The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.
Authored by Semi Yulianto, Roni Abdullah, Benfano Soewito
In recent times, the research looks into the measures taken by financial institutions to secure their systems and reduce the likelihood of attacks. The study results indicate that all cultures are undergoing a digital transformation at the present time. The dawn of the Internet ushered in an era of increased sophistication in many fields. There has been a gradual but steady shift in attitude toward digital and networked computers in the business world over the past few years. Financial organizations are increasingly vulnerable to external cyberattacks due to the ease of usage and positive effects. They are also susceptible to attacks from within their own organisation. In this paper, we develop a machine learning based quantitative risk assessment model that effectively assess and minimises this risk. Quantitative risk calculation is used since it is the best way for calculating network risk. According to the study, a network s vulnerability is proportional to the number of times its threats have been exploited and the amount of damage they have caused. The simulation is used to test the model s efficacy, and the results show that the model detects threats more effectively than the other methods.
Authored by Lavanya M, Mangayarkarasi S
Cyberattacks, particularly those that take place in real time, will be able to target an increasing number of networked systems as more and more items connect to the Internet of items. While the system is operational, it is susceptible to intrusions that might have catastrophic consequences, such as the theft of sensitive information, the violation of personal privacy, or perhaps physical injury or even death. These outcomes are all possible while the system is operational. A mixed-methods research approach was required in order to fulfill the requirements for understanding the nature and scope of real-time assaults on IoT-powered cybersecurity infrastructure. The quantitative data that was utilized in this research came from an online survey of IoT security professionals as well as an analysis of publicly available information on IoT security incidents. For the purpose of gathering qualitative data, in-depth interviews with industry experts and specialists in the area of Internet of Things security were conducted. The authors provide a novel method for identifying cybersecurity flaws and breaches in cyber-physical systems, one that makes use of deep learning in conjunction with blockchain technology. This method has the potential to be quite useful. Their proposed technique compares and evaluates unsupervised and deep learning-based discriminative methods, in addition to introducing a generative adversarial network, in order to determine whether cyber threats are present in IICs networks that are powered by IoT. The results indicate an improvement in performance in terms of accuracy, reliability, and efficiency in recognizing all types of attacks. The dropout value was found to be 0.2, and the epoch value was set at 25.
Authored by Varsha Agarwal, Pooja Gupta
The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.
Authored by Semi Yulianto, Roni Abdullah, Benfano Soewito
Cybersecurity risk analysis is crucial for orga-nizations to assess, identify, and prioritize possible threats to their systems and assets. Organizations aim to estimate the loss cost in case cybersecurity risks occur to decide the control actions they should invest in. Quantitative risk analysis aids organizations in making well-informed decisions about risk mitigation strategies and resource allocation. Therefore, organizations must use quantitative risk analysis methods to identify and prioritize risks rather than relying on qualitative methods. This paper proposes a spreadsheet-based quantitative risk analysis method based on verbal likelihoods. Our approach relies on tables constructed by experts that map between linguistic likelihood and possible probability ranges. Using linguistic terms to estimate the probability of risk occurrence will help experts apply quantitative estimation easily by using common language as input, thus eliminating the need to assign precise probabilities. We experimented with real examples to validate our approach s accuracy and reliability and compared our results with those obtained from another method. Also, we conducted tests to measure our model s performance and robustness. Our study showcases the effectiveness of our approach and demonstrates its potential for risk analysts to use it in real-world applications.
Authored by Karim Elhammady, Sebastian Fischmeister
Cybersecurity is largely based on the use of frameworks (ISO27k, NIST, etc.) which main objective is compliance with the standard. They do not, however, address the quantification of the risk deriving from a threat scenario. This paper proposes a methodology that, having evaluated the overall capability of the controls of an ISO27001 framework, allows to select those that mitigate a threat scenario and evaluate the risk according to a Cybersecurity Risk Quantification model.
Authored by Glauco Bertocchi, Alberto Piamonte
Simulation research on fish schooling behavior is of great significance. This paper proposes an improved fish schooling behavior simulation model, which introduces fish collision avoidance, escape, and pursuit rules based on the Boids model, so that the model can simulate the response of fish when facing threats. And the simulation of fish schooling behavior in complex environment was present based on Unity3D. The quantitative analysis of the simulation results shows that the model proposed in this paper can effectively reflect the behavior al characteristics of fish schools. These results are highly consistent with the actual fish schooling behavior, which clearly demonstrates the feasibility of the model in simulating fish schooling behavior.
Authored by Jiaxin Li, Xiaofeng Sun
Cyber-physical system such as automatic metering infrastructure (AMI) are overly complex infrastructures. With myriad stakeholders, real-time constraints, heterogeneous platforms and component dependencies, a plethora of attacks possibilities arise. Despite the best of available technology countermeasures and compliance standards, security practitioners struggle to protect their infrastructures. At the same time, it is important to note that not all attacks are same in terms of their likelihood of occurrence and impact. Hence, it is important to rank the various attacks and perform scenario analysis to have an objective decision on security countermeasures. In this paper, we make a comprehensive security risk analysis of AMI, both qualitatively and quantitatively. Qualitative analysis is performed by ranking the attacks in terms of sensitivity and criticality. Quantitative analysis is done by arranging the attacks as an attack tree and performing Bayesian analysis. Typically, state-of–the-art quantitative security risk analysis suffers from data scarcity. We acknowledge the aforementioned problem and circumvent it by using standard vulnerability database. Different from state-of-the-art surveys on the subject, which captures the big picture, our work is geared to is provide the prioritized baselines in addressing most common and damaging attacks.
Authored by Rajesh Kumar, Ishan Rai, Krish Vora, Mithil Shah
In recent times, the research looks into the measures taken by financial institutions to secure their systems and reduce the likelihood of attacks. The study results indicate that all cultures are undergoing a digital transformation at the present time. The dawn of the Internet ushered in an era of increased sophistication in many fields. There has been a gradual but steady shift in attitude toward digital and networked computers in the business world over the past few years. Financial organizations are increasingly vulnerable to external cyberattacks due to the ease of usage and positive effects. They are also susceptible to attacks from within their own organisation. In this paper, we develop a machine learning based quantitative risk assessment model that effectively assess and minimises this risk. Quantitative risk calculation is used since it is the best way for calculating network risk. According to the study, a network s vulnerability is proportional to the number of times its threats have been exploited and the amount of damage they have caused. The simulation is used to test the model s efficacy, and the results show that the model detects threats more effectively than the other methods.
Authored by Lavanya M, Mangayarkarasi S
The growth of Electric Vehicles (EVs), coupled with the deployment of large-scale extreme fast charging stations (XFCSs), has increased the attack surface for EV ecosystems. To secure such critical cyber-physical systems (CPSs), it is imperative for the system defenders to perform an in-depth analysis of potential attack vectors, evaluate possible countermeasures, and analyze attack-defense scenarios quantitatively to implement a defense strategy that will provide maximum utilization of their limited resources. Therefore, a systematic framework is essential, relying on modeling tools that security experts are familiar with. In this paper, we propose a comprehensive methodology for enabling the defender to perform a high-level attack surface analysis of an XFCS and determine the defense strategy with the highest utility value. We apply STRIDE threat modeling and attack defense tree (ADT) to enumerate realizable attack paths and identify possible defense measures. We then employ analytic hierarchy process (AHP) as a multi-criteria decisionmaking algorithm to obtain the highest utility strategy for the defender to adopt. The proposed methodology is validated by demonstrating its real-world feasibility through a case study, using sample attack paths for an XFCS.
Authored by Souradeep Bhattacharya, Manimaran Govindarasu, Mansi Girdhar, Junho Hong
Cybersecurity risk analysis is crucial for orga-nizations to assess, identify, and prioritize possible threats to their systems and assets. Organizations aim to estimate the loss cost in case cybersecurity risks occur to decide the control actions they should invest in. Quantitative risk analysis aids organizations in making well-informed decisions about risk mitigation strategies and resource allocation. Therefore, organizations must use quantitative risk analysis methods to identify and prioritize risks rather than relying on qualitative methods. This paper proposes a spreadsheet-based quantitative risk analysis method based on verbal likelihoods. Our approach relies on tables constructed by experts that map between linguistic likelihood and possible probability ranges. Using linguistic terms to estimate the probability of risk occurrence will help experts apply quantitative estimation easily by using common language as input, thus eliminating the need to assign precise probabilities. We experimented with real examples to validate our approach s accuracy and reliability and compared our results with those obtained from another method. Also, we conducted tests to measure our model s performance and robustness. Our study showcases the effectiveness of our approach and demonstrates its potential for risk analysts to use it in real-world applications.
Authored by Karim Elhammady, Sebastian Fischmeister
Security still remains an afterthought in modern Electronic Design Automation (EDA) tools, which solely focus on enhancing performance and reducing the chip size. Typically, the security analysis is conducted by hand, leading to vulnerabilities in the design remaining unnoticed. Security-aware EDA tools assist the designer in the identification and removal of security threats while keeping performance and area in mind. Stateof-the-art approaches utilize information flow analysis to spot unintended information leakages in design structures. However, the classification of such threats is binary, resulting in negligible leakages being listed as well. A novel quantitative analysis allows the application of a metric to determine a numeric value for a leakage. Nonetheless, current approximations to quantify the leakage are still prone to overlooking leakages. The mathematical model 2D-QModel introduced in this work aims to overcome this shortcoming. Additionally, as previous work only includes a limited threat model, multiple threat models can be applied using the provided approach. Open-source benchmarks are used to show the capabilities of 2D-QModel to identify hardware Trojans in the design while ignoring insignificant leakages.
Authored by Lennart Reimann, Sarp Erdönmez, Dominik Sisejkovic, Rainer Leupers
In this paper, an air Air target threat assessment method based on a variable weight cloud Bayesian network (VWCBN) is proposed, which addresses the qualitative issue of air target threat levels, as most of the existing threat assessment results in focus on quantitative analysis. The proposed method enables high, medium, and low qualitative decision-making for air target threat levels. Firstly, a Bayesian network model that incorporates the attribute of air threat is constructed, assessing the threat level of air targets. Secondly, the cloud model is introduced to the Bayesian network, using it to represent the probability of correlation between nodes in the network. Then, by combining the battlefield situation information, using an improved variable weight method with Gaussian expression, the weights of target attributes are determined. Finally, based on the correlation probability and target attribute weight, the cloud model operation rules are utilized to obtain the decision of the air target threat level. Simulation results demonstrate that the proposed VWCBN method can effectively assess target threats, obtain air target threat level decisions, and further improve the utilization of battlefield information.
Authored by Lin Zhou, Junfang Leng, Meng Zhang, Zheng Zhao, Yongjing Huo, Jiawei Wu
The growth of Electric Vehicles (EVs), coupled with the deployment of large-scale extreme fast charging stations (XFCSs), has increased the attack surface for EV ecosystems. To secure such critical cyber-physical systems (CPSs), it is imperative for the system defenders to perform an in-depth analysis of potential attack vectors, evaluate possible countermeasures, and analyze attack-defense scenarios quantitatively to implement a defense strategy that will provide maximum utilization of their limited resources. Therefore, a systematic framework is essential, relying on modeling tools that security experts are familiar with. In this paper, we propose a comprehensive methodology for enabling the defender to perform a high-level attack surface analysis of an XFCS and determine the defense strategy with the highest utility value. We apply STRIDE threat modeling and attack defense tree (ADT) to enumerate realizable attack paths and identify possible defense measures. We then employ analytic hierarchy process (AHP) as a multi-criteria decisionmaking algorithm to obtain the highest utility strategy for the defender to adopt. The proposed methodology is validated by demonstrating its real-world feasibility through a case study, using sample attack paths for an XFCS.
Authored by Souradeep Bhattacharya, Manimaran Govindarasu, Mansi Girdhar, Junho Hong
The perception of security when consumers use the m-fintech payment application impacts satisfaction and continuance intention. However, data security threats and legal breaches have made consumers skeptical about the continuance of m-fintech payments. Therefore, this study aims to analyze the perceived security factor as a form of consumer satisfaction and the desire to continue using it with the support of confirmation behavior. This study uses a quantitative method by surveying 357 m-fintech payment users in Jabodetabek. All collected data has been processed, cleaned, and analyzed utilizing variance-based Structural Equation Modeling statistics. The research finding has proven that all hypotheses are accepted. Perceived security significantly affects confirmation, satisfaction, and continuance intention. A confirmation significantly affects satisfaction, and satisfaction significantly affects the continuance intention of mfintech payment. The originality of this research measures perceived security formatively. The conclusions of this analysis serve as information for the digital central currency bank (CDBC) development plan based on the security level.
Authored by Ridho Ikhsan, Yudi Fernando, Vini Mariani, Anderes Gui, Ahmad Fakhrorazi, Ika Wahyuni-TD
The growth of Electric Vehicles (EVs), coupled with the deployment of large-scale extreme fast charging stations (XFCSs), has increased the attack surface for EV ecosystems. To secure such critical cyber-physical systems (CPSs), it is imperative for the system defenders to perform an in-depth analysis of potential attack vectors, evaluate possible countermeasures, and analyze attack-defense scenarios quantitatively to implement a defense strategy that will provide maximum utilization of their limited resources. Therefore, a systematic framework is essential, relying on modeling tools that security experts are familiar with. In this paper, we propose a comprehensive methodology for enabling the defender to perform a high-level attack surface analysis of an XFCS and determine the defense strategy with the highest utility value. We apply STRIDE threat modeling and attack defense tree (ADT) to enumerate realizable attack paths and identify possible defense measures. We then employ analytic hierarchy process (AHP) as a multi-criteria decisionmaking algorithm to obtain the highest utility strategy for the defender to adopt. The proposed methodology is validated by demonstrating its real-world feasibility through a case study, using sample attack paths for an XFCS.
Authored by Souradeep Bhattacharya, Manimaran Govindarasu, Mansi Girdhar, Junho Hong
Online loan is viewed as an alternative to banking but easier and provide direct connection between public and loan offerer. However, online security threats and scam are undermining the quality of online loan. This study aims to determine how the public views their privacy while using online loan applications, perceived risk, perceived security, and qualities on intention to apply online loan. In order to examine the intention, a quantitative survey method was adopted and survey questionnaire was sent to the public who had experienced and apply for online loan applications. 153 responses were received and analysed using IBM SPSS version 28 for demographic analysis and SmartPLS 4 for model and structural measurements. Results show that perceived security, service quality and system quality were not critical to the respondents when choosing online loan applications while perceived risk, information sharing, and privacy concern were critical. This study shows that general public believed that security and quality are part of the package when organization offered a product or service. Interestingly, while privacy, risk, and information are important, public felt that it is the duty of organization to take care of their interests. Future research should look into behavioural aspects of public risk, information sharing, and privacy concern to understand in-depth.
Authored by Natanael Kurniawan, Jacques, Muammar Tohepaly, Anderes Gui, Muhammad Shaharudin, Yuvaraj Ganesan
The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.
Authored by Semi Yulianto, Roni Abdullah, Benfano Soewito
Risk assessors and managers face many difficult challenges related to the new network system. These challenges include the continuous changes in the nature of network systems caused by technological progress, their distribution in the fields of physics, information and social cognition, and the complex network structure that usually includes thousands of nodes. Here, we review the probability and risk-based decision technology applied to network systems, and conclude that the existing methods can not solve all the components of the risk assessment triad (threat, vulnerability, consequence), and lack the ability to integrate across multiple areas of network systems, thus providing guidance for enhancing network security. We propose a cloud native security chain architecture and network topology reconstruction technology link based on the full link of microservices. The network security performance is quantified by multi-layer filtering mechanism and setting different fitness index functions. The method proposed in this paper solves the problems of packet loss, load balancing and distributed delay of network security mechanism in the global network to a certain extent.
Authored by Shuo Sheng, Kun Che, Ang Mi, Xiaobo Wan
Package registries host reusable code assets, allowing developers to share and reuse packages easily, thus accelerating the software development process. Current software registry ecosystems involve multiple independent stakeholders for package management. Unfortunately, abnormal behavior and information inconsistency inevitably exist, enabling adversaries to conduct malicious activities with minimal effort covertly. In this paper, we investigate potential security vulnerabilities in six popular software registry ecosystems. Through a systematic analysis of the official registries, corresponding registry mirrors and registry clients, we identify twelve potential attack vectors, with six of them disclosed for the first time, that can be exploited to distribute malicious code stealthily. Based on these security issues, we build an analysis framework, RScouter, to continuously monitor and uncover vulnerabilities in registry ecosystems. We then utilize RScouter to conduct a measurement study spanning one year over six registries and seventeen popular mirrors, scrutinizing over 4 million packages across 53 million package versions. Our quantitative analysis demonstrates that multiple threats exist in every ecosystem, and some have been exploited by attackers. We have duly reported the identified vulnerabilities to related stakeholders and received positive responses.
Authored by Yacong Gu, Lingyun Ying, Yingyuan Pu, Xiao Hu, Huajun Chai, Ruimin Wang, Xing Gao, Haixin Duan
Security system designers favor worst-case security metrics, such as those derived from differential privacy (DP), due to the strong guarantees they provide. On the downside, these guarantees result in a high penalty on the system’s performance. In this paper, we study Bayes security, a security metric inspired by the cryptographic advantage. Similarly to DP, Bayes security i) is independent of an adversary’s prior knowledge, ii) it captures the worst-case scenario for the two most vulnerable secrets (e.g., data records); and iii) it is easy to compose, facilitating security analyses. Additionally, Bayes security iv) can be consistently estimated in a black-box manner, contrary to DP, which is useful when a formal analysis is not feasible; and v) provides a better utility-security trade-off in high-security regimes because it quantifies the risk for a specific threat model as opposed to threat-agnostic metrics such as DP.
Authored by Konstantinos Chatzikokolakis, Giovanni Cherubin, Catuscia Palamidessi, Carmela Troncoso
This research aimed to examine the relationship between digital citizenship and information security achievements levels. For this purpose, the research was designed in the relational survey model within the scope of quantitative research. The sample of the research consists of teacher candidates studying at the Faculty of Education of Fırat University in the 2022-2023 academic year. To collect the research data, the Digital Citizenship Questionnaire and the Information Security Achievements Scale were used. At the end of the study, it was revealed that the digital citizenship levels of the teacher candidates were high, and the information security attainment levels related to threats and taking precautions were moderate. According to the gender variable, the digital citizenship levels of teacher candidates were found to be significantly higher in favor of females. Information security achievement levels differ significantly in favor of males according to the gender variable. It has been observed that as the information security achievements of the teacher candidates increase, the correct usage, health and social responsibility levels of digital citizenship tend to increase as well.
Authored by Songül Karabatak, Sevinç Ay, Murat Karabatak
In the digital era, web applications have become a prevalent tool for businesses. As the number of web applications continues to grow, they become enticing targets for malicious actors seeking to exploit potential security vulnerabilities. Organizations face constant risks associated with vulnerabilities in their web-based software systems, which can result in data breaches, service disruptions, and a loss of trust. Consequently, organizations require an effective and efficient approach to assess and analyze the security of acquired web-based software, ensuring sufficient confidence in its utilization. This research aims to enhance the quantitative evaluation and analysis of web application security through a model-based approach. We focus on integrating the Open Web Application Security Project s (OWASP) Application Security Verification Standard (ASVS) into a structured and analyzable metamodel. This model aims to effectively assess the security levels of web applications while offering valuable insights into their strengths and weaknesses. By combining the ASVS with a comprehensive framework, we aim to provide a robust methodology for evaluating and analyzing web application security.
Authored by Shao-Fang Wen, Basel Katt
Security still remains an afterthought in modern Electronic Design Automation (EDA) tools, which solely focus on enhancing performance and reducing the chip size. Typically, the security analysis is conducted by hand, leading to vulnerabilities in the design remaining unnoticed. Security-aware EDA tools assist the designer in the identification and removal of security threats while keeping performance and area in mind. Stateof-the-art approaches utilize information flow analysis to spot unintended information leakages in design structures. However, the classification of such threats is binary, resulting in negligible leakages being listed as well. A novel quantitative analysis allows the application of a metric to determine a numeric value for a leakage. Nonetheless, current approximations to quantify the leakage are still prone to overlooking leakages. The mathematical model 2D-QModel introduced in this work aims to overcome this shortcoming. Additionally, as previous work only includes a limited threat model, multiple threat models can be applied using the provided approach. Open-source benchmarks are used to show the capabilities of 2D-QModel to identify hardware Trojans in the design while ignoring insignificant leakages.
Authored by Lennart Reimann, Sarp Erdönmez, Dominik Sisejkovic, Rainer Leupers
The perception of security when consumers use the m-fintech payment application impacts satisfaction and continuance intention. However, data security threats and legal breaches have made consumers skeptical about the continuance of m-fintech payments. Therefore, this study aims to analyze the perceived security factor as a form of consumer satisfaction and the desire to continue using it with the support of confirmation behavior. This study uses a quantitative method by surveying 357 m-fintech payment users in Jabodetabek. All collected data has been processed, cleaned, and analyzed utilizing variance-based Structural Equation Modeling statistics. The research finding has proven that all hypotheses are accepted. Perceived security significantly affects confirmation, satisfaction, and continuance intention. A confirmation significantly affects satisfaction, and satisfaction significantly affects the continuance intention of mfintech payment. The originality of this research measures perceived security formatively. The conclusions of this analysis serve as information for the digital central currency bank (CDBC) development plan based on the security level.
Authored by Ridho Ikhsan, Yudi Fernando, Vini Mariani, Anderes Gui, Ahmad Fakhrorazi, Ika Wahyuni-TD