3rd Annual Best Scientific Cybersecurity Paper Competition

 

 

Here are the citations for the winning papers in the 3rd Annual NSA Competition for the best Scientific Paper. Details about the review team, the authors and the awards ceremony are available on the CPS-VO web page at: http://cps-vo.org/group/sos/papercompetition#honorable

The Winning Paper:

Alvim, M.S.; Chatzikokolakis, K.; McIver, A.; Morgan, C.; Palamidessi, C.; Smith, G., "Additive and Multiplicative Notions of Leakage, and Their Capacities," Computer Security Foundations Symposium (CSF), 2014 IEEE 27th, pp. 308-322, 19-22 July 2014. doi: 10.1109/CSF.2014.29

Abstract: Protecting sensitive information from improper disclosure is a fundamental security goal. It is complicated, and difficult to achieve, often because of unavoidable or even unpredictable operating conditions that can lead to breaches in planned security defences. An attractive approach is to frame the goal as a quantitative problem, and then to design methods that measure system vulnerabilities in terms of the amount of information they leak. A consequence is that the precise operating conditions, and assumptions about prior knowledge, can play a crucial role in assessing the severity of any measured vulnerability. We develop this theme by concentrating on vulnerability measures that are robust in the sense of allowing general leakage bounds to be placed on a program, bounds that apply whatever its operating conditions and whatever the prior knowledge might be. In particular we propose a theory of channel capacity, generalising the Shannon capacity of information theory, that can apply both to additive- and to multiplicative forms of a recently-proposed measure known as g-leakage. Further, we explore the computational aspects of calculating these (new) capacities: one of these scenarios can be solved efficiently by expressing it as a Kantorovich distance, but another turns out to be NP-complete. We also find capacity bounds for arbitrary correlations with data not directly accessed by the channel, as in the scenario of Dalenius's Desideratum.

Keywords: channel capacity; computational complexity; cryptography; data protection; information theory; Dalenius Desideratum; Kantorovich distance; NP-complete; Shannon capacity; additive forms; additive leakage; capacity bounds; g-leakage; general leakage bounds; information leakage; multiplicative forms; multiplicative leakage; operating conditions; prior knowledge; quantitative problem; security defences; security goal; sensitive information protection; system vulnerabilities; vulnerability measures; vulnerability severity; Additives; Databases; Educational institutions; Entropy; Joints; Robustness; Quantitative information flow; confidentiality (ID#: 15-6607)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6957119&isnumber=6957090

 

Honorable Mention:

 

Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, Jason I. Hong; “Increasing Security Sensitivity with Social Proof: A Large-Scale Experimental Confirmation;” CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 739-749. doi: 10.1145/2660267.2660271

Abstract: One of the largest outstanding problems in computer security is the need for higher awareness and use of available security tools. One promising but largely unexplored approach is to use social proof: by showing people that their friends use security features, they may be more inclined to explore those features, too. To explore the efficacy of this approach, we showed 50,000 people who use Facebook one of 8 security announcements (7 variations of social proof and 1 non-social control) to increase the exploration and adoption of three security features: Login Notifications, Login Approvals, and Trusted Contacts. Our results indicated that simply showing people the number of their friends that used security features was most effective, and drove 37% more viewers to explore the promoted security features compared to the non-social announcement (thus, raising awareness). In turn, as social announcements drove more people to explore security features, more people who saw social announcements adopted those features, too. However, among those who explored the promoted features, there was no difference in the adoption rate of those who viewed a social versus a non-social announcement. In a follow-up survey, we confirmed that the social announcements raised viewers' awareness of available security features.

Keywords: Facebook, persuasion, security, security feature adoption, social cybersecurity, social influence (ID#: 15-6608)

URL: http://doi.acm.org/10.1145/2660267.2660271


Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.