Dissertations / Theses on the topic 'Cybersecurity and privacy'

Security and privacy practices of end-users on social media are an important area of research, as well as a top-of-mind concern for individuals as well as organizations. In recent years, we have seen a sharp increase in data breaches and cyber security threats that have targeted social media users. Hence, it is imperative that we try to better understand factors that affect an end-user’s adoption of effective security safeguards and privacy protection practices. In this research, we propose and validate a theoretical model that posits several determinants of end-user security and privacy practices on social media. We hypothesize relationships among various cognitive, affective and behavioral factors identified under the themes of posture, proficiency, and practices. These constructs and hypotheses are validated through empirical research comprising an online survey questionnaire, and structural equation modeling (SEM) analysis. The key findings of this study highlight the importance of cyber threat awareness and social media security and privacy self-efficacy, which have a direct impact on end-user security and privacy practices. Additionally, our research shows that use of general technology applications for security and privacy impacts the adoption of security and privacy practices on social media. In totality, our research findings indicate that proficiency is a better predictor or security and privacy practices as compared to the posture of an end-user. Factors such as privacy disposition, privacy concerns, and perceived risk of privacy violations do not have as significant or direct effect on security and privacy practices. Based on our research findings, we provide some key take-aways in the form of theoretical contributions, suggestions for future research, as well as recommendations for organizational security awareness training programs.

Al giorno d'oggi siamo sempre più circondati da dispositivi interconnessi tra loro, i quali sono costantemente esposti ad attacchi informatici. In questo elaborato, dopo aver introdotto l'Internet of Things e i suoi molteplici ambiti applicativi, verrà svolta un'attenta analisi dei rischi e delle sfide riguardanti la cybersecurity che le aziende 4.0 dovranno affrontare. Verranno proposte delle possibili soluzioni attraverso l'impiego di tecnologie sempre più sofisticate ed innovative.

Despite substantial effort made by the usable security community at facilitating the use of recommended security systems and behaviors, much security advice is ignored and many security systems are underutilized. I argue that this disconnect can partially be explained by the fact that security behaviors have myriad unaccounted for social consequences. For example, by using two-factor authentication, one might be perceived as “paranoid”. By encrypting an e-mail correspondence, one might be perceived as having something to hide. Yet, to date, little theoretical work in usable security has applied theory from social psychology to understand how these social consequences affect people’s security behaviors. Likewise, little systems work in usable security has taken social factors into consideration. To bridge these gaps in literature and practice, I begin to build a theory of social cybersecurity and apply those theoretical insights to create systems that encourage better cybersecurity behaviors. First, through a series of interviews, surveys and a large-scale analysis of how security tools diffuse through the social networks of 1.5 million Facebook users, I empirically model how social influences affect the adoption of security behaviors and systems. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are negatively affected by social influence. Based on these empirical results, I put forth two prescriptions: (i) creating socially grounded interface “nudges” that encourage better cybersecurity behaviors, and (ii) designing new, more socially intelligent end-user facing security systems. As an example of a social “nudge”, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts. In an experimental evaluation with 50,000 Facebook users, I found that this social notification was significantly more effective than a non-social control notification at attracting clicks to improve account security and in motivating the adoption of promoted, optional security tools. As an example of a socially intelligent cybersecurity system, I designed Thumprint: an inclusive authentication system that authenticates and identifies individual group members of a small, local group through a single, shared secret knock. Through my evaluations, I found that Thumprint is resilient to casual but motivated adversaries and that it can reliably differentiate multiple group members who share the same secret knock. Taken together, these systems point towards a future of socially intelligent cybersecurity that encourages better security behaviors. I conclude with a set of descriptive and prescriptive takeaways, as well as a set of open problems for future work. Concretely, this thesis provides the following contributions: (i) an initial theory of social cybersecurity, developed from both observational and experimental work, that explains how social influences affect security behaviors; (ii) a set of design recommendations for creating socially intelligent security systems that encourage better cybersecurity behaviors; (iii) the design, implementation and comprehensive evaluation of two such systems that leverage these design recommendations; and (iv) a reflection on how the insights uncovered in this work can be utilized alongside broader design considerations in HCI, security and design to create an infrastructure of useful, usable and socially intelligent cybersecurity systems.

Medical literature identifies a number of technology-driven improvements in disease management such as implantable medical devices (IMDs) that are a standard treatment for candidates with specific diseases. Among patients using implantable cardiac defibrillators (ICD), for example, problems and issues are being discovered faster compared to patients without monitoring, improving safety. What is not known is why patients report not feeling safer, creating a safety paradox, and why patients identify privacy concerns in ICD monitoring. There is a major gap in the literature regarding the factors that contribute to perceived safety and privacy in remote patient monitoring (RPM). To address this gap, the research goal of this study was to provide an interpretive account of the experience of RPM patients. This study investigated two research questions: 1) How did RPM recipients perceive safety concerns?, and 2) How did RPM recipients perceive privacy concerns? To address the research questions, in-depth, semi-structured interviews were conducted with six participants to explore individual perceptions in rich detail using interpretative phenomenological analysis (IPA). Four themes were identified and described based on the analysis of the interviews that include — comfort with perceived risk, control over information, education, and security — emerged from the iterative review and data analysis. Participants expressed comfort with perceived risk, however being scared and anxious were recurrent subordinate themes. The majority of participants expressed negative feelings as a result of an initial traumatic event related to their devices and lived in fear of being shocked in inopportune moments. Most of these concerns stem from lack of information and inadequate education. Uncertainties concerning treatment tends to be common, due to lack of feedback from ICD RPM status. Those who knew others with ICD RPM became worrisome after hearing about incidences of sudden cardiac death (SCD) when the device either failed or did not work adequately to save their friend’s life. Participants also expressed cybersecurity concerns that their ICD might be hacked, maladjusted, manipulated with magnets, or turned off. They believed ICD RPM security was in place but inadequate as well as reported feeling a lack of control over information. Participants expressed wanting the right to be left alone and in most cases wanted to limit others’ access to their information, which in turn, created conflict within families and loved ones. Geolocation was a contentious node in this study, with most of participants reporting they did not want to be tracked under any circumstances. This research was needed because few researchers have explored how people live and interact with these newer and more advanced devices. These findings have implications for practice relating to RPM safety and privacy such as identifying a gap between device companies, practitioners, and participants and provided directions for future research to discover better ways to live with ICD RPM and ICD shock.

Dissertação de Mestrado em Gestão e Políticas Públicas
Os serviços online tornaram-se uma parte importante das nossas vidas, nomeadamente porque permitem o acesso à informação em qualquer sítio, a qualquer momento. Por assim ser, este tipo de serviços é útil não apenas para os utilizadores, mas para qualquer empresa ou instituição pública, nomeadamente por ajudar a reduzir os seus custos operacionais – por via da redução da infraestrutura física, da menor necessidade de recursos humanos, apresentando-se ainda menos dispendiosa, mais célere e cômoda para qualquer utente, se pensarmos por exemplo nos serviços públicos. Posto isso, este projeto de dissertação procurou descrever as perceções de cibercrime e cibersegurança dos cidadãos portugueses. Os dados necessários à elaboração da investigação foram recolhidos entre os dias 6 de julho e 6 de setembro de 2015, totalizando um total de 431 respostas, de inquiridos nacionais. Os resultados obtidos demonstram a preocupação com a privacidade, nomeadamente com os dados pessoais. Das três dimensões encontradas, com impacto na dimensão depende – Perceção da Ação do Estado – salienta-se “Segurança de Dados e Familiarização” o que leva a crer que maiores níveis de conhecimento e consciencialização levam a melhores níveis de satisfação. A formação de dois clusters permitiu verificar que a característica mais evidente é o género do indivíduo, razão pela qual, posteriormente, foram analisas as variáveis com diferenças estatisticamente significantes. Desta análise, salientam-se as variáveis relativas ao entendimento sobre a matéria, e à satisfação com a Ação do Estado.
Online services have become an important part of our lives, in particular, because they allow access to information anywhere, anytime. Because of that, this type of service is useful not only for mere users but for any company or public institution, in particular by helping to reduce its operating costs – by reducing physical infrastructure, the need for human resources, for being even cheaper, faster and comfortable for any user, if we think, for example, of public services. Thus, this dissertation project aims to describe the perceptions of cybercrime and cybersecurity of Portuguese citizens. The data was collected between July 6 and September 6, 2015, with a total of 431 responses, from national respondents. The results obtained prove the concern for privacy, particularly with personal data. Of the three dimensions found, with impact on the dimension depends - State Action Perception - highlights "Data Security and Familiarization" which leads to believe that higher levels of knowledge and awareness lead to better levels of satisfaction. The formation of two clusters allowed us to verify that the most obvious characteristic is the gender of the individual, reason why, afterward, differences in the means of variables were analyzed. From this analysis, we highlight the variables related to the understanding of the subject and the satisfaction with the State Action.
N/A

Il fine di questo elaborato di tesi è analizzare per quali scopi e secondo quali metodologie le piattaforme online di Social Media trattano i nostri dati online. L'analisi sarà incentrata in primo luogo in luce delle regolamentazioni vigenti, quali tipi e come tutelano i dati in ambito privacy; seguirà un approfondimento delle informative sui dati (privacy policy) di alcuni importanti Social dal quale verranno estrapolati e riconosciuti concetti come la profilazione. Lo studio di che cosa è la profilazione avrà come scopo l'introduzioni di questioni molto importanti riguardo i sistemi utilizzati per profilare - sistemi che sono nel modo più assoluto automatizzati, composti da algoritmi sviluppati sulla base di "deep learning" e "machine learning" in modo da non richiedere l'intervento umano - le conseguenze sul piano etico-sociale e i problemi di sicurezza informatica che me derivano. Nella parte finale, in particolare, verrà fatto notare come l'atto dell'invio di contenuti personalizzati non sia stato seriamente considerato e come il GDPR tratta questa situazione.

De nos jours, les réseaux sociaux ont considérablement changé la façon dont les personnes prennent des photos qu’importe le lieu, le moment, le contexte. Plus que 500 millions de photos sont partagées chaque jour sur les réseaux sociaux, auxquelles on peut ajouter les 200 millions de vidéos échangées en ligne chaque minute. Plus particulièrement, avec la démocratisation des smartphones, les utilisateurs de réseaux sociaux partagent instantanément les photos qu’ils prennent lors des divers événements de leur vie, leurs voyages, leurs aventures, etc. Partager ce type de données présente un danger pour la vie privée des utilisateurs et les expose ensuite à une surveillance grandissante. Ajouté à cela, aujourd’hui de nouvelles techniques permettent de combiner les données provenant de plusieurs sources entre elles de façon jamais possible auparavant. Cependant, la plupart des utilisateurs des réseaux sociaux ne se rendent même pas compte de la quantité incroyable de données très personnelles que les photos peuvent renfermer sur eux et sur leurs activités (par exemple, le cas du cyberharcèlement). Cela peut encore rendre plus difficile la possibilité de garder l’anonymat sur Internet dans de nombreuses situations où une certaine discrétion est essentielle (politique, lutte contre la fraude, critiques diverses, etc.).Ainsi, le but de ce travail est de fournir une mesure de protection de la vie privée, visant à identifier la quantité d’information qui permettrait de ré-identifier une personne en utilisant ses informations personnelles accessibles en ligne. Premièrement, nous fournissons un framework capable de mesurer le risque éventuel de ré-identification des personnes et d’assainir les documents multimédias destinés à être publiés et partagés. Deuxièmement, nous proposons une nouvelle approche pour enrichir le profil de l’utilisateur dont on souhaite préserver l’anonymat. Pour cela, nous exploitons les évènements personnels à partir des publications des utilisateurs et celles partagées par leurs contacts sur leur réseau social. Plus précisément, notre approche permet de détecter et lier les évènements élémentaires des personnes en utilisant les photos (et leurs métadonnées) partagées au sein de leur réseau social. Nous décrivons les expérimentations que nous avons menées sur des jeux de données réelles et synthétiques. Les résultats montrent l’efficacité de nos différentes contributions
Today, social networking has considerably changed why people are taking pictures all the time everywhere they go. More than 500 million photos are uploaded and shared every day, along with more than 200 hours of videos every minute. More particularly, with the ubiquity of smartphones, social network users are now taking photos of events in their lives, travels, experiences, etc. and instantly uploading them online. Such public data sharing puts at risk the users’ privacy and expose them to a surveillance that is growing at a very rapid rate. Furthermore, new techniques are used today to extract publicly shared data and combine it with other data in ways never before thought possible. However, social networks users do not realize the wealth of information gathered from image data and which could be used to track all their activities at every moment (e.g., the case of cyberstalking). Therefore, in many situations (such as politics, fraud fighting and cultural critics, etc.), it becomes extremely hard to maintain individuals’ anonymity when the authors of the published data need to remain anonymous.Thus, the aim of this work is to provide a privacy-preserving constraint (de-linkability) to bound the amount of information that can be used to re-identify individuals using online profile information. Firstly, we provide a framework able to quantify the re-identification threat and sanitize multimedia documents to be published and shared. Secondly, we propose a new approach to enrich the profile information of the individuals to protect. Therefore, we exploit personal events in the individuals’ own posts as well as those shared by their friends/contacts. Specifically, our approach is able to detect and link users’ elementary events using photos (and related metadata) shared within their online social networks. A prototype has been implemented and several experiments have been conducted in this work to validate our different contributions

Approved for public release; distribution is unlimited
Government agencies, businesses, and individuals alike have become more dependent on technology, and the desire and need for interconnectedness has led to increasing network vulnerability affecting both government and private sectors. Recognizing both government and private sector agencies individually lack the capabilities to defend against cyber threats, President Obama has called for a more robust and resilient cybersecurity alliance that encourages information-sharing partnerships with private sector owners and operators in charge of protecting U.S. critical infrastructure. Despite the recent drive for cyber legislation and policies, government agencies and private companies have seemed reluctant to share information related to cyber-attacks and threats with one another. To discover the deeper underlying issues that inhibit public-private cooperation, and to evaluate the effectiveness of public-private partnerships (PPPs) to advance cyber information sharing, this thesis examines the banking and finance sector of U.S. critical infrastructure sector. In doing so, it identifies reasons why information-sharing problems exist between government agencies and private companies; investigates how PPPs satisfy national cybersecurity needs; and, in turn, reveals issues for policymakers to consider when shaping policies that encourage an open dialog between the public and private sector.

This research investigates 202 data breach events occurring between 2015 and 2019 and the related financial effects on the USA's impacted private firms. From examining previous research, it is obvious that no known studies evaluate the financial impacts of cybercrimes on private firms. Prior studies mostly focus on public firms and stock market reactions even though there is the increasing number of cyberattacks on private firms too. This study seeks to fill the gap by providing the empirical evidence of the impacts on those firms' cash holding after experiencing a cybersecurity attack. Overall, the results of this research show if the private firms that have been cyberattacked face the connate aftermath and follow the similar precautions as public firms with data breaches or not. I find that the firms that experienced an attack two years ago increase their cash holdings significantly, while an attack that happened a year ago can only impact cash holdings while interacting with tangibility and ROA of a firm. These results are essential as the private firms draw up a budget and reform strategies for coping with cyber incidents.

Economic agents make rational cybersecurity investment decisions considering the costs and the benefits of their choice. Problems arise when the private costs and benefits do not align with social costs and benefits. The presence of externalities commonly leads to underinvestment and the situation is aggravated by the presence of informational challenges that are typical for cyberspace. In cases of critical infrastructure interdependence, firms are often unaware that their underinvestment impacts other network agents, who might be equally unaware of the situation. Without accurate information on cybersecurity it is difficult to provide incentives for private agents to invest in cybersecurity. Therefore, in this thesis, we present information sharing as a means to handle the informational challenges and bring cybersecurity investment closer to a socially optimal level. In this thesis, we develop an economic model for determining the optimal level of cybersecurity investment for private critical infrastructure operators. Our goal is to analyse cybersecurity investment decisions in a network of interdependent critical infrastructure operators. As the agents’ information systems are bound together, the critical elements of each system are now the critical elements of all the interdependent systems. A failure in one system will be externalized to the other agents’ systems. As a result, an agent’s decisions to invest in cybersecurity and to share breach information also impact the welfare of other agents. We assume that an agent’s investment costs increase in its own aggregate investment, but decrease in the other agents’ investment and information sharing effort. Therefore, an agent’s cybersecurity investment and information sharing decisions affect the other agents’ optimal cybersecurity investment level and their incentives to share breach information. We utilize our model to examine the incentives of private critical infrastructure owners and operators to invest in cybersecurity and share breach information. Critical infrastructure protection is a matter of national security of supply, and thus societal costs of a breach might be higher than the private costs incurred by the owner and operator. Hence, governmental intervention is justified. However, due to the unique qualities of cyberspace, we abandon traditional top-down orders and introduce a social planner, who is a member of the same network as the critical infrastructure providers. The social planner influences network agents’ incentives through its own cybersecurity investment and information sharing efforts. The model presented in the thesis is based on a definition of cybersecurity as public externality. The definition is based on a four layer framework model of cyberspace, where the content of a layer determines security on that layer as a good, and the protection of the lower layers impacts the security of the subsequent layers. On the physical layer, security is determined by private goods, and by club goods and private goods on the logical and informational layers. In our model, cybersecurity investment refers to these rivalrous and excludable security investments made on the lower layers of cyberspace. Cybersecurity is the positive externality of these investments. For this reason, there is no free riding in cybersecurity investment.

Робота обсягом 121 сторінки містить 15 ілюстрацій, 25 таблиць та 7 літературних посилань. Метою даної кваліфікаційної роботи є аналіз середовища мобільних застосунків, їх архітектури, дослідження можливих вразливостей застосунків та методів боротьби з ними. Об’єктом дослідження є сфера розробки мобільних застосунків. Предметом дослідження є інструменти, правила та інструкції з забезпечення захищеності мобільних застосунків. Результати роботи викладені у вигляді схеми архітектури системи безпеки мобільного застосунку, набору критеріїв до застосовуваних інструментів захисту, правил, що повинні бути дотримані в системі безпеці, та обов’язкових складових політики безпеки, що буде застосовуватись. Результати роботи можуть бути використані при розробці мобільних застосунків, а також для модернізації вже існуючих застосунків впровадженням запропонованої систем захисту. Також можливе використання окремих компонентів запропонованої системи безпеки та варіантів їх впровадження.
The work includes 121 pages, 15 illustrations, 25 tables and 7 literary references. The purpose of this qualification work is to analyze the environment of mobile applications, their architecture, the study of possible vulnerabilities in applications and methods to combat them. The object of research is the field of development of mobile applications. The subject of the study is the tools, rules and instructions for ensuring the security of mobile applications. The results of the work are presented in the form of a scheme of the architecture of the security system of the mobile application, a set of criteria for the applicable security tools, rules that must be observed in the security system, and the mandatory components of the security policy to be applied. The results of the work can be used in the development of mobile applications, as well as for the modernization of existing applications by implementation of the proposed protection systems. It is also possible to use the individual components of the proposed security system and their implementation options.

Дипломну магістерську роботу присвячено дослідженню теоретичних задач та обґрунтуванню практичних напрямів удосконалення системи управління державно-приватного партнерства та підтримки малого бізнесу в Україні, досвіду застосування ДПП в країнах Європи. На підставі аналізу підприємства ТОВ "ЛУКМІ УКРАЇНА" було запропоновано шляхи впровадження механізму підтримки малого бізнесу та державно-приватного партнерства. Було досліджено соціально-економічну значущість державно-приватного партнерства, а також його правове забезпечення. Виявлено умови розвитку ДПП в Україні, в секторі кібербезпеки та в системі міжмуніципального співробітництва в умовах децентралізації влади. Запропоновано шляхи вдосконалення правового механізму відповідно до ключових елементів його розвитку в сучасних умвах міжнародного досвіду.
The master's thesis is devoted to the study of theoretical problems and substantiation of practical areas of improving the management system of public-private partnership and support of small business in Ukraine, as well as research on the experience of PPP in Europe. Based on the analysis of the company LLC "LUKMI UKRAINE" was proposed ways to implement a mechanism to support small business and public-private partnership. The socio-economic significance of public-private partnership, as well as its legal support was studied. The conditions of PPP development in Ukraine, in the cybersecurity sector and in the system of inter-municipal cooperation in the conditions of decentralization of power are revealed. Ways to improve the legal mechanism in accordance with the key elements of its development in the current context of international experience are proposed.

On a regular basis, a variety of events take place in computer systems: program launches, firewall updates, user logins, and so on. To secure information resources, modern organisations have established security management systems. In cyber incident management, reporting and awareness-raising are a critical to identify and respond to potential threats in organisations. Security equipment operation systems record ’all’ events or actions, and major abnormalities are signaling via alerts based on rules or patterns. Investigation of these alerts is handled by specialists in the incident response team. Security professionals rely on the information in alert messages to respond appropriately. Incident response teams do not audit or trace the log files until an incident happens. Insufficient information in alert messages, and machine-friendly rather than human-friendly format cause cognitive overload on already limited cybersecurity human resources. As a result, only a smaller number of threat alerts are investigated by specialist staff and security holes may be left open for potential attacks. Furthermore, incident response teams have to derive the context of incidents by applying prior knowledge, communicate with the right people to understand what has happened, and initiate the appropriate actions. Insufficient information in alert messages and stakeholders’ participation raise challenges for the incident management process, which may result in late responses. In other words, cybersecurity resources are overburdened due to a lack of information in alert messages that provide an incomplete picture of a subject (incident) to assist with necessary decision making. The need to identify and track local and global sources in order to process and understand the critical elements of threat information causes cognitive overload on the company’s currently limited cybersecurity professionals. This problem can be overcome with a fully integrated report that clarifies the subject (incident) in order to reduce overall cognitive burden. Instead of spending additional time to investigating each subject of incident, which is dependent on the person’s expertise and the amount of time he has, a detailed report of incident can be utilised as an input of human-analyst. If cyber experts’ cognitive loads can be reduced, their response time efficiency may improves. The relationship between achieving incident management agility through contextual analytical with a comprehensive report and reducing human cognition overload is still being studied. There is currently a research gap in determining the key relationships between explainable Artificial Intelligence (AI) models and other technologies used in security management to gain insight into how explainable contextual analytics can provide distinct response capabilities. When using an explainable AI model for event modelling, research is necessary on how to improve self and shared insight about cyber data by gathering and interpreting security knowledge to reduce cognitive burden on analysts. Due to the fact that the level of cyber security expertise depends on prior knowledge or the results of a thorough report as an input, explainable intelligent models for understanding the inputs have been proposed. By enriching and interpreting security data in a comprehensive humanreadable report, analysts can get a better understanding of the situation and make better decisions. Explainable intelligent models are proposed in cyber incident management by interpreting security logs and cybersecurity alerts, and include a model which can be used in fraud detection where a large number of financial transactions necessitates the involvement of a human in the analysis process. In cyber incident management application, a wide and diverse amount of data are digested, and a report in natural language is developed to assist cyber analysts’ understanding of the situation. The proposed model produced easy-to-read reports/stories by presenting supplementary information in a novel narrative framework to communicate the context and root cause of the alert. It has been confirmed that, when compared to baseline reports, a more comprehensive report that answers core questions about the actor (who), riskiness (what), evidence (why), mechanism (how), time (when), and location (where) that support making real-time decisions by providing incident awareness. Furthermore, a common understanding of an incident and its consequences was established through a graph, resulting in Shared Situation Awareness (SSA) capability (the acquisition of cognition through collaboration with others). A knowledge graph, also known as a graph to semantic knowledge, is a data structure that represents various properties and relationships between objects. It has been widely researched and utilised in information processing and organisation. The knowledge graph depicts the various connections between the alert and relevant information from local and global knowledge bases. It interpreted knowledge in a human-readable format to enable more engagement in the cyber incident management. The proposed models are also known as explainable intelligence because they can reduce the cognitive effort required to process a large amount of security data. As a result, self-awareness and shared awareness of what is happening in cybersecurity incidents have been accomplished. The analyses and survey evaluation empirically demonstrated the models’ success in reducing significant overload on expert cognition, bringing more comprehensive information about the incident, and interpreting knowledge in a human-readable format to enable greater participation in cyber incident management. Finally, the intelligent model of knowledge graph is provided for transaction visualisation for fraud detection, an important challenge in security research. As with the same incident management challenges, fraud detection methods need to be more transparent by explaining their results in more detail. Despite the fact that fraudulent practices are always evolving, investigating money laundering based on an explainable AI that uses graph analysis, assist in the comprehension of schemes. A visual representation of the complex interactions that occur in transactions between money sender and money receiver, with explanations of human-readable aspects for easier digestion is provided. The proposed model, which was used in transaction visualisation and fraud detection, was highly regarded by domain experts. The Digital Defense Hackathon in December 2020 demonstrated that the model is adaptable and widely applicable (received first place in the Hackathon competition).

MCom (Business Information Systems)
Department of Business Information Systems
Although technology is being progressively used in supporting student learning and enhancing business processes within tertiary institutions, certain aspects are hindering the decisions of cloud usage. Among many challenges of utilizing cloud computing, cybersecurity has become a primary concern for the adoption. The main aim of the study was to investigate the effect of cloud cyber-security usage at rural based tertiary institutions in order to compare the usage with an urban-based institution and propose a cybersecurity framework for adoption of cloud computing cybersecurity. The research questions focused on determining the drivers for cloud cybersecurity usage; the current adoption issues; how cybersecurity challenges, benefits, and quality affects cloud usage; the adoption perceptions and awareness of key stakeholders and identifying a cloud cybersecurity adoption framework. A quantitative approach was applied with data collected from a simple random sample of students, lecturers, admin and IT staff within the tertiary institutions through structured questionnaires. The results suggested compliance with legal law as a critical driver for cloud cybersecurity adoption. The study also found a lack of physical control of data and harmful activities executed on the internet as challenges hampering the adoption. Prevention of identity fraud and cheaper security costs were identified as benefits of adoption. Respondents found cloud cybersecurity to be accurate and effective, although most of the students and employees have not used it. However, respondents were aware of the value of cybersecurity adoption and perceive for it to be useful and convenient, hence have shown the intention of adopting it. There were no significant elements identified to differentiate the perceptions of usage at rural and urban-based tertiary institutions. The results of the study are to be used for clarifying the cybersecurity aspects of cloud computing and forecasting the suitability cloud cybersecurity within the tertiary institutions. Recommendations were made on how tertiary institutions and management can promote cloud cybersecurity adoption and how students, lecturers, and staff can effectively use cloud cybersecurity.
NRF

The right to privacy is the most fundamental right of a citizen in any country. Electronic Health Records (EHRs) in healthcare has faced problems with privacy breaches, insider outsider attacks and unauthenticated record access in recent years, the most serious being related to the privacy and security of medical data. Ensuring privacy and security while handling patient data is of the utmost importance as a patient’s information should only be released to others with the patient’s permission or if it is allowed by law. Electronic health data (EHD) is an emerging health information exchange model that enables healthcare providers and patients to efficiently store and share their private healthcare information from any place and at any time as required. Generally, cloud services provide the infrastructure by reducing the cost of storing, processing and updating information with improved efficiency and quality. However, the privacy of EHRs is a significant hurdle when outsourcing private health data in the cloud because there is a higher risk of health information being leaked to unauthorized parties. Several existing techniques can analyse the security and privacy issues associated with e-healthcare services. These methods are designed for single databases, or databases with an authentication centre and thus cannot adequately protect the data from insider attacks. In fact, storing EHRs on centralized databases increases the security risk footprint and requires trust in a single authority. Therefore, this research study mainly focuses on how to ensure patient privacy and security while sharing sensitive data between the same or different organisations as well as healthcare providers in a distributed environment. This research successfully proposes and implements a permissioned blockchain framework named Healthchain, which maintains the security, privacy, scalability and integrity of the e-health data. The blockchain is built on Hyperledger Fabric, a permissioned distributed ledger solution by employing Hyperledger Composer and stores EHRs by utilizing InterPlanetary File System (IPFS) to build the decentralized web applications. Healthchain builds a two-pronged solution (i) an on-chain solution implemented on the secure network of Hyperledger Fabric which utilizes the state database Couch DB, (ii) an off-chain solution to securely store encrypted data via IPFS. The Healthchain architecture employs Practical Byzantine Fault Tolerance (PBFT) as the distributed network consensus processes to determine which block is to be added to the blockchain. Healthchain Hyperledger Fabric leverages container technology to host smart contracts called “chaincode” that comprises the application logic of this system. This research aimed at contributing towards the scalability in blockchain by storing the data hashes of health records on chain and the actual data is stored cryptographically off chain in IPFS, the decentralized storage. Moreover, the data stored in the IPFS will be encrypted by using special public key cryptographic algorithms to create robust blockchain solutions for EHD. This research study develops a privacy preserving framework with three main core contributions to the e-Health ecosystem: (i) it contributes a privacy preserving patient-centric framework namely Healthchain; (ii) introduces an efficient referral mechanism for the effective sharing of healthcare records; and (iii) prevents prescription drug abuse by performing drug tracking transactions employing smart contract functionality to create a smart health care ecosystem. The results demonstrates that the developed prototype ensures that healthcare records are not traceable to illegal disclosure as the model only stores the encrypted hash of records and is proven to be effective in terms of enhanced data privacy, data security, improved data scalability, interoperability and data integrity when accessing and sharing medical records among stakeholders across the Healthchain network. This research develops a foolproof security solution against cyber-attacks by exploiting the inherent features of the blockchain, thereby contributing to the robustness of healthcare information sharing systems and also unravels the potential for blockchain in health IT solutions.

In this report, I evaluate the risk Alibaba faces as a Chinese company in the e-commerce and cloud computing sectors when trying to expand internationally, due to the recent data privacy and security concerns raised by many in the Western world about Chinese technological companies (such as Huawei), making the company arisky investment. Furthermore, I examine the normality (or non-normality)of the distribution of monthly returns of Alibaba’s stock, presenting a few reasons for why it may be important for investors to protect themselves against large losses.

Atualmente, verifica-se que os Smartphones têm enfrentado um grande crescimento a nível mundial na vida das pessoas. As inúmeras vantagens destes dispositivos para os seus utilizadores têm sido cada vez mais evidentes. Estes aparelhos vivem da partilha de informação: os utilizadores não só recebem a informação pretendida, como também a podem partilhar. No entanto, em muitas instâncias, o utilizador acaba por compartilhar dados privados sem se aperceber, sem ter conhecimento, e muitas vezes sem o seu consentimento - dados estes que são recolhidos pelas empresas de telecomunicações e, pior ainda, vendidos a terceiros. Assim, esta partilha de dados descontrolada através do Smartphone pode implicar riscos e até mesmo ameaçar o direito de privacidade dos seus utilizadores, incluindo também aqueles com quem se troca dados através do Smartphone. Este estudo propõe-se a compreender até que ponto os estudantes universitários sabem que a sua privacidade está a ser posta em causa através da utilização de Smartphones. O objetivo central do estudo é perceber se, por um lado, este grupo de utilizadores se preocupa com a sua privacidade digital enquanto usa Smartphones ou se, por outro lado, lhes é indiferente o facto de terceiros conseguirem ter acesso aos seus dados privados sem o seu consentimento. Foram utilizadas duas técnicas para a recolha de dados: a) a entrevista com a observação dos alunos, b) o inquérito. Produziu-se um guião para as entrevistas com o objetivo de registar e observar comportamentos com o Smartphone. Por fim, elaborou-se um questionário com o intuito de recolher dados sobre a atividade, interação e opinião na utilização do telemóvel. A construção de ambas as ferramentas para a recolha de dados foram elaboradas com recurso ao modelo TUM, para que fosse possível, com uma adaptação deste modelo, medir a aceitação da tecnologia dos Smartphones juntamente com os riscos de privacidade de dados privados. Com os resultados obtidos, concluiu-se que os estudantes que participaram neste estudo, de um modo geral, não estão dispostos a abdicar da utilidade que o Smartphone lhes dá, mesmo que tal signifique que terceiros tenham acesso aos seus dados privados registados pelos aparelhos. Por outras palavras, pode-se dizer que estão dispostos a ter uma vida transparente perante as organizações que lhes disponibilizam os serviços através do Smartphone e perante terceiros que acedem a esses mesmos dados privados.
Smartphones have shown tremendous worldwide growth in the lives of people around the world. The numerous advantages of these devices for their users have been increasingly evident. These devices live by sharing information, where users not only receive the desired information, but can also share information. However, in many instances, the user shares private data without realizing it, without being aware of it and even without their consent, data that is collected by the telecommunications companies and even worse sold to unknown third parties. This uncontrolled data sharing through the Smartphone can mean risks and even threaten the privacy right to its users, including also the users with whom data is exchanged via the Smartphone. This study aims to understand the extent to which university students know that their privacy is being called into question through the use of smartphones. A central objective of the study is to understand whether this group of users is concerned with their digital privacy while using Smartphones or whether, on the other hand, they are indifferent to the fact that third parties gain access to their private data without their consent. Two techniques were used for data collection: a) the interview with the students' observation, b) the survey. A guide was developed for the interviews in order to record and observe behaviors with the Smartphone. The prepared questionnaire was used to collect data on the activity, interaction and opinion in their respective use of the Smartphone. The construction of both tools for data collection were elaborated using the TUM model, so that it was possible, with an adaptation of this model, to measure the acceptance of Smartphones technology together with the privacy risks of private data. With the results obtained, it was concluded that the students in this study are in no way willing to give up the utility that the Smartphone gives them, even if it means that third parties have access to their private data registered by the Smartphones. In other words, it can be said that they are willing to have a transparent life before the organizations that make services available to them through their Smartphone and third parties that access these same private data.

Depuis ses fondements, le domaine de l’Interaction Homme-Machine (IHM) est marqué par le souci constant de concevoir et de produire des systèmes numériques utiles et utilisables, c’est-à-dire adaptés aux utilisateurs dans leur contexte. Vu le développement exponentiel des recherches dans les IHM, deux états des lieux s’imposent dans les environnements en ligne : le concept de confiance et le comportement de l’usager. Ces deux états ne cessent de proliférer dans la plupart des solutions conçues et sont à la croisée des travaux dans les interfaces de paiements en ligne et dans les systèmes de recommandation. Devant les progrès des solutions conçues, l’objectif de cette recherche réside dans le fait de mieux comprendre les différents enjeux dans ces deux domaines, apporter des améliorations et proposer de nouvelles solutions adéquates aux usagers en matière de perception et de comportement en ligne. Outre l’état de l’art et les problématiques, ce travail est divisé en cinq parties principales, chacune contribue à mieux enrichir l’expérience de l’usager en ligne en matière de paiement et recommandations en ligne : • Analyse des multi-craintes en ligne : nous analysons les différents facteurs des sites de commerce électronique qui influent directement sur le comportement des consommateurs en matière de prise de décision et de craintes en ligne. Nous élaborons une méthodologie pour mesurer avec précision le moment où surviennent la question de la confidentialité, les perceptions en ligne et les craintes de divulgation et de pertes financières. • Intégration de personnalisation, contrôle et paiement conditionnel : nous proposons une nouvelle plateforme de paiement en ligne qui supporte à la fois la personnalisation et les paiements multiples et conditionnels, tout en préservant la vie privée du détenteur de carte. • Exploration de l’interaction des usagers en ligne versus la sensibilisation à la cybersécurité : nous relatons une expérience de magasinage en ligne qui met en relief la perception du risque de cybercriminalité dans les activités en ligne et le comportement des utilisateurs lié à leur préoccupation en matière de confidentialité. • Équilibre entre utilité des données et vie privée : nous proposons un modèle de préservation de vie privée basé sur l’algorithme « k-means » et sur le modèle « k-coRating » afin de soutenir l’utilité des données dans les recommandations en ligne tout en préservant la vie privée des usagers. • Métrique de stabilité des préférences des utilisateurs : nous ciblons une meilleure méthode de recommandation qui respecte le changement des préférences des usagers par l’intermédiaire d’un réseau neural. Ce qui constitue une amélioration à la fois efficace et performante pour les systèmes de recommandation. Cette thèse porte essentiellement sur quatre aspects majeurs liés : 1) aux plateformes des paiements en ligne, 2) au comportement de l’usager dans les transactions de paiement en ligne (prise de décision, multi-craintes, cybersécurité, perception du risque), 3) à la stabilité de ses préférences dans les recommandations en ligne, 4) à l’équilibre entre vie privée et utilité des données en ligne pour les systèmes de recommandation.
Technologies in Human-Machine Interaction (HMI) are playing a vital role across the entire production process to design and deliver advanced digital systems. Given the exponential development of research in this field, two concepts are largely addressed to increase performance and efficiency of online environments: trust and user behavior. These two extents continue to proliferate in most designed solutions and are increasingly enriched by continuous investments in online payments and recommender systems. Along with the trend of digitalization, the objective of this research is to gain a better understanding of the various challenges in these two areas, make improvements and propose solutions more convenient to the users in terms of online perception and user behavior. In addition to the state of the art and challenges, this work is divided into five main parts, each one contributes to better enrich the online user experience in both online payments and system recommendations: • Online customer fears: We analyze different components of the website that may affect customer behavior in decision-making and online fears. We focus on customer perceptions regarding privacy violations and financial loss. We examine the influence on trust and payment security perception as well as their joint effect on three fundamentally important customers’ aspects: confidentiality, privacy concerns and financial fear perception. • Personalization, control and conditional payment: we propose a new online payment platform that supports both personalization and conditional multi-payments, while preserving the privacy of the cardholder. • Exploring user behavior and cybersecurity knowledge: we design a new website to conduct an experimental study in online shopping. The results highlight the impact of user’s perception in cybersecurity and privacy concerns on his online behavior when dealing with shopping activities. • Balance between data utility and user privacy: we propose a privacy-preserving method based on the “k-means” algorithm and the “k-coRating” model to support the utility of data in online recommendations while preserving user’s privacy. • User interest constancy metric: we propose a neural network to predict the user’s interests in recommender systems. Our aim is to provide an efficient method that respects the constancy and variations in user preferences. In this thesis, we focus on four major contributions related to: 1) online payment platforms, 2) user behavior in online payments regarding decision making, multi-fears and cyber security 3) user interest constancy in online recommendations, 4) balance between privacy and utility of online data in recommender systems.