Information Safety Assurances Increase Intentions to Use COVID-19 Contact Tracing Applications, Regardless of Autonomy-Supportive or Controlling Message Framing

Promoting the use of contact tracing technology will be an important step in global recovery from the COVID-19 pandemic. Across two studies, we assessed two messaging strategies as motivators of intended contact tracing uptake. In one sample of 1117 Australian adults and one sample of 888 American adults, we examined autonomy-supportive and controlling message framing and the presence or absence of information safety as predictors of intended contact tracing application uptake, using an online randomized 2 × 2 experimental design. The results suggested that the provision of data safety assurances may be key in affecting people’s intentions to use contact tracing technology, an effect we found in both samples regardless of whether messages were framed as autonomy-supportive or controlling. Those in high information safety conditions consistently reported higher intended uptake and more positive perceptions of the application than those in low information safety conditions. In Study 2, we also found that perceptions of government legitimacy related positively to intended application uptake, as did political affiliation. In sum, individuals appeared more willing to assent to authority regarding contact tracing insofar as their data safety can be assured. Yet, public messaging strategies alone may be insufficient to initiate intentions to change behavior, even in these unprecedented circumstances.

Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system

OBJECTIVE

The study sought to understand the impact of a phishing training program on phishing click rates for employees at a single, anonymous US healthcare institution.

MATERIALS AND METHODS

We stratified our population into 2 groups: offenders and nonoffenders. Offenders were defined as those that had clicked on at least 5 simulated phishing emails and nonoffenders were those that had not. We calculated click rates for offenders and nonoffenders, before and after a mandatory training program for offenders was implemented.

RESULTS

A total of 5416 unique employees received all 20 campaigns during the intervention period; 772 clicked on at least 5 emails and were labeled offenders. Only 975 (17.9%) of our set clicked on 0 phishing emails over the course of the 20 campaigns; 3565 (65.3%) clicked on at least 2 emails. There was a decrease in click rates for each group over the 20 campaigns. The mandatory training program, initiated after campaign 15, did not have a substantial impact on click rates, and the offenders remained more likely to click on a phishing simulation.

DISCUSSION

Phishing is a common threat vector against hospital employees and an important cybersecurity risk to healthcare systems. Our work suggests that, under simulation, employee click rates decrease with repeated simulation, but a mandatory training program targeted at high-risk employees did not meaningfully decrease the click rates of this population.

CONCLUSIONS

Employee phishing click rates decrease over time, but a mandatory training program for the highest-risk employees did not decrease click rates when compared with lower-risk employees.

Readiness for Health Information Technology is Associated to Information Security in Healthcare Institutions

BACKGROUND

Health information technologies (HITs) present numerous opportunities for the improvement and transformation of healthcare, which include reducing human errors, improving clinical outcomes, facilitating care coordination, improving efficiency of practice and tracking data over time. HITs involve various technologies that range from simple charting, to a more advanced decision support and integration with medical technology.

OBJECTIVE

The aims of this study were to examine the readiness for the implementation of health information technologies (HITs) among medical and administrative staff as well as to evaluate the effects of information security status on the readiness.

METHODS

In this cross-sectional study, 236 medical employees (F/M: 192/44; mean age: 34±7.43 years) and 139 administrative employees (F/M: 93/46, mean age: 36±7.64 years) from 15 public health institutions in Kocaeli, Marmara Region were included. The data were collected via a structured questionnaire regarding opinions about information security and privacy, use of information technologies and the Organizational Information Technology Innovation Readiness Scale (OITIRS). After an explanatory factor analysis was performed for the scale, two subgroups regarding Organizational Readiness and Technological Readiness were obtained. Binary logistic regression analyses were performed to evaluate related factors for these subgroups of OITIRS.

RESULTS

According to binary logistic regression analysis, establishing of a password management system was found to be a crucial factor for both organizational and technological readiness among medical and administrative employees in health institutions (p<0.05). The enhancement of collaboration among staff by implementing information technologies was a critical factor for the medical staff; whereas, the attitude of employees to ensure information security was an important factor for the administrative employees in both subgroups (p<0.05).

CONCLUSION

Both medical and administrative unit employees stated that establishing a password management system that determines the frequency of changing passwords in the organization would affect both organizational and technical readiness in healthcare institutions.

Continuous Quantitative Risk Management in Smart Grids Using Attack Defense Trees

Although the risk assessment discipline has been studied from long ago as a means to support security investment decision-making, no holistic approach exists to continuously and quantitatively analyze cyber risks in scenarios where attacks and defenses may target different parts of Internet of Things (IoT)-based smart grid systems. In this paper, we propose a comprehensive methodology that enables informed decisions on security protection for smart grid systems by the continuous assessment of cyber risks. The solution is based on the use of attack defense trees modelled on the system and computation of the proposed risk attributes that enables an assessment of the system risks by propagating the risk attributes in the tree nodes. The method allows system risk sensitivity analyses to be performed with respect to different attack and defense scenarios, and optimizes security strategies with respect to risk minimization. The methodology proposes the use of standard security and privacy defense taxonomies from internationally recognized security control families, such as the NIST SP 800-53, which facilitates security certifications. Finally, the paper describes the validation of the methodology carried out in a real smart building energy efficiency application that combines multiple components deployed in cloud and IoT resources. The scenario demonstrates the feasibility of the method to not only perform initial quantitative estimations of system risks but also to continuously keep the risk assessment up to date according to the system conditions during operation.

The Case against Commercial Antivirus Software: Risk Homeostasis and Information Problems in Cybersecurity

New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on security outcomes in the short run and little-to-no effect over the long run. It tests the preliminary plausibility of four predictions from the revised risk homeostasis theory using new survey data from 1,072 respondents. The estimations suggest the plausible operation of a number of risk homeostasis dynamics: (1) commercial AV users are significantly more likely to self-report a cybersecurity event in the past year than nonusers, even after correcting for potential reverse causality and informational mechanisms; (2) nonusers become somewhat less likely to self-report a cybersecurity event as the perceived riskiness of various e-mail-based behaviors increases, while commercial AV users do not; (3) the negative short-run effect of commercial AV use on cybersecurity outcomes fade over time at a predicted rate of about 7.03 percentage points per year of use; and (4) after five years of use, commercial AV users are statistically indistinguishable from nonusers in terms of their probability of self-reporting a cybersecurity event as perceptions of risky e-mail-based behaviors increase.

Edge Computing to Secure IoT Data Ownership and Trade with the Ethereum Blockchain

With an increasing penetration of ubiquitous connectivity, the amount of data describing the actions of end-users has been increasing dramatically, both within the domain of the Internet of Things (IoT) and other smart devices. This has led to more awareness of users in terms of protecting personal data. Within the IoT, there is a growing number of peer-to-peer (P2P) transactions, increasing the exposure to security vulnerabilities, and the risk of cyberattacks. Blockchain technology has been explored as middleware in P2P transactions, but existing solutions have mainly focused on providing a safe environment for data trade without considering potential changes in interaction topologies. we present EdgeBoT, a proof-of-concept smart contracts based platform for the IoT built on top of the ethereum blockchain. With the Blockchain of Things (BoT) at the edge of the network, EdgeBoT enables a wider variety of interaction topologies between nodes in the network and external services while guaranteeing ownership of data and end users’ privacy. in EdgeBoT, edge devices trade their data directly with third parties and without the need of intermediaries. This opens the door to new interaction modalities, in which data producers at the edge grant access to batches of their data to different third parties. Leveraging the immutability properties of blockchains, together with the distributed nature of smart contracts, data owners can audit and are aware of all transactions that have occurred with their data. we report initial results demonstrating the potential of EdgeBoT within the IoT. we show that integrating our solutions on top of existing IoT systems has a relatively small footprint in terms of computational resource usage, but a significant impact on the protection of data ownership and management of data trade.

Risk Awareness, Self-Efficacy, and Social Support Predict Secure Smartphone Usage

It is widely acknowledged that non-compliance with smartphone security behaviors is widespread and may cause severe harm to people and devices. In addition to device-based security issues, there are psychological factors involved in these behaviors such as self-efficacy, risk awareness, and social support. The present study examines associations of these three factors with smartphone security behaviors and explores possible mechanisms among these variables. In a longitudinal survey with 192 Chinese college students (73.4% women, mean age 24.46 years, SD = 5.15), self-efficacy, risk awareness, and social support were assessed with psychometric scales at two points in time, 2 weeks apart. Hierarchical regression analyses were performed with follow-up smartphone security behaviors as the dependent variable, controlling for baseline values and demographic and IT-related covariates. Main effects of self-efficacy, risk awareness, and social support on smartphone security behaviors were identified. Moreover, a triple interaction among the three predictors emerged in a synergistic way, indicating that their combination yielded more favorable levels of secure smartphone use. The total model accounted for 50% of the behavioral variance, with all covariates included, and the triple interaction among self-efficacy, risk awareness, and social support accounted for 2.3% of variance. Results document that psychological factors are involved in smartphone security behaviors beyond demographic and IT-related covariates. Interventions could be designed to improve smartphone security behaviors not only by developing privacy-enhancing technologies but also by considering psychological factors such as self-efficacy, risk awareness, and social support.

Covert Timing Channel Analysis Either as Cyber Attacks or Confidential Applications

Covert timing channels are an important alternative for transmitting information in the world of the Internet of Things (IoT). In covert timing channels data are encoded in inter-arrival times between consecutive packets based on modifying the transmission time of legitimate traffic. Typically, the modification of time takes place by delaying the transmitted packets on the sender side. A key aspect in covert timing channels is to find the threshold of packet delay that can accurately distinguish covert traffic from legitimate traffic. Based on that we can assess the level of dangerous of security threats or the quality of transferred sensitive information secretly. In this paper, we study the inter-arrival time behavior of covert timing channels in two different network configurations based on statistical metrics, in addition we investigate the packet delaying threshold value. Our experiments show that the threshold is approximately equal to or greater than double the mean of legitimate inter-arrival times. In this case covert timing channels become detectable as strong anomalies.

[Willingness to Acceptance for the Information Leakage of Medical Information Data Using the Contingent Valuation Method]

Appropriate information security measures are very important for today's highly computerized hospitals to maintain the trust from patients. If once the personal information leakage of medical information was occurred, the hospital could lose their trust that has built for long time so far. It is important for hospitals to know the impact of the leakage accident previously advance to decide the investment for information security. The purpose of this study is to evaluate the impact of medical information leakage. The comforting fee for the patient's mental damage as the willingness to accept (WTA) was estimated, when the information leak occurred from a hospital using the contingent valuation method (CVM). Questionnaire survey was conducted using an internet survey service in Japan. We asked for 300 citizens about the use of personal information communication equipment and information security measures and their awareness for the information leakage. In addition, we presented a hypothetical scenario regarding information leakage of own medical information, asked the WTA as the comforting fee by the one choice of acceptance or rejection for the presented fee. In 300 responses, 190 were could be used for WTA estimation. WTA as the comforting fee when the information leakage of medical care information occurred, was estimated 570,541 yen in total. The result was similar with the value estimated by the damage compensation payment estimation model.

A Multidimensional Hyperjerk Oscillator: Dynamics Analysis, Analogue and Embedded Systems Implementation, and Its Application as a Cryptosystem

A lightweight image encryption algorithm is presented based on chaos induction via a 5-dimensional hyperjerk oscillator (5DHO) network. First, the dynamics of our 5DHO network is investigated and shown to exhibit up to five coexisting hidden attractors in the state space that depend exclusively on the system's initial values. Further, a simple implementation of the circuit was used to validate its ability to exhibit chaotic dynamical properties. Second, an Arduino UNO platform is used to confirm the usability of our oscillator in embedded system implementation. Finally, an efficient image encryption application is executed using the proposed chaotic networks based on the use of permutation-substitution sequences. The superior qualities of the proposed strategy are traced to the dynamic set of keys used in the substitution process which heralds the generation of the final ciphered image. Based on the average results obtained from the entropy analysis (7.9976), NPCR values (99.62), UACI tests (33.69) and encryption execution time for 512 × 512 images (0.1141 s), the proposed algorithm is adjudged to be fast and robust to differential and statistical attacks relative to similar approaches.

An Edge-Fog Secure Self-Authenticable Data Transfer Protocol

Development of the Internet of Things (IoT) opens many new challenges. As IoT devices are getting smaller and smaller, the problems of so-called “constrained devices” arise. The traditional Internet protocols are not very well suited for constrained devices comprising localized network nodes with tens of devices primarily communicating with each other (e.g., various sensors in Body Area Network communicating with each other). These devices have very limited memory, processing, and power resources, so traditional security protocols and architectures also do not fit well. To address these challenges the Fog computing paradigm is used in which all constrained devices, or Edge nodes, primarily communicate only with less-constrained Fog node device, which collects all data, processes it and communicates with the outside world. We present a new lightweight secure self-authenticable transfer protocol (SSATP) for communications between Edge nodes and Fog nodes. The primary target of the proposed protocol is to use it as a secure transport for CoAP (Constrained Application Protocol) in place of UDP (User Datagram Protocol) and DTLS (Datagram Transport Layer Security), which are traditional choices in this scenario. SSATP uses modified header fields of standard UDP packets to transfer additional protocol handling and data flow management information as well as user data authentication information. The optional redundant data may be used to provide increased resistance to data losses when protocol is used in unreliable networks. The results of experiments presented in this paper show that SSATP is a better choice than UDP with DTLS in the cases, where the CoAP block transfer mode is used and/or in lossy networks.

Wearable devices in healthcare: Privacy and information security issues

BACKGROUND

Mobile health has provided new and exciting ways for patients to partake in their healthcare. Wearable devices are designed to collect the user's health data, which can be analysed to provide information about the user's health status. However, little research has been conducted that addresses privacy and information security issues of these devices.

OBJECTIVE

To investigate the privacy and information security issues to which users are exposed when using wearable health devices.

METHOD

The study used a cross-sectional survey approach to collect data from a convenience sample of 106 respondents.

RESULTS

Half of the respondents did not understand the need to protect health information. There also appeared to be a general lack of awareness among respondents about the information security issues surrounding their data collected by wearable devices.

CONCLUSION

Users were not knowledgeable about the privacy risks that their data are exposed to or how these data are protected once collected.

IMPLICATIONS

Users of wearable devices that collect personal information about health need to be educated about privacy and information security issues to which they are exposed when using these devices.

Enhancing Sensor Network Security with Improved Internal Hardware Design

With the rapid development of the Internet-of-Things (IoT), sensors are being widely applied in industry and human life. Sensor networks based on IoT have strong Information transmission and processing capabilities. The security of sensor networks is progressively crucial. Cryptographic algorithms are widely used in sensor networks to guarantee security. Hardware implementations are preferred, since software implementations offer lower throughout and require more computational resources. Cryptographic chips should be tested in a manufacturing process and in the field to ensure their quality. As a widely used design-for-testability (DFT) technique, scan design can enhance the testability of the chips by improving the controllability and observability of the internal flip-flops. However, it may become a backdoor to leaking sensitive information related to the cipher key, and thus, threaten the security of a cryptographic chip. In this paper, a secure scan test architecture was proposed to resist scan-based noninvasive attacks on cryptographic chips with boundary scan design. Firstly, the proposed DFT architecture provides the scan chain reset mechanism by gating a mode-switching detection signal into reset input of scan cells. The contents of scan chains will be erased when the working mode is switched between test mode and functional mode, and thus, it can deter mode-switching based noninvasive attacks. Secondly, loading the secret key into scan chains of cryptographic chips is prohibited in the test mode. As a result, the test-mode-only scan attack can also be thwarted. On the other hand, shift operation under functional mode is disabled to overcome scan attack in the functional mode. The proposed secure scheme ensures the security of cryptographic chips for sensor networks with extremely low area penalty.

Information security climate and the assessment of information security risk among healthcare employees

Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act-covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.

National and Transnational Security Implications of Asymmetric Access to and Use of Biological Data

Biology and biotechnology have changed dramatically during the past 20 years, in part because of increases in computational capabilities and use of engineering principles to study biology. The advances in supercomputing, data storage capacity, and cloud platforms enable scientists throughout the world to generate, analyze, share, and store vast amounts of data, some of which are biological and much of which may be used to understand the human condition, agricultural systems, evolution, and environmental ecosystems. These advances and applications have enabled: (1) the emergence of data science, which involves the development of new algorithms to analyze and visualize data; and (2) the use of engineering approaches to manipulate or create new biological organisms that have specific functions, such as production of industrial chemical precursors and development of environmental bio-based sensors. Several biological sciences fields harness the capabilities of computer, data, and engineering sciences, including synthetic biology, precision medicine, precision agriculture, and systems biology. These advances and applications are not limited to one country. This capability has economic and physical consequences, but is vulnerable to unauthorized intervention. Healthcare and genomic information of patients, information about pharmaceutical and biotechnology products in development, and results of scientific research have been stolen by state and non-state actors through infiltration of databases and computer systems containing this information. Countries have developed their own policies for governing data generation, access, and sharing with foreign entities, resulting in asymmetry of data sharing. This paper describes security implications of asymmetric access to and use of biological data.

A Type-Aware Approach to Message Clustering for Protocol Reverse Engineering

Protocol Reverse Engineering (PRE) is crucial for information security of Internet-of-Things (IoT), and message clustering determines the effectiveness of PRE. However, the quality of services still lags behind the strict requirement of IoT applications as the results of message clustering are often coarse-grained with the intrinsic type information hidden in messages largely ignored. Aiming at this problem, this study proposes a type-aware approach to message clustering guided by type information. The approach regards a message as a combination of n-grams, and it employs the Latent Dirichlet Allocation (LDA) model to characterize messages with types and n-grams via inferring the type distribution of each message. The type distribution is finally used to measure the similarity of messages. According to this similarity, the approach clusters messages and further extracts message formats. Experimental results of the approach against Netzob in terms of a number of protocols indicate that the correctness and conciseness can be significantly improved, e.g., figures 43.86% and 3.87%, respectively for the CoAP protocol.

Dynamically Reconfigurable Encryption and Decryption System Design for the Internet of Things Information Security

Information security is the foundation for building trust between the Internet of Things (IoT) and its users. Due to the sharp increase of information quantity and the limitation of hardware resources, it is difficult to maintain the high performance of hardware equipment, while also enhancing information security. To solve the problem of high consumption and low flexibility of multiple cryptographic algorithms hardware implementation, we have designed the Dynamically Reconfigurable Encryption and Decryption System, which is based on Field Programmable Gate Array. Considering the functional requirements, the cryptographic algorithm reconfigurable module files stored in External Memory could be configured dynamically into the assigned on-chip Reconfigurable Partition, supported by Core Controller and the Reconfiguration Control Platform. The experiment results show that, compared with the Static Encryption and Decryption System, our design reduces the logic resources by more than 30% and completes the algorithm swapping at the configuration speed of 15,759.51 Bytes/ms. It indicates that our design could reduce logic resources consumption and improve utilization efficiency and system flexibility.

Views of Health Information Management Staff on Non-Technical Security Management Factors, Mashhad, Iran

Health care organizations are worried about information security because they generate important and valuable information in the field of health informatics. Therefore, the present study was conducted to investigate the health information management staff's viewpoint on non-technical security management factors. A descriptive cross-sectional study was conducted between Feb to Apr 2018 in 12 academic hospitals in Mashhad, north-eastern Iran. Data were collected through a paper-based questionnaire that was designed based on previous studies and published literature. From the views of staff, the information security management had the highest average (Mean = 3.63) while organizational culture had the lowest average (Mean = 3.32). The results of this study showed that security controls are essential for protecting critical information. Organizations must also consider appropriate security actions for protecting critical organizational information.

Development and Evaluation of a New Security and Privacy Track in a Health Informatics Graduate Program: Multidisciplinary Collaboration in Education

BACKGROUND

The widespread application of technologies such as electronic health record systems, mobile health apps, and telemedicine platforms, has made it easy for health care providers to collect relevant data and deliver health care regimens. While efficacious, these new technologies also pose serious security and privacy challenges.

OBJECTIVE

The training program described here aims at preparing well-informed health information security and privacy professionals with enhanced course materials and various approaches.

METHODS

A new educational track has been built within a health informatics graduate program. Several existing graduate courses have been enhanced with new security and privacy modules. New labs and seminars have been created, and students are being encouraged to participate in research projects and obtain real-world experience from industry partners. Students in this track receive both theoretical education and hands-on practice. Evaluations have been performed on this new track by conducting multiple surveys on a sample of students.

RESULTS

We have succeeded in creating a new security track and developing a pertinent curriculum. The newly created security materials have been implemented in multiple courses. Our evaluation indicated that students (N=72) believed that receiving security and privacy training was important for health professionals, the provided security contents were interesting, and having the enhanced security and privacy training in this program was beneficial for their future career.

CONCLUSIONS

The security and privacy education for health information professionals in this new security track has been significantly enhanced.

[Design and Validation of Remote Radiotherapy System]

Telemedicine technology is a means of deploying medical resources with low cost and high efficiency. A set of remote radiotherapy system based on Citrix was designed in this paper, so that the senior radiation therapists from the developed areas can provide medical services effectively for the patients in the rural areas. This paper focused on the design ideas and the detail of the technical implementation of how to design a remote radiotherapy system based on the existing equipment in the primary hospital. And the technical reliability and security of the remote radiotherapy system were verified by the scientific test method with pairwise comparison. The early practical experience shows that through the remote radiotherapy system the primary radiotherapy personnel and the radiotherapy experts from thirdgrade class-A hospital can form effective alliance in radiotherapy techniques to allow patients in rural areas to receive more professional radiation therapy.

Highly Secure Physically Unclonable Cryptographic Primitives Based on Interfacial Magnetic Anisotropy

Information security is of great importance for the approaching Internet of things (IoT) era. Physically unclonable functions (PUFs) have been intensively studied for information security. However, silicon PUFs are vulnerable to hazards such as modeling and side-channel attacks. Here we demonstrate a magnetic analogue PUF based on perpendicularly magnetized Ta/CoFeB/MgO heterostructures. The perpendicular magnetic anisotropy originates from the CoFeB/MgO interface, which is sensitive to the subnanometer variation of MgO thickness within a certain range (0.6-1.3 nm). When the MgO layer is thinned, a thickness variation resulting from ion milling nonuniformity induces unclonable random distributions of eas y-axis magnetization orientations in heterostructures. The analogue PUF can provide a much larger key size than a conventional binary-bit counterpart. Moreover, after the thinning process, the unique eas y-axis magnetization orientation in each single device was formed, which can avoid setting random states to realize low power consumption and high-density integration. This magnetic PUF is a promising innovative primitive for secret key generation and storage with high security in the IoT era.

Double Quantum Image Encryption Based on Arnold Transform and Qubit Random Rotation

Quantum image encryption offers major advantages over its classical counterpart in terms of key space, computational complexity, and so on. A novel double quantum image encryption approach based on quantum Arnold transform (QAT) and qubit random rotation is proposed in this paper, in which QAT is used to scramble pixel positions and the gray information is changed by utilizing random qubit rotation. Actually, the independent random qubit rotation operates once, respectively, in spatial and frequency domains with the help of quantum Fourier transform (QFT). The encryption process accomplishes pixel confusion and diffusion, and finally the noise-like cipher image is obtained. Numerical simulation and theoretical analysis verify that the method is valid and it shows superior performance in security and computational complexity.

Concealment and discovery: The role of information security in biomedical data re-use

This paper analyses the role of information security (IS) in shaping the dissemination and re-use of biomedical data, as well as the embedding of such data in material, social and regulatory landscapes of research. We consider data management practices adopted by two UK-based data linkage infrastructures: the Secure Anonymised Information Linkage, a Welsh databank that facilitates appropriate re-use of health data derived from research and routine medical practice in the region, and the Medical and Environmental Data Mash-up Infrastructure, a project bringing together researchers to link and analyse complex meteorological, environmental and epidemiological data. Through an in-depth analysis of how data are sourced, processed and analysed in these two cases, we show that IS takes two distinct forms: epistemic IS, focused on protecting the reliability and reusability of data as they move across platforms and research contexts, and infrastructural IS, concerned with protecting data from external attacks, mishandling and use disruption. These two dimensions are intertwined and mutually constitutive, and yet are often perceived by researchers as being in tension with each other. We discuss how such tensions emerge when the two dimensions of IS are operationalized in ways that put them at cross purpose with each other, thus exemplifying the vulnerability of data management strategies to broader governance and technological regimes. We also show that whenever biomedical researchers manage to overcome the conflict, the interplay between epistemic and infrastructural IS prompts critical questions concerning data sources, formats, metadata and potential uses, resulting in an improved understanding of the wider context of research and the development of relevant resources. This informs and significantly improves the reusability of biomedical data, while encouraging exploratory analyses of secondary data sources.

Difficulties and Challenges of Anomaly Detection in Smart Cities: A Laboratory Analysis

Smart cities work with large volumes of data from sensor networks and other sources. To prevent data from being compromised by attacks or errors, smart city IT administrators need to apply attack detection techniques to evaluate possible incidents as quickly as possible. Machine learning has proven to be effective in many fields and, in the context of wireless sensor networks (WSNs), it has proven adequate to detect attacks. However, a smart city poses a much more complex scenario than a WSN, and it has to be evaluated whether these techniques are equally valid and effective. In this work, we evaluate two machine learning algorithms (support vector machines (SVM) and isolation forests) to detect anomalies in a laboratory that reproduces a real smart city use case with heterogeneous devices, algorithms, protocols, and network configurations. The experience has allowed us to show that, although these techniques are of great value for smart cities, additional considerations must be taken into account to effectively detect attacks. Thus, through this empiric analysis, we point out broader challenges and difficulties of using machine learning in this context, both for the technical complexity of the systems, and for the technical difficulty of configuring and implementing them in such environments.

Fringing Electric Field Sensors for Anti-Attack at System-Level Protection

Information system security has been in the spotlight of individuals and governments in recent years. Integrated Circuits (ICs) function as the basic element of communication and information spreading, therefore they have become an important target for attackers. From this perspective, system-level protection to keep chips from being attacked is of vital importance. This paper proposes a novel method based on a fringing electric field (FEF) sensor to detect whether chips are dismantled from a printed circuit board (PCB) as system-level protection. The proposed method overcomes the shortcomings of existing techniques that can be only used in specific fields. After detecting a chip being dismantled from PCB, some protective measures like deleting key data can be implemented to be against attacking. Fringing electric field sensors are analyzed through simulation. By optimizing sensor's patterns, areas and geometrical parameters, the methods that maximize sensitivity of fringing electric field sensors are put forward and illustrated. The simulation is also reproduced by an experiment to ensure that the method is feasible and reliable. The results of experiments are inspiring in that they prove that the sensor can work well for protection of chips and has the advantage of universal applicability, low cost and high reliability.

Hacking the Human: The Prevalence Paradox in Cybersecurity

OBJECTIVE

This work assesses the efficacy of the "prevalence effect" as a form of cyberattack in human-automation teaming, using an email task.

BACKGROUND

Under the prevalence effect, rare signals are more difficult to detect, even when taking into account their proportionally low occurrence. This decline represents diminished human capability to both detect and respond. As signal probability (SP) approaches zero, accuracy exhibits logarithmic decay. Cybersecurity, a context in which the environment is entirely artificial, provides an opportunity to manufacture conditions enhancing or degrading human performance, such as prevalence effects. Email cybersecurity prevalence effects have not previously been demonstrated, nor intentionally manipulated.

METHOD

The Email Testbed (ET) provides a simulation of a clerical email work involving messages containing sensitive personal information. Using the ET, participants were presented with 300 email interactions and received cyberattacks at rates of either 1%, 5%, or 20%.

RESULTS

Results demonstrated the existence and power of prevalence effects in email cybersecurity. Attacks delivered at a rate of 1% were significantly more likely to succeed, and the overall pattern of accuracy across declining SP exhibited logarithmic decay.

APPLICATION

These findings suggest a "prevalence paradox" within human-machine teams. As automation reduces attack SP, the human operator becomes increasingly likely to fail in detecting and reporting attacks that remain. In the cyber realm, the potential to artificially inflict this state on adversaries, hacking the human operator rather than algorithmic defense, is considered. Specific and general information security design countermeasures are offered.

A Lightweight Protocol for Secure Video Streaming

The Internet of Things (IoT) introduces many new challenges which cannot be solved using traditional cloud and host computing models. A new architecture known as fog computing is emerging to address these technological and security gaps. Traditional security paradigms focused on providing perimeter-based protections and client/server point to point protocols (e.g., Transport Layer Security (TLS)) are no longer the best choices for addressing new security challenges in fog computing end devices, where energy and computational resources are limited. In this paper, we present a lightweight secure streaming protocol for the fog computing "Fog Node-End Device" layer. This protocol is lightweight, connectionless, supports broadcast and multicast operations, and is able to provide data source authentication, data integrity, and confidentiality. The protocol is based on simple and energy efficient cryptographic methods, such as Hash Message Authentication Codes (HMAC) and symmetrical ciphers, and uses modified User Datagram Protocol (UDP) packets to embed authentication data into streaming data. Data redundancy could be added to improve reliability in lossy networks. The experimental results summarized in this paper confirm that the proposed method efficiently uses energy and computational resources and at the same time provides security properties on par with the Datagram TLS (DTLS) standard.

[Application of classified protection of information security in the information system of air pollution and health impact monitoring]

OBJECTIVE

To study the application of classified protection of information security in the information system of air pollution and health impact monitoring, so as to solve the possible safety risk of the information system.

METHODS

According to the relevant national standards and requirements for the information system security classified protection, and the professional characteristics of the information system, to design and implement the security architecture of information system, also to determine the protection level of information system.

RESULTS

Basic security measures for the information system were developed in the technical safety and management safety aspects according to the protection levels, which effectively prevented the security risk of the information system.

CONCLUSION

The information system established relatively complete information security protection measures, to enhanced the security of professional information and system service, and to ensure the safety of air pollution and health impact monitoring project carried out smoothly.

An Axiology of Information Security for Futuristic Neuroprostheses: Upholding Human Values in the Context of Technological Posthumanization

Previous works exploring the challenges of ensuring information security for neuroprosthetic devices and their users have typically built on the traditional InfoSec concept of the “CIA Triad” of confidentiality, integrity, and availability. However, we argue that the CIA Triad provides an increasingly inadequate foundation for envisioning information security for neuroprostheses, insofar as it presumes that (1) any computational systems to be secured are merely instruments for expressing their human users' agency, and (2) computing devices are conceptually and practically separable from their users. Drawing on contemporary philosophy of technology and philosophical and critical posthumanist analysis, we contend that futuristic neuroprostheses could conceivably violate these basic InfoSec presumptions, insofar as (1) they may alter or supplant their users' biological agency rather than simply supporting it, and (2) they may structurally and functionally fuse with their users to create qualitatively novel “posthumanized” human-machine systems that cannot be secured as though they were conventional computing devices. Simultaneously, it is noted that many of the goals that have been proposed for future neuroprostheses by InfoSec researchers (e.g., relating to aesthetics, human dignity, authenticity, free will, and cultural sensitivity) fall outside the scope of InfoSec as it has historically been understood and touch on a wide range of ethical, aesthetic, physical, metaphysical, psychological, economic, and social values. We suggest that the field of axiology can provide useful frameworks for more effectively identifying, analyzing, and prioritizing such diverse types of values and goods that can (and should) be pursued through InfoSec practices for futuristic neuroprostheses.

Can Cyberloafing and Internet Addiction Affect Organizational Information Security?

Researchers have noted potential links between Internet addiction, the use of work computers for nonwork purposes and an increased risk of threat to the organization from breaches in cybersecurity. However, much of this research appears conjectural in nature and lacks clear empirical evidence to support such claims. To fill this knowledge gap, a questionnaire-based study explored the link between cyberloafing, Internet addiction, and information security awareness (ISA). A total of 338 participants completed an online questionnaire, which comprised of the Online Cognition Scale, Cyberloafing Scale, and the Human Aspects of Information Security Questionnaire. Participants who reported higher Internet addiction and cyberloafing tendencies had lower ISA, and Internet addiction and cyberloafing predicted a significant 45 percent of the variance in ISA. Serious cyberloafing, such as the propensity to visit adult websites and online gambling, was shown to be the significant predictor for poorer ISA. Implications for organizations and recommendations to reduce or manage inappropriate Internet use are discussed.

A DNA-Based Encryption Method Based on Two Biological Axioms of DNA Chip and Polymerase Chain Reaction (PCR) Amplification Techniques

Researchers have gained a deeper understanding of DNA-based encryption and its effectiveness in enhancing information security in recent years. However, there are many theoretical and technical issues about DNA-based encryption that need to be addressed before it can be effectively used in the field of security. Currently, the most popular DNA-based encryption schemes are based on traditional cryptography and the integration of existing DNA technology. These schemes are not completely based on DNA computing and biotechnology. Herein, as inspired by nature, encryption based on DNA has been developed, which is, in turn, based on two fundamental biological axioms about DNA sequencing: 1) DNA sequencing is difficult under the conditions of not knowing the correct sequencing primers and probes, and 2) without knowing the correct probe, it is difficult to decipher precisely and sequence the information of unknown and mixed DNA/peptide nucleic acid (PNA) probes, which only differ in nucleotide sequence, arranged on DNA chips (microarrays). In essence, when creating DNA-based encryption by means of biological technologies, such as DNA chips and polymerase chain reaction (PCR) amplification, the encryption method discussed herein cannot be decrypted, unless the DNA/PNA probe or PCR amplification is known. The biological analysis, mathematical analysis, and simulation results demonstrate the feasibility of the method, which provides much stronger security and reliability than that of traditional encryption methods.

Attack Classification Schema for Smart City WSNs

Urban areas around the world are populating their streets with wireless sensor networks (WSNs) in order to feed incipient smart city IT systems with metropolitan data. In the future smart cities, WSN technology will have a massive presence in the streets, and the operation of municipal services will be based to a great extent on data gathered with this technology. However, from an information security point of view, WSNs can have failures and can be the target of many different types of attacks. Therefore, this raises concerns about the reliability of this technology in a smart city context. Traditionally, security measures in WSNs have been proposed to protect specific protocols in an environment with total control of a single network. This approach is not valid for smart cities, as multiple external providers deploy a plethora of WSNs with different security requirements. Hence, a new security perspective needs to be adopted to protect WSNs in smart cities. Considering security issues related to the deployment of WSNs as a main data source in smart cities, in this article, we propose an intrusion detection framework and an attack classification schema to assist smart city administrators to delimit the most plausible attacks and to point out the components and providers affected by incidents. We demonstrate the use of the classification schema providing a proof of concept based on a simulated selective forwarding attack affecting a parking and a sound WSN.

Indirect effect of management support on users' compliance behaviour towards information security policies

BACKGROUND

Health information systems are innovative products designed to improve the delivery of effective healthcare, but they are also vulnerable to breaches of information security, including unauthorised access, use, disclosure, disruption, modification or destruction, and duplication of passwords. Greater openness and multi-connectedness between heterogeneous stakeholders within health networks increase the security risk.

OBJECTIVE

The focus of this research was on the indirect effects of management support (MS) on user compliance behaviour (UCB) towards information security policies (ISPs) among health professionals in selected Malaysian public hospitals. The aim was to identify significant factors and provide a clearer understanding of the nature of compliance behaviour in the health sector environment.

METHOD

Using a survey design and stratified random sampling method, self-administered questionnaires were distributed to 454 healthcare professionals in three hospitals. Drawing on theories of planned behaviour, perceived behavioural control (self-efficacy (SE) and MS components) and the trust factor, an information system security policies compliance model was developed to test three related constructs (MS, SE and perceived trust (PT)) and their relationship to UCB towards ISPs.

RESULTS

Results showed a 52.8% variation in UCB through significant factors. Partial least squares structural equation modelling demonstrated that all factors were significant and that MS had an indirect effect on UCB through both PT and SE among respondents to this study.

CONCLUSION

The research model based on the theory of planned behaviour in combination with other human and organisational factors has made a useful contribution towards explaining compliance behaviour in relation to organisational ISPs, with trust being the most significant factor. In adopting a multidimensional approach to management-user interactions via multidisciplinary concepts and theories to evaluate the association between the integrated management-user values and the nature of compliance towards ISPs among selected health professionals, this study has made a unique contribution to the literature.

Ultra-Wideband Multi-Dye-Sensitized Upconverting Nanoparticles for Information Security Application

Multi-dye-sensitized upconverting nanoparticles (UCNPs), which harvest photons of wide wavelength range (450-975 nm) are designed and synthesized. The UCNPs embedded in a photo-acid generating layer are integrated on destructible nonvolatile resistive memory device. Upon illumination of light, the system permanently erases stored data, achieving enhanced information security.

Information security risk management for computerized health information systems in hospitals: a case study of Iran

Background

In recent years, hospitals in Iran – similar to those in other countries – have experienced growing use of computerized health information systems (CHISs), which play a significant role in the operations of hospitals. But, the major challenge of CHIS use is information security. This study attempts to evaluate CHIS information security risk management at hospitals of Iran.

Materials and methods

This applied study is a descriptive and cross-sectional research that has been conducted in 2015. The data were collected from 551 hospitals of Iran. Based on literature review, experts’ opinion, and observations at five hospitals, our intensive questionnaire was designed to assess security risk management for CHISs at the concerned hospitals, which was then sent to all hospitals in Iran by the Ministry of Health.

Results

Sixty-nine percent of the studied hospitals pursue information security policies and procedures in conformity with Iran Hospitals Accreditation Standards. At some hospitals, risk identification, risk evaluation, and risk estimation, as well as risk treatment, are unstructured without any specified approach or methodology. There is no significant structured approach to risk management at the studied hospitals.

Conclusion

Information security risk management is not followed by Iran’s hospitals and their information security policies. This problem can cause a large number of challenges for their CHIS security in future. Therefore, Iran’s Ministry of Health should develop practical policies to improve information security risk management in the hospitals of Iran.

A Comparative Study of Anomaly Detection Techniques for Smart City Wireless Sensor Networks

In many countries around the world, smart cities are becoming a reality. These cities contribute to improving citizens’ quality of life by providing services that are normally based on data extracted from wireless sensor networks (WSN) and other elements of the Internet of Things. Additionally, public administration uses these smart city data to increase its efficiency, to reduce costs and to provide additional services. However, the information received at smart city data centers is not always accurate, because WSNs are sometimes prone to error and are exposed to physical and computer attacks. In this article, we use real data from the smart city of Barcelona to simulate WSNs and implement typical attacks. Then, we compare frequently used anomaly detection techniques to disclose these attacks. We evaluate the algorithms under different requirements on the available network status information. As a result of this study, we conclude that one-class Support Vector Machines is the most appropriate technique. We achieve a true positive rate at least 56% higher than the rates achieved with the other compared techniques in a scenario with a maximum false positive rate of 5% and a 26% higher in a scenario with a false positive rate of 15%.

The Role of Human Factors/Ergonomics in the Science of Security: Decision Making and Action Selection in Cyberspace

OBJECTIVE

The overarching goal is to convey the concept of science of security and the contributions that a scientifically based, human factors approach can make to this interdisciplinary field.

BACKGROUND

Rather than a piecemeal approach to solving cybersecurity problems as they arise, the U.S. government is mounting a systematic effort to develop an approach grounded in science. Because humans play a central role in security measures, research on security-related decisions and actions grounded in principles of human information-processing and decision-making is crucial to this interdisciplinary effort.

METHOD

We describe the science of security and the role that human factors can play in it, and use two examples of research in cybersecurity--detection of phishing attacks and selection of mobile applications--to illustrate the contribution of a scientific, human factors approach.

RESULTS

In these research areas, we show that systematic information-processing analyses of the decisions that users make and the actions they take provide a basis for integrating the human component of security science.

CONCLUSION

Human factors specialists should utilize their foundation in the science of applied information processing and decision making to contribute to the science of cybersecurity.

Patient privacy in the genomic era

According to many scientists and clinicians, genomics is taking on a key role in the field of medicine. Impressive advances in genome sequencing have opened the way to a variety of revolutionary applications in modern healthcare. In particular, the increasing understanding of the human genome, and of its relation to diseases and response to treatments brings promise of improvements in better preventive and personalized medicine. However, this progress raises important privacy and ethical concerns that need to be addressed. Indeed, each genome is the ultimate identifier of its owner and, due to its nature, it contains highly personal and privacy-sensitive data. In this article, after summarizing recent advances in genomics, we discuss some important privacy issues associated with human genomic information and methods put in place to address them.

Cyber security: a critical examination of information sharing versus data sensitivity issues for organisations at risk of cyber attack

Cyber threats are growing and evolving at an unprecedented rate.Consequently, it is becoming vitally important that organisations share information internally and externally before, during and after incidents they encounter so that lessons can be learned, good practice identified and new cyber resilience capabilities developed. Many organisations are reluctant to share such information for fear of divulging sensitive information or because it may be vague or incomplete. This provides organisations with a complex dilemma: how to share information as openly as possibly about cyber incidents, while protecting their confidentiality and focusing on service recovery from such incidents. This paper explores the dilemma of information sharing versus sensitivity and provides a practical overview of considerations every business continuity plan should address to plan effectively for information sharing in the event of a cyber incident.

Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

BACKGROUND

Privacy and information security are important for all healthcare services, including home-based services. We have designed and implemented a prototype technology platform for providing home-based healthcare services. It supports a personal electronic health diary and enables secure and reliable communication and interaction with peers and healthcare personnel. The platform runs on a small computer with a dedicated remote control. It is connected to the patient's TV and to a broadband Internet. The platform has been tested with home-based rehabilitation and education programs for chronic obstructive pulmonary disease and diabetes. As part of our work, a risk assessment of privacy and security aspects has been performed, to reveal actual risks and to ensure adequate information security in this technical platform.

METHODS

Risk assessment was performed in an iterative manner during the development process. Thus, security solutions have been incorporated into the design from an early stage instead of being included as an add-on to a nearly completed system. We have adapted existing risk management methods to our own environment, thus creating our own method. Our method conforms to ISO's standard for information security risk management.

RESULTS

A total of approximately 50 threats and possible unwanted incidents were identified and analysed. Among the threats to the four information security aspects: confidentiality, integrity, availability, and quality; confidentiality threats were identified as most serious, with one threat given an unacceptable level of High risk. This is because health-related personal information is regarded as sensitive. Availability threats were analysed as low risk, as the aim of the home programmes is to provide education and rehabilitation services; not for use in acute situations or for continuous health monitoring.

CONCLUSIONS

Most of the identified threats are applicable for healthcare services intended for patients or citizens in their own homes. Confidentiality risks in home are different from in a more controlled environment such as a hospital; and electronic equipment located in private homes and communicating via Internet, is more exposed to unauthorised access. By implementing the proposed measures, it has been possible to design a home-based service which ensures the necessary level of information security and privacy.

Assessing and comparing information security in swiss hospitals

BACKGROUND

Availability of information in hospitals is an important prerequisite for good service. Significant resources have been invested to improve the availability of information, but it is also vital that the security of this information can be guaranteed.

OBJECTIVE

The goal of this study was to assess information security in hospitals through a questionnaire based on the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 27002, evaluating Information technology - Security techniques - Code of practice for information-security management, with a special focus on the effect of the hospitals' size and type.

METHODS

The survey, set up as a cross-sectional study, was conducted in January 2011. The chief information officers (CIOs) of 112 hospitals in German-speaking Switzerland were invited to participate. The online questionnaire was designed to be fast and easy to complete to maximize participation. To group the analyzed controls of the ISO/IEC standard 27002 in a meaningful way, a factor analysis was performed. A linear score from 0 (not implemented) to 3 (fully implemented) was introduced. The scores of the hospitals were then analyzed for significant differences in any of the factors with respect to size and type of hospital. The participating hospitals were offered a benchmark report about their status.

RESULTS

The 51 participating hospitals had an average score of 51.1% (range 30.6% - 81.9%) out of a possible 100% where all items in the questionnaire were fully implemented. Room for improvement could be identified, especially for the factors covering "process and quality management" (average score 1.3 ± 0.8 out of a maximum of 3) and "organization and risk management" (average score 1.3 ± 0.7 out of a maximum of 3). Private hospitals scored significantly higher than university hospitals in the implementation of "security zones" and "backup" (P = .008).

CONCLUSIONS

Half (50.00%, 8588/17,177) of all assessed hospital beds in German-speaking Switzerland are in hospitals that have a score of 49% or less of the maximum possible score in information security. Patient data need to be better protected because of the data protection laws and because sensitive, personal data should be guaranteed confidentiality, integrity, and availability.

Dual-channel in-line digital holographic double random phase encryption

We present a robust encryption method for the encoding of 2D/3D objects using digital holography and virtual optics. Using our recently developed dual-plane in-line digital holography technique, two in-line digital holograms are recorded at two different planes and are encrypted using two different double random phase encryption configurations, independently. The process of using two mutually exclusive encryption channels makes the system more robust against attacks since both the channels should be decrypted accurately in order to get a recognizable reconstruction. Results show that the reconstructed object is unrecognizable even when the portion of the correct phase keys used during decryption is close to 75%. The system is verified against blind decryptions by evaluating the SNR and MSE. Validation of the proposed method and sensitivities of the associated parameters are quantitatively analyzed and illustrated.

SMS-based medical diagnostic telemetry data transmission protocol for medical sensors

People with special medical monitoring needs can, these days, be sent home and remotely monitored through the use of data logging medical sensors and a transmission base-station. While this can improve quality of life by allowing the patient to spend most of their time at home, most current technologies rely on hardwired landline technology or expensive mobile data transmissions to transmit data to a medical facility. The aim of this paper is to investigate and develop an approach to increase the freedom of a monitored patient and decrease costs by utilising mobile technologies and SMS messaging to transmit data from patient to medico. To this end, we evaluated the capabilities of SMS and propose a generic communications protocol which can work within the constraints of the SMS format, but provide the necessary redundancy and robustness to be used for the transmission of non-critical medical telemetry from data logging medical sensors.

Common criteria related security design patterns for intelligent sensors--knowledge engineering-based implementation

Intelligent sensors experience security problems very similar to those inherent to other kinds of IT products or systems. The assurance for these products or systems creation methodologies, like Common Criteria (ISO/IEC 15408) can be used to improve the robustness of the sensor systems in high risk environments. The paper presents the background and results of the previous research on patterns-based security specifications and introduces a new ontological approach. The elaborated ontology and knowledge base were validated on the IT security development process dealing with the sensor example. The contribution of the paper concerns the application of the knowledge engineering methodology to the previously developed Common Criteria compliant and pattern-based method for intelligent sensor security development. The issue presented in the paper has a broader significance in terms that it can solve information security problems in many application domains.

How secure is your information system? An investigation into actual healthcare worker password practices

For most healthcare information systems, passwords are the first line of defense in keeping patient and administrative records private and secure. However, this defense is only as strong as the passwords employees chose to use. A weak or easily guessed password is like an open door to the medical records room, allowing unauthorized access to sensitive information. In this paper, we present the results of a study of actual healthcare workers' password practices. In general, the vast majority of these passwords have significant security problems on several dimensions. Implications for healthcare professionals are discussed.