Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Nikos Chondros,Alex Delis,Dina Gavatha,Aggelos Kiayias,Charalampos Koutalakis,Ilias Nicolacopoulos,Lampros Paschos,Mema Roussopoulos,Giorge Sotirelis,Panos Stathopoulos,Pavlos Vasilopoulos,Thomas Zacharias,Bingsheng Zhang,Fotis Zygoulis

DOI: https://doi.org/10.1007/978-3-319-11710-2_11

2013-01-01

Abstract:Electronic voting for local, regional and national elections and referenda is developing rapidly at a global scale as an efficient and low cost alternative to conventional methods of voting, with a positive impact on the quality of democratic representation. Still, despite the growing international experience, the harmonization of electronic voting systems with the legal and statutory frameworks poses a number of major legal, social and implementation challenges, subject to the national environment. This paper presents an overview of legal and social aspects of an electronic voting system focusing on the case of Greece.

Peter Parycek,Michael Sachs,Shefali Virkar,Robert Krimmer

DOI: https://doi.org/10.1007/978-3-319-68687-5_3

2017-01-01

Abstract:AbstractVoting is an important part of electronic participation whenever it comes to finding a common opinion among the many participants. The impact of the voting result on the outcome of the e-participation process might differ a lot as voting can relate to approving, polling or co-decision making. The greater the impact of the electronic voting on the outcomes of the e-participation process, the more important become the regulations and technologies that stipulate the voting system and its procedures. People need to have trust in the voting system in order to accept the outcomes. Hence, it is important to use thoroughly trustworthy, auditable and secure voting systems in e-participation; especially whenever the voting within the e-participation process is likely to have a significant impact on the outcome. This paper analyses the verdict of the Austrian Constitutional Court in relation to the repeal of the Elections to the Austrian Federation of Students in 2009 where electronic voting was piloted as additional remote channel for casting a ballot. The court states its perspectives on elections and electronic voting which serve as sources for the derivation of legal requirements for electronic voting in this paper, namely requirements for accountability and trust by the electoral committee. Then, possible solutions for the requirements based on scholarly literature are described. The paper does not intend to explicitly provide e-voting solutions for elections, but instead proposes to serve as a basis for discussion of electronic voting in different e-participation scenarios.

Aggelos Kiayias,Thomas Zacharias,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-54388-7_11

2017-01-01

Abstract:State-of-the-art e-voting systems rely on voters to perform certain actions to ensure that the election authorities are not manipulating the election result. This so-called \"end-to-end E2E verifiability\" is the hallmark of current e-voting protocols; nevertheless, thorough analysis of current systems is still far from being complete. In this work, we initiate the study of e-voting protocols as ceremonies. A ceremony, as introduced by Ellison [23], is an extension of the notion of a protocol that includes human participants as separate nodes of the system that should be taken into account when performing the security analysis. that centers on the two properties of end-to-end verifiability and voter privacy and allows the consideration of arbitrary behavioural distributions for the human participants. We then analyse the Helios system as an e-voting ceremony. Security in the e-voting ceremony model requires the specification of a class of human behaviours with respect to which the security properties can be preserved. We show how end-to-end verifiability and voter privacy are sensitive to human behaviour in the protocol by characterizing the set of behaviours under which the security can be preserved and also showing explicit scenarios where it fails. We then provide experimental evaluation with human subjects from two different sources where people used Helios: the elections of the International Association for Cryptologic Research IACR and a poll of senior year computer science students. We report on the auditing behaviour of the participants as we measured it and we discuss the effects on the level of certainty that can be given by each of the two electorates. The outcome of our analysis is a negative one: the auditing behaviour of people including cryptographers is not sufficient to ensure the correctness of the tally with good probability in either case studied. The same holds true even for simulated data that capture the case of relatively well trained participants while, finally, the security of the ceremony can be shown but under the assumption of essentially ideally behaving human subjects. We note that while our results are stated for Helios, they automatically transfer to various other e-voting systems that, as Helios, rely on client-side encryption to encode the voter's choice.

Aggelos Kiayias,Thomas Zacharias,Bingsheng Zhang

DOI: https://doi.org/10.1145/2810103.2813727

2015-01-01

Abstract:Recently, Kiayias, Zacharias and Zhang proposed a new E2E verifiable e-voting system called 'DEMOS' that for the first time provides E2E verifiability without relying on external sources of randomness or the random oracle model; the main advantage of such system is in the fact that election auditors need only the election transcript and the feedback from the voters to pronounce the election process unequivocally valid. Unfortunately, DEMOS comes with a huge performance and storage penalty for the election authority (EA) compared to other e-voting systems such as Helios. The main reason is that due to the way the EA forms the proof of the tally result, it is required to precompute a number of cipher texts for each voter and each possible choice of the voter. This approach clearly does not scale to elections that have a complex ballot and voters have an exponential number of ways to vote in the number of candidates. The performance penalty on the EA appears to be intrinsic to the approach: voters cannot compute an enciphered ballot themselves because there seems to be no way for them to prove that it is a valid ciphertext.In contrast to the above, in this work, we construct a new e-voting system that retains the strong E2E characteristics of DEMOS (but against computational adversaries) while completely eliminating the performance and storage penalty of the EA. We achieve this via a new cryptographic construction that has the EA produce and prove, using voters' coins, the security of a common reference string (CRS) that voters subsequently can use to affix non-interactive zero knowledge (NIZK) proofs to their ciphertexts. The EA itself uses the CRS to prove via a NIZK the tally correctness at the end. Our construction has similar performance to Helios and is practical. The privacy of our construction relies on the SXDH assumption over bilinear groups via complexity leveraging.

Guillaume Nguyen,Manon Knockaert,Michael Lognoul,Xavier Devroey

2024-12-05

Abstract:While procedures prevail on the European market for the greater good of its citizens, it might be daunting when trying to introduce a product, whether innovative or not. In the current world, Cyber-Physical Systems (CPSs) are ubiquitous in our daily lives. Cars can provide intrusive assistance as they can brake or turn wheels on their own, buildings are getting smarter to optimize energy consumption, smart cities are emerging to facilitate information sharing and orchestrate the response to emergency situations, etc. As the presence of such tools will grow in the coming years and people will rely even more on CPSs, we certainly need to ensure that they are safe and reliable for users or everybody else, which is why regulations are so important. However, compliance should not act as a barrier to new actors coming to the European market. Nor should it prevent current actors from keeping systems deemed compliant when introduced while obsolete at the time they are used. While the individual elements we point out might not bring novelty in the various research areas we cover (EU policies, requirements engineering, business engineering, and software engineering), this paper identifies the challenges related to building and testing a CPS with respect to applicable laws and discusses the difficulty of automating the response to those challenges, such as finding a relevant legal text, paying for mentioned materials or identifying the level of compliance to a legal text. Our analysis of the holistic context when considering the compliance testing of CPS provides an overview enabling more effective decision-making as well.

Software Engineering,Computers and Society,Systems and Control

Dea Saka Kurnia Putra,Edit Prima

DOI: https://doi.org/10.48550/arXiv.1809.05235

2018-09-14

Cryptography and Security

Abstract:OSD PSE is the Indonesian Government Certification Authority (CA) for National e-Procurement System and later named OSD PSE G2. It has a unique hierarchical structure under the OSD Lemsaneg. As an Issuing CA, the OSD PSE G2 publishes and guarantee the quality of the Certificate Policy and Certification Practice Statement (CP-CPS) in order to gain the PKI user trustworthy. In this article, we analyze the CP-CPS version 1.0 that published by OSD PSE G2. For this purpose, we apply the methodology of PKI Assessment Guidelines (PAG). The quality assessment of this CP-CPS, including its compliance to the related reference/standard, namely: CP OSD Lemsaneg v.1.1; RFC 3647; and CA Business Practice Disclosure Principle on Trust Service Principles and Criteria for Certification Authorities (BPDP-TSPCCA) version 2.0. We finally found that the CP-CPS version 1.0 does not comply with related standard and reference. Hence, the CP-CPS need to be updated following the current condition of OSD PSE G2.

Nikos Chondros,Bingsheng Zhang,Thomas Zacharias,Panos Diamantopoulos,Stathis Maneas,Christos Patsonakis,Alex Delis,Aggelos Kiayias,Mema Roussopoulos

DOI: https://doi.org/10.1109/icdcs.2016.56

2015-01-01

Abstract:E-voting systems have emerged as a powerful technology for improving democracy by reducing election cost, increasing voter participation, and even allowing voters to directly verify the entire election procedure. Prior internet voting systems have single points of failure, which may result in the compromise of availability, voter secrecy, or integrity of the election results. In this paper, we present the design, implementation, security analysis, and evaluation of D-DEMOS, a complete e-voting system that is distributed, privacy-preserving and end-to-end verifiable. Our system includes a fully asynchronous vote collection subsystem that provides immediate assurance to the voter her vote was recorded as cast, without requiring cryptographic operations on behalf of the voter. We also include a distributed, replicated and fault-tolerant Bulletin Board component, that stores all necessary election-related information, and allows any party to read and verify the complete election process. Finally, we also incorporate trustees, i.e., individuals who control election result production while guaranteeing privacy and end-to-end-verifiability as long as their strong majority is honest. Our system is the first e-voting system whose voting operation is human verifiable, i.e., a voter can vote over the web, even when her web client stack is potentially unsafe, without sacrificing her privacy, and still be assured her vote was recorded as cast. Additionally, a voter can outsource election auditing to third parties, still without sacrificing privacy. Finally, as the number of auditors increases, the probability of election fraud going undetected is diminished exponentially. We provide a model and security analysis of the system. We implement a prototype of the complete system, we measure its performance experimentally, and we demonstrate its ability to handle large-scale elections.

Panagiotis Grontas,Aris Pagourtzis,Alexandros Zacharakis,Bingsheng Zhang

2018-01-01

Abstract:In this work, we propose a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under standard JCJ assumptions. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds and the validity of the signature can only be checked by a designated verifier. We utilize this primitive to blindly mark votes under coercion in an auditable manner.

Marie-Laure Zollinger,Verena Distler,Peter B. Roenne,Peter Y. A. Ryan,Carine Lallemand,Vincent Koenig

DOI: https://doi.org/10.48550/arXiv.2105.14901

2021-06-15

Abstract:This paper presents a mobile application for vote-casting and vote-verification based on the Selene e-voting protocol and explains how it was developed and implemented using the User Experience Design process. The resulting interface was tested with 38 participants, and user experience data was collected via questionnaires and semi-structured interviews on user experience and perceived security. Results concerning the impact of displaying security mechanisms on UX were presented in a complementary paper. Here we expand on this analysis by studying the mental models revealed during the interviews and compare them with theoretical security notions. Finally, we propose a list of improvements for designs of future voting protocols.

Human-Computer Interaction

Nan Sun,Chang-Tsun Li,Hin Chan,Ba Dung Le,MD Zahidul Islam,Leo Yu Zhang,MD Rafiqul Islam,Warren Armstrong

DOI: https://doi.org/10.1109/ACCESS.2022.3168716

2022-04-02

Abstract:Advances of emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers' confidence and markets' trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security certification. In this paper, we conduct a systematic review of the CC standards and its adoptions. Adoption barriers of the CC are also investigated based on the analysis of current trends in security evaluation. Specifically, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project that promotes the CC among stakeholders in ICT security products related to specification, development, evaluation, certification and approval, procurement, and deployment. Best practices on developing Protection Profiles, recommendations, and future directions for trusted cybersecurity advancement are presented.

Cryptography and Security,Computers and Society

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Olamide Olanubi,Opeyemi Joshua Adelowo,Emmanuel Ifeanyi Obeagu

DOI: https://doi.org/10.9734/ajrcos/2023/v16i4379

2023-10-13

Asian Journal of Research in Computer Science

Abstract:Background: The growing concern over phishing attacks on voting systems, particularly with the rise of online voting, has highlighted vulnerabilities in elections. The convenience of internet voting has led to security risks like clone phishing attacks. While online voting offers accessibility benefits, security, privacy, and usability issues have arisen. Multi-factor authentication (MFA) has been proposed to enhance security in mobile internet voting systems. Visual cryptography, dividing images into shares for decentralized data storage, is suggested to counter clone phishing. MFA's effectiveness in various sectors is established, and secure voting systems combining visual cryptography and blockchain have been proposed. This research sought to bolster the security of the voting system using visual cryptography and multi-factor authentication (MFA), with the goal of increasing voter trust and the reliability of the voting procedure, by designing a secure system and evaluating its performance, accuracy, and accessibility. Methodology: The researchers developed an improved voting system using visual cryptography and multi-factor authentication, assessed its performance against Eligo and Voxvote, utilized Java for programming, MYSQL via XAMPP for the database, HTML, CSS, JavaScript, and PHP (Laravel) for client-server sides. The Scrum agile methodology was followed, employing brief sprints for adaptive development. Evaluation was done through web tools and benchmarks. The system's architecture and flowchart were presented, featuring an interactive GUI, Java 2 platform, MySQL, PHP 7, and specific hardware/software requirements. System setup included database and server configuration, fingerprint scanner installation, and Java runtime setup. Deployment involved executing a built Java program, and system testing was conducted on Windows 10, utilizing the Apache server and initiating the "Electronic Voting" program for online multi-factor authentication. Results: Achieving a performance rate of 92%, the developed system surpassed its competitors Eligo and Voxvote, which achieved scores of 15% and 33% correspondingly, as indicated by the data. Eligo and Voxvote attained scores of 88% and 80% individually, whereas the newly designed system obtained a rating of 93% in terms of accessibility. Nonetheless, the research also highlighted specific downsides, encompassing intricacy, reluctance to embrace change, and technological barriers. To tackle these issues and enhance the adoption of such systems, these limitations underscore the necessity for further investigation and advancement. Conclusion: The study demonstrates that integrating multi-factor authentication and visual cryptography significantly enhances voting system security, reducing clone phishing risks. Visual cryptography secures decryption keys, preserving voting integrity, while multi-factor authentication adds defence against unauthorized access. The researcher's online voting system outperforms competitors in performance metrics and accessibility. The study underscores the importance of combining these techniques for improved voting system reliability and security.

Oksana Kulyk,Stephan Neumann,Jurlind Budurushi,Melanie Volkamer,Rolf Haenni,Reto Koenig,Philemon Von Bergen

DOI: https://doi.org/10.1109/ares.2015.75

2015-08-01

Abstract:Efficiency is the bottleneck of many cryptographic protocols towards their practical application in different contexts. This holds true also in the context of electronic voting, where cryptographic protocols are used to ensure a diversity of security requirements, e.g. secrecy and integrity of cast votes. A new and promising application area of electronic voting is boardroom voting, which in practice takes place very frequently and often on simple issues such as approving or refusing a budget. Hence, it is not a surprise that a number of cryptographic protocols for boardroom voting have been already proposed. In this work, we introduce a security model adequate for the boardroom voting context. Further, we evaluate the efficiency of four boardroom voting protocols, which to best of our knowledge are the only boardroom voting protocols that satisfy our security model. Finally, we compare the performance of these protocols in different election settings.

Beate Krieger,Friedrich Ederer,Ruth Amann,Thomas Morgenthaler,Christina Schulze,Britta Dawal

DOI: https://doi.org/10.3389/fped.2023.1258377

IF: 3.569

2024-01-04

Frontiers in Pediatrics

Abstract:Background: Concepts such as participation and environment may differ across cultures. Consequently, cultural equivalence must be assured when using a measure like the Young Children Participation and Environment Measure (YC-PEM) in other settings than the original English-speaking contexts. This study aimed to cross-culturally translate and adapt the YC-PEM into German as it is used in Germany, Austria, and Switzerland. Methods: Following international guidelines, two translations were compared, and the research and expert team made the first adaptations. Twelve caregivers of children with and without disabilities from three German-speaking countries participated in two rounds of think-aloud interviews. Data were analyzed by content analysis to look for item, semantic, operational, conceptual, and measurement equivalence to reach a cultural equivalence version in German. Results: Adaptations were needed in all fields but prominently in item, operational, and conceptual equivalence. Operational equivalence resulted in graphical adaptations in the instructions and questions to make the German version of YC-PEM, YC-PEM (G), more user-friendly. Conclusion: This study presents a cross-cultural translation and adaptation process to develop a German version of the YC-PEM suitable for Germany, Austria, and Switzerland. A culturally adapted YC-PEM (G) is now available for research, practice, and further validation.

pediatrics

Chris Culnane,Andrew Conway,Vanessa Teague,Ty Wilson-Brown

2024-09-20

Abstract:This report describes the implications for eVACS of two cryptographic errors in the Ada Web Services Library that it depends on. We identified these errors in the course of examining and testing the 2024 eVACS code, which was made publicly available in March 2024. We disclosed the problems to AdaCore, and explained the implications at the time to the relevant electoral authorities.

Cryptography and Security

Tzer-Long Chen,Chia-Hui Liu,Ya-Hui Ou,Yao-Min Huang,Zhen-Yu Wu

DOI: https://doi.org/10.1007/s10207-024-00852-w

2024-05-08

International Journal of Information Security

Abstract:The integrity of electronic voting systems is critical in safeguarding the democratic process worldwide. This study addresses the twin challenges of bribery and coercion that undermine most existing electronic voting systems. Recognizing the limitations of current security measures, which fail to protect voter autonomy even after the disclosure of voting secrets, we propose an innovative level-five secure e-voting system. By integrating an additional setup phase, our system maintains voter volition, ensuring security even when key secrets are compromised. Utilizing cryptographic techniques, blind signatures, and subliminal channels in conjunction with smart card PIN mechanisms, our approach not only bolsters system security but also enhances its potential for widespread adoption. This work underscores the importance of advanced cryptographic methods in developing coercion-resistant electronic voting systems that prioritize voter privacy and choice.

computer science, information systems, theory & methods, software engineering

Xinyu Zhang,Bingsheng Zhang,Aggelos Kiayias,Thomas Zacharias,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2021.3103336

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Electronic voting (e-voting), compared with article voting, has advantages in several aspects. Among those benefits, the ability to audit the electoral process at every stage is one of the most desired features of an e-voting system. In Eurocrypt 2015, Kiayias, Zacharias, and Zhang proposed a new E2E verifiable e-voting system that for the first time provides E2E verifiability without relying on external sources of randomness or the random oracle model; the main advantage of such system is in the fact that election auditors need only the election transcript and the feedback from the voters to pronounce the election process unequivocally valid. Unfortunately, their system comes with a huge performance and storage penalty for the election authority (EA) compared to other e-voting systems such as Helios. The main reason is that due to the way the EA forms the proof of the tally result, it is required to precompute a number of ciphertexts for each voter and each possible choice of the voter. The performance penalty on the EA appears to be intrinsic to the approach: voters cannot compute an enciphered ballot themselves because there seems to be no way for them to prove that it is a valid ciphertext. In this work, we construct a new e-voting system that retains similar strong E2E characteristics (but against computational adversaries) while completely eliminating the performance and storage penalty of the EA. Our construction has similar performance to Helios and is practical. The privacy of our construction relies on the SXDH assumption over bilinear groups via complexity leveraging.

A. Wiesmaier,M. Lippert,E. Karatsiolis,G. Raptis,J. Buchmann

DOI: https://doi.org/10.48550/arXiv.cs/0411065

2005-05-26

Abstract:National Root CAs enable legally binding E-Business and E-Government transactions. This is a report about the development, the evaluation and the certification of the new certification services system for the German National Root CA. We illustrate why a new certification services system was necessary, and which requirements to the new system existed. Then we derive the tasks to be done from the mentioned requirements. After that we introduce the initial situation at the beginning of the project. We report about the very process and talk about some unfamiliar situations, special approaches and remarkable experiences. Finally we present the ready IT system and its impact to E-Business and E-Government.

Cryptography and Security

Habby Nur Cahyo,Mohammad Suryawinata

DOI: https://doi.org/10.21070/ijins.v20i.739

2022-10-05

Indonesian Journal of Innovation Studies

Abstract:Technological advancement has growth rapidly impacted to bring great changes to humans. It is included for voting. By utilizing the advancement and growth of the technology, voting is conducted computer technology in the term of electronic voting or generally referred to as e-voting. The problem currently being confronted by the chairman’s election is the COVID-19 pandemic, which makes it impossible to hold a direct election. This research uses qualitative research methods through system development method in carrying out the the SDLC (System Development Lift Cycle) method as it has gone through several e-voting system development processes such as design, analysis, prototype, and implementation. In building this e-voting, the application design uses the PHP programming language, HTML tags, Mysql database as a database server, Web Hosting. The development of this e-voting application is web-based online. Thus, the e-voting applications can be accessed online. Based on the test results, it can be concluded that the application of online e-voting can be implemented to the election of the chairman of RT.01 RW.03 Kludan Village. It can be proved through the application testing to 10 random voters by filling out a questionnaire and getting the results of application acceptance of 83% which is encompassed as very good category.

English Else