A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums

2022 | Decision Support Systems | Citations: 0

Authors: Biswas, Baidyanath; Mukhopadhyay, Arunabha; Bhattacharjee, Sudip; Kumar, Ajay; Delen, Dursun

Abstract: Online hacker communities are meeting spots for aspiring and seasoned cybercrimi ... Expand

Abstract: Online hacker communities are meeting spots for aspiring and seasoned cybercriminals where they engage in technical discussions, share exploits and relevant hacking tools to be used in launching cyber-attacks on business organizations. Sometimes, the affected organizations can detect these attacks in advance, with the help of cyberthreat intelligence derived from the explicit and implicit features of hacker communication in these forums. Herein, we proposed a novel text-mining based cyber-risk assessment and mitigation framework, which performs the following critical tasks. (i) Cyber-risk Assessment - to identify hacker expertise (i.e., newbie, beginner, inter­ mediate, and advanced) using explicit and implicit features applying various classification algorithms. Among these features, cybersecurity keywords, sharing of attachments, and sentiments emerged as significant. Further, we found that expert hackers demonstrate leadership in the online forums that eventually serve as communities of practice. Consequently, novice hackers gradually develop their cyber-attack skills through prolonged observa­ tions, interactions, and external influences in this social learning process. (ii) Cyber-risk mitigation – computes financial impact for every {hacker expertise, attack-type} combination, and then by ranking them on a {likelihood, impact} decision-matrix to prioritize mitigation strategies in affected organizations. Through these novel rec­ ommendations, our framework can guide managers to decide on appropriate cybersecurity controls using an {expected loss, probability, attack-type, hacker expertise} metric against financial losses due to cyber-attacks. Collapse

Topics: IT security IT security threat darknet source code logistics management

Methods: classification method sentiment analysis decision tree classification term frequency–inverse document frequency literature study

Theories: social exchange theory social practice theory

A Test of Protection Motivation Theory in the Information Security Literature: A Meta-Analytic Structural Equation Modeling Approach

2022 | Journal of the Association for Information Systems | Citations: 0

Authors: Mou, Jian; Cohen, Jason; Bhattacherjee, Anol; Kim, Jongki

Abstract: Information security is one of the important domains of information systems res ... Expand

Abstract: Information security is one of the important domains of information systems research today, with protection motivation theory (PMT) one of its most influential theoretical lenses. However, empirical findings based on PMT are often inconsistent and inconclusive. To reconcile these inconsistent findings, we conducted a meta-analysis to investigate the relationships among PMT constructs while also considering additional contextual constructs that are not specified in PMT. Ninety-two published studies were meta-analyzed and estimated using structural equation modeling. Our results provide support for three of the five predictors of security motivation intention, as postulated by PMT, mixed support for perceived vulnerability, and no support for response cost. We found that coping appraisal variables of response efficacy and self-efficacy have the largest average effects on security behavior. In addition, cultural attributes of collectivism and individualism moderated some of the pairwise correlations, PMT-theoretic relationships were generally stronger in personal contexts than in workplace contexts, and the intention-behavior relationship was strongest in workplace and compliance settings. Our results contribute to the information security literature by providing guidance for future PMT-related research and by demonstrating how meta-analysis and structural equation modeling can be combined to test theories in information systems research. . His research interests include electronic commerce, human-computer interaction, trust, and risk issues in electronic services, and the dynamic nature of systems use. His research has appeared in journals such as focuses on dysfunctional consequences of social media, healthcare informatics, and algorithm bias. He served on the editorial board of MIS Quarterly for four years and served as a senior editor at Journal of the Association for Information Systems. He holds PhD and MBA degrees from the Collapse

Topics: data security self efficacy cybersecurity behavior malware social norm

Methods: meta analysis structural equation modeling descriptive statistic literature sample SEM tool

Theories: expectancy–value theory

Information systems security research agenda: Exploring the gap between research and practice

2021 | Journal of Strategic Information Systems | Citations: 0

Authors: Dhillon, Gurpreet; Smith, Kane; Dissanayaka, Indika

Abstract: This paper undertakes a systematic review of the Information Systems Security li ... Expand

Abstract: This paper undertakes a systematic review of the Information Systems Security literature. The literature review consists of three parts: First, we perform topic modeling of major Information Systems journals to understand the field’s debates. Second, we conduct a Delphi Study composed of the Chief Information Security Officers of major corporations in the US to identify security issues that they view as important. Third, we compare Topic Modeling and the Delphi Study results and discuss key debates, gaps, and contradictions within the academic literature. Further, extant Information Systems Security literature is reviewed to discuss where the academic com­ munity has placed the research emphasis and what is now required in the discipline. Based on our analysis, we propose a future agenda for Information Systems security research. Collapse

Topics: IT security IT security threat systems design information security policy compliance malware

Methods: delphi study literature study topic model computational algorithm machine learning

Theories: socio technical theory

Network Vulnerability and Enterprises’ Response: The Preliminary Analysis

2021 | Americas Conference on Information Systems | Citations: 0

Authors: Yang, Hao; Zhang, Jinfeng; Zhang, Xiong

Abstract: In this study, we examine enterprises' response to network vulnerabilities. We ... Expand

Abstract: In this study, we examine enterprises' response to network vulnerabilities. We find the sentiment of the vulnerability fixing plan, whether poster ID is shown, vulnerability type, vulnerability hazard level, and industries enterprises belong to have significant impacts on enterprises' response to network vulnerabilities. This finding could shed lights on firms' management decisions on fixing network vulnerabilities. Collapse

Topics: crowdsourcing IT security threat SQL injection missing data Python

Methods: sentiment analysis multiple linear regression linear regression analysis regression analysis method parametric test

Examining Exploitability Risk of Vulnerabilities: A Hazard Model

2020 | Communications of the Association for Information Systems | Citations: 1

Authors: Roumani, Yaman; Nwankpa, Joseph

Abstract: With the increasing number and severity of security incidents and exploits, info ... Expand

Abstract: With the increasing number and severity of security incidents and exploits, information technology (IT) vendors, security managers, and consumers have begun to place more emphasis on security. Yet, fixing the sheer volume of vulnerabilities remains a challenge as IT vendors race against attackers to evaluate system vulnerabilities, prioritize them, and issue security patches before cybercriminals can exploit them. In this study, we posit that IT vendors can prioritize which vulnerabilities they should patch first by assessing their exploitability risk. Accordingly, we identified the vulnerabilities that cybercriminals will most likely exploit using vulnerability-related attributes and vulnerability types. To do so, we employed survival analysis and tested our models using historical data of vulnerabilities and exploits between 2007 and 2016. Our results indicate that IT vendors benefit the most from fixing remotely exploitable vulnerabilities; non-complex vulnerabilities; vulnerabilities that require no authentication; and vulnerabilities that affect confidentiality, integrity, and availability components. Furthermore, our findings suggest that IT vendors can mitigate the risk of exploit-related attacks by remedying code-injection vulnerabilities, buffer-overflow vulnerabilities, and numeric-error vulnerabilities. Collapse

Topics: electronic authentication research and development database system privacy SQL injection

Methods: regression analysis method survival analysis proportional hazards model game theoretical model Compustat

Theories: game theory theory of bounded rationality

Collaborative Learning for Information Security Topics: A Pilot Study

2020 | Americas Conference on Information Systems | Citations: 0

Authors: Tian, Xin; Li, Zhigang

Abstract: ... Expand

Abstract: Collapse

Topics: IT security data security SQL injection operating system

Methods: survey descriptive statistic linear regression analysis term frequency–inverse document frequency personal interview

Effects of Evidence-Based Malware Cybersecurity Training on Employees

2019 | Americas Conference on Information Systems | Citations: 0

Authors: He, Wu; Anwar, Mohd; Ash, Ivan; Li, Ling; Yuan, Xiaohong; Xu, Li; Tian, Xin

Abstract: This paper presents a research study conducted to investigate the effect of dif ... Expand

Abstract: This paper presents a research study conducted to investigate the effect of different evidence-based cybersecurity training methods on employees' cybersecurity risk perception and self-reported behavior. Our study participants were randomly assigned into four groups (i.e., malware report, malware videos, both malware report and malware videos, no interventions) to assess the effects of cybersecurity training on their perceptions of vulnerability, severity, self-efficacy, security intention as well as their self-reported cybersecurity behaviors. The results show that evidence-based malware report is a relatively better training method in affecting employees' intentions of engaging in recommended cybersecurity behaviors comparing with the other training methods used in this study. Collapse

Topics: malware IT security self efficacy cybersecurity behavior behavioral intention

Methods: survey analysis of covariance experimental group experiment qualitative interview

Enterprise security investment through time when facing different types of vulnerabilities

2019 | Information Systems Frontiers | Citations: 3

Authors: Miaoui, Yosra; Boudriga, Noureddine

Abstract: We propose in this work to use the utility theory to compute the optimal securit ... Expand

Abstract: We propose in this work to use the utility theory to compute the optimal security investment over an investment horizon, considering the typologies and dynamic aspects of vulnerabilities related to the assets of a firm. A regression over a 17-year statistics available in the National Vulnerability Database is performed to predict and forecast the evolution of vulnerabilities’ rates over the investment horizon. Techniques and methodologies are proposed to compute and plan investment tranches over the whole time-horizon, while coping with budget constraints. An analysis is conducted to assess the variation of the optimal investments and the residual risk, taking into account the attitude of decision-makers towards risk. The obtained results show that : a) the optimal amount of investment in information security necessary to counter located attacks increases with the investment horizon for all types of vulnerabilities, but such an increase highly depends on the type of vulnerabilities affecting the firm; b) differently to located attacks, the optimal amount of investment in information security necessary to counter distributed attacks does not always increase with the investment horizon; and c) the optimal amount to invest in security, and the optimum value of the residual risk depend on the decision-maker attitude towards security risk. Collapse

Topics: logistics management IT security threat database system artificial intelligence SQL injection

Methods: computational algorithm game theoretical model regression analysis method survey parametric test

Theories: utility theory expected utility theory decision theory

An Empirical Study of Security Issues Posted in Open Source Projects

2018 | HICSS | Citations: 0

Authors: Zahedi, Mansooreh; Babar, Muhammad Ali; Treude, Christoph

Abstract: When developers gain thorough understanding and knowledge of software security, ... Expand

Abstract: When developers gain thorough understanding and knowledge of software security, they can produce more secure software. This study aims at empirically identifying and understanding the security issues posted on a random sample of GitHub repositories. We tried to understand the presence of security issues and their key themes and topics. We applied a mixedmethods approach, combining topic modeling techniques and qualitative analysis. Our findings have revealed that a) the rate of security-related issues was rather small (approx. 3% of all issues), b) the majority of the security issues were related to identity management and cryptography topics. We present 7 high-level themes of problems that developers face in implementing security features. Collapse

Topics: IT security threat data encryption password electronic authentication authorization

Methods: topic model latent dirichlet allocation design pattern qualitative content analysis mixed method

Can Cybersecurity Be Proactive? A Big Data Approach and Challenges

2017 | HICSS | Citations: 0

Authors: Chen, Hong-Mei; Kazman, Rick; Monarch, Ira; Wang, Ping

Abstract: The cybersecurity community typically reacts to attacks after they occur. Being ... Expand

Abstract: The cybersecurity community typically reacts to attacks after they occur. Being reactive is costly and can be fatal where attacks threaten lives, important data, or mission success. But can cybersecurity be done proactively? Our research capitalizes on the Germination Period—the time lag between hacker communities discussing software flaw types and flaws actually being exploited—where proactive measures can be taken. We argue for a novel proactive approach, utilizing big data, for (I) identifying potential attacks before they come to fruition; and based on this identification, (II) developing preventive countermeasures. The big data approach resulted in our vision of the Proactive Cybersecurity System (PCS), a layered, modular service platform that applies big data collection and processing tools to a wide variety of unstructured data sources to predict vulnerabilities and develop countermeasures. Our exploratory study is the first to show the promise of this novel proactive approach and illuminates challenges that need to be addressed. Collapse

Topics: big data IT security knowledge representation database system SQL injection

Methods: natural language processing cluster analysis ontological modelling machine learning sentiment analysis