Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Syed Wasif Abbas Hamdani,Haider Abbas,Abdul Rehman Janjua,Waleed Bin Shahid,Muhammad Faisal Amjad,Jahanzaib Malik,Malik Hamza Murtaza,Mohammed Atiquzzaman,Abdul Waheed Khan

DOI: https://doi.org/10.1145/3442480

IF: 16.6

2021-06-01

ACM Computing Surveys

Abstract:Cyber threats have been growing tremendously in recent years. There are significant advancements in the threat space that have led towards an essential need for the strengthening of digital infrastructure security. Better security can be achieved by fine-tuning system parameters to the best and optimized security levels. For the protection of infrastructure and information systems, several guidelines have been provided by well-known organizations in the form of cybersecurity standards. Since security vulnerabilities incur a very high degree of financial, reputational, informational, and organizational security compromise, it is imperative that a baseline for standard compliance be established. The selection of security standards and extracting requirements from those standards in an organizational context is a tedious task. This article presents a detailed literature review, a comprehensive analysis of various cybersecurity standards, and statistics of cyber-attacks related to operating systems (OS). In addition to that, an explicit comparison between the frameworks, tools, and software available for OS compliance testing is provided. An in-depth analysis of the most common software solutions ensuring compliance with certain cybersecurity standards is also presented. Finally, based on the cybersecurity standards under consideration, a comprehensive set of minimum requirements is proposed for OS hardening and a few open research challenges are discussed.

computer science, theory & methods

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

Halim Wildan Awalurahman,Ibrahim Hafizhan Witsqa,Indra Kharisma Raharjana,Ahmad Hoirul Basori

DOI: https://doi.org/10.20473/jisebi.9.1.95-107

2023-04-28

Journal of Information Systems Engineering and Business Intelligence

Abstract:Background: Software testing and software security have become one of the most important parts of an application. Many studies have explored each of these topics but there is a gap wherein the relation of software security and software testing in general has not been explored. Objective: This study aims to conduct a systematic literature review to capture the current state-of-the-art in software testing related to security. Methods: The search strategy obtains relevant papers from IEEE Xplore and ScienceDirect. The results of the search are filtered by applying inclusion and exclusion criteria. Results: The search results identified 50 papers. After applying the inclusion/exclusion criteria, we identified 15 primary studies that discuss software security and software testing. We found approaches, aspects, references, and domains that are used in software security and software testing. Conclusion: We found certain approach, aspect, references, and domain are used more often in software security testing Keywords: Software security, Software testing, Security testing approach, Security threats, Systematic literature review

Abdulganiyu, Oluwadamilare Harazeem

DOI: https://doi.org/10.1007/s10207-023-00682-2

2023-03-28

International Journal of Information Security

Abstract:With the recent increase in internet usage, the number of important, sensitive, confidential individual and corporate data passing through internet has increasingly grown. With gaps in the security systems, attackers have attempted to intrude the network, thereby gaining access to essential and confidential information, which may cause harm to the operation of the systems, and also affect the confidentiality of the data. To counter these possible attacks, intrusion detection systems (IDSs), which is an essential branch of cybersecurity, were employed to monitor and analyze network traffic thereby detects and reports malicious activities. A large number of review papers have covered different approaches for intrusion detection in networks, most of which follow a non-systematic approach, merely made a comparison of the existing techniques without reflecting an in-depth analytical synthesis of the methodologies and performances of the approaches to give a complete understanding of the state of IDS. Nonetheless, many of these reviews investigated more about the anomaly-based IDS with more emphasis on deep-learning models, while signature, hybrid-based (signature + anomaly-based) have received minimal focus. Hence, by adhering to the principles of Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA), this work reviewed existing contributions on anomaly-, signature-, and hybrid-based approaches to provide a comprehensive overview of network IDS's state of the art. The articles were retrieved from seven databases (ScienceDirect, SpringerNature, IEEE, MDPI, Hindawi, PeerJ, and Taylor & Francis) which cut across various reputable journals and conference Proceedings. Among the 776 pieces of the literature identified, 71 were selected for analysis and synthesis to answer the research questions. Based on the research findings, we identified unexplored study areas and unresolved research challenges. In order to create a better IDS model, we conclude by presenting promising, high-impact future research areas.

computer science, information systems, theory & methods, software engineering

Robert Bazuku,Anaamotulim Anab,Seth Gyemerah,Mohammed I. Daabo

DOI: https://doi.org/10.9734/ajrcos/2023/v16i4380

2023-10-20

Asian Journal of Research in Computer Science

Abstract:This article presents an overview of computer operating systems (OS) and emerging trends. OS is simply defined as an interface between computer hardware and the user. The objective of the study is to investigate the emerging trends of OS and to find out the direction of OS for modern computing systems. To achieve this goal the paper looks at the concepts of OS, its underlying architectures and evolution. The papers also outline the components of the OS provide knowledge on security issues with OS architectures and provide best practices to secure OS. The paper found out that the current trends in OS include IoT OS, Cloud OS, AI-powered OS, Blockchain OS, Hybrid OS and Container OS. The paper compares the strengths and weaknesses of the major OS. The Paper proposes a double-layer security approach where the OS is hardened with security policies and embedding security protocols in the Hardware architecture of the OS. It was discovered that every technology comes with its unique architecture and OS. This makes it worrisome for engineers to crack their brains to develop such a system. The paper further proposes the development of a universal OS for all architectures leaving room for further expansion while mitigating power consumption issues by incorporating green computing technology in the design architecture.

Bader Alouffi,Muhammad Hasnain,Abdullah Alharbi,Wael Alosaimi,Hashem Alyami,Muhammad Ayaz

DOI: https://doi.org/10.1109/access.2021.3073203

IF: 3.9

2021-01-01

IEEE Access

Abstract:Cloud computing has become a widely exploited research area in academia and industry. Cloud computing benefits both cloud services providers (CSPs) and consumers. The security challenges associated with cloud computing have been widely studied in the literature. This systematic literature review (SLR) is aimed to review the existing research studies on cloud computing security, threats, and challenges. This SLR examined the research studies published between 2010 and 2020 within the popular digital libraries. We selected 80 papers after a meticulous screening of published works to answer the proposed research questions. The outcomes of this SLR reported seven major security threats to cloud computing services. The results showed that data tampering and leakage were among the highly discussed topics in the chosen literature. Other identified security risks were associated with the data intrusion and data storage in the cloud computing environment. This SLR's results also indicated that consumers' data outsourcing remains a challenge for both CSPs and cloud users. Our survey paper identified the blockchain as a partnering technology to alleviate security concerns. The SLR findings reveal some suggestions to be carried out in future works to bring data confidentiality, data integrity, and availability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Teddy Surya Gunawan,Muhammad Kassim Lim,Nurul Fariza Zulkurnain,Mira Kartiwi

DOI: https://doi.org/10.11591/ijeecs.v11.i1.pp51-59

2018-07-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:The massive development of technology especially in computers, mobile devices, and networking has bring security issue forward as primarily concern. The computers and mobile devices connected to Internet are exposed to numerous threats and exploits. With the utilization of penetration testing, vulnerabilities of a system can be identified and simulated attack can be launched to determine how severe the vulnerabilities are. This paper reviewed some of the security concepts, including penetration testing, security analysis, and security audit. On the other hand, Kali Linux is the most popular penetration testing and security audit platform with advanced tools to detect any vulnerabilities uncovered in the target machine. For this purpose, Kali Linux setup and installation will be described in more details. Moreover, a method to install vulnerable server was also presented. Further research including simulated attacks to vulnerable server on both web and firewall system will be conducted.

Rohani Rohan,Debajyoti Pal,Jari Hautamäki,Suree Funilkul,Wichian Chutimaskul,Himanshu Thapliyal

DOI: https://doi.org/10.1016/j.heliyon.2023.e14234

IF: 3.776

2023-03-01

Heliyon

Abstract:Information Security Awareness (ISA) is a significant concept that got considerable attention recently and can assist in minimizing the risks associated with information security breaches. Several measurement scales have been developed in this regard, as measuring users' ISA is paramount. Although ISA specific scales are very important, yet what methodological rigor they use in terms of initial conceptualization of ISA, data collection and analysis during the development, and scale validation of such scales are some unknown aspects. Therefore, we provide a comprehensive review of the existing ISA specific scales to address all the above concerns. A popular method, PRISMA, is utilized, and a total of 24 articles that match with criteria of this research are included for the final in-depth analysis. Also, a holistic evaluation framework is developed containing three phases and 19 criteria. Findings revealed that most studies treat ISA as a multi-dimensional construct, and ISA researchers rarely conduct both pilot testing and pre-text evaluation while validating and refining the initial scales. Additionally, several articles did not report some of the essential elements used for checking the rigor of factor analysis, and evidence for validities of the identified scales is inadequate. Consequently, existing ISA specific scales must be improved both in terms of the methodological thoroughness of the scale development procedure and their validities. Moreover, not only justifying why the development of a new scale is necessary, but also improving the quality of the existing scales by doing multiple iterations is significant in the future. Likewise, the inclusion of all the dimensions of ISA, while generating the initial items pool is an important aspect to be considered. A thorough discussion, recommendations for future research, conclusions, and study limitations are provided.

Manish Bhurtel,Danda B. Rawat

DOI: https://doi.org/10.3390/fi15070248

2023-07-25

Future Internet

Abstract:Operating systems play a crucial role in computer systems, serving as the fundamental infrastructure that supports a wide range of applications and services. However, they are also prime targets for malicious actors seeking to exploit vulnerabilities and compromise system security. This is a crucial area that requires active research; however, OS vulnerabilities have not been actively studied in recent years. Therefore, we conduct a comprehensive analysis of OS vulnerabilities, aiming to enhance the understanding of their trends, severity, and common weaknesses. Our research methodology encompasses data preparation, sampling of vulnerable OS categories and versions, and an in-depth analysis of trends, severity levels, and types of OS vulnerabilities. We scrape the high-level data from reliable and recognized sources to generate two refined OS vulnerability datasets: one for OS categories and another for OS versions. Our study reveals the susceptibility of popular operating systems such as Windows, Windows Server, Debian Linux, and Mac OS. Specifically, Windows 10, Windows 11, Android (v11.0, v12.0, v13.0), Windows Server 2012, Debian Linux (v10.0, v11.0), Fedora 37, and HarmonyOS 2, are identified as the most vulnerable OS versions in recent years (2021–2022). Notably, these vulnerabilities exhibit a high severity, with maximum CVSS scores falling into the 7–8 and 9–10 range. Common vulnerability types, including CWE-119, CWE-20, CWE-200, and CWE-787, are prevalent in these OSs and require specific attention from OS vendors. The findings on trends, severity, and types of OS vulnerabilities from this research will serve as a valuable resource for vendors, security professionals, and end-users, empowering them to enhance OS security measures, prioritize vulnerability management efforts, and make informed decisions to mitigate risks associated with these vulnerabilities.

Ema Kušen,Mark Strembeck

DOI: https://doi.org/10.48550/arXiv.1701.00773

2017-01-04

Abstract:In an endeavor to reach the vision of ubiquitous computing where users are able to use pervasive services without spatial and temporal constraints, we are witnessing a fast growing number of mobile and sensor-enhanced devices becoming available. However, in order to take full advantage of the numerous benefits offered by novel mobile devices and services, we must address the related security issues. In this paper, we present results of a systematic literature review (SLR) on security-related topics in ubiquitous computing environments. In our study, we found 5165 scientific contributions published between 2003 and 2015. We applied a systematic procedure to identify the threats, vulnerabilities, attacks, as well as corresponding defense mechanisms that are discussed in those publications. While this paper mainly discusses the results of our study, the corresponding SLR protocol which provides all details of the SLR is also publicly available for download.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Houda Harkat,Luis M. Camarinha-Matos,João Goes,Hasmath F.T. Ahmed

DOI: https://doi.org/10.1016/j.cie.2024.109891

IF: 7.18

2024-02-01

Computers & Industrial Engineering

Abstract:In recent years, cyber-physical systems (CPS) have been to many vital areas, including medical devices, smart cars, industrial systems, energy grid, etc. As these systems increasingly rely on Internet, ensuring their security requirements, which are different from those of ordinary information technology systems, has become an important research topic. However, the area is not yet well structured and, therefore, it is essential to review and analyze recent work in this field to better understand the adopted approaches and also to identify corresponding gaps and future interesting research directions. This article is based on a systematic literature review that addresses core issues in CPS security. Part of the focus is placed on the defense mechanisms introduced to help the system fully recover from attacks. However, the framework devoted to risk/threat assessments has also been highlighted, as there is a substantial need to strengthen the systems architecture to be more proactive. In addition, the ethical and societal impact of CPS is emphasized since it is essential to get a vision of the unintended outcomes of the possible evolution of these systems.

computer science, interdisciplinary applications,engineering, industrial

Mikko T. Siponen,Harri Oinas-Kukkonen

DOI: https://doi.org/10.1145/1216218.1216224

2007-02-28

Abstract:This paper identifies four security issues (access to Information Systems, secure communication, security management, development of secure Information Systems), and examines the extent to which these security issues have been addressed by existing research efforts. Research contributions in relation to these four security issues are analyzed from three viewpoints: a meta-model for information systems, the research approaches used, and the reference disciplines used. Our survey reveals that most information security research has focused on the technical context, and on issues of access to IS and secure communication. The corresponding security issues have been resolved by using mathematical approaches as a research approach. The reference disciplines most commonly reflected have been mathematics, including philosophical logic. Based on this analysis, we suggest new directions for studying information security from an information systems viewpoint, with respect to research methodology and research questions. Empirical studies in relation to the issues of security management and the development of secure IS, based on suitable reference theories (e.g., psychology, sociology, semiotics, and philosophy), are particularly necessary.

Angad Pal Singh,Ankit Sharma

DOI: https://doi.org/10.48550/arXiv.2212.05347

2022-12-11

Abstract:Insider threats is the most concerned cybersecurity problem which is poorly addressed by widely used security solutions. Despite the fact that there have been several scientific publications in this area, but from our innovative study classification and structural taxonomy proposals, we argue to provide the more information about insider threats and defense measures used to counter them. While adopting the current grounded theory method for a thorough literature evaluation, our categorization's goal is to organize knowledge in insider threat research. Along with an analysis of major recent studies on detecting insider threats, the major goal of the study is to develop a classification of current types of insiders, levels of access, motivations behind it, insider profiling, security properties, and methods they use to attack. This includes use of machine learning algorithm, behavior analysis, methods of detection and evaluation. Moreover, actual incidents related to insider attacks have also been analyzed.

Cryptography and Security

Alioune Diallo,Jordan Samhi,Tegawendé Bissyandé,Jacques Klein

2024-09-24

Abstract:In developing countries, several key sectors, including education, finance, agriculture, and healthcare, mainly deliver their services via mobile app technology on handheld devices. As a result, mobile app security has emerged as a paramount issue in developing countries. In this paper, we investigate the state of research on mobile app security, focusing on developing countries. More specifically, we performed a systematic literature review exploring the research directions taken by existing works, the different security concerns addressed, and the techniques used by researchers to highlight or address app security issues. Our main findings are: (1) the literature includes only a few studies on mobile app security in the context of developing countries ; (2) among the different security concerns that researchers study, vulnerability detection appears to be the leading research topic; (3) FinTech apps are revealed as the main target in the relevant literature. Overall, our work highlights that there is largely room for developing further specialized techniques addressing mobile app security in the context of developing countries.

Cryptography and Security

Pierre Ciholas,Aidan Lennie,Parvin Sadigova,Jose M. Such

DOI: https://doi.org/10.48550/arXiv.1901.05837

2019-01-17

Cryptography and Security

Abstract:Smart Buildings are networks of connected devices and software in charge of automatically managing and controlling several building functions such as HVAC, fire alarms, lighting, shading and more. These systems evolved from mostly electronic and mechanical elements to complex systems relying on IT and wireless technologies and networks. This exposes smart buildings to new risks and threats that need to be enumerated and addressed. Research efforts have been done in several areas related to security in smart buildings but a clear overview of the research field is missing. In this paper, we present the results of a systematic literature review that provides a thorough understanding of the state of the art in research on the security of smart buildings. We found that the field of smart buildings security is growing significantly in complexity due to the many protocols introduced recently and that the research community is already studying. We also found an important lack of empirical evaluations, though evaluations on testbeds and real systems seems to be growing. Finally, we found an almost complete lack of consideration of non-technical aspects, such as social, organisational, and human factors, which are crucial in this type of systems, where ownership and liability is not always clear.

Sabarathinam Chockalingam,Dina Hadziosmanovic,Wolter Pieters,Andre Teixeira,Pieter van Gelder

DOI: https://doi.org/10.48550/arXiv.1707.02140

2017-07-07

Abstract:Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.

Cryptography and Security

Noor Suhani Sulaiman,Muhammad Ashraf Fauzi,Walton Wider,Jegatheesan Rajadurai,Suhaidah Hussain,Siti Aminah Harun

DOI: https://doi.org/10.3390/socsci11090386

2022-08-30

Social Sciences

Abstract:Cyber and information security (CIS) is an issue of national and international interest. Despite sophisticated security systems and extensive physical countermeasures to combat cyber-attacks, organisations are vulnerable due to the involvement of the human factor. Humans are regarded as the weakest link in cybersecurity systems as development in digital technology advances. The area of cybersecurity is an extension of the previously studied fields of information and internet security. The need to understand the underlying human behavioural factors associated with CIS policy warrants further study, mainly from theoretical perspectives. Based on these underlying theoretical perspectives, this study reviews literature focusing on CIS compliance and violations by personnel within organisations. Sixty studies from the years 2008 to 2020 were reviewed. Findings suggest that several prominent theories were used extensively and integrated with another specific theory. Protection Motivation Theory (PMT), the Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT) were identified as among the most referred-to theories in this area. The use of current theories is discussed based on their emerging importance and their suitability in future CIS studies. This review lays the foundation for future researchers by determining gaps and areas within the CIS context and encompassing employee compliance and violations within an organisation.

English Else

Puspita Kencana Sari,Putu Wuri Handayani,Achmad Nizar Hidayanto,Setiadi Yazid,Rizal Fathoni Aji

DOI: https://doi.org/10.3390/healthcare10122531

2022-12-15

Health Care

Abstract:This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.

health care sciences & services,health policy & services

Ariessa Davaindran Lingham,Nelson Tang Kwong Kin,Chen Wan Jing,Chong Heng Loong,Fatima-tuz-Zahra

DOI: https://doi.org/10.48550/arXiv.2012.13108

2020-12-24

Abstract:Security holds an important role in a software. Most people are not aware of the significance of security in software system and tend to assume that they will be fine without security in their software systems. However, the lack of security features causes to expose all the vulnerabilities possible to the public. This provides opportunities for the attackers to perform dangerous activities to the vulnerable insecure systems. This is the reason why many organizations are reported for being victims of system security attacks. In order to achieve the security requirement, developers must take time to study so that they truly understand the consequences and importance of security. Hence, this paper is written to discuss how secure software development can be performed. To reach the goal of this paper, relevant researches have been reviewed. Multiple case study papers have been studied to find out the answers to how the vulnerabilities are identified, how to eliminate them, when to implement security features, why do we implement them. Finally, the paper is concluded with final remarks on implementation of security features during software development process. It is expected that this paper will be a contribution towards the aforementioned software security domain which is often ignored during practical application.

Software Engineering