
6.6 Example Problems
from The Blue Book
Tangible example problems might include:
IoT cybersecurity awareness and training modules
The use of Internet of Things (IoT) technology is expanding daily in all spheres of business and society, from consumer-focused goods and services to industrial IoT. This has also introduced unprecedented safety, security and privacy risks [23]. The majority of IoT security deployments take place at the business unit level, where IT does participate, albeit insufficiently. This also implies that a number of key stakeholders in IoT security are unfamiliar with the IT security side of things. Further exacerbating the situation, IoT-related risks are often not well articulated, resulting in low awareness among users and employees. Thus, IoT security cannot be robust if the people involved do not have a good understanding, and this requires them to have the relevant awareness and training [134].
Awareness of adversarial AI attacks
Contrary to the use of AI/ML methods to strengthen cybersecurity, threat actors are leveraging AI/ML methods for malicious purposes, for example, to increase the number of attack surfaces and bolster their attacking capabilities [154]. Adversarial AI methods are used to craft misleading data or behaviours with the intention of manipulating and disrupting critical AI systems. There is growing evidence that adversarial AI methods have been implemented in real-world attacks. In spite of this, the effort to defend AI systems from adversarial AI attacks is generally an afterthought. It is unfortunate that many companies still remain unaware of adversarial AI attacks and the failure of AI systems the attacks can cause. Therefore, it is urgent to raise companies’ awareness of adversarial AI attacks and motivate them to be alert and prepared to defend their AI systems, especially those used in crucial sectors, against the attacks.
Cybersecurity awareness and training modules for mobile users
The mobile phone has gained widespread acceptance as a commonplace tool for accessing the Internet and doing sensitive jobs. These could be the causes of the daily rise in cyberattacks and crimes aimed at mobile phone users [200] [31]. However, suitable cybersecurity awareness and training for mobile phone users are still rare. There is a common assumption that mobile phone use is similar to using a desktop or laptop, which is only partially correct. Indeed, they share a commonality as computing devices; however, they also have many differences. For example, mobile phones carry a higher risk of theft or loss, authentication used to lock a mobile phone is often weak as a result of the high frequency of logins to mobile phones, and the smaller screen size of mobile phones often makes it difficult to notice security warnings. Additionally, mobile phone users are far more diverse than those of laptops or desktops. People of various backgrounds, from urban to rural, educated to uneducated, white-collar to blue-collar, and so on, use mobile phones. There have not been many investigations into why and how these diverse individuals use a mobile phone, and what their expectations from cybersecurity awareness and training might be.
Cybersecurity awareness and training evaluation focusing on behavioural change.
Evaluations of cybersecurity awareness and training are frequently restricted to gauging security knowledge and self-reported attitude shifts. Indeed, improvement in knowledge and attitude is important, but the evaluation should actually measure the change in cybersecurity behaviour; after all, behaviour change is what the awareness and training programmes are ultimately aiming to achieve [39]. Studies examining actual cybersecurity behaviour are uncommon (most studies are often limited to assessing intention), and those that do so are often incomprehensible and incomplete. Regrettably, while numerous components of cybersecurity awareness and training are being discussed, there is still no proper and reliable method to measure cybersecurity behavioural change.