Publication


Featured research published by Lorena Montoya.


Environment and Behavior | 2016

The relation between residential property and its surroundings and day- and night-time residential burglary

Lorena Montoya; Marianne Junger; Yfke Ongena

This article examines how residential property and its surroundings influence day- and night-time residential burglary. Crime Prevention Through Environmental Design (CPTED) principles of territoriality, surveillance, access control, target hardening, image maintenance, and activity support underpin the study. Data were collected by observing 851 houses in the city of Enschede, half of which were burgled and half representing a random selection of houses not burgled. Multilevel multinomial regression models were estimated for predicting day- and night-time burglaries. The findings show that territoriality and access control predict daytime burglary while access control and target hardening predict night-time burglary. The analysis controls for offender availability, target attractiveness, and residential stability. The conclusion is that two separate burglary prevention frameworks are needed: one for day- and another one for night-time burglary.


IEEE International Energy Conference | 2016

Towards a collaborative framework to improve urban grid resilience

Oliver Jung; Sandford Bessler; Andrea Ceccarelli; Tommaso Zoppi; Alexandr Vasenev; Lorena Montoya; Tony Clarke; Keith Chappell

Two trends will help to ensure resilient electricity supply in Smart Cities: a) the ongoing deployment of Smart Grid technology and b) the adoption of distributed energy resources. Unfortunately, the increased reliance on ICT in the Smart Grid will expose new threats that could result in incidents that might affect urban electricity distribution networks by causing power outages. Diverse specialists will need to cooperate to address these threats. This position paper outlines a methodology for establishing a collaborative framework that supports the definition of response strategies to threats. We consider the ongoing evolution of the electricity grids and the threats emerging while the grid evolves. After outlining possible scenarios of urban grid development, we highlight several threats and the strategies of attackers. Finally, we introduce a framework that aims to foster the collaboration of stakeholders involved in city resilience planning taking into account grid vulnerability and criticality from a city's perspective.


Computers in Human Behavior | 2017

Priming and warnings are not effective to prevent social engineering attacks

Marianne Junger; Lorena Montoya; F.-J. Overink

Humans tend to trust each other and to easily disclose personal information. This makes them vulnerable to social engineering attacks. The present study investigated the effectiveness of two interventions that aim to protect users against social engineering attacks, namely priming through cues to raise awareness about the dangers of social engineering cyber-attacks and warnings against the disclosure of personal information. A sample of visitors of the shopping district of a medium-sized town in the Netherlands was studied. Disclosure was measured by asking subjects for their email address, 9 digits from their 18-digit bank account number, and for those who previously shopped online, what they had purchased and in which web shop. Relatively high disclosure rates were found: 79.1% of the subjects filled in their email address, and 43.5% provided bank account information. Among the online shoppers, 89.8% of the subjects filled in the type of product(s) they purchased and 91.4% filled in the name of the online shop where they did these purchases. Multivariate analysis showed that neither priming questions, nor a warning influenced the degree of disclosure. Indications of an adverse effect of the warning were found. The implications of these findings are discussed.


1st EAI International Conference on Smart Grid Inspired Future, SmartGift 2016 | 2017

Assessing loss event frequencies of smart grid cyber threats: Encoding flexibility into FAIR using Bayesian network approach

Anhtuan Le; Yue Chen; Kok Keong Chai; Alexandr Vasenev; Lorena Montoya

Assessing loss event frequencies (LEF) of smart grid cyber threats is essential for planning cost-effective countermeasures. Factor Analysis of Information Risk (FAIR) is a well-known framework that can be applied to consider threats in a structured manner by using look-up tables related to a taxonomy of threat parameters. This paper proposes a method for constructing a Bayesian network that extends FAIR, for obtaining quantitative LEF results of high granularity, by means of a traceable and repeatable process, even for fuzzy input. Moreover, the proposed encoding enables sensitivity analysis to show how changes in fuzzy input contribute to the LEF. Finally, the method can highlight the most influential elements of a particular threat to help plan countermeasures better. The numerical results of applying the method to a smart grid show that our Bayesian model can not only provide evaluation consistent with FAIR, but also supports more flexible input, more granular output, as well as illustrates how individual threat components contribute to the LEF.


SG-CRC | 2016

Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention

Jan-Willem Bullee; Lorena Montoya; Marianne Junger; Pieter H. Hartel

The objective of this study is to get insight into the effectiveness of an information campaign to counter a social engineering attack via the telephone. Four different offenders phoned 48 employees and made them believe that their PC was distributing spam emails. Targets were told that this unfortunate situation could be solved by downloading and executing software from a website (i.e. an untrusted one). A total of 46.15% of the employees not exposed to the intervention followed the instructions of the offender. This was significantly different to those exposed to an intervention 1 week prior to the attack (9.1%); however, there was no effect for those exposed to an intervention 2 weeks prior to the attack (54.6%). This research suggests that scam awareness-raising campaigns reduce vulnerability only in the short term.


1st EAI International Conference on Smart Grid Inspired Future, SmartGift 2016 | 2016

Threat navigator: grouping and ranking malicious external threats to current and future urban smart grids

Alexandr Vasenev; Lorena Montoya; Andrea Ceccarelli; Anhtuan Le; Dan Ionita

Deriving value judgements about threat rankings for large and entangled systems, such as those of urban smart grids, is a challenging task. Suitable approaches should account for multiple threat events posed by different classes of attackers who target system components. Given the complexity of the task, a suitable level of guidance for ranking more relevant and filtering out the less relevant threats is desirable. This requires a method able to distill the list of all possible threat events in a traceable and repeatable manner, given a set of assumptions about the attackers. The Threat Navigator proposed in this paper tackles this issue. Attacker profiles are described in terms of Focus (linked to Actor-to-Asset relations) and Capabilities (Threat-to-Threat dependencies). The method is demonstrated on a sample urban Smart Grid. The ranked list of threat events obtained is useful for a risk analysis that ultimately aims at finding cost-effective mitigation strategies.


IEEE International Smart Cities Conference | 2016

Analysing non-malicious threats to urban smart grids by interrelating threats and threat taxonomies

Alexandr Vasenev; Lorena Montoya

A comprehensive study of the smart grid threat landscape is important for designing resilient urban grids of the future. To this end, an analysis could first cross reference threat categorizations and interrelate threat events on the basis of threat lists that complement each other. This paper shows how to cross-relate threat taxonomies and analyze relations between threats and system components to reasonably link diverse threats to a smart grid. We illustrate how one can look beyond a specific threat by (1) relating threat sources from one taxonomy to threat lists from other taxonomies; (2) analyzing how threats can be cross-related to identify possible scenarios of undesirable events; and (3) assigning threat categories to system components. These steps in sequence or individually aim to provide input to threat identification and (thus) risk assessment tasks. This paper focusses on threats listed in the IRENE research project and relates them to threat taxonomies used in the AFTER and SESAME projects which focused on smart grids as well.


Availability, Reliability and Security | 2016

A Hazus-Based Method for Assessing Robustness of Electricity Supply to Critical Smart Grid Consumers during Flood Events

Alexandr Vasenev; Lorena Montoya; Andrea Ceccarelli

Ensuring an external electricity supply to critical city components during flood events requires adequate urban grid planning. The proliferation of smart grid technologies means that such planning needs to assess how smart grids might function during floods. This paper proposes a method to qualitatively investigate robustness of electricity supply to smart grid consumers during flood events. This method builds on the Hazus methodology and aims to provide inputs for the risk analysis of urban grids.


2013 Third Workshop on Socio-Technical Aspects in Security and Trust | 2013

Applying the Lost-Letter Technique to Assess IT Risk Behaviour

Elmer Lastdrager; Lorena Montoya; Pieter H. Hartel; Marianne Junger

Information security policies are used to mitigate threats for which a technical prevention is not feasible. Compliance with information security policies is a notoriously difficult issue. Social sciences could provide tools to empirically study compliance with policies. We use a variation of the lost-letter technique to study IT risk behaviour, using USB keys instead of letters. The observational lost-letter study by Farrington and Knight (1979) was replicated in a university setting by dropping 106 USB keys. Labels on the USB keys were used to vary characteristics of the alleged victim. Observers noted characteristics of people who picked a USB key up and whether the USB key was returned. Results show that USB keys in their original box are stolen more than used ones and that people aged 30 or younger and those who place a found USB key in their pocket are more likely to steal. This suggests that the decision to steal a USB key is taken at the moment of pick up, despite ample opportunity to return it. The lost USB key technique proved to be a feasible method of data collection to measure policy compliance and thus also risk behaviour.


Information and Computer Security | 2017

Spear phishing in organisations explained

Jan-Willem Bullee; Lorena Montoya; Marianne Junger; Pieter H. Hartel

Purpose: The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient. Design/methodology/approach: Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails. Findings: Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient’s years of service within the organisation are taken into account. Practical implications: This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect. Originality/value: The innovative aspect relates to explaining spear phishing using four socio-demographic variables.

Collaboration


Top Co-Authors

Wolter Pieters

Delft University of Technology

Yfke Ongena

University of Groningen
