ASICS : authenticated key exchange security incorporating certification systems

Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority (CA) and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems (ASICS). We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.

On the security of TLS renegotiation

The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet. It supports negotiation of a wide variety of cryptographic primitives through different cipher suites, various modes of client authentication, and additional features such as renegotiation. Despite its widespread use, only recently has the full TLS protocol been proven secure, and only the core cryptographic protocol with no additional features. These additional features have been the cause of several practical attacks on TLS. In 2009, Ray and Dispensa demonstrated how TLS renegotiation allows an attacker to splice together its own session with that of a victim, resulting in a man-in-the-middle attack on TLS-reliant applications such as HTTP. TLS was subsequently patched with two defence mechanisms for protection against this attack. We present the first formal treatment of renegotiation in secure channel establishment protocols. We add optional renegotiation to the authenticated and confidential channel establishment model of Jager et al., an adaptation of the Bellare--Rogaway authenticated key exchange model. We describe the attack of Ray and Dispensa on TLS within our model. We show generically that the proposed fixes for TLS offer good protection against renegotiation attacks, and give a simple new countermeasure that provides renegotiation security for TLS even in the face of stronger adversaries.

Encouraging visitors : a new set of guidelines for designing prison visitors’ centres

Visitors to prison are generally innocent of committing crime, but their interaction with inmates has been studied as a possible incentive to reduce recidivism. The way visitors’ centres are currently designed takes in consideration mainly security principles and the needs of guards or prison management. The human experience of the relatives or friends aiming to provide emotional support to inmates is usually not considered; facilities have been designed with an approach that often discourages people from visiting. This paper discusses possible principles to design prison visitors’ centres taking in consideration practical needs, but also human factors. A comparative case study analysis of different secure typologies, like libraries, airports or children hospitals, provides suggestions about how to approach the design of prison in order to ensure the visitor is not punished for the crimes of those they are visiting.

Indigenous knowledge and IP food security : a review of concepts and cases

Dáwat, Pamahándí, Tawíd, Ságda, Lampísa, Ibabások, Lapát, Panedlák: for most of us gathered here, these are words that we don’t usually use in our daily lives. Others may consider them as exotic, alien, funny and even backward. However, for indigenous kindred among us, these words denote an intimate identity and deep understanding of the world around them. It constitutes a broader knowledge system, be written or otherwise, which guides them in the management of resources within their ancestral land. This paper will provide a brief theoretical framework of the concepts of indigenous knowledge systems—hereinafter called IKS, and indigenous peoples food security, and hopefully a deeper or continued appreciation in the study of both concepts in general.

Security and privacy in eHealth : is it possible? A sociotechnical analysis

Advances in Information and Communication Technologies have the potential to improve many facets of modern healthcare service delivery. The implementation of electronic health records systems is a critical part of an eHealth system. Despite the potential gains, there are several obstacles that limit the wider development of electronic health record systems. Among these are the perceived threats to the security and privacy of patients’ health data, and a widely held belief that these cannot be adequately addressed. We hypothesise that the major concerns regarding eHealth security and privacy cannot be overcome through the implementation of technology alone. Human dimensions must be considered when analysing the provision of the three fundamental information security goals: confidentiality, integrity and availability. A sociotechnical analysis to establish the information security and privacy requirements when designing and developing a given eHealth system is important and timely. A framework that accommodates consideration of the legislative requirements and human perspectives in addition to the technological measures is useful in developing a measurable and accountable eHealth system. Successful implementation of this approach would enable the possibilities, practicalities and sustainabilities of proposed eHealth systems to be realised.

A framework for security analysis of key derivation functions

This paper presents a comprehensive formal security framework for key derivation functions (KDF). The major security goal for a KDF is to produce cryptographic keys from a private seed value where the derived cryptographic keys are indistinguishable from random binary strings. We form a framework of five security models for KDFs. This consists of four security models that we propose: Known Public Inputs Attack (KPM, KPS), Adaptive Chosen Context Information Attack (CCM) and Adaptive Chosen Public Inputs Attack(CPM); and another security model, previously defined by Krawczyk [6], which we refer to as Adaptive Chosen Context Information Attack(CCS). These security models are simulated using an indistinguisibility game. In addition we prove the relationships between these five security models and analyse KDFs using the framework (in the random oracle model).

A framework to better understand emotional experiences with portable interactive devices : preliminary trial

Two longitudinal experiments were conducted exploring emotional experiences with PIDs over six months including media and medial Portable Interactive Devices (PIDs). Results identifying the impact of negative social and personal interactions on the overall emotional experience as well as different task categories (Features, Functional, Mediation and Auxiliary) and their corresponding emotional responses have previously been reported [2,3,4,5]. This paper builds on these findings and presents the Designing for Evolving Emotional Experience (DE3) framework promoting positive (and deals with negative) emotional experiences with PIDs including a set of principles to better understand emotional experiences. To validate the DE3 framework a preliminary trial was conducted with five practicing industrial designers. The trial required them to consider initial design concepts using the DE3 framework followed by a questionnaire asking about their use of the framework for concept development. The trial aimed to analyse the effectiveness, efficiency and usefulness of the framework in assisting in the development of initial concepts for PIDs taking into account emotional experiences. Common themes regarding the framework are outlined including the ease of use, the effectiveness in focusing on the personal and social contexts and positive ratings regarding its use. Overall the feedback from the preliminary trial was encouraging with responses suggesting that the framework was accessible, rated highly and most importantly permitted designers to consider emotional experiences during concept development. The paper concludes with a discussion regarding the future development of the DE3 framework and the potential implications to design theory and the design discipline.

To what extent is the Mayer and Salovey (1997) model of emotional intelligence a useful predictor of leadership style and perceived leadership outcomes in Australian educational institutions?

Researchers have found that transformational leadership is related to positive outcomes in educational institutions. Hence, it is important to explore constructs that may predict leadership style in order to identify potential transformational leaders in assessment and selection procedures. Several studies in non-educational settings have found that emotional intelligence is a useful predictor of transformational leadership, but these studies have generally lacked methodological rigor and contextual relevance. This project, set in Australian educational institutions, employed a more rigorous methodology to answer the question: to what extent is the Mayer and Salovey (1997) model of emotional intelligence a useful predictor of leadership style and perceived leadership outcomes? The project was designed to move research in the field forward by using valid and reliable instruments, controlling for other predictors, obtaining an adequately sized sample of current leaders and collecting multiple ratings of their leadership behaviours. The study (N = 144 leaders and 432 raters) results indicated that emotional intelligence was not a useful predictor of leadership style and perceived leadership outcomes. In contrast, several of the other predictors in the study were found to predict leadership style.

The intervening role of Agreeableness in the relationship between trait emotional intelligence and Machiavellianism : reassessing the potential dark side of EI

Previous research into the potential ‘dark’ side of trait emotional intelligence (EI) has repeatedly demonstrated that trait EI is negatively associated with Machiavellianism. In this study, we reassess the potential dark side of trait EI, by testing whether Agreeableness mediates and/or moderates the relationship between trait EI and Machiavellianism. Hypothesized mediation and moderation effects were tested using a large sample of 884 workers who completed several self-report questionnaires. Results provide support for both hypotheses; Agreeableness was found to mediate and moderate the relationship between trait EI and Machiavellianism. Overall, results indicate that individuals high in trait EI tend to have low levels of Machiavellianism because they generally have a positive nature (i.e. are agreeable) and not because they are emotionally competent per se. Results also indicate that individuals high in ‘perceived emotional competence’ have the potential to be high in Machiavellianism, particularly when they are low in Agreeableness.

Taking culture seriously : the case of Indigenous knowledge and food security

Mainstream discourse on the revolving around food security is often portrayed by macro level indicators on nutrition, consumption and food production. While these indicators may prove significant in addressing food security in the national and regional levels, it falls short in addressing it among the indigenous peoples’ (IP) communities in the Philippines. Reflecting through the experiences in agricultural production, indigenous knowledge and socio-political institutions are relevant factors that must be seriously considered when food security among IPs are concerned. It is argued that disregarding micro level interactions over macro development policies will not address the issue of food security among marginalized sectors. The paper presents policy recommendations in taking cultural systems seriously in addressing food security among indigenous peoples.

Security ceremonies : including humans in cryptographic protocols

Whether by using electronic banking, by using credit cards, or by synchronising a mobile telephone via Bluetooth to an in-car system, humans are a critical part in many cryptographic protocols daily. We reduced the gap that exists between the theory and the reality of the security of these cryptographic protocols involving humans, by creating tools and techniques for proofs and implementations of human-followable security. After three human research studies, we present a model for capturing human recognition; we provide a tool for generating values called Computer-HUman Recognisable Nonces (CHURNs); and we provide a model for capturing human perceptible freshness.

Are two threats worse than one? The effects of face race and emotional expression on fear conditioning

Facial cues of racial outgroup or anger mediate fear learning that is resistant to extinction. Whether this resistance is potentiated if fear is conditioned to angry, other race faces has not been established. Two groups of Caucasian participants were conditioned with two happy and two angry face conditional stimuli (CSs). During acquisition, one happy and one angry face were paired with an aversive unconditional stimulus whereas the second happy and angry faces were presented alone. CS face race (Caucasian, African American) was varied between groups. During habituation, electrodermal responses were larger to angry faces regardless of race and declined less to other race faces. Extinction was immediate for Caucasian happy faces, delayed for angry faces regardless of race, and slowest for happy racial outgroup faces. Combining the facial cues of other race and anger does not enhance resistance to extinction of fear.

Understanding and measuring information security culture in developing countries : case of Saudi Arabia

The purpose of the current study was to develop a measurement of information security culture in developing countries such as Saudi Arabia. In order to achieve this goal, the study commenced with a comprehensive review of the literature, the outcome being the development of a conceptual model as a reference base. The literature review revealed a lack of academic and professional research into information security culture in developing countries and more specifically in Saudi Arabia. Given the increasing importance and significant investment developing countries are making in information technology, there is a clear need to investigate information security culture from developing countries perspective such as Saudi Arabia. Furthermore, our analysis indicated a lack of clear conceptualization and distinction between factors that constitute information security culture and factors that influence information security culture. Our research aims to fill this gap by developing and validating a measurement model of information security culture, as well as developing initial understanding of factors that influence security culture. A sequential mixed method consisting of a qualitative phase to explore the conceptualisation of information security culture, and a quantitative phase to validate the model is adopted for this research. In the qualitative phase, eight interviews with information security experts in eight different Saudi organisations were conducted, revealing that security culture can be constituted as reflection of security awareness, security compliance and security ownership. Additionally, the qualitative interviews have revealed that factors that influence security culture are top management involvement, policy enforcement, policy maintenance, training and ethical conduct policies. These factors were confirmed by the literature review as being critical and important for the creation of security culture and formed the basis for our initial information security culture model, which was operationalised and tested in different Saudi Arabian organisations. Using data from two hundred and fifty-four valid responses, we demonstrated the validity and reliability of the information security culture model through Exploratory Factor Analysis (EFA), followed by Confirmatory Factor Analysis (CFA.) In addition, using Structural Equation Modelling (SEM) we were further able to demonstrate the validity of the model in a nomological net, as well as provide some preliminary findings on the factors that influence information security culture. The current study contributes to the existing body of knowledge in two major ways: firstly, it develops an information security culture measurement model; secondly, it presents empirical evidence for the nomological validity for the security culture measurement model and discovery of factors that influence information security culture. The current study also indicates possible future related research needs.