References of "Lenzini, Gabriele 50002200"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailSecurity analysis of socio-technical physical systems
Lenzini, Gabriele UL; Mauw, Sjouke UL; Ouchani, Samir UL

in Computers electrical engineering (2015)

Recent initiatives that evaluate the security of physical systems with objects as assets and people as agents – here called socio-technical physical systems – have limitations: their agent behavior is too ... [more ▼]

Recent initiatives that evaluate the security of physical systems with objects as assets and people as agents – here called socio-technical physical systems – have limitations: their agent behavior is too simple, they just estimate feasibility and not the likelihood of attacks, or they do estimate likelihood but on explicitly provided attacks only. We propose a model that can detect and quantify attacks. It has a rich set of agent actions with associated probability and cost. We also propose a threat model, an intruder that can misbehave and that competes with honest agents. The intruder’s actions have an associated cost and are constrained to be realistic. We map our model to a probabilistic symbolic model checker and we express templates of security properties in the Probabilistic Computation Tree Logic, thus supporting automatic analysis of security properties. A use case shows the effectiveness of our approach. [less ▲]

Detailed reference viewed: 227 (16 UL)
Full Text
Peer Reviewed
See detailService security and privacy as a socio-technical problem
Bella, Giampaolo; Curzon, Paul; Lenzini, Gabriele UL

in JOURNAL OF COMPUTER SECURITY (2015), 23(5), 563-585

The security and privacy of the data that users transmit, more or less deliberately, to modern services is an open problem. It is not solely limited to the actual Internet traversal, a sub-problem vastly ... [more ▼]

The security and privacy of the data that users transmit, more or less deliberately, to modern services is an open problem. It is not solely limited to the actual Internet traversal, a sub-problem vastly tackled by consolidated research in security protocol design and analysis. By contrast, it entails much broader dimensions pertaining to how users approach technology and understand the risks for the data they enter. For example, users may express cautious or distracted personas depending on the service and the point in time; further, pre-established paths of practice may lead them to neglect the intrusive privacy policy offered by a service, or the outdated protections adopted by another. The approach that sees the service security and privacy problem as a socio-technical one needs consolidation. With this motivation, the article makes a threefold contribution. It reviews the existing literature on service security and privacy, especially from the socio-technical standpoint. Further, it outlines a general research methodology aimed at layering the problem appropriately, at suggesting how to position existing findings, and ultimately at indicating where a transdisciplinary task force may fit in. The article concludes with the description of the three challenge domains of services whose security and privacy we deem open socio-technical problems, not only due to their inherent facets but also to their huge number of users. [less ▲]

Detailed reference viewed: 181 (6 UL)
Full Text
Peer Reviewed
See detailMaybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Beneson, Zinaida; Lenzini, Gabriele UL; Oliveira, Daniela et al

in Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security (2015)

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience ... [more ▼]

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience literature shows that there are upper bounds on the human capacity for executing cognitive tasks and for information processing. We argue that the usable security discipline should scientifically understand human capacities for security tasks, i.e., what we can realistically expect from people. We propose a framework for evaluation of human capacities in security that assigns socio-technical systems to complexity classes according to their security and usability. The upper bound of human capacity is considered the point at which people start experiencing cognitive strain while performing a task, because cognitive strain demonstrably leads to errors in the task execution. The ultimate goal of the work we initiate in this paper is to provide designers of security mechanisms or policies with the ability to say:“This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond people’s capacity. [less ▲]

Detailed reference viewed: 107 (1 UL)
Full Text
Peer Reviewed
See detailGenerating attacks in SysML activity diagrams by detecting attack surfaces
Ouchani, Samir UL; Lenzini, Gabriele UL

in Journal of Ambient Intelligence and Humanized Computing (2015), 6(3), 361-373

In the development process of a secure system is essential to detect as early as possible the system’s vulnerable points, the so called attack surfaces, and to estimate how feasible it would be that known ... [more ▼]

In the development process of a secure system is essential to detect as early as possible the system’s vulnerable points, the so called attack surfaces, and to estimate how feasible it would be that known attacks breach through them. Even if attack surfaces can be sometimes detected automatically, mapping them against known attacks still is a step apart. Systems and attacks are not usually modelled in compatible formalisms. We develop a practical framework that automates the whole process. We formalize a system as SysML activity diagrams and in the same formalism we model libraries of patterns taken from standard catalogues of social engineering and technical attacks. An algorithm that we define, navigates the system’s diagrams in search for its attack surfaces; then it evaluates the possibility and the probability that the detected weak points host attacks among those in the modelled library. We prove the correctness and the completeness of our approach and we show how it works on a use case scenario. It represents a very common situation in the domain of communication and data security for corporations. [less ▲]

Detailed reference viewed: 166 (5 UL)
Full Text
Peer Reviewed
See detailMaybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security
Benenson, Zinaida; Lenzini, Gabriele UL; Oliveira, Daniela et al

in Proc. of the New Security Paradigm Workshop (2015)

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience ... [more ▼]

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience literature shows that there are upper bounds on the human capacity for executing cognitive tasks and for information processing. We argue that the usable security discipline should scientifically understand human capacities for security tasks, i.e., what we can realistically expect from people. We propose a framework for evaluation of human capacities in security that assigns socio-technical systems to complexity classes according to their security and usability. The upper bound of human capacity is considered the point at which people start experiencing cognitive strain while performing a task, because cognitive strain demonstrably leads to errors in the task execution. The ultimate goal of the work we initiate in this paper is to provide designers of security mechanisms or policies with the ability to say:“This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond people’s capacity". [less ▲]

Detailed reference viewed: 154 (12 UL)
Full Text
Peer Reviewed
See detailPrinciples of Persuasion in Social Engineering and Their Use in Phishing
Ferreira, Ana UL; Lenzini, Gabriele UL; Conventry, Lynne

in T. Tryfonas, I. Askoxylakis (Ed.) Human Aspects of Information Security, Privacy, and Trust Third International Conference, HAS 2015 (2015)

Research on marketing and deception has identified principles of persuasion that in influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different ... [more ▼]

Research on marketing and deception has identified principles of persuasion that in influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al. principles of scams. It is unclear whether these relate but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with principles we propose, can be applied more consistently and more comprehensively than the original taxonomies. [less ▲]

Detailed reference viewed: 389 (14 UL)
Full Text
Peer Reviewed
See detailAn Analysis of Social Engineering Principles in Effective Phishing
Ferreira, Ana; Lenzini, Gabriele UL

in Proc. of the 5th International Workshop on Socio-Technical Security and Trust (2015)

Detailed reference viewed: 277 (9 UL)
Full Text
Peer Reviewed
See detailDo graphical cues effectively inform users? A socio-technical security study in accessing wifi networks.
Ferreira, Ana UL; Huynen, Jean-Louis UL; Koenig, Vincent UL et al

in Lecture Notes in Computer Science (2015), 9190

We study whether the padlock and the signal strength bars, two visual cues shown in network managers, convey their intended messages. Since users often choose insecure networks when they should not ... [more ▼]

We study whether the padlock and the signal strength bars, two visual cues shown in network managers, convey their intended messages. Since users often choose insecure networks when they should not, finding the answer is not obvious; in our study we clarify whether the problem lies in uninformative and ambiguous cues or in the user who, despite understanding the cues, chooses otherwise. This paper describes experiments and comments the results that bring evidence to our study. [less ▲]

Detailed reference viewed: 284 (93 UL)
Full Text
Peer Reviewed
See detailIn Cyber-Space No One Can Hear You S·CREAM, A Root Cause Analysis for Socio-Technical Security
Ferreira, Ana UL; Huynen, Jean-Louis UL; Koenig, Vincent UL et al

in Foresti, Sara (Ed.) Security and Trust Management (2015)

Inspired by the root cause analysis techniques that in the field of safety research and practice help investigators understand the reasons of an incident, this paper investigates the use of root cause ... [more ▼]

Inspired by the root cause analysis techniques that in the field of safety research and practice help investigators understand the reasons of an incident, this paper investigates the use of root cause analysis in security. We aim at providing a systematic method for the security analyst to identify the socio-technical attack modes that can potentially endanger a system’s security. [less ▲]

Detailed reference viewed: 212 (14 UL)
Full Text
Peer Reviewed
See detailCan Transparency Enhancing Tools support patient's accessing Electronic Health Records?
Lenzini, Gabriele UL; Ferreira, Ana UL

in Advances in Intelligent Systems and Computing (2015)

Patients that access their health records take more care of their health and, when in therapy, commit more seriously to improve their condition. This leads to a more effective and more efficient ... [more ▼]

Patients that access their health records take more care of their health and, when in therapy, commit more seriously to improve their condition. This leads to a more effective and more efficient healthcare management, and is also in agreement with European directives on data protection. However, accessing medical data can be risky. Security should be assured and it should be evident to the patients, who has access to what data and any violation to patient's privacy requirements should be reported. We call this property transparency. Precisely this work looks into the Transparency Enhancing Tools that have been proposed to increase people's awareness about security and privacy on the Internet, and discusses to which extent these tools can empower transparency in healthcare. [less ▲]

Detailed reference viewed: 204 (10 UL)
Full Text
Peer Reviewed
See detail4.2 Social Dynamics Metrics-Working Group Report
Benenson, Zinaida; Bleikertz, Sören; Foley, Simon N. et al

in Socio-Technical Security Metrics (2015)

Individuals continually interact with security mechanisms when performing tasks in everyday life. These tasks may serve personal goals or work goals, be individual or shared. These interactions can be ... [more ▼]

Individuals continually interact with security mechanisms when performing tasks in everyday life. These tasks may serve personal goals or work goals, be individual or shared. These interactions can be influenced by peers and superiors in the respective environments (workplace, home, public spaces), by personality traits of the users, as well as by contextual constraints such as available time, cognitive resources, and perceived available effort. All these influencing factors, we believe, should be considered in the design, implementation and maintenance of good socio-technical security mechanisms. Therefore, we need to observe reliable socio-technical data, and then transform them into meaningful and helpful metrics for user interactions and influencing factors. More precisely, there are three main questions that the group discussed: 1. What data do we need to observe and what of this data we actually can observe and measure? 2. How can we observe and measure? 3. What can we do with the results of the observations? [less ▲]

Detailed reference viewed: 93 (3 UL)
Full Text
Peer Reviewed
See detailA Framework for Analyzing Verifiability in Traditional and Electronic Exams.
Dreier, Jannik; Giustolisi, Rosario UL; Kassem, Ali et al

in Information Security Practice and Experience 11th International Conference, ISPEC 2015, Beijing, China, May 5-8, 2015 (2015)

Detailed reference viewed: 156 (2 UL)
Full Text
Peer Reviewed
See detailA Secure Exam Protocol Without Trusted Parties
Bella, Giampaolo; Giustolisi, Rosario UL; Lenzini, Gabriele UL et al

in ICT Systems Security and Privacy Protection. 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015 (2015)

Detailed reference viewed: 328 (14 UL)
Full Text
Peer Reviewed
See detailEnvisioning secure and usable access control for patients
Ferreira, Ana UL; Lenzini, Gabriele UL; Santos-Pereira, Cátia et al

in IEEE 3rd International Conference on Serious Games and Applications in Healthcare (2014, May)

It has been observed in pilot tests that patients who are able to access their Electronic Health Records (EHR), become more responsible and involved in the maintenance of their health. Patients accessing ... [more ▼]

It has been observed in pilot tests that patients who are able to access their Electronic Health Records (EHR), become more responsible and involved in the maintenance of their health. Patients accessing their EHR can commit more faithfully to therapies, thus increasing their treatments’ success rate. However, despite technologically feasible and legally possible, there is no validated or standardized toolset available yet, for patients to review and manage their EHR. Many privacy, security and usability issues must be solved first before this practice can be made mainstream. This paper proposes and discusses the design of an access control visual application that addresses most of these issues, and offers patients a secure, controlled and easy access to their EHR. [less ▲]

Detailed reference viewed: 221 (35 UL)
Full Text
Peer Reviewed
See detailSocio-technical Security Analysis of Wireless Hotspots
Ferreira, Ana UL; Huynen, Jean-Louis UL; Koenig, Vincent UL et al

in Lecture Notes in Computer Science (2014)

We present a socio-technical analysis of security of Hotspot and Hotspot 2.0. The analysis focuses is user-centric, and aim at understanding which user action can compromise security in presence of a ... [more ▼]

We present a socio-technical analysis of security of Hotspot and Hotspot 2.0. The analysis focuses is user-centric, and aim at understanding which user action can compromise security in presence of a attacker. We identify research questions about possible factors that may affect user’s security decisions, and propose experiments to answer them. [less ▲]

Detailed reference viewed: 297 (28 UL)
Full Text
Peer Reviewed
See detailA Socio-Technical Methodology for the Security and Privacy Analysis of Services
Bella, Giampaolo; Curzon, Paul; Giustolisi, Rosario UL et al

in IEEE 38th Annual International Computers, Software and Applications Conference Workshops, 27–29 July 2014, Västerås, Sweden (2014)

Detailed reference viewed: 164 (5 UL)
Peer Reviewed
See detailProceedings of the 2014 Workshop on Socio-Technical Aspects in Security and Trust, STAST 2014
Bella, Giampaolo; Lenzini, Gabriele UL

Scientific Conference (2014)

Detailed reference viewed: 71 (1 UL)
Full Text
Peer Reviewed
See detailSecure exams despite malicious management
Bella, Giampaolo; Giustolisi, Rosario UL; Lenzini, Gabriele UL

in Twelfth Annual International Conference on Privacy, Security and Trust (PST), Ryerson University, Toronto, July 23-24, 2014 (2014)

Detailed reference viewed: 165 (8 UL)
Full Text
Peer Reviewed
See detailRemark!: A Secure Protocol for Remote Exams
Giustolisi, Rosario UL; Lenzini, Gabriele UL; Ryan, Peter UL

in Security Protocols XXII - Lecture Notes in Computer Science (2014)

Detailed reference viewed: 417 (61 UL)