It has been widely recognized in the psychology of cybersecurity literature that ordinary users rather than technology systems are the weakest link in cybersecurity. The present study focused on assessing the cybersecurity judgment of 462 college students as a specific group of ordinary users in order to further identify specific weakest links of the weakest link. It was found that (1) the average percentage correct for cybersecurity judgment among the 462 students was 65%, (2) 104 (23%) students showed the lowest correct judgments (below 50%), (3) two of 16 cybersecurity items received the lowest correct judgment (below 50%), and (4) students' correct rational judgment (64%) was not significantly higher than their correct intuitive judgment (66%). These results not only empirically quantify the weakest link in cybersecurity judgment in general but also further specify the weakest links within the weakest link in particular. They thus provide the earliest benchmarking data on the weakest link phenomenon and can help design effective cybersecurity prevention and intervention programs for ordinary users.
• Ordinary users rather than technology systems are considered the weakest link in cybersecurity.
• Cybersecurity judgment was assessed to identify specific weakest links of the weakest link.
• Three specific weakest links were found, while the average percentage correct was 65%.
• These earliest benchmarking data help design prevention and intervention programs.
K-12 students and teachers are a vulnerable population for cybersecurity risks. Identifying both risk factors and protective factors associated with intuitive and rational judgment of cybersecurity risks would help them develop strategies to tackle cyber risks. A total of 2703 K-12 students and teachers from 45 GenCyber Summer Camps participated in the survey study at the beginning of the camps, and a total of 1021 K-12 students and teachers participated in the follow-up survey at the end of the camps. The Cybersecurity Judgment Questionnaire was developed and administered to assess intuitive and rational judgments of cybersecurity risks. Two major findings of the study include: (1) three significant risk factors associated with both intuitive and rational cybersecurity judgment were Age Group, Region, and Prior GenCyber Camp Experience; that is, younger students, campers from the West region, and participants who had attended the camps before tended to have a lower level of cybersecurity judgment; and (2) two significant protective factors were Cyber Use Length and Current GenCyber Camp Experience, i.e., both longer experience using computers, the Internet and cellphones and participation in the current camps conferred significant advantages in judging cybersecurity risks intuitively and rationally. Thus, it is critical to use both the push strategy to minimize the risk factors and the pull strategy to maximize the protective factors. The paper concludes with a summary of limitations and future studies, i.e., replicating the findings in regular K-12 schools, examining more risk and protective factors, conducting longitudinal studies, and studying underlying mechanisms.
• K-12 students and teachers are particularly vulnerable to cybersecurity risks.
• Cybersecurity risk judgments were assessed with the Cybersecurity Judgment Questionnaire.
• 2703 K-12 students and teachers from 17 US states participated in the study.
• Three major risk factors and two important protective factors were identified.
Cybersecurity is increasingly affecting the healthcare sector. In a recent article, the authors analyzed specific attacks against picture archiving and communication systems (PACS) and medical imaging networks and proposed security measures. This article discusses issues that require consideration when deploying these proposed measures and provides recommendations on how to implement them. Hospitals should deploy virus scanners on systems where permitted, with high priority on devices that are part of the central IT infrastructure of the hospital. They should introduce systematic management of software updates at the operating system, application software and virus scanner level, and clarify the provision of security updates for the intended duration of use when purchasing a new device. They should agree with the PACS vendor on a long-term strategy for implementing access rights, and enable encrypted network communication where possible. This requires an agreement on the encryption algorithms to be used, and a public-key infrastructure. For most of these tasks, standards and profiles exist today. There are, however, some gaps: implementation of cybersecurity measures would be facilitated by integration profiles on certificate and signature management, and on access rights in a PACS environment.
Existing cybersecurity vulnerability assessment tools were designed based on the policies and standards defined by organizations such as the U.S. Department of Energy and the National Institute of Standards and Technology (NIST). Frameworks such as the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF) are often used by critical infrastructure owners and operators to determine the cybersecurity maturity of their facility. Although these frameworks are exceptional at performing qualitative cybersecurity analysis and identifying vulnerabilities, they do not provide a means to perform prioritized mitigation of those vulnerabilities in order to achieve a desired cybersecurity maturity. To address that challenge, we developed a framework and software application called the cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr). This paper presents the detailed architecture of CyFEr’s enhanced prioritized gap analysis (EPGA) methodology and its application to the CSF. The efficacy of the presented framework is demonstrated by comparing it against existing similar models and testing it against the cyber injects from a real-world cyber-attack that targeted industrial control systems (ICS) in critical infrastructure.
• Demonstrates the cybersecurity vulnerability mitigation framework (CyFEr).
• CyFEr is mathematically constructed to use cybersecurity controls.
• CyFEr was effectively applied to the NIST Cybersecurity Framework (CSF).
• CyFEr’s integration with the NIST CSF is demonstrated through a real-world cyber-attack.
• Applicability of CyFEr and comparative analysis against other methods are shown.
• Multiple illustrations are used to demonstrate CyFEr’s complex logical constructs.
For the corporate sphere, cybersecurity has become an inescapable business responsibility, and accountability has become a way of providing trust and ensuring resilience against cyber risks and high-impact cyber threats. The purpose of this study was to create a disclosure index that allows analysis of the scope of the disclosure of voluntary and mandatory cybersecurity information. The content analysis technique used focuses on the examination and identification of the cybersecurity information revealed in the annual reports and the 20-F annual forms of the companies with the highest stock market prices in Argentina, Brazil, Chile, Colombia, Mexico, and Peru during the period 2016–2020. Longitudinal analysis indicates an increase over time in the disclosures and scope of information. The findings highlight that the country with the highest related disclosure is Argentina; the most extensive disclosures come from the financial sector; and the strategy dimension carries the greatest weight in the index score. The study provides a novel instrument for measuring the content of disclosure on cybersecurity that is applicable in any specific context. In this case, the scope of disclosure in Latin America—a region which, according to our research, has no previous studies on the subject—is evaluated.
This paper develops a generalized framework that allows us to investigate the vulnerability of the power system nonlinear state estimator to false data injection attacks (FDIAs) from the operator's perspective and to initiate countermeasures. Unlike most existing FDIA methods, which assume that the attacker has perfect knowledge of the system measurements and topology, we derive and analyze the uncertainties involved in launching successful FDIAs along with their upper bounds. To effectively defend against an FDIA, we propose a robust detector that checks the statistical consistency of the measurements using a subset of secure PMU measurements. We first show that if these secure PMU measurements are free of bad data while making the system observable, the FDIA is detectable. We then show that detectability is also ensured if these conditions are relaxed while using alternative redundant measurements from short-term nodal synchrophasor predictions together with the robust Huber M-estimator. Numerical simulation results on the IEEE 30-bus and 118-bus systems demonstrate the effectiveness and robustness of the proposed method even when the secure measurements contain noise and bad data.