part attributed to the fact that those institutions with distributed IT infrastructure benefit more from centralized IT decision-making than those who do not. This assertion suggests that lack of centralized IT governance, whether in the corporate establishments or in Higher Ed institutions, can lead to frequent breaches associated as a result of rising security incidents. As well, several studies have examined financial loss, legal implications, and moral obligations involving data breaches and their impact on organizations, data owners, and victims [1]-[6], [8]. It is therefore incumbent on IT and cybersecurity leadership to do more to balance IT functionality and uptime with data protection needs while instituting security policy enforcement. This practice can make cybersecurity a business enabler to minimize risks while maximizing revenue for continued business growth.
On the other side of the spectrum, IT governance and decision-making are contingent on human factors. Human error has been known to be the main cause of most cyber security breaches; indeed, humans are the weakest link in the security chain [12]. For this reason, cybersecurity leadership cannot ignore security awareness training programs. The executives should be mindful of the fact that humans form a significant factor contributing to data breaches. This awareness can augment the centralized IT decision-making in confronting cybersecurity breaches in Higher Ed institutions in particular and the industry in general. According to [11], security awareness training programs are educational in nature that equip employees with tools to identify, mitigate, and report such attacks crafted by social engineering techniques. One of the biggest risks to an organization’s IT security is often not a weakness in the technology control environment per se; rather it is the action or inaction by employees and other personnel that can lead to security incidents. For example, employee noncompliance related to IT security policies continues to raise eyebrows for most organizations today. In other words, considering the variety of IS security policy compliance strategies in place, security awareness training [9], [10]-[11] forms a crucial part of the war on cyber threats. Evidently, despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks [2].
Furthermore, several studies [4]-[6] suggest that while cybersecurity is usually treated as a technology problem, most data breaches are the result of human error. By identifying the social behavior indicators, along with the rationales behind the decision-making process, the development of cybersecurity architecture can be improved. This aligns with the assertion by Liu et al. [1] that that adopting a centralized IT unit with a better understanding of the overall IT architecture can better equip the executives in managing risks even in a sophisticated IT environment. This is particularly important to the average cybersecurity team who could possibly make reactive decisions in addressing reported breaches. In any case, the human factor needs to be an integral part of every IT implementation when reducing and protecting against information security risks accompanying the development, architecture, and maintenance of an IT system [5]. In other words, discussing IT security problems must factor in policies, behavior, and user compliance requirements [6].
Over the past few years, [1] noted that the management of information security has gained significant research interests in the research community, as well as expert interests in the field. Typically, risk-based decision-making is reflective of strategic investments by virtue of the desire for detection, prevention, and response plans. These three parameters need to be balanced for optimum gains. Additionally, the importance of good management practices in protecting organizational assets and enforcement policies in checking employee security behaviors in organizations has also been recognized [5]-[6], [9]-[10]. One typical example is law enforcement, which can play a key role in this effort. Hui et al. estimated the impact of enforcing the Convention on Cybercrime (COC) on the desire to deter and reduce distributed denial of service (DDOS) attacks, for example [7]. The authors noted that directly observing attacker behavior can impact deterrence to complement law enforcement and leadership actions. Overall, making well-informed decisions regarding the value and benefits of secure IT implementations in the organization is great if cybersecurity is considered a business enabler. For instance, proactive investment strategies should be adopted to help minimize risks to the organization and maximize return on investment (ROI) from the perspective of understanding cybersecurity as a business enabler.
Moreover, there are other factors that make the role of IT and information security leadership an important ingredient in ensuring a substantial security posture. In some literature, there have been constant calls for IT executives to improve security operations capabilities with the aim of identifying and confronting cyberattacks using applicable incident response techniques as presented by [3]. For example, by automating security controls and policies, the security operations teams can operationalize cyber response best practices with the right guidance. In another study, strict security policies surrounding Bring Your Own Device (BYOD) computing environment in organizations were studied. Thus, complying with BYOD security policies is necessary within organizations to address the factors that lead to the desired security behavior [4]. As mentioned earlier, [1], [5] examined the implications of IT decision-making on the effect of information security management on the protection of assets and critical data. In their justification, the authors developed and tested hypotheses considering how centralized and strategic IT decision-making affect the value of information security over a certain period.
Key Takeaways
IT/Cybersecurity executives in academic institutions must consider doing the following:
- Endeavor to put safeguards in place including security controls, policies, security awareness programs, disaster recovery plans (DRP)/ business continuity plans (BCP) and others.
- Focus on embracing strategic goals in line with cybersecurity as a business enabler in terms of risk reduction, cost-effectiveness, and resource optimization targeted at high ROI.
- Understand the threat landscape, assess cybersecurity maturity, improve cybersecurity program, and document short- and long-term cybersecurity strategy.
- Balanced prevention techniques, response strategies, and detection capabilities with actionable intelligence.
In a nutshell, the theoretical development and empirical analyses yielded two important findings about the adoption of centralized IT governance in the enterprise. The main goal is that this practice tends to minimize cybersecurity breaches, especially when an academic institution has a heterogeneous IT environment in place. In these days of escalating attempts to breach information systems everywhere at any time, it is imperative that senior executives—including CISO, CIO, CFO, CRO, and CEO—consider the impact of IT governance decisions on their cybersecurity maturity and the value it brings to the organization. Therefore, the quest for reinventing cybersecurity solutions must be a continuous focus to bolsters cybersecurity infrastructure with appreciable visibility and the need to gravitate toward broader security strategies for added benefits to the organization.
Full article: Centralized IT Decision Making and Cybersecurity Breaches (Harvard)
References:
[1] Liu, C., Huang, P., & Lucas, H., C. (2020). Centralized Information Technology Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions. Journal Of Management Information Systems, 37(3), 758–787. https://doi.org/10.1080/07421222.2020.1790190
[2] Wright, R., Johnson, S. L., & Kitchens, B. (2022). Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection. Wright, RT, Johnson, SL, Kitchens, B.” Phishing Susceptibility in Context: A Multi-level Information Processing Perspective on Deception Detection” MIS Quarterly.
[3] Kinyua, J. & Awuah, L. (2021). AI/ML in Security Orchestration, Automation and Response: Future Research Directions. Intelligent Automation & Soft Computing, 28(2), 527–545. DOI:10.32604/iasc.2021.016240
[4] Palanisamy, R., Norman, A. A., & Kiah, M. L. M. (2020). Compliance with Bring Your Own Device security policies in organizations: A systematic literature review. Computers & Security, 98, 101998.
[5] Bhaharin, S., H., Sulaiman, R., Mokhtar, U., A., & Yusof, M., M., (2019). Issues and Trends in Information Security Policy Compliance. 2019 6th International Conference on Research and Innovation in Information Systems (ICRIIS). DOI: 10.1109/ICRIIS48246.2019.9073645
[6] Angraini, A., & Okfalisa, R. Y. (2019). Information security policy compliance: Systematic literature review. Procedia Computer Science, 161, 1216-1224.
[7] Hui, K. L., Kim, S. H., & Wang, Q. H. (2017). Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks. Mis Quarterly, 41(2), 497.
[8] Irwin, L. (2022, September 1). List of Data Breaches and Cyber Attacks in August 2022–97 Million Records Breached. IT Governance. https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-august-2022-97-million-records-breached
[9] Puhakainen, P., & Siponen, M. (2010). Improving Employees’ Compliance Through Information Systems Security Training: An Action Research Study. MIS Quarterly 34(4), 757-778.
[10] Richet, J. L. (2012). How to Become a Black Hat Hacker? An Exploratory Study of Barriers to Entry Into Cybercrime. In AIM.
[11] Solomon, A., Michaelshvili, M., Bitton, R., Shapira, B., Rokach, L., Puzis, R., & Shabtai, A. (2022). Contextual security awareness: A context-based approach for assessing the security awareness of users. Knowledge-Based Systems, 246, 108709.
[12] Richet, J. L. (2022). How cybercriminal communities grow and change: An investigation of ad-fraud communities. Technological Forecasting and Social Change, 174, 121282.
Employing Detection Techniques to Confront the Rapid Spread of Fake News
Employing Detection Techniques to Confront the Rapid Spread of Fake News
Lawrence J. Awuah, PhD
Abstract: Today, the use of social networks such as Facebook, Twitter, and Instagram has become a key part of continuous human engagement in the sense that these platforms are available for users to share personal messages, pictures, videos, and other forms of multimedia. However, these changing trends have become catalysts for creating misleading activities including misinformation, disinformation, and fake news. For example, the spread of false news on social media has adversely impacted mainstream news media, politics, public trust, and healthcare needs. Therefore, the desire to confront the spread of misinformation, disinformation, and false or misleading news remains a challenge for these social media platforms, policymakers, and law enforcement agencies. Several solutions have been suggested by the research community such as the application of machine intelligence, crowd technologies, and social media ranking algorithms with the aim of addressing this ever-evolving infodemic menace.
Wei, X., Zhang, Z., Zhang, M., Chen, W., & Zeng, D. D. (2021). Combining Crowd and Machine Intelligence to Detect False News on Social Media. MIS Quarterly.
Summary: “The explosive spread of false news on social media has severely affected many areas such as news ecosystems, politics, economics, and public trust, especially amid the COVID-19 infodemic. Machine intelligence has met with limited success in detecting and curbing false news. Human knowledge and intelligence hold great potential to complement machine-based methods. Yet they are largely underexplored in current false news detection research, especially in terms of how to efficiently utilize such information. We observe that the crowd contributes to the challenging task of assessing the veracity of news by posting responses or reporting. We propose combining these two types of scalable crowd judgments with machine intelligence to tackle the false news crisis. Specifically, we design a novel framework called CAND, which first extracts relevant human and machine judgments from data sources including news features and scalable crowd intelligence. The extracted information is then aggregated by an unsupervised Bayesian aggregation model. Evaluation based on Weibo and Twitter datasets demonstrates the effectiveness of crowd intelligence and the superior performance of the proposed framework in comparison with the benchmark methods. The results also generate many valuable insights, such as the complementary value of human and machine intelligence, the possibility of using human intelligence for early detection, and the robustness of our approach to intentional manipulation. This research significantly contributes to relevant literature on false news detection and crowd intelligence. In practice, our proposed framework serves as a feasible and effective approach for false news detection.”
Keywords: Crowd intelligence, collective intelligence, crowdsourcing, misinformation, fake news, social media analytics, machine learning, and deep learning.
With the rapid growth of social media, the ease of access, sharing, and transfer of information by numerous users on various platforms have in part necessitated the rapid spread of misinformation and disinformation in all spheres of our life. Misleading information has been known to negatively impact our social lives, financial situations, and even political affiliations around the world. Today, the use of social media has become a key part of continuous human engagement in the sense that these platforms are available for users to share personal messages, pictures, videos, and other forms of multimedia. However, these changing trends have become catalysts for creating misleading activities including misinformation and disinformation such as fake news that can quickly spread through social networks. Therefore, the desire to confront the spread of false or misleading news remains a challenge for these social media platforms, policymakers, and law enforcement agencies. In other words, detecting and combating fake news has become imperative in today’s world. Consequently, several solutions have been proposed by the research community and professionals in the field including the application of machine intelligence, crowd technologies, and social media ranking algorithms to confront this infodemic menace.
According to Wei et al. [1], while human knowledge and machine intelligence have great potential to complement machine-based strategies in this direction, both of these entities still exhibit limited success in detecting and thwarting false news permeating through social media. The authors were of the view that crowd contributes to the challenging task of assessing the veracity of news and proposed combining the capabilities of crowd judgments with machine intelligence to tackle persistent false news. The research generated valuable insights based on synergy savings involving crowd techniques, and human and machine intelligence, which not only be useful for early detection but also for the intentional manipulation of information. Additionally, a recent stream of developments suggests that the proliferation of social media platforms promotes the prevalence of false news from generation to consumption of information with consequential effects on individuals and organizations in particular and society in general [1] – [4]. The authors of this baseline paper were able to achieve this in several folds. First, they surveyed several streams of relevant literature that serves as the theoretical foundations of their work. Second, they summarize existing studies about false news detection on social media. Third, they reviewed false news studies that are related to crowd intelligence. This approach was the basis of their proposed framework designed to aggregate the extracted judgments.
Even though social media platforms and tech giants such as Facebook, Amazon, Google, and others have started taking action to address the false news epidemic, they seem to lag behind the alarming and continuous spread of misinformation. In addition, the research community has also devoted much effort to address the prevalence of false news based on two types of data sources including news content and social context [1]. According to this baseline research, the authors acknowledged other major challenges noting that in real-world applications, the number of responses and reports usually increases daily while in the development of false news events, debunking information often happens at a later stage [1]. The fake news (i.e. infodemic), propagated by social media and other mobile message-sharing platforms, has progressed from causing a nuisance to seriously impacting law and order through deliberate and large-scale manipulation of public sentiments [4,14]. A typical example is a COVID-19 pandemic. The global uncertainty due to the pandemic has manifested in a breeding ground for fake news resulting in widespread panic and hindering the efforts of governments around the world to disseminate credible information to their citizens [4]. What makes the spread of false news terrifying is its distinctive characteristic of information sharing as a result of many of the users of social media hastily sharing every piece of news content they come across regardless of its source [7].
In the recent past, several studies [1] – [4], [8] – [14] have used machine intelligence related methods to detect false news and other forms of misinformation via various means such as in social media news articles crowd intelligence, and surveys. For example, one study noted that fake news has shown adverse effects of propagation on social media, and to mitigate these effects, it is required to detect fake news at an early stage when limited information about the news is available [13]. On another note, information sharing is the most important thing among human beings; however, the shared information needs to be authentic and realistic [6]. As well, it is a fact that the ability to distinguish truth from fake is a knowledge that people acquire through experience and age [7]. Furthermore, the proposed framework is a demonstration of the complementary value of human and machine intelligence in aiding false news detection, which could also be attributed to the broader literature on hybrid human-machine intelligence and other crowd intelligence applications [1]. The authors revealed that their research has several practical implications and actionable insights for relevant stakeholders. For social media platforms, the proposed CAND framework serves as a feasible and effective approach for false news detection on social media platforms. They believe that the practical implications translate into cost-effective measures, which can save social media platforms millions of dollars invested to thwart the spread of false news.
Other researchers have proposed state-of-the-art solutions to address the false news menace. In one paper, Chon and Kim proposed another excellent way to optimize social media analytics to manage crises by using the framework of attribution theory to analyze a bunch of tweets [2]. The authors indicated that social media analytics is a valid tool to monitor how the spread of COVID-19 evolved from an issue to a crisis. Others presented a novel collection of news articles originating from fake and real news media sources for the analysis and prediction of news virality [3]. Unlike existing fake news datasets, which contain news articles, the authors’ article collection is supported by a Facebook engagement count. Yet, Gupta et al. [4] presented a survey on combating fake news and evaluates the challenges involved in its detection with the help of existing detection mechanisms and techniques to control its spread. Additionally, Sharma et al, discussed existing methods and techniques applicable to both identification and mitigation, with a focus on the significant advances in each method and their advantages and limitations [14]. Further, in one study, an ensemble classifier was developed for detecting fake news with better accuracy results using the LIAR dataset [6]. In their study, Mladenova and Valova examined the ability to detect fake news and clickbait in the use of social networks [7]. To help understand the current state of affairs, Hu et al, conducted a survey to review and analyze existing deep learning-based fake news detection methods that focus on various features such as news content, social context, and external knowledge [8]. Furthermore, to address the data scarcity problems, one study proposed an automated approach for labeling data using verified fact-checked statements on a Twitter dataset [9]. Li et al. [10] and Chen [11] described the concept of crowd intelligence and explain its relationship to crowdsourcing and human computation. The authors also introduced four categories of representative crowd intelligence platforms as a solution [10]. Despite these research studies, misinformation campaigns, with the spread of false news, can also divert users’ attention from serious problems that need urgent attention.
In the final analysis, increased global access to emerging technologies and accompanying devices with the prevalence of social media has led to the exponential growth of information thereby creating an infodemic. In other words, we have a situation where a lot of information is being produced and shared in every corner of the world, thus reaching billions of users at once. the authors revealed that their research has several practical implications and actionable insights for relevant stakeholders. The information age enables people to obtain news online through various channels, yet in the meanwhile making false news spread at unprecedented speed and has detrimental effects on social stability and public trust [8]. Furthermore, given the role of popular social media platforms in recent political and economic climates, understanding such processes might enhance information and the impact of communication technology on living environments [11]. Ultimately, the unified CAND framework proposed by Wei et al. [1] for detecting fake news and halting its dissemination can further improve the usefulness of crowd and machine intelligence to mitigate the effect of false news propagated mostly by social media platforms.
view full article here: Employing innovative detection techniques to confront fake news
References:
[1] Wei, X., Zhang, Z., Zhang, M., Chen, W., & Zeng, D. D. (2021). Combining Crowd and Machine Intelligence to Detect False News on Social Media. MIS Quarterly. DOI: https://doi.org/10.25300/MISQ/2022/16256
[2] Chon, M. G., & Kim, S. (2022). Dealing with the COVID-19 crisis: Theoretical application of social media analytics in government crisis management. Public Relations Review, 48(3), 102201.
[3] Krstovski, K., Ryu, A. S., & Kogut, B. (2022). Evons: A Dataset for Fake and Real News Virality Analysis and Prediction. arXiv preprint arXiv:2209.08129.
[4] Gupta, A., Kumar, N., Prabhat, P., Gupta, R., Tanwar, S., Sharma, G., … & Sharma, R. (2022). Combating Fake News: Stakeholder Interventions and Potential Solutions. Ieee Access, 10, 78268-78289.
[5] Richet, J. L. (2013). Overt censorship: a fatal mistake? Communications of the ACM, 56(8), 37-38.
[6] Wynne, H. E., & Swe, K. T. (2022). Fake News Detection in Social Media using Two-Layers Ensemble Model. In 2022 37th International Technical Conference on Circuits/Systems, Computers and Communications (ITC-CSCC) (pp. 411-414). IEEE.
[7] Mladenova, T., & Valova, I. (2022). Research on the Ability to Detect Fake News in Users of Social Networks. In 2022 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA) (pp. 01-04). IEEE.
[8] Hu, L., Wei, S., Zhao, Z., & Wu, B. (2022). Deep learning for fake news detection: A comprehensive survey. AI Open.
[9] Akhtar, M. M., Sharma, B., Karunanayake, I., Masood, R., Ikram, M., & Kanhere, S. S. (2022). Machine Learning-based Automatic Annotation and Detection of COVID-19 Fake News. arXiv preprint arXiv:2209.03162.
[10] Li, W., Wu, W. J., Wang, H. M., Cheng, X. Q., Chen, H. J., Zhou, Z. H., & Ding, R. (2017). Crowd intelligence in AI 2.0 era. Frontiers of Information Technology & Electronic Engineering, 18(1), 15-43.
[11] Chen, M. Y., Lytras, M. D., & Sangaiah, A. K. (2019). Anticipatory computing: Crowd intelligence from social network and big data. Computers in Human Behavior, 101, 350-351.
[12] Richet, J. L. (2022). How cybercriminal communities grow and change: An investigation of ad-fraud communities. Technological Forecasting and Social Change, 174, 121282.
[13] Rastogi, S., & Bansal, D. (2021, December). Time is Important in Fake News Detection: a short review. In 2021 International Conference on Computational Science and Computational Intelligence (CSCI) (pp. 1441-1443). IEEE.
[14] Sharma, K., Qian, F., Jiang, H., Ruchansky, N., Zhang, M., & Liu, Y. (2019). Combating fake news: A survey on identification and mitigation techniques. ACM Transactions on Intelligent Systems and Technology (TIST), 10(3), 1-42.
Cybersecurity, a new challenge for the aviation and automotive industries
Cybersecurity, a new challenge for the aviation and automotive industries
Hélène Duchamp, Ibrahim Bayram, Ranim Korhani
Abstract:
This paper will focus on cybersecurity in the civil aviation industry, but will also present some of the threats that exist in a much more daily transportation mode: personal cars.
We will present the stakeholders involved in the aviation industry, point out the sources of the vulnerability of the industry to cyber attacks, and then analyze the efforts put in place to deter cyber attacks against commercial aircraft. The same order of reasoning will be applied to the automotive industry
Introduction
The aviation industry is important to the global economy. In 2013, the air transportation network carried over 48 million tons of freight and over 2.6 billion passengers. Its global economic value was estimated at 2.2 trillion dollars (AIAA, 2013). Any (cyber)-attack in this industry would result in important social and economic consequences.
With the development of new technologies such as internet, the global aviation industry is subject to a new and growing type of threat coming from cyberspace. As in the other industries, cyber threats purposes are for example the robbery of information, political actions, make profit, or simply weaken one stakeholder of the industry.
Because of its complexity and its weight in the economy, breaking the aviation industry’s security constitutes a great challenge for hackers and terrorists. Moreover, this industry relies more and more on information and communication technology (ICT). As an industry that is well known for providing one of the safest type of transportation, it is mandatory for all its stakeholders to understand the risks and to prevent any malicious events for the good of the industry, the economy, the population and the environment.
Read the full strategic report here: cybersecurity, a new challenge for the aviation and automotive industries
References
AIAA. (2013). The connectivity challenge: protecting critical assets in a networked world – a framework for aviation cybersecurity.
Cybersecurity and the Internet of Things
Cybersecurity and the Internet of Things
Sarah Baker, Grégoire Frison-Roche, Barbora Kuncikova
Abstract:
The Internet of Things (IoT) is a topic that gets a lot of attention and has become somewhat of buzzword in business and technology today. In many ways, this hype and excitement is not misplaced, as IoT has fascinating implications and opportunities for both consumers and businesses. However, the cybersecurity threats that this explosive growth represents are sometimes overlooked or not clearly understood. This paper will introduce the concept of IoT, including the definition, trends and applications. The next section will discuss the potential cybersecurity risks for IoT, for both industries and consumers. Finally, the last section will discuss recommended preventative measures and defense mechanisms available, while considering the fast changing nature of IoT technology.
Introduction: What is the Internet of Things?
The past decades have seen huge advances in electronic communications, from the rise of the Internet to the ubiquity of mobile devices. However, this communication is now shifting from devices that simply connect users to the Internet, to communication linking the physical world to the cyber world (Borgia, 2014). Generally speaking, this notion is called Cyber Physical Systems (CPS) and includes technologies such as (i) automation of knowledge work, (ii) Internet of Things, (iii) advanced robotics, and (iv) autonomous/ near autonomous vehicles (Borgia, 2014). However, IoT is considered to be the CPS technology with the largest expected economic impact (Manyika et al., 2013).
Given IoT is one of the most talked about trends in IT, there are as many definitions of the phenomena as there are angles to study. The origins of the concept IoT can be traced back to a group at MIT, who defined it as “an intelligent infrastructure linking objects, information and people through the computer networks, and where the RFID technology found the basis for its realization’’ (Brock, 2001). Today, IoT extends far beyond RFID technology. A more recent definition describes IoT as “a highly interconnected network of heterogeneous entities such as tags, sensors, embedded devices, handheld devices and backend servers” (Malina et al., 2016). The International Telecommunication Union (ITU) describes IoT as “anytime, any place connectivity for anyone… connectivity for anything. Connections will multiply and create an entirely new dynamic network of networks – an Internet of Things’’ (ITU, 2005).
Therefore, the defining attribute of IoT is that it involves things, moving beyond networked computers, tablets or smartphones to include just about any physical object that can be connected and communicate. The value offered by IoT comes from the fact that these objects which are not machines, and do not function like machines are able to gather and communicate data, which means information can be translated into action at astounding rates (Burrus, 2014). The concept behind IoT was aptly captured back in 1999:
“If we had computers that knew everything there was to know about things — using data they gathered without any help from us — we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so” (Ashton, 2009)
This strategic report focuses on securing the Internet of Things. Read the full report here: Cybersecurity and the Internet of Things
References
Ashton, K. (2009). That ‘internet of things’ thing. RFiD Journal, 22(7), 97-114.
Borgia, E. (2014). The Internet of Things vision: Key features, applications and open issues. Computer Communications, 54, 1-31.
Brock, D. L. (2001). The electronic product code (epc). Auto-ID Center White Paper MIT-AUTOID-WH-002.
Burrus, D. (2014). The Internet of Things is far bigger than anyone realizes. Wired. Accessed November.
ITU. (2005). ITU Internet Reports 2005: The internet of things. Geneva: International Telecommunication Union (ITU).
Malina, L., Hajny, J., Fujdiak, R., & Hosek, J. (2016). On perspective of security and privacy-preserving solutions in the internet of things. Computer Networks, 102, 83-95.
Manyika, J., Chui, M., Bughin, J., Dobbs, R., Bisson, P., & Marrs, A. (2013). Disruptive technologies: Advances that will transform life, business, and the global economy (Vol. 12). San Francisco, CA: McKinsey Global Institute.
Cybersecurity & Cyber Threats in Healthcare Organizations
Cybersecurity & Cyber Threats in Healthcare Organizations
Aurore Le Bris, Walid El Asri
Abstract:
Cybersecurity has become a strategic issue for healthcare facilities. This current risky situation comes from an internal double threat: the misuse of IT systems by employees due to their low risk awareness and the lack of proper funding dedicating to Information Security. Simultaneously, the democratization of hacking techniques has also increased the number of potential perpetrators and the variety of their profile. The multiplication of healthcare facilities hit by such attacks reveals how absolutely necessary the question of cybersecurity is. Thanks to the mediatization of these incidents, concerns now grow among general public and authorities, which trigger more and more initiatives to turn things around: FDA, AHA, HITRUST in the USA. A move towards more coordination in necessary. Furthermore, facilities’ staff is essential in solving the hacking issues. Indeed, cybersecurity cannot be improved without training employees to use devices properly, raising their awareness on cyber threats and ensuring their compliance with security policies.
Introduction
Cybersecurity has become a crucial issue for many organizations but also for private individuals. As well as for “regular” crime, anyone may become a target of ill-intentioned people, exploiting the vulnerabilities of information systems (IS) in any possible way. Healthcare organizations are some of the entities we trust the most and that hold the most sensitive information about us: name, date and place of birth, medical records, social security details, etc. Suffering from many flaws (low budget, lack of IT organization, excessive use of legacy systems…), healthcare actors have become easy targets for hackers, facing more and more pressure and threats from them (Fu and Blum, 2013).
This article aims at depicting the current state of cybersecurity in healthcare organizations as well as at understanding the main cyber threats they face and how these last ones could be addressed.
First of all, the stakes and risks associated to the healthcare environment will be presented. The different types of assets likely to be targeted will be reviewed as well as the profile of the potential attackers/threats and their objectives. Then, examples of attack scenarios – that occurred in real life or pentests – will be studied in order to highlight the consequences they may have on healthcare IS. Finally, the current state of cybersecurity in healthcare facilities will be portrayed and possible measures to enhance it will be discussed.
The following strategic report assess new risks and threats towards healthcare facilities and organizations. Read the full report here:
Cybersecurity & Cyber Threats in Healthcare Organizations
References
Fu, K., & Blum, J. (2013). Controlling for cybersecurity risks of medical device software. Communications of the ACM, 56(10), 35-37.