Publication date: 7 October 2013

Hannes Holm and Mathias Ekstedt

Abstract

Purpose

The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

Design/methodology/approach

Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

Findings

The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

Research limitations/implications

The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.

Practical implications

The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.

Originality/value

WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227

Publication date: 8 June 2015

Waldo Rocha Flores, Hannes Holm, Marcus Nohlberg and Mathias Ekstedt

Abstract

Purpose

The purpose of the study was twofold: to investigate the correlation between a sample of personal psychological and demographic factors and resistance to phishing; and to investigate if national culture moderates the strength of these correlations.

Design/methodology/approach

To measure potential determinants, a survey was distributed to 2,099 employees of nine organizations in Sweden, USA and India. Then, the authors conducted unannounced phishing exercises, in which a phishing attack targeted the same sample.

Findings

Intention to resist social engineering, general information security awareness, formal IS training and computer experience were identified as having a significant positive correlation with phishing resilience. Furthermore, the results showed that the correlation between phishing determinants and employees' observed phishing behavior differs between Swedish, US and Indian employees in 6 out of 15 cases.

Research limitations/implications

The identified determinants had a significant, though not strong, positive correlation. This suggests that more work needs to be done to more fully understand the determinants of phishing. The study assumes that cultural effects apply to all individuals in a nation; however, cultural differences might also exist based on firm characteristics within a country. The Swedish sample dominates, while only 40 responses from Indian employees were collected. This unequal sample size suggests that conclusions based on the results of the cultural analysis should be drawn cautiously. A natural continuation of the research is therefore to further explore the generalizability of the findings by collecting data from other nations with cultures similar to those of Sweden, the USA and India.

Originality/value

Using direct observations of employees’ security behaviors has rarely been used in previous research. Furthermore, analyzing potential differences in theoretical models based on national culture is an understudied topic in the behavioral information security field. This paper addresses both these issues.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Publication date: 1 June 2012

Teodor Sommestad, Hannes Holm and Mathias Ekstedt

Abstract

Purpose

The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks. In other words, attacks which use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied.

Design/methodology/approach

The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server-side attacks and eight for client-side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.

Findings

Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server-side attacks and between 43 and 67 percent for client-side attacks. Based on these scenarios, the influence of different protective measures is identified.

Practical implications

The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack.

Originality/value

Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.

Publication date: 7 June 2011

Teodor Sommestad, Mathias Ekstedt, Hannes Holm and Muhammad Afzal

Abstract

Purpose

This paper aims to assess the influence of a set of human and organizational factors in information system deployments on the probability that a number of security-related mistakes are in the deployment.

Design/methodology/approach

A Bayesian network (BN) is created and analyzed over the relationship between mistakes and causes. The BN is created by eliciting qualitative and quantitative data from experts of industrial control system deployments in the critical infrastructure domain.

Findings

The data collected in this study show that domain experts have a shared perception of how strong the influence of human and organizational factors is. According to domain experts, this influence is strong. This study also finds that security flaws are common in industrial control systems operating critical infrastructure.

Research limitations/implications

The model presented in this study is created with the help of a number of domain experts. While they agree on the qualitative structure and quantitative parameters, future work should verify that their opinion is generally accurate.

Practical implications

The influence of a set of important variables related to organizational/human aspects on information security flaws is presented.

Social implications

The context of this study is deployments of systems that operate nations' critical infrastructure. The findings suggest that initiatives to secure such infrastructures should not be purely technical.

Originality/value

Previous studies have focused on either the causes of security flaws or the actual flaws that can exist in installed information systems. However, little research has been spent on the relationship between them. The model presented in this paper quantifies such relationships.

Details

Information Management & Computer Security, vol. 19 no. 2
Type: Research Article
ISSN: 0968-5227
