Cybersecurity is more than just taking technical measures. And although users are often wrongly labelled as nothing more than ‘the weakest link’ in cybersecurity, some of the measures really do have to be aimed at this group. After all, users sometimes behave unsafely, consciously or unconsciously:
- they click on hyperlinks when they should not;
- respond to a phishing email;
- use weak passwords;
- reuse passwords;
- do not report incidents;
- reveal (too) much information about themselves on social media;
- do not consistently make back-ups of their data.
For years, organisations have seemed to regard ‘awareness’ as the key to making users somewhat less of a weak link. The idea behind it, in short, is that users will behave ‘better’ if we feed them information about threats, right and wrong behaviour, and the cybersecurity policy. By now, however, it is clear that a policy aimed only at ‘awareness’ will not produce the desired effect. Research shows, for example, that anti-phishing campaigns in which fake phishing emails are sent do not stick for very long. Cybersecurity companies therefore increasingly indicate that it is not only about increasing knowledge and awareness, but also about other aspects that appear to influence behaviour. Recent experimental scientific research even shows that having more knowledge can lead to less safe behaviour: users who know (a little) more behave even less safely. This may be because that group overestimates itself and therefore wrongly dares to take greater risks. So we need to get beyond awareness alone. The lab observes that two major questions are at play.
1. What else should we do, then? It is clear that there is no simple solution for promoting safe cyber behaviour. Nevertheless, it is worthwhile to investigate new avenues that give direction to improving cyber-safe behaviour.
2. How do we ensure that organisations actually go beyond merely creating more awareness? Individual organisations by no means always have the knowledge and skills to do this themselves. Should the government stimulate this? If so, how? Can it be left to the market itself (read: cybersecurity companies)? What can we learn about stimulating effective behavioural interventions within other fields?
https://nl.linkedin.com/in/rutgerleukfeldt
In this paper we research the following question: What motivational factors relate, to what degree, to intentions on compliance to ISP and how could these insights be utilized to promote end-users' compliance within a given organization? The goal of this research is to provide more insight in the motivational factors applicable to ISP and their influence on end-user behavior, thereby broadening knowledge regarding information systems security behaviors in organizations from the viewpoint of non-malicious abuse and offer a theoretical explanation and empirical support. The outcomes are also useful for practitioners to complement their security training and awareness programs, in the end helping enterprises better effectuate their information security policies. In this study an instrument is developed that can be used in practice to measure an organizational context on the effects of six motivational factors recognized. These applicable motivational factors are determined from literature and subsequently evaluated and refined by subject matter experts. A survey is developed, tested in a pilot, refined and conducted within four organizations. From the statistical analysis, findings are reported and conclusions on the hypothesis are drawn.
Recommended Citation: Straver, Peter and Ravesteyn, Pascal (2018) "End-users Compliance to the Information Security Policy: A Comparison of Motivational Factors," Communications of the IIMA: Vol. 16: Iss. 4, Article 1. Available at: https://scholarworks.lib.csusb.edu/ciima/vol16/iss4/1
From the article: This paper describes the external IT security analysis of an international corporate organization, containing a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned for applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test the physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network and have the possibility to disable or hamper crucial processes. Social engineering experiments can play an important role in conducting security analyses, by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments to be used in security analyses and further development of the approach itself. This paper provides a detailed description of the used methods and the reasoning behind them as a stepping stone for future research on this subject.
van Liempd, D., Sjouw, A., Smakman, M., & Smit, K. (2019). Social Engineering As An Approach For Probing Organizations To Improve It Security: A Case Study At A Large International Firm In The Transport Industry. 119-126. https://doi.org/10.33965/es2019_201904l015
The project aims to improve palliative care in China through the competence development of Chinese teachers, professionals, and students focusing on the horizontal priority of digital transformation.
Palliative care (PC) has been recognised as a public health priority, and during recent years, has seen advances in several aspects. However, severe inequities in the access and availability of PC worldwide remain. Annually, approximately 56.8 million people need palliative care, where 25.7% of the care focuses on the last year of person’s life (Connor, 2020).
China has set aims for reaching the health care standards of the developed countries by 2030 through the Healthy China Strategy 2030, where one of the improvement areas in health care includes palliative care, thus continuing the previous efforts.
The project provides a constructive, holistic, and innovative set of actions aimed at resulting in lasting outcomes and continued development of palliative care education and services. Raising the awareness of all stakeholders on palliative care, including the public, is highly relevant and needed. Evidence based practice guidelines and education are urgently required for both general and specialised palliative care levels, to increase the competencies for health educators, professionals, and students. This is to improve the availability and quality of person-centered palliative care in China. Considering the aging population, increase in various chronic illnesses, the challenging care environment, and the moderate health care resources, competence development and the utilisation of digitalisation in palliative care are paramount in supporting the transition of experts into the palliative care practice environment.
General objective of the project is to enhance the competences in palliative care in China through education and training to improve the quality of life for citizens.
Project develops the competences of current and future health care professionals in China to transform the palliative care theory and practice to impact the target groups and the society in the long-term. As recognised by the European Association for Palliative Care (EAPC), palliative care competences need to be developed in collaboration. This includes shared willingness to learn from each other to improve the sought outcomes in palliative care (EAPC 2019). Since all individuals have a right to health care, project develops person-centered and culturally sensitive practices taking into consideration ethics and social norms. As concepts around palliative care can focus on physical, psychological, social, or spiritual related illnesses (WHO 2020), project develops innovative pedagogy focusing on evidence-based practice, communication, and competence development utilising digital methods and tools. Concepts of reflection, values and views are in the forefront to improve palliative care for the future. Important aspects in project development include health promotion, digital competences and digital health literacy skills of professionals, patients, and their caregivers. Project objective is tied to the principles of the European Commission’s (EU) Digital Decade that stresses the importance of placing people and their rights in the forefront of the digital transformation, while enhancing solidarity, inclusion, freedom of choice and participation. In addition, concepts of safety, security, empowerment, and the promotion of sustainable actions are valued. 
(European Commission: Digital targets for 2030).
Through the existing collaboration, strategic focus areas of the partners, and the principles of the call, the PalcNet project consortium was formed by the following partners: JAMK University of Applied Sciences (JAMK), Ramon Llull University (URL), Hanze University of Applied Sciences (HUAS), Beijing Union Medical College Hospital (PUMCH), Guangzhou Health Science College (GHSC), Beihua University (BHU), and Harbin Medical University (HMU). As project develops new knowledge, innovations and practice through capacity building, finalisation of the consortium considered partners development strategy regarding health care, (especially palliative care), ability to create long-term impact, including the focus on enhancing higher education according to the horizontal priority. In addition, partners’ expertise and geographical location was also considered important to facilitate long-term impact of the results.
Primary target groups of the project include partner country’s (China) staff members, teachers, researchers, health care professionals and bachelor level students engaging in project implementation. Secondary target groups include those groups who will use the outputs and results and continue in further development in palliative care upon the lifetime of the project.
The goal of UPIN is to develop and evaluate a scalable distributed system that enables users to cryptographically verify and easily control the paths through which their data travels through an inter-domain network like the Internet, both in terms of router-to-router hops as well as in terms of router attributes (e.g., their location, operator, security level, and manufacturer). UPIN will thus provide the solution to a very relevant and current problem, namely that it is becoming increasingly opaque for users on the Internet who processes their data (e.g., in terms of service providers their data passes through as well as what jurisdictions apply) and that they have no control over how it is being routed. This is a risk for people’s privacy (e.g., a malicious network compromising a user’s data) as well as for their safety (e.g., an untrusted network disrupting a remote surgery).
Motivating examples in which (sensitive) user data typically travels across the Internet without user awareness or control are:
- Internet of Things for consumers: sensors such as sleep trackers and light switches that collect information about a user’s physical environment and send it across the Internet to remote services for analysis.
- Medical records: health care providers requiring medical information (e.g., health records of patients or remote surgery telemetry) to travel between medical institutions according to specified agreements.
- Intelligent transport systems: communication plays a crucial role in future autonomous transportation systems, for instance to avoid freight drones colliding or to ensure smooth passing of trucks through busy urban areas.
The UPIN project is novel in three ways:
1. UPIN gives users the ability to control and verify the path that their data takes through the network all the way to the destination endpoint, both in terms of hops and attributes of routers traversed. UPIN accomplishes this by adding and improving remote attestation techniques for on-path routers to existing path verification mechanisms, and by adopting and further developing in-packet path selection directives for control.
2. We develop and simulate data and control plane protocols and router extensions to include the UPIN system in inter-domain networking systems such as IP (e.g., using BGP and segment routing) and emerging systems such as SCION and RINA.
3. We evaluate the scalability and performance of the UPIN system using a multi-site testbed of open programmable P4 routers, which is necessary because UPIN requires novel packet processing functions in the data plane. We validate the system using the earlier motivating examples as use cases.
The impact we target is:
- Increased trust from users (individuals and organizations) in network services because they are able to verify how their data travels through the network to the destination endpoint and because the UPIN APIs enable novel applications that use these network functions.
- More empowered users because they are able to control how their data travels through inter-domain networks, which increases self-determination, both at the level of individual users as well as at the societal level.