Marko Helenius

Towards a contingency approach with whitelist-and blacklist-based anti-phishing applications: what do usability tests indicate?

In web browsers, a variety of anti-phishing tools and technologies are available to assist users to identify phishing attempts and potentially harmful pages. Such anti-phishing tools and technologies provide Internet users with essential information, such as warnings of spoofed pages. To determine how well users are able to recognise and identify phishing web pages with anti-phishing tools, we designed and conducted usability tests for two types of phishing-detection applications: blacklist-based and whitelist-based anti-phishing toolbars. The research results mainly indicate no significant performance differences between the application types. We also observed that, in many web browsing cases, a significant amount of useful and practical information for users is absent, such as information explaining professional web page security certificates. Such certificates are crucial in ensuring user privacy and protection. We also found other deficiencies in web identities in web pages and web browsers that present challenges to the design of anti-phishing toolbars. These challenges will require more professional, illustrative, instructional, and reliable information for users to facilitate user verification of the authenticity of web pages and their content.

Tailored Security: Building Nonrepudiable Security Service-Level Agreements

The security features of current digital services are mostly defined and dictated by the service provider (SP). A user can always decline to use a service whose terms do not fulfill the expected criteria, but in many cases, even a simple negotiation might result in a more satisfying outcome. This article aims at building nonrepudiable security service-level agreements (SSLAs) between a user and an SP. The proposed mechanism provides a means to describe security requirements and capabilities in different dimensions, from overall targets and risks to technical specifications, and it also helps in translating between the dimensions. A negotiation protocol and a decision algorithm are then used to let the parties agree on the security features used in the service. This article demonstrates the feasibility and usability of the mechanism by describing its usage scenario and proof-of-concept implementation and analyzes its nonrepudiability and security aspects.

A usability test of whitelist and blacklist-based anti-phishing application

Anti-phishing tools on a web browser warn about spoofing pages or/and prompt to essential and necessary information that assists users to identify spoofing and potentially harmful pages. In order to discover how well users can identify phishing pages with these tools after they understand how the tools work, we designed and conducted usability tests for two detection mechanisms of anti-phishing tools: the blacklist-based and whitelist-based anti-phishing toolbars. As a result, we report that no significant performance differences between the blacklist-based and whitelist-based applications were found; but some other interesting findings and observations were collected. The most valuable observation is that due to the deficiency of existing web identities on the web pages and web browsers, e.g. abstract and professional web page security certificate information, anti-phishing toolbars need to be more illustrative and instructional in order to assist users to find reliable information for identifying the authenticity of the content on the web pages.

A non-repudiable negotiation protocol for security service level agreements

Security service level agreements SSLAs provide a systematic way for end users at home or in the office to guarantee sufficient security level when doing business or exchanging sensitive personal or organizational data with an online service. In this paper, we propose an SSLA negotiation protocol that implements non-repudiation with cryptographic identities and digital signatures and includes features that make it resistant to denial of service attacks. The basic version of the protocol does not rely on the use of a trusted third party, and it can be used for all kinds of simple negotiations. For the negotiation about SSLAs, the protocol provides an option to use an external knowledge base that may help the user in the selection of suitable security measures. We have implemented a prototype of the system, which uses JSON Web Signature for the message exchange and made some performance tests with it. The results show that the computational effort required by the cryptographic operations of the negotiation protocol remains at a reasonable level. Copyright

Towards a conceptual framework for privacy protection in the use of interactive 360° video surveillance

Interactive 360° video technology has not been embraced for surveillance purposes despite its ability to eliminate blind spots, which is an important attribute of video surveillance. Further, privacy invasion due to video surveillance has a negative impact, and this urges for attention. Hence, the paper authors considered these two aspects and proposed a conceptual design framework with its rationale for privacy protection in use within the infrastructure of the interactive 360° video surveillance system. This conceptual integration framework takes into account the next essential factors: i) the utilization of the positive characteristics of 360° video to improve surveillance; ii) the protection of peoples privacy; iii) the assistance needed in crime investigation and forensics; and iv) the ease and cost-effectiveness for deployment. These are factors of paramount significance for public safety and social order and they can be guaranteed with proactive approaches of design, based on the latest developments of Internet of Things technology and digital watermarking advancements.

Learnings from the Finnish Game Industry

The motivation behind our research was the rapid growth and business wins of world-class Finnish game companies, like Supercell, as well as the success of other game companies in Finland. In particular, Supercells growth is something that has not been heard of before and this raised the interest to research what game companies have been doing right. Supercell is not the only Finnish success. Rovio is also well known and has the roots for success from few years before. There are also other game companies in Finland that have succeeded and this motivated us to investigate what is happening behind the game industry and what could be learned from there that could be applied to other software industry as well. In order to explore and explain the different success factors, we interviewed the following eight Finnish game companies: Rovio Entertainment, Fingersoft, TicBits, Boomlagoon, 10tons, Tribeflame, Star Arcade and Mountain Sheep. In addition, we investigated public sources, like interviews given to newspapers and books written about companies. These sources cover well Supercell as they have given numerous public interviews to journalists. Similarly, Remedy was analysed based on public sources. Based on the results we recognised some 30 patterns that, depending on the context, could be used in other organisations as well. The patterns include the applicable context where they can be used, driving forces (and counterforces) that should be recognised, the problem they are solving and the solution to the problem coupled with the key enablers. Furthermore, narrative stories based on the interviews and public sources are included.

Applying Finite State Process Algebra to Formally Specify a Computational Model of Security Requirements in the Key2phone-Mobile Access Solution

Key2phone is a mobile access solution which turns mobile phone into a key for electronic locks, doors and gates. In this paper, we elicit and analyse the essential and necessary safety and security requirements that need to be considered for the Key2phone interaction system. The paper elaborates on suggestions/solutions for the realisation of safety and security concerns considering the Internet of Things (IoT) infrastructure. The authors structure these requirements and illustrate particular computational solutions by deploying the Labelled Transition System Analyser (LTSA), a modelling tool that supports a process algebra notation called Finite State Process (FSP). While determining an integrated solution for this research study, the authors point to key quality factors for successful system functionality.

Accountable security mechanism based on security service level agreement

This paper proposes a mechanism that realizes accountable security using a security service level agreement (SSLA), which defines the security level of a service agreed to between a user and service provider. The mechanism consists of three major components: security expression, translation, and negotiation techniques. The security expression technique provides a means to describe security requirements and capabilities of a user and service provider, as well as the SSLA between them, in different levels of detail. The translation technique provides a means to translate such information among different levels of detail, and the negotiation technique provides a means to negotiate and agree upon the SSLA between the user and service provider. Both the user and service provider need to be accountable and non-repudiable against the agreed to SSLA in order to empower it. The mechanism uses cryptographic identities and digital signatures for this purpose. This paper demonstrates the feasibility and usability of the mechanism by describing its usage scenario and implementing its prototype, and analyzes this mechanism.