Search results

This research aims to build a system that will continuously. This paper is an extended version of SECPRE 2021 paper and presents a research on the development and validation of a behavioral biometrics continuous authentication (BBCA) system that is based on users keystroke dynamics and touch gestures on mobile devices. This paper aims to build a system that will continuously authenticate the user of a smartphone.

Session authentication schemes establish the identity of the user only at the beginning of the session, so they are vulnerable to attacks that tamper with communications after the establishment of the authenticated session. Moreover, smartphones themselves are used as authentication means, especially in two-factor authentication schemes, which are often required by several services. Whether the smartphone is in the hands of the legitimate user constitutes a great concern and correspondingly whether the legitimate user is the one who uses the services. In response to these concerns, BBCA technologies have been proposed on a large corpus of literature. This paper presents a research on the development and validation of a BBCA system (named BioPrivacy), which is based on the user’s keystroke dynamics and touch gestures, using a multi-layer perceptron (MLP). Also, this paper introduces a new BB collection tool and proposes a methodology for the selection of an appropriate set of BB.

The system achieved the best results for keystroke dynamics which are 97.18% accuracy, 0.02% equal error rate, 97.2% true acceptance rate and 0.02% false acceptance rate.

This paper develops a new BB collection tool, named BioPrivacy, by which behavioral data of users on mobile devices can be collected. This paper proposes a methodology for the selection of an appropriate set of BB. This paper presents the development of a BBCA system based on MLP.

This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.

Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.

The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.

This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.

This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

This paper aims to identify the data elements that social network sites (SNS) users consider important for shaping their digital identity and explore how users’ privacy concerns, self-esteem and the chosen SNS shape this process.

This study conducted an online survey with the participation of 759 individuals, to examine the influence of privacy concerns, self-esteem and the chosen SNS platform, on the shaping of the digital identity, through a classification of identity elements that users disclose when using a SNS, the Rosenberg self-esteem scale and relevant constructs from the literature.

Findings reveal that users consider the name, gender, picture, interests and job as most important elements for shaping their digital identity. They also demonstrate that privacy concerns do not seem to affect the amount of information users choose to publish when shaping their digital identity. Specific characteristics of SNS platforms are found to affect the way that users shape their digital identity and their privacy behavior. Finally, self-esteem was found to affect privacy concerns and digital identity formation.

To avoid a lengthy questionnaire and the risk of low participation, the respondents answered the questions for one SNS of their choice instead of answering the full questionnaire for each SNS that they use. The survey included the most popular SNSs at the time of the survey in terms of popularity.

The results contribute to the theory by furthering our knowledge on the elements that shape digital identity and by providing evidence with regard to the role of privacy and self-esteem within social networking. In practice, they can be useful for SNS providers, as well as for entities that design security and privacy awareness campaigns.

This paper identifies novel factors that influence digital identity formation, including the specific SNS used with its particular characteristics in combination with privacy concerns and self-esteem of the user.

This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.

This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard’s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed.

This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.

The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).

This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.

User profiling with big data raises significant issues regarding privacy. Privacy studies typically focus on individual privacy; however, in the era of big data analytics, users are also targeted as members of specific groups, thus challenging their collective privacy with unidentified implications. Overall, this paper aims to argue that in the age of big data, there is a need to consider the collective aspects of privacy as well and to develop new ways of calculating privacy risks and identify privacy threats that emerge.

Focusing on a collective level, the authors conducted an extensive literature review related to information privacy and concepts of social identity. They also examined numerous automated data-driven profiling techniques analyzing at the same time the involved privacy issues for groups.

This paper identifies privacy threats for collective entities that stem from data-driven profiling, and it argues that privacy-preserving mechanisms are required to protect the privacy interests of groups as entities, independently of the interests of their individual members. Moreover, this paper concludes that collective privacy threats may be different from threats for individuals when they are not members of a group.

Although research evidence indicates that in the age of big data privacy as a collective issue is becoming increasingly important, the pluralist character of privacy has not yet been adequately explored. This paper contributes to filling this gap and provides new insights with regard to threats for group privacy and their impact on collective entities and society.

In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private. This paper aims to analyze privacy requirements of personal communications over a public medium.

This paper systematically analyzes SNS services as communication models and considers privacy as an attribute of users’ communication. A privacy threat analysis for each communication model is performed, based on misuse scenarios, to elicit privacy requirements per communication type.

This paper identifies all communication attributes and privacy threats and provides a comprehensive list of privacy requirements concerning all stakeholders: platform providers, users and third parties.

Elicitation of privacy requirements focuses on the protection of both the communication’s message and metadata and takes into account the public–private character of the medium (SNS platform). The paper proposes a model of SNS functionality as communication patterns, along with a method to analyze privacy threats. Moreover, a comprehensive set of privacy requirements for SNS designers, third parties and users involved in SNS is identified, including voluntary sharing of personal data, the role of the SNS platforms and the various types of communications instantiating in SNS.

Search engines, the most popular online services, are associated with several concerns. Users are concerned about the unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users’ privacy. The authors call these search engines privacy-preserving search engines (PPSEs). This paper aims to investigate the factors that motivate search engine users to use PPSEs.

This study adopted protection motivation theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. The authors tested the research model using survey data from 830 search engine users worldwide.

The results confirm the interpretive power of PMT in privacy-related decision-making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, the results highlight the importance of subjective norms in predicting and determining PPSE use. Because subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, the authors reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE.

Despite its interesting results, this research also has some limitations. First, because the survey was conducted online, the study environment was less controlled. Participants may have been disrupted or affected, for example, by the presence of others or background noise during the session. Second, some of the survey items could possibly be misinterpreted by the respondents in the study questionnaire, as they did not have access to clarifications that a researcher could possibly provide. Third, another limitation refers to the use of the Amazon Turk tool. According Paolacci and Chandler (2014) in comparison to the US population, the MTurk workers are more educated, younger and less religiously and politically diverse. Fourth, another limitation of this study could be that Actual Use of PPSE is self-reported by the participants. This could cause bias because it is argued that internet users’ statements may be in contrast with their actions in real life or in an experimental scenario (Berendt et al., 2005, Jensen et al., 2005); Moreover, some limitations of this study emerge from the use of PMT as the background theory of the study. PMT identifies the main factors that affect protection motivation, but other environmental and cognitive factors can also have a significant role in determining the way an individual’s attitude is formed. As Rogers (1975) argued, PMT as proposed does not attempt to specify all of the possible factors in a fear appeal that may affect persuasion, but rather a systematic exposition of a limited set of components and cognitive mediational processes that may account for a significant portion of the variance in acceptance by users. In addition, as Tanner et al. (1991) argue, the ‘PMT’s assumption that the subjects have not already developed a coping mechanism is one of its limitations. Finally, another limitation is that the sample does not include users from China, which is the second most populated country. Unfortunately, DuckDuckGo has been blocked in China, so it has not been feasible to include users from China in this study.

The proposed model and, specifically, the subjective norms construct proved to be successful in predicting PPSE use. This study demonstrates the need for PPSE to exhibit and advertise the technology and measures they use to protect users’ privacy. This will contribute to the effort to persuade internet users to use these tools.

This study sought to explore the privacy attitudes of search engine users using PMT and its constructs’ association with subjective norms. It used the PMT to elucidate users’ perceptions that motivate them to privacy adoption behavior, as well as how these perceptions influence the type of search engine they use. This research is a first step toward gaining a better understanding of the processes that drive people’s motivation to, or not to, protect their privacy online by means of using PPSE. At the same time, this study contributes to search engine vendors by revealing that users’ need to be persuaded not only about their policy toward privacy but also by considering and implementing new strategies of diffusion that could enhance the use of the PPSE.

This research is a first step toward gaining a better understanding of the processes that drive people’s motivation to, or not to, protect their privacy online by means of using PPSEs.

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management.

Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders perceptions.

A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have.

The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS).

IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.

This paper aims to contribute to the ongoing discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research.

The paper analyses the privacy implications of particular characteristics of ubiquitous applications and discusses the fundamental principles and information practices used in digital environments for protecting individuals' private data.

A significant trend towards shifting privacy protection responsibility from government to the individuals is identified. Also, specific directions for future research are provided with a focus on interdisciplinary research.

This paper identifies key research issues and provides directions for future research.

This study contributes by identifying major challenges that should be addressed, so that a set of “fair information principles” can be applied in the context of ubiquitous environments. It also discusses the limitations of these principles and provides recommendations for future research.