Giovanni Apruzzese, Pavel Laskov, Edgardo Montes de Oca, Wissam Mallouli, Luis Búrdalo Rapa, Athanasios Vasileios Grammatopoulos, and Fabio Di Franco. 2022. The Role of Machine Learning in Cybersecurity. 1, 1 (June 2022), 38 pages.

Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such discrepancy has its root cause in the current state-of-the-art, which does not allow to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience. This paper is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain -- to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.

Read the full paper here: doi.org/10.48550/arXiv.2206.09707.

van Haastrecht, M.; Golpur, G.; Tzismadia, G.; Kab, R.; Priboi, C.; David, D.; Răcătăian, A.; Baumgartner, L.; Fricker, S.; Ruiz, J.F.; Armas, E.; Brinkhuis, M.; Spruit, M. A Shared Cyber Threat Intelligence Solution for SMEs. Electronics 2021, 10, 2913.

Small- and medium-sized enterprises (SMEs) frequently experience cyberattacks, but often do not have the means to counter these attacks. Therefore, cybersecurity researchers and practitioners need to aid SMEs in their defence against cyber threats. Research has shown that SMEs require solutions that are automated and adapted to their context. In recent years, we have seen a surge in initiatives to share cyber threat intelligence (CTI) to improve collective cybersecurity resilience. Shared CTI has the potential to answer the SME call for automated and adaptable solutions. Sadly, as we demonstrate in this paper, current shared intelligence approaches scarcely address SME needs. We must investigate how shared CTI can be used to improve SME cybersecurity resilience. In this paper, we tackle this challenge using a systematic review to discover current state-of-the-art approaches to using shared CTI. We find that threat intelligence sharing platforms such as MISP have the potential to address SME needs, provided that the shared intelligence is turned into actionable insights. Based on this observation, we developed a prototype application that processes MISP data automatically, prioritises cybersecurity threats for SMEs, and provides SMEs with actionable recommendations tailored to their context. Subsequent evaluations in operational environments will help to improve our application, such that SMEs are enabled to thwart cyberattacks in future.

Read the full paper here: doi.org/10.3390/electronics10232913.

Smit, T.; van Haastrecht, M.; Spruit, M. The Effect of Countermeasure Readability on Security Intentions. J. Cybersecur. Priv. 2021, 1, 675-703.

Human failure is a primary contributor to successful cyber attacks. For any cybersecurity initiative, it is therefore vital to motivate individuals to implement secure behavior. Research using protection motivation theory (PMT) has given insights into what motivates people to safeguard themselves in cyberspace. Recent PMT results have highlighted the central role of the coping appraisal in the cybersecurity context. In cybersecurity, we cope with threats using countermeasures. Research has shown that countermeasure awareness is a significant antecedent to all coping appraisal elements. Yet, although awareness plays a key role within the PMT framework, it is generally challenging to influence. A factor that is easy to influence is countermeasure readability. Earlier work has shown the impact of readability on understanding and that readability metrics make measuring and improving readability simple. Therefore, our research aims to clarify the relationship between countermeasure readability and security intentions. We propose an extended theoretical framework and investigate its implications using a survey. In line with related studies, results indicate that people are more likely to have favorable security intentions if they are aware of countermeasures and are confident in their ability to implement them. Crucially, the data show that countermeasure readability influences security intentions. Our results imply that cybersecurity professionals can utilize readability metrics to assess and improve the readability of countermeasure texts, providing an actionable avenue towards influencing security intentions.

Read the full paper here: doi.org/10.3390/jcp1040034.

Brad, E.; Brad, S. Requirements Analysis in Disruptive Engineering Solutions Using the Paradigm of Living Systems. Appl. Sci. 2021, 11, 9854.

A particular characteristic of disruptive products is in reengineering advanced technologies for addressing the needs of low-end consumers and/or non-consumers, to transform them into new consumers. This requires a lean co-creative analysis of requirements with all stakeholders involved. Even if a theory encourages the continuous connection of designers and users throughout the design lifecycle for agile adaptation of requirements to the new experiences of users by intersecting them with various versions of the prototype, the rigid budget and time allocated to the design project require novel approaches to clarify the right vectors of product-evolution from the very early design stages of the project lifecycle—allowing agile approaches to fine-tune the set of requirements. In this context, an analysis process of requirements that uses a constructor inspired by living systems is introduced in this paper. This constructor identifies gaps in requirement formulation and indicates areas where improvements must be undertaken. The method is applied in the case of a new cybersecurity software solution that targets micro and small companies.

Read the full paper here: doi.org/10.3390/app11219854.

Sarhan,I., & Spruit,M. (2021). Open-CyKG: An Open Cyber Threat Intelligence Knowledge Graph. Knowledge-Based Systems, 233(107524).

Instant analysis of cybersecurity reports is a fundamental challenge for security experts as an immeasurable amount of cyber information is generated on a daily basis, which necessitates automated information extraction tools to facilitate querying and retrieval of data. Hence, we present Open-CyKG: an Open Cyber Threat Intelligence (CTI) Knowledge Graph (KG) framework that is constructed using an attention-based neural Open Information Extraction (OIE) model to extract valuable cyber threat information from unstructured Advanced Persistent Threat (APT) reports. More specifically, we first identify relevant entities by developing a neural cybersecurity Named Entity Recognizer (NER) that aids in labeling relation triples generated by the OIE model. Afterwards, the extracted structured data is canonicalized to build the KG by employing fusion techniques using word embeddings. As a result, security professionals can execute queries to retrieve valuable information from the Open-CyKG framework.

Read the full paper here: doi.org/10.1016/j.knosys.2021.107524.

Brad S. (2021) Domain Analysis with TRIZ to Define an Effective “Design for Excellence” Framework. In: Borgianni Y., Brad S., Cavallucci D., Livotov P. (eds) Creative Solutions for a Sustainable Development. TFC 2021. IFIP Advances in Information and Communication Technology, vol 635. Springer, Cham.

Design for Excellence (DfEx) is the name given to an engineering process where a product is designed to meet a set of objective functions that cover its lifecycle. There are negative correlations between different objective functions in this set and issues related to technological complexity are added, since modern products typically fall into the category of smart connected mechatronic products. This context leads to complexity in terms of tackling the design process. Simultaneous engineering and PLM platforms can only partially handle such levels of complexity. To our knowledge, the subject of DfEx was treated in current researches from a limited perspective, which does not necessarily cover the complexity of the present-day context. In order to formulate a reliable DfEx framework, this research considers a strategy based on tools that manage in a systematic way the process of identifying the comprehensive set of barriers and conflicts that obstruct DfEx. This research highlights the level of complexity in setting up a reliable methodology to DfEx of modern, sophisticated mechatronic products. A set of guidelines to be placed at the foundation of an effective DfEx methodology is formulated with the support of TRIZ.

Read the full paper here: link.springer.com/chapter/10.1007/978-3-030-86614-3_34.

José Javier de Vicente Mohino, Wissam Mallouli, José Francisco Ruiz, Max van Haastrecht. GEIGER: Solution for small businesses to protect themselves against cyber-threats. ARES 2021: The 16th International Conference on Availability, Reliability and Security. August 2021, online/virtual.

In a world where cybersecurity has an increasing importance, any company, regardless of what sector, size or activity is related to, should rely on tools and solutions that can help it to be secure in the best possible way. The GEIGER platform described in this paper acts as a perfect fit for micro and small enterprises (MSEs). These companies need to be protected against threats but sometimes do not have the resources (money, personnel, time…) to deal with them. Often, private cybersecurity solutions are either expensive or hard to implement for micro and small companies. However, GEIGER is designed to bring cybersecurity principles, security countermeasures and awareness in a smooth and friendly way, with special focus on the MSEs. Its ability to adapt to new challenges comes in handy when dealing with sophisticated threats and the functionalities provided to help MSEs adopting a more prominent security posture. Having the support of an innovative solution can help MSEs to achieve a more effective approach regarding cybersecurity, which leads to a better overall business management and operation.

Read the full paper here: dl.acm.org/doi/10.1145/3465481.3469202

Alireza Shojaifar and Heini Järvinen. 2021. Classifying SMEs for Approaching Cybersecurity Competence and Awareness. In The 16th International Conference on Availability, Reliability and Security (ARES 2021), August 17-20, 2021, Vienna, Austria. ACM, New York, NY, USA, 10 Pages.

Cybersecurity is increasingly a concern for small and medium-sized enterprises (SMEs), and there exist many awareness training programs and tools for them. The literature mainly studies SMEs as a unitary type of company and provides one-size-fits-all recommendations and solutions. However, SMEs are not homogeneous. They are diverse with different vulnerabilities, cybersecurity needs, and competencies. Few studies considered such differences in standards and certificates for security tools adoption and cybersecurity tailoring for these SMEs. This study proposes a classification framework with an outline of cybersecurity improvement needs for each class. The framework suggests five SME types based on their characteristics and specific security needs: cybersecurity abandoned SME, unskilled SME, expert-connected SME, capable SME, and cybersecurity provider SME. In addition to describing the five classes, the study explains the framework's usage in sampled SMEs. The framework proposes solutions for each class to approach cybersecurity awareness and competence more consistent with SME needs.

Read the full paper here: dl.acm.org/doi/10.1145/3465481.3469200.

Watch the video presenting this paper here.

Max van Haastrecht, Injy Sarhan, Alireza Shojaifar, Louis Baumgartner, Wissam Mallouli, and Marco Spruit. 2021. A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs. In The 16th International Conference on Availability, Reliability and Security (ARES 2021), August 17–20, 2021, Vienna, Austria. ACM, New York, NY, USA 12 Pages.

Cybersecurity incidents are commonplace nowadays, and Small- and Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness to drive motivation is generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations.

Read the full paper here: dl.acm.org/doi/10.1145/3465481.3469199.

Watch the video presenting this paper here.

Bernd Remmele, Jessica Peichl. Structuring a Cybersecurity Curriculum for Non-IT Employees of Micro- and Small Enterprises. ARES 2021: The 16th International Conference on Availability, Reliability and Security. August 2021, online/virtual.

Micro- and Small Enterprises (MSE) and the persons working there (owners/managers, employees) are often neglected in policies and initiatives concerning cybersecurity and data privacy. Communication strategies are targeting IT-departments or IT-specialists - most MSEs have neither. The Horizon 2020 project GEIGER wants to address this problem by providing a cybersecurity monitoring solution that can be used by IT-laypersons. In addition to an easy-to-use software tool focusing on the monitoring of imminent cyber threats GEIGER develops an Education Ecosystem, which approaches this target groups at different levels: from regular employees, who cannot or don't want to extensively deal with cybersecurity, to designated persons (internal or external), who are made responsible for monitoring the functioning of GEIGER in a company. To take full account of this, the competence level of individuals and their development are part of the data structure of the GEIGER monitoring. Hence, it also includes automated recommendations to follow certain training sequences included in GEIGER or from other sources. To define the different levels of competence in cybersecurity, i.e. also their development, to propose adequate learning objectives and design pertinent learning materials, GEIGER has elaborated a curriculum. The structure of this curriculum follows the conditions and requirements given by the general situation of security threats and learning scenarios in MSEs. It has three main dimensions: ‘levels’ that reflect the competence development within MSE-specific learning environments; ‘pillars’ that reflect the GEIGER-specific topical differentiation in general cybersecurity as well as handling and communicating GEIGER functions; object ‘layers’ that reflect specific cybersecurity threats as they appear for the IT-lay target groups in MSEs. To allow for interoperability of the educational parts of GEIGER the competences of the GEIGER curriculum are written in form of xAPI-statements, i.e. a specific metadata-format for learning achievements.

Read the full paper here: dl.acm.org/doi/10.1145/3465481.3469198.

Watch the video presenting this paper here.

van Haastrecht, M.; Yigit Ozkan, B.; Brinkhuis, M.; Spruit, M. Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics. Appl. Sci. 2021, 11, 6909.

Cybersecurity threats are on the rise, and small- and medium-sized enterprises (SMEs) struggle to cope with these developments. To combat threats, SMEs must first be willing and able to assess their cybersecurity posture. Cybersecurity risk assessment, generally performed with the help of metrics, provides the basis for an adequate defense. Significant challenges remain, however, especially in the complex socio-technical setting of SMEs. Seemingly basic questions, such as how to aggregate metrics and ensure solution adaptability, are still open to debate. Aggregation and adaptability are vital topics to SMEs, as they require the assimilation of metrics into an actionable advice adapted to their situation and needs. To address these issues, we systematically review socio-technical cybersecurity metric research in this paper. We analyse aggregation and adaptability considerations and investigate how current findings apply to the SME situation. To ensure that we provide valuable insights to researchers and practitioners, we integrate our results in a novel socio-technical cybersecurity framework geared towards the needs of SMEs. Our framework allowed us to determine a glaring need for intuitive, threat-based cybersecurity risk assessment approaches for the least digitally mature SMEs. In the future, we hope our framework will help to offer SMEs some deserved respite by guiding the design of suitable cybersecurity assessment solutions.

Read the full paper here: doi.org/10.3390/app11156909.

Haastrecht,M. van, Sarhan,I., Yigit Ozkan,B., Brinkhuis,M., & Spruit,M. (2021). SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing. Frontiers in Research Metrics and Analytics, 6, Section Text-mining and Literature-based Discovery.

Research output has grown significantly in recent years, often making it difficult to see the forest for the trees. Systematic reviews are the natural scientific tool to provide clarity in these situations. However, they are protracted processes that require expertise to execute. These are problematic characteristics in a constantly changing environment. To solve these challenges, we introduce an innovative systematic review methodology: SYMBALS. SYMBALS blends the traditional method of backward snowballing with the machine learning method of active learning. We applied our methodology in a case study, demonstrating its ability to swiftly yield broad research coverage. We proved the validity of our method using a replication study, where SYMBALS was shown to accelerate title and abstract screening by a factor of 6. Additionally, four benchmarking experiments demonstrated the ability of our methodology to outperform the state-of-the-art systematic review methodology FAST2.

Read the full paper here: frontiersin.org/articles/10.3389/frma.2021.685591/full.

Sarhan,I., & Spruit,M. (2020). Can We Survive without Labelled Data in NLP? Transfer Learning for Open Information Extraction . Applied Sciences, 10(17), Natural Language Processing: Emerging Neural Approaches and Applications, 5758.

Various tasks in natural language processing (NLP) suffer from lack of labelled training data, which deep neural networks are hungry for. In this paper, we relied upon features learned to generate relation triples from the open information extraction (OIE) task. First, we studied how transferable these features are from one OIE domain to another, such as from a news domain to a bio-medical domain. Second, we analyzed their transferability to a semantically related NLP task, namely, relation extraction (RE). We thereby contribute to answering the question: can OIE help us achieve adequate NLP performance without labelled data? Our results showed comparable performance when using inductive transfer learning in both experiments by relying on a very small amount of the target data, wherein promising results were achieved. When transferring to the OIE bio-medical domain, we achieved an F-measure of 78.0%, only 1% lower when compared to traditional learning. Additionally, transferring to RE using an inductive approach scored an F-measure of 67.2%, which was 3.8% lower than training and testing on the same task. Hereby, our analysis shows that OIE can act as a reliable source task.

Read the full paper here: doi.org/10.3390/app10175758.

Alireza Shojaifar, Samuel A. Fricker. "SMEs’ Confidentiality Concerns for Security Information." IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2020), July 2020, Online/Virtual

Small and medium-sized enterprises (SME) are considered an essential part of the EU economy; however, highly vulnerable to cyber-attacks. SMEs have specific characteristics which separate them from large companies and influence their adoption of good cybersecurity practices. To mitigate the SMEs’ cybersecurity adoption issues and raise their awareness of cyber threats, we have designed a self-paced security assessment and capability improvement method, CYSEC. CYSEC is a security awareness and training method that utilises self-reporting questionnaires to collect companies’ information about cybersecurity awareness, practices, and vulnerabilities to generate automated recommendations for counselling. However, confidentiality concerns about cybersecurity information have an impact on companies’ willingness to share their information. Security information sharing decreases the risk of incidents and increases users’ self-efficacy in security awareness programs. This paper presents the results of semi-structured interviews with seven chief information security officers (CISOs) of SMEs to evaluate the impact of online consent communication on motivation for information sharing. The results were analysed in respect of the Self-Determination Theory (SDT). The findings demonstrate that online consent with multiple options for indicating a suitable level of agreement improved motivation for information sharing. This allows many SMEs to participate in security information sharing activities and supports security experts to have a better overview of common vulnerabilities.

Read the full paper here: arxiv.org/abs/2007.06308.