Handbook of Research on Social and Organizational Liabilities in Information Security

Latest Publications

Total documents: 29 (five years: 0)
H-index: 4 (five years: 0)

Published by IGI Global
ISBN: 9781605661322, 9781605661339

Author(s):  
Tejaswini Herath

It is estimated that over 1 billion people now have access to the Internet. This unprecedented access and use of the Internet by individuals around the world, however, is accompanied by malicious and mischievous activities online. With traditional crimes such as fraud, identity theft, and harassment now being committed with the use of the Internet, and networked home computers being exploited to carry out attacks such as denial of service, spamming, phishing and virus/worm propagation, it has become important to investigate security and privacy issues as they pertain to individual Internet users. To date very little is known about what characteristics of Internet users affect their computing and online behaviors as they relate to security online. While some attention has been paid to understanding the security issues affecting corporations, research investigating security issues as they relate to home users is still in its infancy. Drawing from disciplines such as criminology, sociology, consumer fraud, and information security, this study seeks to find the role of computing skills and computer training, social influence, and gender in a person’s vulnerability to Internet crimes. Our findings are significant and shed light on this important area of Internet crime, contributing to the information security literature.


Author(s):  
James W. Ragucci ◽  
Stefan A. Robila

Fraudulent e-mails, known as phishing attacks, have brought chaos across the digital world, causing billions of dollars of damage. These attacks are known for their ability to exploit the human aspect of a computer system by pretending to originate from a source trusted by the victim. While technological defenses have been set up for protection, people are still succumbing to these attacks at alarming rates. Therefore, educational techniques must be implemented to strengthen the human factor of security. We propose the use of a phishing IQ test that, when used in a classroom setting, can help users build the experience needed to identify phishing e-mail during their daily routine.


Author(s):  
Supriya Singh

Enabling customers to influence the way they are represented in the bank’s databases is one of the major personalization, responsiveness, and privacy issues of banking. In this chapter we draw on the results from a qualitative study of the ways in which Australians think of privacy, security, and money. We find that changes in life stages, residence, and relationships motivate people to share additional personal information with their bank in order to receive personalized services. The chapter proposes ways in which privacy rights management can help customers better represent themselves in a flexible manner, reflecting the changes in their lives.


Author(s):  
Zhixiong Zhang ◽  
Xinwen Zhang ◽  
Ravi Sandhu

This chapter addresses the problem that traditional role-based access control (RBAC) models do not scale up well for modeling security policies spanning multiple organizations. After reviewing recently proposed Role and Organization Based Access Control (ROBAC) models, an administrative ROBAC model called AROBAC07 is presented and formalized in this chapter. Two examples are used to motivate and demonstrate the usefulness of ROBAC. Comparisons between AROBAC07 and other administrative RBAC models are given. We show that ROBAC/AROBAC07 can significantly reduce administration complexity for applications involving a large number of organizational units. Finally, an application compartment-based delegation model is introduced, which provides a method to construct the administrative role hierarchy in AROBAC07. We show that the AROBAC07 model provides convenient ways to decentralize administrative tasks for ROBAC systems and scales up well for role-based systems involving a large number of organizational units.
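The scaling problem the abstract describes is easy to see in code. The following is an added illustration, not the chapter's formalization of ROBAC or AROBAC07: it contrasts plain RBAC, where covering many organizations forces one role per (function, organization) pair, with a minimal ROBAC where a permission is granted to a role once and the organization is supplied at assignment and check time. The job functions, organization names and the user "alice" are constructed for the example; role hierarchy, delegation and the administrative model are deliberately left out.

```python
from collections import defaultdict
from itertools import product

# Illustrative job functions and the permissions each carries (constructed example data).
FUNCTIONS = {
    "auditor": {("read", "ledger")},
    "clerk": {("read", "ledger"), ("write", "ledger")},
    "admin": {("read", "ledger"), ("write", "ledger"), ("manage", "users")},
}


class RBAC:
    """Plain RBAC: permissions hang off roles, users are assigned roles.
    Scoping a function to one organization needs a distinct role per
    (function, organization) pair, so the role set grows with the org count."""

    def __init__(self):
        self.role_perms = defaultdict(set)
        self.user_roles = defaultdict(set)

    def grant(self, role, perm):
        self.role_perms[role].add(perm)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def check(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles[user])

    def role_count(self):
        return len(self.role_perms)


class ROBAC:
    """Role and organization based access control in its simplest form:
    a permission is granted to a role once; a user is assigned a (role, org)
    pair; access to an object owned by org succeeds only through a pair
    whose org matches. Hierarchy and administration are left out."""

    def __init__(self):
        self.role_perms = defaultdict(set)
        self.user_pairs = defaultdict(set)  # user -> {(role, org)}

    def grant(self, role, perm):
        self.role_perms[role].add(perm)

    def assign(self, user, role, org):
        self.user_pairs[user].add((role, org))

    def check(self, user, perm, org):
        return any(perm in self.role_perms[r]
                   for r, o in self.user_pairs[user] if o == org)

    def role_count(self):
        return len(self.role_perms)


def build_rbac(functions, orgs):
    """One role per function per organization, with the org baked into each permission."""
    rbac = RBAC()
    for (fn, perms), org in product(functions.items(), orgs):
        for action, obj in perms:
            rbac.grant(f"{fn}@{org}", (action, obj, org))
    return rbac


def build_robac(functions):
    """One role per function; the organization is supplied at assignment/check time."""
    robac = ROBAC()
    for fn, perms in functions.items():
        for perm in perms:
            robac.grant(fn, perm)
    return robac


def demo(n_orgs=100):
    orgs = [f"org{i}" for i in range(n_orgs)]
    rbac, robac = build_rbac(FUNCTIONS, orgs), build_robac(FUNCTIONS)
    # alice audits org7 only; the same intent expressed in both models
    rbac.assign("alice", "auditor@org7")
    robac.assign("alice", "auditor", "org7")
    return {
        "rbac_roles": rbac.role_count(),        # 3 functions x n_orgs organizations
        "robac_roles": robac.role_count(),      # 3 functions, whatever n_orgs is
        "rbac_allow": rbac.check("alice", ("read", "ledger", "org7")),
        "rbac_deny": rbac.check("alice", ("read", "ledger", "org8")),
        "robac_allow": robac.check("alice", ("read", "ledger"), "org7"),
        "robac_deny_org": robac.check("alice", ("read", "ledger"), "org8"),
        "robac_deny_perm": robac.check("alice", ("write", "ledger"), "org7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 100 organizations the RBAC side needs 300 roles to express three job functions, and every new organization requires an administrator to create three more; the ROBAC side keeps three roles and only adds (role, org) assignments. That reduction in administrative objects is the complexity saving the abstract refers to.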


Author(s):  
Arunabha Mukhopadhyay ◽  
Samir Chatterjee ◽  
Debashis Saha ◽  
Ambuj Mahanti ◽  
Samir K. Sadhukhan

An online business organization spends millions of dollars on firewalls, anti-virus, intrusion detection systems, digital signatures, and encryption to ensure minimal security breaches. Nonetheless, a new virus or a clever hacker can easily compromise these deterrents, resulting in losses to the tune of millions of dollars annually. To minimize the financial loss, we propose that online businesses should invest in e-risk insurance products as a complementary alternative, above the network security appliances. In this work, we develop a Copula aided Bayesian Belief Network (CBBN) model to assist insurance companies in designing e-insurance products. The CBBN model does an e-vulnerability assessment (e-VA) and e-risk quantification (e-RQ). We first draw a causal diagram (BBN) stating the probable reasons for security failure in an organization. We assume the marginal distributions for each of the nodes of the diagram. Using the CBBN model we compute the joint probability of the constituent nodes of the BBN. Next, the conditional probability of each of the occurrences of the malicious event is arrived at. We then assume a loss distribution, and using the principles of collective risk modeling, we arrive at the expected severity of the attack. The e-risk insurance companies compute the premium by charging an extra (i.e., overloading and contingency loading) over the expected severity of attack.
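The pipeline in the abstract (causal diagram, marginals, joint, conditional probability of failure, loss distribution, collective risk model, premium with loadings) can be followed end to end on a toy network. The code below is an added example, not the chapter's CBBN model: where the chapter uses a copula to build the joint from the assumed marginals, this example states a conditional probability table directly, which is the one substitution to keep in mind. The two root causes, their priors, the table, the lognormal loss parameters and the loading percentages are all constructed for illustration.

```python
import math
from itertools import product

# Constructed marginal (prior) probabilities for two root causes in a tiny causal diagram.
PRIORS = {"unpatched_server": 0.30, "phish_click": 0.20}

# Constructed conditional probability table for P(security failure | causes).
# The chapter derives the joint from marginals with a copula; here it is stated directly.
CPT_FAILURE = {
    (True, True): 0.60,
    (True, False): 0.25,
    (False, True): 0.15,
    (False, False): 0.02,
}
NODES = ("unpatched_server", "phish_click")


def _prior_of_state(state, priors):
    """Joint probability of one root-cause assignment, roots assumed independent a priori."""
    p = 1.0
    for node, value in zip(NODES, state):
        p *= priors[node] if value else 1 - priors[node]
    return p


def p_failure(priors=PRIORS, cpt=CPT_FAILURE):
    """Marginal P(failure) by summing the joint over all root-cause states."""
    return sum(_prior_of_state(s, priors) * cpt[s]
               for s in product((True, False), repeat=len(NODES)))


def p_cause_given_failure(cause, priors=PRIORS, cpt=CPT_FAILURE):
    """P(cause = True | failure): Bayes' rule over the same table (the e-VA view)."""
    idx = NODES.index(cause)
    joint = sum(_prior_of_state(s, priors) * cpt[s]
                for s in product((True, False), repeat=len(NODES)) if s[idx])
    return joint / p_failure(priors, cpt)


def expected_aggregate_loss(attempts_per_year, p_fail, mu, sigma):
    """Collective risk model: S = X_1 + ... + X_N with N ~ Binomial(attempts, p_fail)
    and X ~ LogNormal(mu, sigma) independent of N, so E[S] = E[N] * E[X]."""
    e_n = attempts_per_year * p_fail
    e_x = math.exp(mu + sigma ** 2 / 2)   # mean of a lognormal variable
    return e_n * e_x


def premium(expected_loss, overloading=0.25, contingency=0.10):
    """Pure premium plus overloading and contingency loading, as fractions of E[S]."""
    return expected_loss * (1 + overloading + contingency)


def demo():
    pf = p_failure()
    e_s = expected_aggregate_loss(attempts_per_year=50, p_fail=pf, mu=11.0, sigma=1.0)
    return {
        "p_failure": pf,
        "p_unpatched_given_failure": p_cause_given_failure("unpatched_server"),
        "p_phish_given_failure": p_cause_given_failure("phish_click"),
        "expected_annual_loss": e_s,
        "premium": premium(e_s),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:,.4f}")
```

Two things the numbers make concrete: the posterior P(cause | failure) is what an assessor would use to rank which control to fund first, and the premium is linear in the expected aggregate loss, so an error in the assumed loss distribution propagates straight into the price. Using the lognormal mean exp(mu + sigma^2/2) rather than exp(mu) matters; the median understates a heavy-tailed loss.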


Author(s):  
Ahmed Awad E. Ahmed

In recent years, many studies have highlighted the unprecedented growth in security threats from multiple and varied sources faced by corporate as well as governmental organizations. People inside the organization with ready access to confidential or proprietary data can easily violate the organization’s security policy, maliciously or inadvertently, without being caught. In order to protect their reputation and valuable assets, many organizations take the dramatic but necessary step of deploying and operating employee surveillance and monitoring tools within their network perimeters. In this chapter, we discuss employee surveillance schemes from both technological and legal perspectives. We argue that keystroke dynamics could be used to fight effectively against the insider threat, and as such it could play an important role in employee surveillance. We present a keystroke recognition scheme based on free text detection that goes beyond the traditional approach of using keystroke dynamics for authentication or employee performance evaluation, and consider using such information for dynamic user profiling. The generated profiles can be used to reliably identify perpetrators in the event of a security breach. Such a form of user profiling provides a very effective way of combating the insider threat that is less intrusive to individual privacy.


Author(s):  
Sérgio Tenreiro de Magalhães ◽  
Kenneth Revett ◽  
Henrique M.D. Santos ◽  
Leonel Duarte dos Santos ◽  
André Oliveira ◽  
...  

The traditional approach to security has been the use of passwords. They provide the system with a barrier to access that was quite safe in the analog world. The digital era provided the means to easily try thousands of passwords in a short period of time, and now the password schema is no longer safe. Now it suffers from the password’s contradiction: the fact that it requires both simplicity and complexity to be usable and safe. This being so, new technologies are required that can preserve the ease of use but can provide stronger authentication processes. This chapter presents the latest advances in three technologies that can be used, unaided or together, to improve the safety of user/password schemas without significant changes in the protected information system architecture, despite the human factors that traditionally reduce the security of those systems. The presented technologies are Keystroke Dynamics, Graphical Authentication and Pointer Dynamics.
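Both the free-text profiling chapter above (Ahmed) and the Keystroke Dynamics technology named in this abstract rest on the same mechanism: a typist's timing between successive keys is stable enough to act as a behavioural fingerprint. The example below is added here and belongs to neither chapter. It learns a per-digraph (mean, standard deviation) latency profile from a user's earlier free-text sessions, scores a new session by its mean absolute z-score against each enrolled profile, and attributes the session to the closest typist or to nobody if none is within a threshold. The typing data is simulated: the text, the two typists "alice" and "bob", their base speeds, the jitter and the threshold are all constructed assumptions, not measurements.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev

# Constructed free-text sample; every adjacent key pair in it is a digraph we can profile.
TEXT = "the quick brown fox jumps over the lazy dog "
DIGRAPHS = sorted({a + b for a, b in zip(TEXT * 2, (TEXT * 2)[1:])})


def digraph_latencies(events):
    """events: [(key, press_time_ms), ...] in typing order -> {digraph: [latency_ms, ...]}."""
    lat = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        lat[k1 + k2].append(t2 - t1)
    return lat


def build_profile(sessions, min_samples=3, sd_floor=5.0):
    """Per-digraph (mean, std) latency learned from a user's earlier free-text sessions."""
    pooled = defaultdict(list)
    for session in sessions:
        for dg, vals in digraph_latencies(session).items():
            pooled[dg].extend(vals)
    return {dg: (mean(v), max(pstdev(v), sd_floor))
            for dg, v in pooled.items() if len(v) >= min_samples}


def distance(profile, session, min_shared=10):
    """Mean |z-score| of the session's latencies against the profile; None if too little overlap."""
    zs = []
    for dg, vals in digraph_latencies(session).items():
        if dg in profile:
            m, sd = profile[dg]
            zs.extend(abs(v - m) / sd for v in vals)
    return None if len(zs) < min_shared else sum(zs) / len(zs)


def identify(profiles, session, threshold=2.0):
    """Attribute a session to the closest enrolled typist, or None if nobody is close enough."""
    scored = []
    for user, prof in profiles.items():
        d = distance(prof, session)
        if d is not None:
            scored.append((d, user))
    if not scored:
        return None
    d, user = min(scored)
    return user if d <= threshold else None


# --- constructed typists: a fixed per-digraph rhythm plus per-keystroke jitter ---
def make_typist(seed, base_ms):
    rng = random.Random(seed)
    return {dg: base_ms + rng.uniform(-60, 60) for dg in DIGRAPHS}


def simulate_session(typist, rng, repeats=3, jitter_ms=15.0):
    events, t, prev = [], 0.0, None
    for ch in TEXT * repeats:
        if prev is not None:
            t += max(30.0, rng.gauss(typist[prev + ch], jitter_ms))
        events.append((ch, t))
        prev = ch
    return events


def enroll(seed=42):
    """Enrol two typists from five sessions each; returns (profiles, typists, rng)."""
    rng = random.Random(seed)
    typists = {"alice": make_typist(1, 140.0), "bob": make_typist(2, 200.0)}
    profiles = {name: build_profile([simulate_session(tp, rng) for _ in range(5)])
                for name, tp in typists.items()}
    return profiles, typists, rng


if __name__ == "__main__":
    profiles, typists, rng = enroll()
    for name, tp in typists.items():
        session = simulate_session(tp, rng)
        print(name, "->", identify(profiles, session),
              {u: round(distance(p, session), 2) for u, p in profiles.items()})
```

The `min_shared` guard is the practical caveat: free-text profiling only works once a session contains enough digraphs that the profile has seen, so short or unusual input yields no decision rather than a wrong one. A deployment would also have to decide how much keystroke timing to retain, which is exactly the privacy trade-off the surveillance chapter raises.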


Author(s):  
Jarrod Trevathan

Shill bidding is where spurious bids are introduced into an auction to drive up the final price for the seller, thereby defrauding legitimate bidders. While shilling is recognized as a problem, presently there is little or no established means of defense against shills. This chapter presents an algorithm to detect the presence of shill bidding in online auctions. It observes bidding patterns over a series of auctions, providing each bidder a score indicating the likelihood of his/her potential involvement in shill behavior. The algorithm has been tested on data obtained from a series of realistic simulated auctions, and commercial online auctions. The algorithm is able to prune the search space required to detect which bidders are likely to be shills. This has significant practical and legal implications for commercial online auctions where shilling is considered a major threat. This chapter presents a framework for a feasible solution, which acts as a detection mechanism and a deterrent.
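The abstract describes scoring each bidder over a series of a seller's auctions. The block below is an added example of that idea, written here and not taken from the chapter; the chapter's own ratings, weights and pruning are not reproduced. It uses four simplified indicators: how many of the seller's auctions a bidder joins, what share of the bids in those auctions are theirs, how early they bid, and how rarely they win. The auction histories, bidder names and the 0..10 scale are constructed for illustration.

```python
# Constructed bid histories: (auction_id, seller, bids=[(bidder, time_fraction, amount)], winner).
# time_fraction is how far into the auction the bid was placed (0 = open, 1 = close).
AUCTIONS = [
    ("a1", "seller1", [("shill", 0.10, 10), ("honest1", 0.50, 12), ("shill", 0.60, 14),
                       ("honest1", 0.95, 16)], "honest1"),
    ("a2", "seller1", [("shill", 0.05, 20), ("honest2", 0.40, 22), ("shill", 0.45, 25),
                       ("shill", 0.55, 27), ("honest2", 0.98, 30)], "honest2"),
    ("a3", "seller1", [("shill", 0.15, 5), ("honest1", 0.70, 7), ("shill", 0.75, 9),
                       ("honest1", 0.99, 11)], "honest1"),
    ("a4", "seller1", [("shill", 0.20, 40), ("honest3", 0.90, 45)], "honest3"),
    ("b1", "seller2", [("honest1", 0.30, 15), ("honest2", 0.92, 18)], "honest2"),
]


def bidder_ratings(auctions, seller, bidder, early_cutoff=0.5):
    """Four ratings in [0, 1], each higher when behaviour looks more like shilling:
    alpha: share of the seller's auctions the bidder took part in
    beta:  share of all bids, in those auctions, that the bidder placed
    gamma: share of the bidder's bids placed early, before early_cutoff
    delta: share of participated auctions the bidder did NOT win
    Returns None if the bidder never bid in this seller's auctions."""
    sellers_auctions = [a for a in auctions if a[1] == seller]
    took_part = [a for a in sellers_auctions if any(b[0] == bidder for b in a[2])]
    if not took_part:
        return None
    own_bids = [b for a in took_part for b in a[2] if b[0] == bidder]
    all_bids = [b for a in took_part for b in a[2]]
    return {
        "alpha": len(took_part) / len(sellers_auctions),
        "beta": len(own_bids) / len(all_bids),
        "gamma": sum(1 for b in own_bids if b[1] < early_cutoff) / len(own_bids),
        "delta": 1 - sum(1 for a in took_part if a[3] == bidder) / len(took_part),
    }


def shill_score(ratings, weights=None):
    """Weighted mean of the ratings, scaled to 0..10 (equal weights by default)."""
    weights = weights or {k: 1.0 for k in ratings}
    return 10 * sum(ratings[k] * weights[k] for k in ratings) / sum(weights.values())


def rank_bidders(auctions, seller):
    """Score every bidder seen in the seller's auctions; most suspicious first."""
    bidders = {b[0] for a in auctions if a[1] == seller for b in a[2]}
    scored = [(round(shill_score(bidder_ratings(auctions, seller, bidder)), 2), bidder)
              for bidder in sorted(bidders)]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, bidder in rank_bidders(AUCTIONS, "seller1"):
        print(f"{bidder:8s} {score:5.2f}")
```

The score is a triage signal, not proof: a keen but unlucky bidder also joins many auctions and loses them, so the output is a shortlist to investigate, which is the pruning of the search space the abstract describes. The ratings are computed per seller, since a shill is only meaningful in relation to the seller it benefits.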


Author(s):  
Gary Hinson

This chapter highlights the broad range of factors that are relevant to the design of information security awareness programs, primarily by reference to the literature. It emphasizes the need to supplement technical information security controls with security awareness, training and educational activities to address human vulnerabilities. It outlines requirements noted in standards, laws and regulations, and explains the value of motivational employee communications techniques in creating a security culture.


Author(s):  
Guoling Lao

E-commerce mode aggravates information asymmetry, so that honesty-credit problems become more serious. This chapter discusses the honesty-credit issue and honesty-credit system construction in e-commerce. It argues that the honesty-credit issue belongs to e-commerce security problems to some extent, since it also destroys information integrity, confidentiality, and availability. The study of the honesty-credit issue in e-commerce will help to promote social culture development as well as improve e-commerce security. Based on an analysis of three game models, the article suggests that the construction of a social honesty-credit system should mainly include four aspects: cultivate citizens’ sense of honesty-credit, strengthen legislation, build a mechanism of third-party authentication and regulate the third-party service industry. At the end of the chapter, the case of Shanghai’s honesty-credit system construction is introduced to describe China’s honesty-credit status.

